# AIGF Vector Catalog
title: AI Governance Framework Risk Vectors
metadata:
  id: AIR-VEC
  type: VectorCatalog
  gemara-version: "1.1.0"
  version: 0.1.0
  description: >
    AIGF risks expressed as Gemara vectors. Each vector describes a
    pathway through which AI system failures or negative outcomes
    may be realized in financial services deployments.
  author:
    id: finos
    name: FINOS
    type: Human

groups:
  - id: model-availability
    title: Model Availability
    description: >
      Foundation models often rely on GPU-heavy infrastructure hosted by third-party providers, introducing risks
      related to service availability and performance. Key threats include Denial of Wallet (excessive usage leading
      to cost spikes or throttling), outages from immature Technology Service Providers, and VRAM exhaustion due to
      memory leaks or configuration changes. These issues can disrupt operations, limit failover options, and
      undermine the reliability of LLM-based applications.
  - id: operational
    title: Operational
    description: >
      Risks arising from AI system behaviour, reliability, and
      operational characteristics that may impact business processes.
  - id: prompt-injection
    title: Prompt Injection
    description: >
      Prompt injection occurs when attackers craft inputs that manipulate a language model into producing
      unintended, harmful, or unauthorized outputs. These attacks can be direct—overriding the model’s
      intended behaviour—or indirect, where malicious instructions are hidden in third-party content and
      later processed by the model. This threat can lead to misinformation, data leakage, reputational damage,
      or unsafe automated actions, especially in systems without strong safeguards or human oversight.
  - id: data-poisoning
    title: Data Poisoning
    description: >
      Data poisoning occurs when adversaries tamper with training or fine-tuning data to manipulate an
      AI model’s behaviour, often by injecting misleading or malicious patterns. This can lead to biased
      decision-making, such as incorrectly approving fraudulent transactions or degrading model performance
      in subtle ways. The risk is heightened in systems that continuously learn from unvalidated or
      third-party data, with impacts that may remain hidden until a major failure occurs.
  - id: information-leakage
    title: Information Leakage
    description: >
      Using third-party hosted LLMs creates a two-way trust boundary where neither inputs nor outputs can be fully trusted.
      Sensitive financial data sent for inference may be memorized by models, leaked through prompt attacks, or exposed via
      inadequate provider controls. This risks exposing customer PII, proprietary algorithms, and confidential business
      information, particularly with free or poorly-governed LLM services.

vectors:
  - id: AIR-RC-001-01
    title: Model Memorization
    group: information-leakage
    description: >
      LLMs can memorize sensitive data from training or user interactions,
      later disclosing customer details, loan terms, or trading strategies
      in unrelated sessions. This includes cross-user leakage, where one
      user's sensitive data is disclosed to another.
  - id: AIR-RC-001-02
    title: Prompt-Based Data Extraction
    group: information-leakage
    description: >
      Adversaries craft prompts to extract memorized sensitive information
      from hosted models. Targeted prompt sequences can cause the model to
      reproduce confidential training data, PII, or proprietary algorithms
      that were not intended to be accessible.
  - id: AIR-RC-001-03
    title: Inadequate Provider Data Controls
    group: information-leakage
    description: >
      Insufficient sanitization, encryption, or access controls by hosted
      model providers increases disclosure risk. Providers may lack
      transparent mechanisms for how input data is processed, retained,
      or sanitized, leading to persistent exposure of proprietary data.
  - id: AIR-RC-001-04
    title: Provider Data Handling Deficiency
    group: information-leakage
    description: >
      Without clear contracts ensuring encryption, retention limits, and
      secure deletion, institutions lose control over sensitive data sent
      to hosted models. Providers may lack transparency about data
      processing and retention practices.
  - id: AIR-RC-001-05
    title: Fine-Tuning Data Exposure
    group: information-leakage
    description: >
      Using proprietary data for fine-tuning embeds sensitive information
      directly into model weights, potentially making it accessible to
      unauthorized users if access controls are inadequate.
  - id: AIR-SEC-009-01
    title: Training Data Manipulation
    group: data-poisoning
    description: >
      Adversaries alter training datasets by changing labels or injecting
      crafted data points with hidden patterns. In financial services,
      this includes marking fraudulent transactions as legitimate to
      corrupt fraud detection models, or embedding backdoor triggers
      exploitable after deployment.
