Position: Mind the Gap-AI Security and the Limits of Current Reporting Standards

TL;DR

This paper critically examines the limitations of current AI security incident reporting standards, emphasizing the need for specialized practices as AI systems and agents become more prevalent.

Contribution

It highlights fundamental shortcomings of existing reporting practices for AI security and advocates for developing specialized standards tailored to AI systems.

Findings

Current AI incident reporting practices are misaligned with AI security needs.

Existing standards do not address AI-specific characteristics and challenges.

The rise of AI agents necessitates advanced, specialized security incident reporting.

Abstract

AI systems face a growing number of AI security threats that are increasingly exploited in the real world. Hence, shared AI incident reporting practices are emerging in industry as best practice and as mandated by regulatory requirements. Although non-AI cybersecurity and non-security AI reporting have progressed as industrial and policy norms, existing collections of practices do not meet the specific requirements posed by AI security reporting. we argue that established processes are not well aligned with AI security reporting due to fundamental shortcomings for the distinctive characteristics of AI systems. Some of these shortcomings are immediately addressable, while others remain unresolved technically or within social systems, like the treatment of IP or the ownership of a vulnerability. Based on this position, we examine the limitations of current AI security incident reporting proposals. We conclude that the advent of AI agents will further reinforce the need to advance specialized AI security incident reporting.