Risk
Misclassified or Undocumented Sensitive Data Usage
Description
Sensitive data is misclassified, undocumented, or used without proper authorization, leading to security or compliance risks.
Example
Sensitive user data is used for fine-tuning without being documented or classified, resulting in a lack of controls and auditability.
Assets Affected
Dataset / RAG
Model metadata
Model files
App Usage log
Mitigation
- Implement and enforce strict data classification policies
- Train personnel on data handling and classification
- Validate data classifications during discovery audits
- Document data resources thoroughly
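The following is an added example, not part of this catalog: a pre-fine-tuning gate that applies the "validate data classifications" and "document data resources" mitigations by refusing any dataset whose manifest lacks a classification, a description, an accountable owner, or an approval for the intended use. The manifest fields, classification labels and sample datasets are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed classification scheme; adapt to the organisation's own policy.
ALLOWED_CLASSES = {"public", "internal", "confidential", "restricted"}
SENSITIVE = {"confidential", "restricted"}


@dataclass
class Manifest:
    """Minimal dataset manifest (constructed schema, not a standard)."""
    name: str
    classification: str = ""
    owner: str = ""
    description: str = ""
    approved_uses: set = field(default_factory=set)


def audit_manifest(m: Manifest, intended_use: str) -> list:
    """Return findings for one dataset; an empty list means it passes."""
    findings = []
    if not m.classification:
        findings.append(f"{m.name}: no classification label")
    elif m.classification not in ALLOWED_CLASSES:
        findings.append(f"{m.name}: unknown classification '{m.classification}'")
    if not m.description:
        findings.append(f"{m.name}: undocumented (no description)")
    if m.classification in SENSITIVE:
        # Sensitive data needs an accountable owner and explicit approval
        # for the use it is about to be put to (e.g. fine-tuning).
        if not m.owner:
            findings.append(f"{m.name}: sensitive data has no accountable owner")
        if intended_use not in m.approved_uses:
            findings.append(f"{m.name}: '{intended_use}' is not an approved use")
    return findings


def gate(manifests, intended_use: str):
    """Audit every dataset; allow the job only if no dataset has findings.
    The per-dataset report is what gets written to the audit trail."""
    report = {m.name: audit_manifest(m, intended_use) for m in manifests}
    allowed = all(not f for f in report.values())
    return allowed, report


# Constructed sample inputs: one undocumented sensitive dataset, one clean one.
SAMPLE = [
    Manifest("support-tickets", classification="confidential",
             approved_uses={"analytics"}),
    Manifest("faq-corpus", classification="public", owner="docs-team",
             description="Public FAQ pages", approved_uses={"fine-tuning"}),
]
```

Running `gate(SAMPLE, "fine-tuning")` blocks the job and reports that `support-tickets` is undocumented, has no owner and is not approved for fine-tuning, while `faq-corpus` passes.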
Standards Mapping
- ISO 42001: A.7.3, A.7.6, A.5.2
- OWASP Top 10 for LLM: LLM02
- NIST AI RMF: MEASURE 2.10, MAP 5.1
- DASF v2: RAW DATA 1.2, DATASETS 3.2