Secure AI Development: Understanding the Security Risks and Developing Advice and Global Technical Standards
Abstract
The session described how the UK government, through the UK AI Security Institute and the National Cyber Security Centre, partners with governments, industry, academia and civil society worldwide to map emerging AI‑related cyber threats and translate that knowledge into practical security advice and the world’s first global AI‑security technical standard. The presentation covered the ecosystem of standards bodies, the distinctive AI threat landscape, a set of 13 security principles spanning the AI lifecycle, and the multi‑year, multi‑stakeholder process that produced ETSI Technical Specification TS 104223 (later EN 304223), its supporting reports and a forthcoming conformity‑assessment framework. The speaker also responded to audience questions about mandatory versus voluntary provisions, alignment with other national frameworks, and the need for ongoing updates.
Detailed Summary
1. The UK’s Global Engagement and Core Activities
- The speaker opened by emphasizing that the UK works beyond North America and Europe, engaging partners across the Global South, academia (universities, think‑tanks), and the general public.
- The relationship with stakeholders is bidirectional: the UK provides advice, but also gathers feedback to craft “practical and realistic” guidance.
- Core UK activities:
  - Understanding evolving cyber threats.
  - Developing mitigations, publishing guidance, and improving resilience of public and private networks.
  - Incident response – stepping in when severe cyber incidents occur.
2. Why Technical Standards Matter
- Definition – A technical standard describes “good practice” for designing, developing, and deploying a digital technology.
- Purpose – Standards enable compatibility and interoperability (e.g., making phones work across borders) and accelerate innovation.
- Security relevance – Standards set a minimum baseline of security, ensuring products and services are safe and trustworthy.
3. The Landscape of Standards‑Development Organizations (SDOs)
| Acronym | Full name | Primary focus | UK involvement |
|---|---|---|---|
| ISO | International Organization for Standardization | General‑purpose standards (global) | Delegated through the British Standards Institution (BSI). |
| ITU | International Telecommunication Union (UN) | Telecom standards led by governments | UK participates as a government delegate. |
| ETSI | European Telecommunications Standards Institute | ICT & telecom standards, global reach | Main vehicle for the AI security TS/EN. |
| 3GPP | Third Generation Partnership Project | Mobile network standards (3G/4G/5G/6G) | UK contributes through ETSI. |
| W3C | World Wide Web Consortium | Web standards | UK engages directly. |
| IETF | Internet Engineering Task Force | Internet protocols & governance | UK participates, especially on security‑privacy balances. |
- Each body has different governance (industry‑led vs government‑led) and different pros/cons for security‑focused work.
- The UK government engages with the bodies highlighted in yellow on the slide (ISO, ITU, ETSI, 3GPP, W3C, IETF).
4. AI‑Specific Threat Landscape
The speaker outlined both traditional software threats (which still apply) and AI‑unique threats, noting that the UK is still learning about many of them.
| Threat type | Description |
|---|---|
| Adversarial inputs | Maliciously crafted data that tricks models into wrong or harmful outputs. |
| Data poisoning | Insertion of corrupted data into training sets, compromising model integrity. |
| Model inversion / Membership inference | Attacks that extract sensitive training‑data information from model outputs. |
| Indirect prompt injection | Embedding malicious instructions in content the model consumes (e.g., retrieved documents or web pages) to override system rules or produce unintended results. |
- The UK’s role is to provide actionable guidance on mitigating these novel risks, as existing cyber‑security best practices are insufficient on their own.
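Some of these threats can be demonstrated in miniature. The sketch below is a toy example with invented data (not drawn from the talk or the standard), showing label‑flipping data poisoning against a simple nearest‑centroid classifier: a handful of mislabelled training points shift a class centroid and flip a prediction.

```python
# Toy demonstration of data poisoning via label flipping.
# All data points and labels are invented for illustration.

def centroid(values):
    """Mean of a list of 1-D feature values."""
    return sum(values) / len(values)

def train(samples):
    """samples: list of (value, label) pairs -> per-label centroid."""
    by_label = {}
    for value, label in samples:
        by_label.setdefault(label, []).append(value)
    return {label: centroid(vals) for label, vals in by_label.items()}

def predict(model, value):
    """Assign the label whose centroid is nearest to the input."""
    return min(model, key=lambda label: abs(model[label] - value))

# Clean training set: two well-separated classes.
clean = [(1.0, "benign"), (2.0, "benign"), (8.0, "malicious"), (9.0, "malicious")]
model = train(clean)

# An attacker inserts benign-looking values mislabelled as "malicious",
# dragging the "malicious" centroid toward the benign region.
poisoned = clean + [(3.0, "malicious"), (3.5, "malicious"), (4.0, "malicious")]
model_poisoned = train(poisoned)

print(predict(model, 3.8))           # clean model: "benign"
print(predict(model_poisoned, 3.8))  # poisoned model: "malicious"
```

The same mechanism scales to real training pipelines, which is why the principles below emphasise documenting and protecting training data as an asset.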
5. The 13‑Principle Framework for Secure AI
The core advice is distilled into 13 principles across five AI‑lifecycle phases (design, development, deployment, operation, end‑of‑life). The speaker highlighted that the principles are a baseline; organisations may exceed them if resources permit.
| Phase | Principle (brief) | Key focus |
|---|---|---|
| Design | 1. Raise awareness of AI security threats. | Education & risk awareness. |
| Design | 2. Build security into design alongside functionality. | Secure‑by‑design. |
| Design | 3. Evaluate threats & manage risks. | Threat modelling. |
| Design | 4. Enable human responsibility. | Accountability & governance. |
| Development | 5. Identify, track, protect assets. | Asset management. |
| Development | 6. Secure infrastructure. | Hardening hardware/software. |
| Development | 7. Secure supply chain. | Third‑party risk. |
| Development | 8. Document data, models, prompts. | Traceability. |
| Development | 9. Conduct appropriate testing & evaluation. | Verification. |
| Deployment | 10. Communicate processes to end‑users & affected parties. | Transparency. |
| Deployment | 11. Maintain regular updates, patches, mitigations. | Patch management. |
| Deployment | 12. Monitor system behaviour continuously. | Runtime monitoring. |
| End‑of‑life | 13. Ensure proper data & model disposal. | Secure decommissioning. |
- Mandatory vs. voluntary provisions: Within each principle, some clauses are “shall” (mandatory) and others “should” (recommended). The exact list of mandatory clauses is recorded in the standard itself; the speaker noted that the debate over which clauses should be mandatory was intense during the ETSI consultation.
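The “shall”/“should” distinction follows common SDO drafting conventions, which makes it mechanical to check. The sketch below uses invented clause text (not taken from TS 104223) to tag clauses by normative strength:

```python
import re

def normative_strength(clause):
    """Classify a clause by its normative keyword, per common SDO
    drafting conventions: 'shall' = mandatory, 'should' = recommended."""
    if re.search(r"\bshall\b", clause, re.IGNORECASE):
        return "mandatory"
    if re.search(r"\bshould\b", clause, re.IGNORECASE):
        return "recommended"
    return "informative"

# Hypothetical clauses, invented for illustration.
clauses = [
    "The developer shall document the provenance of all training data.",
    "The operator should rate-limit queries to deployed models.",
    "Background: AI systems introduce novel attack surfaces.",
]

for clause in clauses:
    print(normative_strength(clause), "-", clause)
```

A real compliance review would of course read each clause in context, but keyword tagging is a useful first pass when scoping which requirements are binding.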
6. Development Process & Global Consultation
6.1 Initial Guidelines (2023)
- NCSC (National Cyber Security Centre) produced the Guidelines for Secure AI System Development (≈2.5 years ago), timed for the first AI Safety Summit at Bletchley Park.
- Co‑authored with CISA (US) and ≈20 other national cyber‑security agencies across all continents.
6.2 Draft Code of Practice
- The UK Department for Science, Innovation & Technology (DSIT) adapted the guidelines into a draft code of practice and launched a global, four‑month public consultation.
- Hundreds of stakeholders (governments, industry giants, SMEs, academia) submitted feedback.
6.3 From Draft to Formal Standard
- Selection of ETSI as the standards body:
- Known for fast, high‑quality AI & cyber‑security work.
- Produces free standards (unlike ISO, which charges fees).
- Technical Specification (TS) 104223 → European Norm (EN) 304223:
- The upgrade added an additional consultation round via CENELEC (the European Committee for Electrotechnical Standardization) and aligned the document with the EU AI Act, which is mandatory for firms operating in the EU.
- Supporting Documents:
- Technical Report TR 104128 – a freely available implementation guide with concrete examples (chatbots, fraud‑detection ML, LLM providers, etc.).
- Conformity‑assessment specification (pending, TS 104216) – will enable self‑assessment or third‑party certification of compliance.
6.4 Multi‑Stakeholder Validation
- The standard was tested with hundreds of organisations across all continents (except Antarctica).
- Input came from government, industry, academia, cyber‑security experts, AI researchers, and standards professionals.
7. Q&A – Highlights of Audience Interaction
| Question (summarised) | Speaker response & key points |
|---|---|
| Which provisions are mandatory? | Standards are voluntary overall, but within each principle mandatory clauses are expressed as “shall”. The exact list is in the EN 304223 document; the speaker could not recall them all on the spot. |
| Relation to Singapore’s AI verification framework | The speaker acknowledged the Singapore effort, noting that the UK work complements other national frameworks. The forthcoming conformity‑assessment will provide a concrete compliance test similar to what Singapore offers. |
| Keeping standards pace with rapid AI evolution | Standards take time; the UK will review the standard in 1–2 years and may provide annexes or supplementary guidance to capture emerging threats (e.g., AGI, generative AI). |
| Data minimisation & oversight in the 13 principles | The standard focuses on security of data (secure sourcing, handling, disposal) rather than ethical limits on data quantity. Data‑minimisation is addressed by other ethics‑focused standards, which the UK supports in parallel. Oversight is built in via role‑based responsibilities, documentation, and monitoring provisions. |
| Cross‑jurisdictional flexibility | The UK treats standards as voluntary, leaving it to other jurisdictions (e.g., EU AI Act) to decide whether to embed them in regulation. The upgrade to EN 304223 ensures EU‑compatibility, but the UK does not enforce it domestically. |
| Process of engaging with multiple SDOs and regulators | The team consulted ETSI, CENELEC, ISO, and national standards bodies (including India’s). The aim was to avoid duplication, ensure complementarity, and incorporate global viewpoints. |
| Implementation of the end‑of‑life principle | Currently only one principle (proper data/model disposal) exists; the team expects more research and future revisions to expand this area. |
| Monitoring emergent AI behaviour | Continuous monitoring (Principle 12) is essential; the standard encourages runtime behavioural analytics to detect unforeseen actions, acknowledging that future updates will be needed as AI capabilities evolve. |
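Principle 12’s continuous monitoring can start very simply. The sketch below is an illustrative design (not prescribed by the standard): it flags anomalous values in a stream of a runtime metric, such as requests per minute or refusal rate, using a rolling mean and standard deviation.

```python
from collections import deque
import math

class RollingAnomalyDetector:
    """Flag values more than `threshold` standard deviations away from
    the rolling mean of the last `window` observations."""

    def __init__(self, window=20, threshold=3.0):
        self.history = deque(maxlen=window)  # old values drop off automatically
        self.threshold = threshold

    def observe(self, value):
        anomalous = False
        if len(self.history) >= 2:
            mean = sum(self.history) / len(self.history)
            var = sum((x - mean) ** 2 for x in self.history) / len(self.history)
            std = math.sqrt(var)
            if std > 0 and abs(value - mean) / std > self.threshold:
                anomalous = True
        self.history.append(value)
        return anomalous

# Simulated metric stream: stable baseline, then a sudden spike.
detector = RollingAnomalyDetector(window=10, threshold=3.0)
stream = [100, 102, 99, 101, 100, 98, 103, 100, 101, 99, 250]
flags = [detector.observe(v) for v in stream]
print(flags)  # only the final spike (250) is flagged
```

Production monitoring would track many metrics and feed alerts into incident response, but even this minimal pattern catches the kind of abrupt behavioural shift the principle is aimed at.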
8. Future Work & Closing Remarks
- Upcoming Conformity‑Assessment (TS 104216) – expected within a few months; will be free and may support either self‑assessment or third‑party certification.
- Planned review of the standard in 1–2 years to incorporate new research on AI threats, emergent behaviours, and end‑of‑life processes.
- Commitment to maintain open dialogue with global partners, industry bodies, and the public to keep the guidance relevant, practical, and widely adoptable.
Key Takeaways
- The UK government, via the UK AI Security Institute and NCSC, is leading the creation of the world’s first global AI‑security technical standard.
- 13 baseline security principles cover the entire AI lifecycle—from awareness in the design phase to secure decommissioning.
- The standard was developed through an extensive multi‑stakeholder, multi‑jurisdictional process, involving ≈20 national cyber‑security agencies, ETSI, CENELEC, and global industry/academic input.
- Technical Specification TS 104223 (now EN 304223) provides the core security requirements; TR 104128 offers a practical implementation guide; a conformity‑assessment (TS 104216) is forthcoming.
- Mandatory provisions are expressed as “shall” clauses within the standard; the overall framework is voluntary, leaving room for national regulation (e.g., the EU AI Act).
- The standard is free to access, supporting both large corporations and small‑scale developers.
- Ongoing updates and supplementary annexes are planned to keep pace with rapid AI advances and emerging threats such as adversarial attacks, data poisoning, and model inversion.
- Cross‑jurisdictional alignment was a design priority – the UK consulted with ISO, ETSI, CENELEC, and national bodies (including India) to ensure the standard is globally applicable.
- Future work includes finalising the conformity‑assessment, expanding guidance on AI end‑of‑life disposal, and revisiting the principles within the next 1‑2 years as the AI threat landscape matures.
See Also:
- navigating-the-ai-regulatory-landscape-a-cross-compliance-framework-for-safety-and-governance
- building-sovereign-deep-tech-for-a-resilient-future-solutions-from-finland-and-india
- enterprise-adoption-of-responsible-ai-challenges-frameworks-and-solutions
- responsible-ai-at-scale-governance-integrity-and-cyber-readiness-for-a-changing-world
- governing-safe-and-responsible-ai-within-digital-public-infrastructure
- shaping-secure-ethical-and-accountable-ai-systems-for-a-shared-future
- scaling-trusted-ai-for-8-billion
- ai-capacity-building-scaling-knowledge-driving-innovation
- welfare-for-all-ensuring-equitable-ai-growth-across-the-worlds-largest-and-oldest-democracies
- best-practices-from-the-international-network-for-advanced-ai-measurement-evaluation-and-science