Security is essential to the safe development and deployment of frontier AI. The safety of advanced AI systems cannot be assured without robust security practices and controls to protect frontier models from theft and loss, as well as misuse and exploitation.
Responsibly securing frontier AI systems requires a blend of existing and novel security approaches. Many security best practices for conventional software—from information security policies and procedures to physical security measures—are no less foundational to frontier AI security. Yet those practices must be coupled with measures tailored to the unique risks posed by frontier AI systems. As frontier AI systems become more capable, developing and implementing a security strategy that effectively layers and integrates both traditional and tailored approaches will be vital. Such a strategy will also need to account for the distinct security challenges involved in the training and inference stages of frontier AI.
This issue brief is the first in a series of publications documenting emerging practices for securing frontier AI systems. Drawing on information published by member firms of the Frontier Model Forum as well as discussions with firm security experts, the series will aim to capture consensus approaches to frontier AI security. Where possible, it will also reflect input and feedback from the external security community.
By articulating an initial set of high-level principles and practices, most of which draw heavily from existing cybersecurity approaches, this first brief aims to set out a baseline understanding of how firms currently approach frontier AI security. Future briefs and reports will go into greater depth and detail on specific practices and approaches unique to frontier model security.
Recommended Practices for Frontier AI Security
We recommend frontier AI firms develop and implement security practices based on the foundational principles and frameworks highlighted below. Drawn loosely from the “Secure by Design” approach to software security, the recommendations aim to ensure that security is prioritized throughout the lifecycle of a given frontier AI model or system.
Apply fundamental security principles. Core security principles serve as the foundation of a robust defense strategy. By adhering to the following principles, organizations can build a comprehensive security posture that safeguards their assets, mitigates risks, and establishes trust:
- Defense in depth involves implementing multiple layers of security controls such that the failure of one control or one set of controls does not result in a system compromise. It protects against diverse threats, providing redundancy and resilience.
- Least privilege dictates that users and software components be granted only the minimum level of access necessary to perform their duties, thereby minimizing the potential for and impact of security vulnerabilities or breaches and insider threats.
- Quorum-based access requires two or more privileged administrators to cooperate in order to carry out security-critical tasks, increasing accountability. This decreases the risk of both malicious activity and negligent errors.
- Separation of duties reduces the risk of fraud or errors by dividing tasks among multiple teams and individuals such that no individual team or person can carry out operations that have a broad impact on an overall system.
- Zero trust goes beyond the traditional perimeter-based security model by assuming that threats may exist both inside and outside the network, requiring continuous verification of user identities and devices. While network controls remain important and useful, network location by itself is not an adequate protection—it must always be coupled with identity-based and device-based controls.
- Robust identity management and access control schemes (e.g., role-based or attribute-based access control) should use phishing-resistant multi-factor authentication and avoid static or persistent credentials.
- Segmentation and privileged access controls establish appropriate boundaries between different network zones. Methods for accessing privileged zones should enforce additional layers of security (e.g., hardware security keys).
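The quorum principle above can be sketched in code: a security-critical operation (say, rotating a signing key) runs only once approvals from at least two distinct privileged administrators have been collected. This is a minimal illustration, not any firm's implementation; the class name, threshold, and administrator names are all hypothetical:

```python
from dataclasses import dataclass, field


@dataclass
class QuorumGate:
    """Illustrative quorum-based gate for security-critical operations."""
    privileged_admins: set            # administrators allowed to approve
    quorum: int = 2                   # minimum distinct approvals required
    approvals: set = field(default_factory=set)

    def approve(self, admin: str) -> None:
        if admin not in self.privileged_admins:
            raise PermissionError(f"{admin} is not a privileged administrator")
        self.approvals.add(admin)     # duplicate approvals are not double-counted

    def execute(self, action):
        if len(self.approvals) < self.quorum:
            raise PermissionError(
                f"need {self.quorum} approvals, have {len(self.approvals)}"
            )
        result = action()
        self.approvals.clear()        # approvals are single-use
        return result
```

Because approvals are tracked as a set of distinct identities, one administrator approving twice cannot satisfy the quorum alone, which is the accountability property the principle is after.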
Establish proactive security management. Identifying and addressing vulnerabilities before malicious actors can exploit them is core to a proactive security strategy. Options for doing so include:
- Internal security reviews involve conducting comprehensive reviews of systems, networks, and applications before their initial deployment, following significant changes, and periodically thereafter, to identify weaknesses and gaps in security controls.
- Penetration testing and red teaming allow organizations to simulate cyberattacks on their systems and networks to assess resilience to real-world threats. By emulating the tactics, techniques, and procedures used by attackers, these assessments help uncover vulnerabilities and weaknesses that adversaries could exploit.
- Bug bounty programs incentivize security researchers to identify and report security vulnerabilities within an organization’s systems and applications. Frontier AI firms should participate in existing bug bounty programs or establish their own where appropriate.
- Regular assessments of security controls, policies, plans, procedures, and other governance and risk management mechanisms ensure alignment with industry best practices and regulatory requirements. These assessments help organizations identify areas for improvement, fine-tune security measures, and adapt to evolving threat landscapes.
- Compromise assessments identify indicators of compromise in an environment. Independent reviews or other mechanisms should be established to determine whether there is any evidence that an environment has been compromised.
- Vulnerability and patch management keeps critical development environments, and the systems that connect to them, secure and stable.
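As a rough illustration of the patch-management bullet above, the sketch below compares an inventory of installed components against a hypothetical advisory list of minimum fixed versions. The data shapes and version scheme are assumptions for illustration; real programs would pull advisories from a scanner or a feed such as OSV or the NVD:

```python
def parse_version(version: str) -> tuple:
    """Turn a dotted version like '1.2.10' into (1, 2, 10) so versions
    compare numerically rather than lexically ('1.10' > '1.9')."""
    return tuple(int(part) for part in version.split("."))


def outdated_components(inventory: dict, advisories: dict) -> list:
    """Return (name, installed, fixed) for each component running below
    the minimum fixed version listed in the advisory feed."""
    findings = []
    for name, installed in inventory.items():
        fixed = advisories.get(name)
        if fixed and parse_version(installed) < parse_version(fixed):
            findings.append((name, installed, fixed))
    return findings
```

The point of the sketch is the workflow, not the comparison logic: an accurate inventory plus a current advisory feed yields a concrete, reviewable patch queue.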
Secure model deployment and distribution. Securing the deployment and distribution of AI models includes controlling access to model weights, enforcing licensing agreements, and preventing the unauthorized sharing or distribution of the models and other security and safety-critical system components. Best practices for securing model deployment and distribution include:
- Encrypt model assets, including model weights, at rest in databases, file systems, and backups using strong encryption standards (e.g., AES-256), and encrypt data in transit using Transport Layer Security (TLS) version 1.2 or later.
- Implement robust backup and disaster recovery procedures, ensuring model information can be quickly recovered and operations restored in the case of corruption, tampering, or loss.
- Monitor and enforce a licensing agreement that extends the security controls into the distribution environment.
- Create clearly scoped acceptable use policies for any third party accessing model assets for testing and evaluation purposes.
- Employ robust identity management and access control schemes that clearly delineate the model provider and distributor roles.
Implement insider threat detection programs. Firm personnel can pose threats to frontier AI security. To identify and mitigate insider threats, firms should do the following:
- Implement least-privileged controls and quorum-based controls to minimize the harm that could result from either negligent or malicious behavior by insiders.
- Maintain accurate and up-to-date employee credentials, permissions, and system access records.
- Deploy appropriate tools to monitor user behavior, log actions, and detect anomalous activity.
- Label sensitive information and data accordingly.
- Implement employee training and awareness programs on insider threats to improve peer-to-peer accountability.
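As a toy illustration of the monitoring bullet above, the sketch below flags users whose access to sensitive assets deviates from a simple baseline: activity outside approved hours, or volume far above a threshold. The event format, hours, and limits are all assumptions made for illustration; production insider-threat tooling uses much richer baselines (per-user history, peer-group comparison) and routes alerts to human review rather than acting automatically:

```python
from collections import Counter


def flag_anomalies(events, approved_hours=range(8, 19), volume_limit=100):
    """Return the set of users whose access events look anomalous.

    `events` is an iterable of (user, hour_of_day) access records.
    A user is flagged for any off-hours access, or for total access
    volume exceeding `volume_limit` over the window being examined.
    """
    flagged = set()
    volume = Counter()
    for user, hour in events:
        volume[user] += 1
        if hour not in approved_hours:
            flagged.add(user)          # off-hours access
    flagged.update(u for u, n in volume.items() if n > volume_limit)
    return flagged
```

Even a crude baseline like this pairs naturally with the logging and labeling practices above: anomaly detection is only as good as the completeness of the access records it consumes.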
Develop and regularly test robust incident response and recovery procedures. The more advanced AI systems become, the more important strong incident response procedures will be. Mature incident response, escalation, and remediation plans allow organizations to detect, contain, and mitigate security incidents. Firms should establish both:
- Incident response protocols that outline the steps for identifying threats, ensuring incidents are promptly escalated to the appropriate stakeholders, quickly mobilizing response teams, and restoring operations as soon as possible.
- Recovery strategies that allow defenders to resolve vulnerabilities, implement corrective measures, and reinforce defenses to prevent future incidents.
Leverage existing standards and frameworks. Existing cybersecurity best practices and compliance standards can be successfully leveraged in the frontier AI space to protect assets and other sensitive information. We recommend the following:
- Where applicable, frontier AI firms should leverage their regulatory compliance with frameworks such as GDPR and HIPAA, certification against standards such as ISO 27001, and voluntary or contractually required compliance with SOC 2. Since these frameworks and standards speak to robust practices (some of which focus on a particular sector, e.g., HIPAA), firms should consider leveraging many of their underlying protocols and practices on a voluntary basis.
- Voluntary best practices such as the Supply-chain Levels for Software Artifacts (SLSA), NIST’s Cybersecurity Framework 2.0, SP 800-218 Secure Software Development Framework, and SP 800-218A Secure Software Development Practices for Generative AI and Dual-Use Foundation Models can help organizations design with security in mind. In addition to meeting applicable regulatory and legal requirements, frontier AI firms should consider adhering to these frameworks.
- Even when not required, independent auditing of security practices and processes can enable frontier AI firms to demonstrate compliance with best practices (e.g., SOC 3) and identify gaps or weaknesses within their framework and approach.
- Minimum security baselines should draw on standards and best practices for implementing preventive, detective, and corrective security controls, such as the CIS Critical Security Controls.
As noted earlier, these recommendations are intended as a starting point for greater public understanding of frontier AI security and may not apply to all firms in all situations. We will explore specific best practices in greater detail in future publications as part of our broader series on security practices for frontier AI.