Security & Privacy
AI systems introduce new security and privacy risks — personal data in prompts, model outputs that may reveal sensitive training data, and third-party vendors with access to your users' information. This section covers the controls for handling personal data correctly, securing access, evaluating vendor risk, and meeting data retention obligations.
In This Section
PII Handling & Redaction
Identifying and redacting personal data before it reaches AI models — detection approaches, redaction strategies, and re-identification risks.
Encryption Basics
Encryption requirements for AI systems — data in transit, at rest, and in vector stores — and what your AI vendor's encryption covers.
Access Controls
Role-based access for AI tools and APIs, API key management, least-privilege principles, and audit trails for AI system access.
Vendor Risk Management
Evaluating AI vendors for security and privacy risk — what to assess, what certifications to require, and contract provisions that matter.
Data Retention
Retention obligations for AI interaction data — conversation logs, embeddings, fine-tuning data — and how to implement deletion rights.