  - id: AIR-SEC-009-02
    title: Continuous Learning Exploitation
    group: data-poisoning
    description: >
      Systems that continuously learn from new data are vulnerable when
      validation mechanisms are inadequate. Adversaries systematically
      feed misleading information over time to gradually skew
      decision-making in credit scoring, trading, or risk models.
  - id: AIR-SEC-009-03
    title: Third-Party Data Compromise
    group: data-poisoning
    description: >
      Financial institutions rely on external data feeds such as market
      data, credit references, and KYC/AML watchlists. Compromise of
      these sources introduces poisoned data that can unknowingly embed
      biases or vulnerabilities into downstream models.
  - id: AIR-SEC-009-04
    title: Bias Introduction
    group: data-poisoning
    description: >
      Deliberate data poisoning amplifies biases in credit scoring or
      loan approval models, leading to discriminatory outcomes and
      regulatory non-compliance. Effects are subtle and may remain
      hidden until major failures or regulatory interventions occur.
  - id: AIR-OP-007-01
    title: Denial of Wallet
    group: model-availability
    description: >
      Usage patterns inadvertently lead to excessive costs, throttling,
      or service disruptions. Overly long prompts from large document
      chunking, multimedia content, or token-expensive adversarial queries
      can exhaust token limits or drive up charges. Poorly throttled
      scripts or agentic systems may generate excessive API calls,
      overwhelming resources and bypassing capacity planning.
  - id: AIR-OP-007-02
    title: TSP Outage or Degradation
    group: model-availability
    description: >
      External technology service providers may lack operational maturity
      to maintain stable service levels, leading to unexpected outages or
      performance degradation under load. Tight coupling to a specific
      proprietary provider limits failover capability, violating business
      continuity expectations.
  - id: AIR-OP-007-03
    title: VRAM Exhaustion
    group: model-availability
    description: >
      Video RAM exhaustion on serving infrastructure compromises model
      responsiveness or triggers crashes. Causes include configuration
      changes that exceed available resources, caching strategies that
      trade VRAM for throughput, and memory leaks in model-serving
      libraries that prevent proper resource release.
  - id: AIR-SEC-010-01
    title: Direct Prompt Injection
    group: prompt-injection
    description: >
      Attackers interact directly with the LLM to override its intended
      behaviour. Crafted inputs attempt to bypass system prompts, ignore
      safety guardrails, or coerce the model into disclosing sensitive
      information. Requires no special privileges and can be executed
      through simple input manipulation.
  - id: AIR-SEC-010-02
    title: Indirect Prompt Injection
    group: prompt-injection
    description: >
      Malicious instructions are embedded in third-party content such as
      websites, emails, or uploaded documents. When the LLM processes
      this contaminated data, the injected prompts can hijack decision-making,
      escalate privileges, trigger unauthorized actions, or exfiltrate
      data being processed. Especially dangerous in automated workflows
      or multi-agent architectures.
  - id: AIR-SEC-010-03
    title: Model Profiling and Inversion
    group: prompt-injection
    description: >
      Sophisticated prompt injection techniques probe the internal
      structure of an LLM to extract model biases, proprietary system
      prompts, configurations, or training data used in fine-tuning or
      RAG corpora. Enables intellectual property theft, facilitates
      future attacks, or supports creation of clone models.
  - id: AIR-OP-018
    title: Model Overreach / Expanded Use
    group: operational
    description: >
      AI systems may be used beyond their originally intended and
      validated scope, leading to unreliable outputs in contexts the
      model was not designed or tested for. Scope creep can occur
      gradually as users discover new applications, or suddenly when
      systems are repurposed without adequate re-evaluation of risks
      and performance characteristics.
  - id: AIR-OP-020
    title: Reputational Risk
    group: operational
    description: >
      AI systems may generate outputs that are offensive, inappropriate,
      misleading, or otherwise damaging to the organization's
      reputation. This risk is amplified when attackers deliberately
      manipulate models into producing harmful content that is then
      attributed to the organization.