Dejan KosuticThis article is based on an episode from the Cyber & AI Perspectives podcast. Prefer listening instead? Listen to the audio version below.
Cybersecurity has relied on a guiding principle, or principles, for more than 30 years: confidentiality, integrity, and availability — the C-I-A Triad. But now we face an even bigger challenge: how to govern artificial intelligence. And surprisingly, some of the lessons we learned from the C-I-A Triad may also help us tackle one of the biggest questions in AI governance: how to build trustworthy AI.
The C-I-A Triad changed cybersecurity by giving companies a clear way to manage risks. Now, AI governance frameworks are using trustworthiness in a similar way — as the key principle for identifying, prioritizing, and reducing AI risks.
Why is the C-I-A Triad important for cybersecurity?
Let’s dive first into the C-I-A Triad — since it was first introduced back in 1990, it has become the ultimate guiding principle for handling cybersecurity because it gives security professionals a clear goal regarding what needs to be achieved when protecting data.
So, how does the C-I-A Triad help companies? It gives them a clear direction on how to manage risks.
Risk identification. First, it helps them identify risks because, when assessing risks, you ask yourself: What can negatively impact the confidentiality, integrity, or availability of my data? Then you start to find the risks related to an unauthorized entity accessing or changing your data, as well as the risks of losing your data.
Risk analysis. Second, it helps you assess how important those risks are, because you can measure the potential impact of incidents on the confidentiality, integrity, and availability of your data. This way, out of hundreds or thousands of identified risks, you can distinguish which are the most important ones to focus on.
Risk treatment. Finally, the third way the C-I-A Triad helps is by enabling you to select controls based on how they mitigate negative impacts on confidentiality, integrity, and availability.
For example, when you create backups, you protect data against loss, which means you’re protecting the availability of data. But you’re also protecting data integrity because, if data becomes corrupted on your production systems, you can restore uncorrupted data from backups. When you encrypt data, you protect its confidentiality, but also its integrity because, if the data cannot be accessed, it cannot be corrupted, either.
Importance of trustworthiness for AI
Now let’s switch to AI governance. According to three out of the four leading AI governance frameworks (the OECD AI Principles, the EU AI Act, and the NIST AI Risk Management Framework), trustworthiness is the leading principle for AI systems, just like the C-I-A Triad is for cybersecurity.
And funnily enough, the fourth framework, and also my favorite, ISO 42001, does mention trustworthiness, but it does not set it as the main principle. However, I’m sure this will be corrected in the next revision of this standard.
Why is trustworthiness such a great leading principle for AI? When you think about it, one of the biggest challenges with AI systems is that, unlike traditional software, they are not deterministic. Give an AI system the same set of inputs multiple times, and it will provide a different output each time. As a consequence, companies are often hesitant to deploy AI in critical operations because they don’t know whether everything will turn out as expected. From that perspective, trustworthiness becomes a key condition that must be fulfilled before AI is adopted more broadly.
What can AI governance learn from cyber?
Similar to the C-I-A Triad, when you set trustworthiness as the ultimate goal, it becomes easier to introduce AI governance into companies. And here is the interesting part: In the same way that the C-I-A Triad provides direction for managing cybersecurity risks, trustworthiness provides direction for managing AI risks.
When keeping trustworthiness in mind as a guiding principle, first of all, it becomes easier to identify which risks exist. If AI produces outputs that are biased, this will decrease trust in a particular AI system — for example, if an AI system that approves loans in a bank prefers men over women, then both employees and customers will not trust such a system anymore.
Second, you can measure how significant those risks are by assessing their impact on trust. Following the same example, using questionnaires or some other methods, you can measure the reputational damage to this bank.
And third, when selecting controls to reduce AI risks, you can evaluate those controls based on how they help build or preserve trust. In the case of this bank, you could choose training data that you trust or introduce a trusted person to review all loan decisions.
Addressing larger challenges
But there are other major challenges with AI. As Anthropic’s AI model (called Mythos) has shown, AI has the capability to find vulnerabilities in almost any IT system. Furthermore, it is believed that AI models will soon be capable of suggesting ways to create biological weapons. In both cases, if such AI models fall into the wrong hands, they could cause catastrophic consequences.
This means that we need to be able to trust not only the AI systems we deploy, but also the companies developing AI models — and this brings trustworthiness to a different level. But again, trustworthiness can provide the same direction here — first for identifying risks, then for prioritizing them, and finally for implementing controls to reduce those risks.
Finally, AI systems will change the entire economy by automating many processes and leaving many people without work, or significantly changing the nature of their work. This means we need to trust our societies and governments to make this transition as humane as possible. Indeed, this is trustworthiness on a whole new level. Can trustworthiness provide direction for managing this difficult societal transition ahead of us in the same way as for AI deployment and for AI development? Maybe — time will tell.
But in any case, there is a lot we can learn from cybersecurity that can be applied to AI.
Here’s a video that explains in more detail goals that support this overall concept of trustworthiness: AI Goals and Objectives: Why is Trustworthiness Important? | AI Literacy Series