2.2_vulnerability_actors_part2.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>2.2 AI system security vulnerabilities and attacks - Vulnerability (Actors)</title>
<link href="https://fonts.googleapis.com/css2?family=Figtree:wght@300;400;500;600;700&display=swap" rel="stylesheet">
<style>
* {
margin: 0;
padding: 0;
box-sizing: border-box;
}
body {
font-family: 'Figtree', -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
background-color: #ffffff;
color: #000000;
line-height: 1.3;
}
.container {
max-width: 1200px;
margin: 0 auto;
padding: 8px;
flex: 1;
min-width: 200px;
overflow-wrap: break-word;
word-break: break-word;
}
h1 {
text-align: center;
margin-bottom: 8px;
color: #000000;
font-weight: 600;
font-size: 18px;
}
.selection-title {
text-align: center;
font-size: 14px;
font-weight: 600;
color: #666666;
margin-bottom: 10px;
}
.nav-pills {
display: flex;
flex-wrap: wrap;
gap: 4px;
margin-bottom: 15px;
justify-content: center;
}
.nav-pill {
background: #f8f9fa;
border: 1px solid #e0e0e0;
border-radius: 25px;
padding: 12px 20px;
cursor: pointer;
font-family: 'Figtree', sans-serif;
font-size: 16px;
font-weight: 500;
transition: all 0.3s ease;
color: #000000;
}
.nav-pill:hover {
background: #e9ecef;
border-color: #000000;
}
.nav-pill.active {
background: #000000;
color: white;
border-color: #000000;
}
.entity-section {
display: none;
}
.entity-section.active {
display: block;
}
.content-grid {
display: flex;
width: 100%;
gap: 4px;
}
.content-column {
background: #ffffff;
border: 1px solid #e0e0e0;
border-radius: 8px;
padding: 8px;
flex: 1;
min-width: 200px;
overflow-wrap: break-word;
word-break: break-word;
}
.criteria-header {
font-size: 12px;
font-weight: 600;
margin-bottom: 15px;
padding-bottom: 10px;
border-bottom: 2px solid;
}
.criteria-header.higher {
color: #FF0000;
border-bottom-color: #FF0000;
}
.criteria-header.lower {
color: #2E5C8A;
border-bottom-color: #2E5C8A;
}
.summary-section {
margin-bottom: 20px;
}
.summary-text {
margin-bottom: 15px;
font-weight: 500;
color: #000000;
font-size: 15px;
}
.quote-details {
margin-top: 15px;
}
.quote-toggle {
cursor: pointer;
color: #000000;
font-weight: 500;
font-size: 16px;
background-color: #ffff00;
padding: 10px 15px;
border-radius: 4px;
display: inline-block;
}
.quote-toggle:hover {
color: #333333;
}
.quote-list {
margin-top: 15px;
padding-left: 20px;
}
.quote-list li {
margin-bottom: 12px;
font-size: 16px;
padding: 10px 15px;
line-height: 1.3;
color: #000000;
}
@media (max-width: 768px) {
.content-grid {
gap: 4px;
}
.nav-pills {
justify-content: flex-start;
}
.nav-pill {
font-size: 16px;
padding: 4px 8px;
}
}
</style>
</head>
<body>
<div class="container">
<h1>2.2 AI system security vulnerabilities and attacks - Vulnerability (Actors)</h1>
<div class="selection-title">Select an actor:</div>
<div class="nav-pills">
<button class="nav-pill active" data-target="AIDeveloperSpecializedAI">
AI Developer (Specialized AI)
</button>
<button class="nav-pill" data-target="AIInfrastructureProvider">
AI Infrastructure Provider
</button>
<button class="nav-pill" data-target="AffectedStakeholder">
Affected Stakeholder
</button>
</div>
<div class="content-sections">
<div class="entity-section active" id="AIDeveloperSpecializedAI">
<div class="content-grid">
<div class="content-column">
<h3 class="criteria-header higher">Reasons for Higher Vulnerability</h3>
<div class="summary-section">
<p class="summary-text"><strong>AI-generated summary:</strong> One expert commented: "My ratings track where the attack surface and control plane actually live. Specialized devs (Extreme) operate in sensitive domains and often double as deployers, so one flaw bites harder."</p>
<details class="quote-details">
<summary class="quote-toggle">See all expert comments (1)</summary>
<ul class="quote-list">
<li>"My ratings track where the attack surface and control plane actually live. Specialized devs (Extreme) operate in sensitive domains and often double as deployers, so one flaw bites harder."</li>
</ul>
</details>
</div>
</div>
<div class="content-column">
<h3 class="criteria-header lower">Reasons for Lower Vulnerability</h3>
<div class="summary-section">
<p class="summary-text"><strong>AI-generated summary:</strong> [NO EXPERT COMMENTS PROVIDED]</p>
</div>
</div>
</div>
</div>
<div class="entity-section" id="AIInfrastructureProvider">
<div class="content-grid">
<div class="content-column">
<h3 class="criteria-header higher">Reasons for Higher Vulnerability</h3>
<div class="summary-section">
