Skip to content
VigilGuard Logo VigilGuard
Contact Us
EASM Platform VendorGuard ITRM Platform

AI Governance

AI Governance

Section titled “AI Governance”

5 automated security scanners

Model Monitoring Implementation

Section titled “Model Monitoring Implementation”

Purpose: The purpose of the Model Monitoring Implementation Scanner is to detect and assess the effectiveness of performance tracking, drift detection, and alert mechanisms within a company’s AI governance framework. This tool aims to ensure that models are monitored effectively, and any deviations from expected behavior are promptly identified and addressed.

What It Detects:

  • Performance Tracking Indicators: The scanner identifies mentions of KPIs (Key Performance Indicators) related to model performance, including references to metrics such as accuracy, precision, recall, F1-score, etc.
  • Drift Detection Mechanisms: The tool searches for descriptions of how the company monitors data drift and concept drift through statistical tests or anomaly detection methods.
  • Alert Mechanisms: It identifies processes and tools in place to alert stakeholders when model performance degrades or when drift is detected, including notification systems, dashboards, or automated alerts.
  • Documentation of Monitoring Practices: The scanner checks for the presence of documented policies and procedures related to model monitoring, such as regular audits, reviews, or updates to monitoring strategies.
  • Compliance with Standards: It detects references to compliance with industry standards in AI governance and model monitoring, including ISO/IEC 27001, SOC 2, penetration tests, or vulnerability assessments.

Inputs Required:

  • domain (string): The primary domain of the company’s website to be analyzed (e.g., acme.com).
  • company_name (string): The name of the company for which the statement searching is conducted (e.g., “Acme Corporation”).

Business Impact: Monitoring model performance and detecting deviations is crucial for maintaining the reliability and accuracy of AI models, which directly impacts decision-making processes and overall business operations.

Risk Levels:

  • Critical: Conditions that could lead to severe consequences, such as significant financial loss or legal repercussions due to incorrect model predictions.
  • High: Conditions where model performance degrades significantly, potentially affecting critical business functions or regulatory compliance.
  • Medium: Conditions where there is a moderate risk of performance issues or drift detection failures, requiring immediate attention but not posing an imminent threat.
  • Low: Conditions with minimal impact on model performance and monitoring effectiveness, generally considered less urgent unless they escalate in severity.
  • Info: Informal findings that provide supplementary information about the company’s AI governance practices without directly impacting operational risk.

Example Findings:

  1. “We have implemented a system to track accuracy and precision metrics for all model predictions.”
  2. “Our data drift monitoring includes regular statistical tests to ensure real-time adjustments are made based on input changes.”

Model Documentation Currency

Section titled “Model Documentation Currency”

Purpose: Ensures that the security documentation of a company is up-to-date by detecting recent updates to specifications, current limitations, and evaluation results. This helps in maintaining compliance and trustworthiness in the organization’s AI governance framework.

What It Detects:

  • Identifies recent changes or additions to technical specifications, looking for timestamps or version numbers indicating updates.
  • Detects sections that outline current limitations of the models, ensuring these limitations are clearly documented and up-to-date.
  • Finds references to recent evaluations, audits, or assessments, checking for dates associated with evaluation results to ensure recency.
  • Searches for key security policy terms such as “security policy,” “incident response,” “data protection,” and “access control.”
  • Looks for compliance certifications like SOC 2, ISO 27001, penetration tests, and vulnerability scans.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”)

Business Impact: Ensuring that the security documentation is up-to-date and comprehensive helps in maintaining compliance with regulatory requirements, enhancing trust among stakeholders, and ensuring the reliability of AI models used within the organization.

Risk Levels:

  • Critical: The scanner identifies significant updates to technical specifications or limitations that have not been documented, which could lead to non-compliance with legal and contractual obligations.
  • High: Incomplete or outdated documentation on current limitations can result in operational risks, including potential system failures or security breaches due to unaddressed vulnerabilities.
  • Medium: Lack of clear policy statements regarding data protection and access control might lead to uncertainty about how personal information is handled within the organization, affecting user trust but not posing immediate risk.
  • Low: Informational findings such as minor updates in specifications without significant impact on compliance or security could be considered for future enhancements rather than critical issues.

Example Findings:

  1. The documentation lacks a recent update to technical specifications despite multiple versions being released by the vendor.
  2. Current limitations are not documented, which might lead to unacknowledged risks during audits and assessments.

Model Testing Coverage

Section titled “Model Testing Coverage”

Purpose: The Model Testing Coverage Scanner is designed to ensure that the test set used for model evaluation accurately represents real-world scenarios and includes all necessary validation processes. It also identifies potential gaps in model performance by detecting edge cases, ensuring comprehensive documentation of testing procedures, and verifying compliance with relevant security standards.

What It Detects:

  • Test Set Representativeness: Checks if the test set includes a diverse range of data points that reflect real-world scenarios, identifying any significant imbalances or omissions in the test data distribution compared to production data.
  • Validation Completeness: Verifies that all necessary validation steps are documented and executed, covering various aspects such as accuracy, precision, recall, and F1-score.
  • Edge Case Inclusion: Detects whether edge cases (rare or unusual data points) are included in the test set, identifying gaps where critical edge cases might be overlooked, leading to potential model failures.
  • Documentation Review: Examines company security documentation for mentions of testing and validation processes, ensuring clear guidelines and procedures are outlined for ensuring test set quality and completeness.
  • Compliance Certification Verification: Searches for compliance certifications related to AI governance and data handling, validating adherence to standards such as SOC 2, ISO 27001, and other relevant certifications.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”)

Business Impact: Ensuring that the test set used for model evaluation is representative of operational data and that all necessary validation processes are complete helps in identifying potential gaps in model performance, which is crucial for maintaining a robust and accurate machine learning model. This directly impacts the security posture by preventing potential failures and ensuring compliance with industry standards.

