RAIRC03-BP05 Measure privacy protection
Measure how well your system protects each type of confidential or personal information that your risk assessment identified as at risk. This may include detecting privacy leaks, unauthorized data access patterns, or inappropriate data retention issues your risk assessment determined to be most likely or impactful. Assess private data identification and redaction capabilities for the data types that your risk assessment prioritized and consult with your legal team on the specific privacy regulations relevant to your use case.
Level of risk exposed if this best practice is not established: High
Implementation considerations
-
Build privacy attack tests that target the vulnerabilities your RAIBR02 risk assessment found, using both automated tools such as Promptfoo
and manual testing to check for membership inference, data extraction, and prompt injections. Create standard test cases with clear success measures and document your testing methods so you can repeat them across different system versions. -
Set up automated detection tests that check your system's ability to find and remove the types of confidential and personal information that your risk assessment prioritized. Build testing pipelines that measure how accurately your system detects these data types.
Resources
Related documents:
-
ISO/IEC 42001:2023
A.6.2.4 AI system verification and validation -
Remove PII from conversations by using sensitive information filters
Related tools: