myctrl.tools
Compare

E010Establish AI acceptable use policy

>Control Description

Establish and implement an AI acceptable use policy

Application

Mandatory

Frequency

Every 12 months

Capabilities

Universal

>Controls & Evidence (4)

Legal Policies

E010.1
Documentation: AI acceptable use policy

Core - This should include:

- Defining prohibited AI usage for end-users. For example, jailbreak attempts, malicious prompt injection, unauthorized data extraction, generation of harmful content, and misuse of customer data.

Typical evidence: Policy document defining acceptable and/or prohibited AI usage - can be standalone document or parts of, e.g., terms of service
Location: Acceptable Use Policy

Technical Implementation

E010.2
Config: AUP violation detection

Core - This should include:

- Implementing detection and monitoring tools. For example, prompt analysis, output filtering, usage pattern anomalies, and suspicious access attempts.

Typical evidence: Screenshot of code, configuration, or monitoring system detecting acceptable use policy violations - may include prompt analysis logic, output filtering rules, anomaly detection for usage patterns, or alerting on suspicious access attempts.
Location: Engineering Code
E010.3
Demonstration: User notification for AUP breaches

Core - This should include:

- Implementing user feedback when policy is breached. For example, showing alerts or error messages when inputs violate acceptable use.

Typical evidence: Screenshot of user-facing alerts or error messages displayed when acceptable use policy is violated - may include in-product warning messages, blocked request notifications, or error screens explaining policy violations.
Location: Product
E010.4
Documentation: Guardrails enforcing acceptable use

Supplemental - This may include:

- Real-time monitoring, blocking, or alerting capabilities. - Maintaining logging and tracking systems. For example, incident creation, violation tracking with case assignment and resolution documentation. - Conducting regular effectiveness reviews. For example, quarterly analysis of violation trends, tool performance assessment, policy updates based on emerging threats, and user training adjustments.

Typical evidence: Documentation or screenshots showing additional AUP enforcement mechanisms - may include real-time blocking/alerting systems, violation tracking logs with incident management, effectiveness review reports analyzing violation trends and policy updates, or training materials addressing emerging misuse patterns.
Location: Engineering Practice

>Cross-Framework Mappings

NIST AI RMF

GOVERN-2.2
GOVERN-3.2
MAP-1.3

OWASP Top 10 for LLMs

LLM10
Compare

Ask AI

Configure your API key to use AI features.