Risk Levels:

  • Critical: Conditions where significant imbalances or omissions in the test data distribution compared to production data are detected, leading to potential performance gaps in the model.
  • High: Conditions where necessary validation steps are not documented or executed correctly, affecting the overall accuracy and reliability of the model.
  • Medium: Conditions where edge cases are overlooked, potentially impacting the robustness and generalizability of the model.
  • Low: Informal documentation practices that do not significantly impact the testing or validation process but still contribute to maintaining best practices in AI governance.
  • Info: Compliance with basic security policies and procedures without specific implications for critical risks.

Example Findings:

  1. The test set includes only a limited variety of data points, failing to represent real-world scenarios adequately.
  2. Key validation steps such as accuracy testing are missing from the documentation, raising concerns about the model’s performance metrics.

Retraining Frequency Adequacy

Section titled “Retraining Frequency Adequacy”

Purpose: Ensures that the AI models within an organization are regularly retrained to maintain accuracy and security. Detects training schedule adherence, update delays, and version staleness by analyzing company policies and documentation.

What It Detects:

  • Training Schedule Adherence: Checks for explicit mentions of regular model retraining schedules and identifies specific intervals (e.g., monthly, quarterly) for retraining.
  • Update Delays: Looks for indications of delayed or missed retraining cycles and detects any mention of outdated models being in use.
  • Version Staleness: Searches for references to model versions and their last update dates. Flags instances where the latest version is not mentioned or appears stale.
  • Policy Compliance: Verifies that retraining policies align with industry standards and best practices. Checks for compliance certifications related to AI governance (e.g., SOC 2, ISO 27001).
  • Documentation Availability: Ensures that relevant documentation is accessible and up-to-date. Identifies gaps in security documentation that may indicate inadequate retraining processes.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”)

Business Impact: Regularly retraining AI models is crucial for maintaining their accuracy and security, which directly impacts the overall security posture of an organization. This ensures that models are continuously updated with new data and can adapt to changing patterns without becoming outdated or vulnerable.

Risk Levels:

  • Critical: Conditions where there are no explicit mentions of retraining schedules or when the latest model version is not mentioned, indicating a significant risk of performance degradation and potential security vulnerabilities.
  • High: Delays in retraining cycles that could lead to models being used with outdated data, increasing the likelihood of incorrect predictions and reduced trust in AI systems.
  • Medium: Stale references to previous versions without clear timelines for updating, which may not pose immediate risks but can become problematic over time if no action is taken.
  • Low: Compliance with general industry standards that do not specifically require regular retraining, though still important for maintaining model performance and security.
  • Info: Availability of documentation on retraining practices without specific details about schedules or compliance, providing basic transparency but lacking detailed governance around AI model maintenance.

Example Findings:

  1. The company’s privacy policy does not mention any regular updates to the machine learning algorithms used for data anonymization, indicating a potential risk in meeting GDPR requirements.
  2. A recent report indicates that the latest version of the anomaly detection model was released six months ago, but no mention is made of this update in the official documentation or communications with stakeholders.

Model Lifecycle Management

Section titled “Model Lifecycle Management”

Purpose: The Model_Lifecycle_Management Scanner is designed to ensure robust version control, deployment processes, and retirement procedures are in place to maintain the integrity and security of AI models throughout their lifecycle. This includes identifying presence or absence of version control systems, evaluating automated deployment pipelines, checking for compliance with regulatory requirements during retirement, and reviewing public policy pages for detailed descriptions of model lifecycle management practices.

What It Detects:

  • Version Control Practices: Identifies the presence or absence of version control systems (e.g., Git), checks for regular commits and branching strategies, and verifies code review processes before merging changes.
  • Deployment Processes: Evaluates automated deployment pipelines and CI/CD practices, detects manual deployment procedures that may introduce human error, and ensures proper configuration management during deployments.
  • Retirement Procedures: Identifies policies for decommissioning outdated models, checks for data deletion and cleanup processes post-retirement, and verifies compliance with regulatory requirements during retirement.
  • Security Documentation Review: Scans company security documentation for version control, deployment, and retirement procedures, looks for references to specific standards (e.g., SOC 2, ISO 27001).
  • Public Policy Pages and Trust Center Information: Reviews public policy pages for transparency on model lifecycle management practices and checks trust center information for detailed descriptions of version control, deployment, and retirement processes.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”)

Business Impact: Adequate management of AI models’ lifecycle is crucial for preventing vulnerabilities, unauthorized access, and compliance issues that can lead to significant security risks and potential regulatory non-compliance.

Risk Levels:

  • Critical: Conditions where version control systems are absent or insufficient, manual deployment procedures prevalent, or retirement policies fail to meet regulatory standards.
  • High: Conditions where automated deployment pipelines are inadequate, code review processes are lax, or there is a lack of detailed documentation on lifecycle management practices.
  • Medium: Conditions where compliance with certain standards (e.g., SOC 2) is partially met, but room for improvement exists in terms of automation and documentation completeness.
  • Low: Conditions where basic version control systems are present, deployment processes follow standard practices, and retirement procedures adhere to general regulatory guidelines.
  • Info: Conditions that merely indicate the presence of generic lifecycle management practices without specific concerns or areas needing attention.

Example Findings:

  1. A company lacks a formal version control system, which could lead to unauthorized modifications and loss of historical data.
  2. Manual deployment procedures are still in use despite the existence of automated CI/CD pipelines, increasing the risk of human error during deployments.