Risk
Misclassified or Undocumented Sensitive Data Usage
Description
Sensitive data is misclassified, undocumented, or used without proper authorization, leading to security or compliance risks.
Example
Sensitive user data is used for fine-tuning without being documented or classified, resulting in lack of controls and auditability.
Assets Affected
Dataset / RAG
Model Metadata
Model Files
App Usage Log
Mitigation
- Implement and enforce strict data classification policies
- train personnel on data handling and classification
- validate data classifications during discovery audits
- document data resources thoroughly.
Standards Mapping
- ISO: A.7.3, A.7.6
- OWASP LLM: LLM02:2025
- EU AI Act: Art. 10
- DASF: Raw Data 1.2, Datasets 3.2
- AIUC-1: A001, A006