MITRE partners with Robust Intelligence to tackle AI supply chain risks in open-source models
MITRE is collaborating with Robust Intelligence to enhance a free tool that helps organizations assess the supply chain risks of the artificial intelligence (AI) models that are publicly available online today.
The collaboration also includes work with Indiana University to develop automated risk assessment tools.
The availability of sophisticated models in public repositories has made it easier for organizations to incorporate AI into their systems. However, there are few tools for independent testing to examine risk.
In response, Robust Intelligence created the AI Risk Database in March 2023 as a community resource. After enhancing it further in collaboration with MITRE, a new open-source version is now available on GitHub with a long-term plan to host it under the broader set of MITRE ATLAS tools.
ATLAS is a globally accessible knowledge base that includes a list of adversary tactics and techniques based on real-world attack observations and AI red teaming. ATLAS also includes links to other tools that allow for the emulation of attacks.
The Robust Intelligence and MITRE collaboration will characterize and operationalize risks in forms such as risk scores, known software vulnerabilities, and related CVEs. Those characterizations will raise awareness of the risks and vulnerabilities that can arise when organizations use open-source AI models.
“This collaboration and release of the AI Risk Database can directly enable more organizations to see for themselves how they are directly at risk and vulnerable in deploying specific types of AI-enabled systems,” said Douglas Robbins, MITRE VP, engineering and prototyping. “As the latest open-source tool under MITRE ATLAS, this capability will continue to inform risk assessment and mitigation priorities for organizations around the globe.”
Researchers at Indiana University’s Kelley’s Data Science and Artificial Intelligence Lab are also incorporating an ability to scan GitHub repositories used to create models available on third-party platforms, allowing users to spot publicly reported software vulnerabilities that exist upstream of the delivered model artifact.
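The upstream check described above, in its simplest form, compares the dependencies pinned in a model's build repository against published advisories. The following is an added illustration written for this page; it is not code from the AI Risk Database or Indiana University's scanner, and the package names, advisory identifiers, version ranges and requirements file are all constructed placeholders.

```python
"""Illustrative upstream-dependency check for a model's build repository.

Constructed sample data throughout; not the AI Risk Database's format or logic.
Reads a pinned requirements file, compares each pin against a list of
advisories with an affected version range, and reports matches.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Parse a dotted integer version into a comparable tuple.

    Assumption: plain numeric versions only; pre-release suffixes such as
    'rc1' are not handled here.
    """
    return tuple(int(part) for part in v.strip().split("."))


def parse_requirements(text: str) -> Dict[str, str]:
    """Return {package: pinned_version} for 'name==version' lines.

    Comments and blank lines are skipped; unpinned lines are ignored because
    a range cannot be matched against an advisory without a concrete version.
    """
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


@dataclass
class Advisory:
    identifier: str   # placeholder id; a real feed would supply actual ids
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" if no fix yet
    summary: str


def affected(pin: str, adv: Advisory) -> bool:
    """True if the pinned version lies in [introduced, fixed)."""
    v = parse_version(pin)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed and v >= parse_version(adv.fixed):
        return False
    return True


def scan(requirements_text: str, advisories: List[Advisory]) -> List[Dict[str, str]]:
    """Match pinned dependencies against advisories and return the findings."""
    pins = parse_requirements(requirements_text)
    findings: List[Dict[str, str]] = []
    for adv in advisories:
        pin = pins.get(adv.package.lower())
        if pin is not None and affected(pin, adv):
            findings.append({
                "package": adv.package,
                "pinned": pin,
                "advisory": adv.identifier,
                "summary": adv.summary,
            })
    return findings


# Constructed requirements.txt for a hypothetical model-training repository.
SAMPLE_REQUIREMENTS = """
# training dependencies (constructed sample)
examplelib==2.3.1
tokenizekit==0.9.0
plotutils==1.2.0  # reporting only
"""

# Constructed advisories with placeholder identifiers and made-up ranges.
SAMPLE_ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-001", "examplelib", "2.0.0", "2.4.0",
             "constructed: unsafe deserialization in model loader"),
    Advisory("ADV-PLACEHOLDER-002", "tokenizekit", "0.5.0", "0.9.0",
             "constructed: fixed in 0.9.0, so the pin above is not affected"),
    Advisory("ADV-PLACEHOLDER-003", "plotutils", "1.0.0", "",
             "constructed: no fixed release yet"),
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES):
        print(f"{finding['package']}=={finding['pinned']}: "
              f"{finding['advisory']} ({finding['summary']})")
```

The boundary handling is the point worth noticing: a pin equal to the advisory's fixed version is reported as clean, and an advisory with no fixed version matches every pin at or above the introduced version, which is the case a reviewer of a model's upstream repository most needs surfaced.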
“Most organizations today acknowledge that AI supply chain risk is an important yet unmanaged aspect of their AI stack. We are thrilled to partner with MITRE to further advance our goal of helping organizations easily assess the security, ethical, and operational risk of public models,” explained Yaron Singer, CEO of Robust Intelligence. “MITRE ATLAS is the ideal steward for the AI Risk Database. Our joint expertise and breadth will empower the safe use of open-source models in the years to come.”
MITRE, Robust Intelligence, and the broader AI security and assurance community will continue working together to expand the impact and utility of the AI Risk Database as a free and community-supported resource.