<p class="summary-text"><strong>AI-generated summary:</strong> Multiple respondents emphasized high-to-extreme vulnerability because infrastructure providers are critical points in the AI security chain where compromise can lead to widespread disruptions, large-scale attacks, and data loss. Lack of transparency and control over model updates poses systemic risks. They face multi-tenant isolation challenges, snapshot/backup vulnerabilities, and vector stores and observability pipelines that aggregate sensitive inputs. They control access, scalability, and system integrity, and breaches at this level can compromise multiple models and applications. They are increasingly targeted vectors due to centrality in system operation, particularly at communication and integration layers where local precision exists without global alignment.</p>
<details class="quote-details">
<summary class="quote-toggle">See all expert comments (2)</summary>
<ul class="quote-list">
<li>"AI governance actors, deployers, and infrastructure providers are increasingly targeted vectors due to their centrality in system operation and their dependence on legacy tools not built on deterministic or clarity-based frameworks. While individual users and affected stakeholders are indeed vulnerable, their exposure is often indirect or downstream. I raised the governance and infrastructure ratings to reflect systemic vulnerability at the communication and integration layers, particularly where local precision exists without global alignment. This lack of clarity between components is a primary vulnerability not accounted for by technical safeguards alone."</li> <li>"My ratings track where the attack surface and control plane actually live. Infra (High) faces multi-tenant isolation, snapshot/backup, vector stores, and observability pipelines that aggregate sensitive inputs."</li>
</ul>
</details>
</div>
</div>
<div class="content-column">
<h3 class="criteria-header lower">Reasons for Lower Vulnerability</h3>
<div class="summary-section">
<p class="summary-text"><strong>AI-generated summary:</strong> Several respondents argued minimal-to-moderate vulnerability, noting that infrastructure providers are likely to have the capacity to put security controls and risk mitigations in place. They would often not be the primary target (making them less exposed), nor would attacks impact them as much as developers or users. One didn't understand arguments about their proximity to model weights or exposure to toolchains, arguing these make infrastructure providers responsible (to protect assets under their control) but not vulnerable (they're not sensitive to the harm but to its causes).</p>
<details class="quote-details">
<summary class="quote-toggle">See all expert comments (2)</summary>
<ul class="quote-list">
<li>"AI Infrastructure Provider: I don't understand the arguments raised about their proximity to model weights or their exposure to toolchains. This makes them responsible (to protect the assets that are under their control), not vulnerable (they are not sensitive to the harm but to the causes of that harm)."</li> <li>"Upon further review, infrastructure providers seem also at least moderately vulnerable, although they are likely to have the capacity to put security controls and risk mitigations against adversarial attacks in place. They would often not be the primary target (which makes them less exposed), nor would such attacks impact them as much as the developers or users of these systems (as opposed to, e.g., leaked API keys or other unauthorized access)."</li>
</ul>
</details>
</div>
</div>
</div>
</div>
<div class="entity-section" id="AffectedStakeholder">
<div class="content-grid">
<div class="content-column">
<h3 class="criteria-header higher">Reasons for Higher Vulnerability</h3>
<div class="summary-section">
<p class="summary-text"><strong>AI-generated summary:</strong> Respondents emphasized moderate-to-high vulnerability because affected stakeholders (public, employees, customers) may suffer indirect consequences like algorithmic bias, data leaks, or erroneous automated decisions. While they don't control AI systems, impact can be significant. They experience indirect but significant harms including privacy loss, reputational damage, and erosion of digital trust. Although not interacting directly with system architecture, they're materially affected by breaches, insecure integrations, and downstream misuse of compromised models.</p>
<details class="quote-details">
<summary class="quote-toggle">See all expert comments (2)</summary>
<ul class="quote-list">
