28 September - 1 October | Cardo Roma, Italy

Agnostic AI Protection Profile in the Era of the EU AI Act (B31b)

Explore developing AI-agnostic protection profiles aligned with the EU AI Act.
01 Oct 2026
11:15 am
Sala Cosmo II

The AI Act is impacting how developers must train, deploy and evaluate AI systems. While key elements of the Act focus on a quality management system for the purpose of developing AI models (i.e. any subset of learning-based methods), there are obvious technical aspects to be covered by harmonized standards. In that sense, JTC21 of CEN/CLC is playing a crucial role in defining these standards. In their work, the presenters propose a Common Criteria based cybersecurity evaluation of AI systems in an agnostic manner, for which they developed a modular protection profile covering the broader aspects of machine-learning-based systems. While the state of the art considers the cybersecurity of the AI model itself, with evaluation activities focusing on exploiting the model, the presenters showcase another logic: they demonstrate how vulnerability analysis and traditional penetration testing activities with a focus on AI-specific assets, well defined in the harmonized standard on cybersecurity (prEN 18282), can serve as a solid cybersecurity evaluation and certification of an AI system.