<li>"Affected stakeholders are extremely vulnerable because as attackers exploit AI systems, they will be used in attacks against 3rd parties - who are not the AI system users, owners, deployers."</li> <li>"My ratings track where the attack surface and control plane actually live. Affected stakeholders (Minimal) bear impacts but aren't on the controls."</li>
</ul>
</details>
</div>
</div>
<div class="content-column">
<h3 class="criteria-header lower">Reasons for Lower Vulnerability</h3>
<div class="summary-section">
<p class="summary-text"><strong>AI-generated summary:</strong> [NO EXPERT COMMENTS PROVIDED]</p>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="entity-section" id="AIDeployer">
<div class="content-grid">
<div class="content-column">
<h3 class="criteria-header higher">Reasons for Higher Vulnerability</h3>
<div class="summary-section">
<p class="summary-text"><strong>AI-generated summary:</strong> Deployers integrate AI into operational systems, exposing infrastructure, personnel, and customers to attacks like data exfiltration, adversarial manipulation, or denial-of-service. Because they run the live stack, deployers are prime targets for prompt injection and other attacks.</p>
<details class="quote-details">
<summary class="quote-toggle">See all expert comments (4)</summary>
<ul class="quote-list">
<li>"AI governance actors, deployers, and infrastructure providers are increasingly targeted vectors due to their centrality in system operation and their dependence on legacy tools not built on deterministic or clarity-based frameworks. While individual users and affected stakeholders are indeed vulnerable, their exposure is often indirect or downstream. I raised the governance and infrastructure ratings to reflect systemic vulnerability at the communication and integration layers, particularly where local precision exists without global alignment. This lack of clarity between components is a primary vulnerability not accounted for by technical safeguards alone."</li> <li>"Deployers integrate AI into operational systems, exposing their infrastructure, personnel, and customers to attacks such as data exfiltration, adversarial manipulation, or denial-of-service."</li> <li>"Increased Deployer vulnerability rating one level, accounting for organisations like retailers and the like potentially vulnerable to prompt injection. In general I think the expert median is too high, because each actor has reasons to be reluctant to adopt systems which are known to be prone to these risks, limiting exposure. The downside (sensitivity) is also much less severe (perhaps some financial harm or sensitive data leak) compared with other risks on the survey."</li> <li>"My ratings track where the attack surface and control plane actually live. Deployers (Extreme) run the live stack such as models, RAG, agents/plugins, CI/CD, secrets, logging. So they're the prime target for prompt injection, poisoning, artifact swap, key leakage, and supply-chain pivots."</li>
</ul>
</details>
</div>
</div>
<div class="content-column">
<h3 class="criteria-header lower">Reasons for Lower Vulnerability</h3>
<div class="summary-section">
<p class="summary-text"><strong>AI-generated summary:</strong> [NO EXPERT COMMENTS PROVIDED]</p>
</div>
</div>
</div>
</div>
<div class="entity-section" id="AIUser">
<div class="content-grid">
<div class="content-column">
<h3 class="criteria-header higher">Reasons for Higher Vulnerability</h3>
<div class="summary-section">
<p class="summary-text"><strong>AI-generated summary:</strong> End users interact with AI systems but usually lack technical expertise to detect or mitigate security risks. Exposure includes personal data leakage, AI-driven fraud, or manipulation (e.g., phishing via AI-generated content).</p>
<details class="quote-details">
<summary class="quote-toggle">See all expert comments (2)</summary>
<ul class="quote-list">
<li>"End users interact with AI systems but usually lack technical expertise to detect or mitigate security risks. Exposure includes personal data leakage, AI-driven fraud, or manipulation (e.g., phishing via AI-generated content)."</li> <li>"My ratings track where the attack surface and control plane actually live. Users (Moderate) get phished/jailbroken but don't operate systems."</li>
</ul>
</details>
</div>
</div>
<div class="content-column">
<h3 class="criteria-header lower">Reasons for Lower Vulnerability</h3>
<div class="summary-section">
<p class="summary-text"><strong>AI-generated summary:</strong> One respondent argued: "I see that the median expert assesses AI users as 'highly vulnerable' to AI system security attacks. I think users are sensitive to this risk, in that they would be harmed. But I don't think they are exposed in the relevant sense. It's the developers and deployers who are exposed. Yes, the consequence of many or most harms ultimately falls on users. But we are asking about the vulnerability to the risk vector, not the harm to the user."</p>
<details class="quote-details">
<summary class="quote-toggle">See all expert comments (1)</summary>
<ul class="quote-list">
<li>"I see that the median expert assesses AI users as 'highly vulnerable' to AI system security attacks. I think users are sensitive to this risk, in that they would be harmed. But I don't think they are exposed in the relevant sense. It's the developers and deployers who are exposed. Yes, the consequence of many or most harms ultimately falls on users. But we are asking about the vulnerability to the risk vector, not the harm to the user."</li>
</ul>
</details>
</div>
</div>
</div>
</div>
<div class="entity-section" id="AIGovernanceActor">
<div class="content-grid">
<div class="content-column">
<h3 class="criteria-header higher">Reasons for Higher Vulnerability</h3>
<div class="summary-section">
<p class="summary-text"><strong>AI-generated summary:</strong> Governance actors don't operate AI systems directly but are indirectly exposed through responsibility for enforcement, oversight, and policy. They're increasingly targeted vectors due to centrality in system operation, particularly at communication and integration layers. They're prime targets for influence and deception campaigns. If systems are attacked, governance actors will be first to be held accountable, making them vulnerable.</p>
<details class="quote-details">
<summary class="quote-toggle">See all expert comments (4)</summary>
<ul class="quote-list">
<li>"AI governance actors, deployers, and infrastructure providers are increasingly targeted vectors due to their centrality in system operation and their dependence on legacy tools not built on deterministic or clarity-based frameworks. While individual users and affected stakeholders are indeed vulnerable, their exposure is often indirect or downstream. I raised the governance and infrastructure ratings to reflect systemic vulnerability at the communication and integration layers, particularly where local precision exists without global alignment. This lack of clarity between components is a primary vulnerability not accounted for by technical safeguards alone."</li> <li>"Regulators are indirectly exposed: they don't operate AI systems directly, but are responsible for enforcement, oversight, and policy."</li> <li>"AI governance actors are a prime target for influence and deception campaigns."</li> <li>"If the system is attacked, then AI Governance Actors will be the first to be held accountable, so I believe they are extremely vulnerable"</li>
</ul>
</details>
</div>
</div>
<div class="content-column">
<h3 class="criteria-header lower">Reasons for Lower Vulnerability</h3>
<div class="summary-section">
<p class="summary-text"><strong>AI-generated summary:</strong> One respondent said: "My ratings track where the attack surface and control plane actually live. Deployers (Extreme) run the live stack such as models, RAG, agents/plugins, CI/CD, secrets, logging. Governance actors (Minimal) are targeted by influence, not runtime exploits."</p>
<details class="quote-details">
<summary class="quote-toggle">See all expert comments (1)</summary>
<ul class="quote-list">
<li>"My ratings track where the attack surface and control plane actually live. Deployers (Extreme) run the live stack such as models, RAG, agents/plugins, CI/CD, secrets, logging. Governance actors (Minimal) are targeted by influence, not runtime exploits."</li>
</ul>
</details>
</div>
</div>
</div>
</div>
<script>
// Wire each nav pill to the entity section whose id matches its data-target.
document.addEventListener('DOMContentLoaded', function() {
const pills = document.querySelectorAll('.nav-pill');
const sections = document.querySelectorAll('.entity-section');
pills.forEach(pill => {
pill.addEventListener('click', function() {
// Deactivate every pill and section, then activate the clicked pill and its section.
pills.forEach(p => p.classList.remove('active'));
sections.forEach(s => s.classList.remove('active'));
this.classList.add('active');
const targetId = this.getAttribute('data-target');
const targetSection = document.getElementById(targetId);
if (targetSection) {
targetSection.classList.add('active');
}
});
});
});
</script>
</body>
</html>