github.com/gemaraproj/gemara@v1.3.0

test/test-data/good-aigf-vectors.yaml

# AIGF Vector Catalog
title: AI Governance Framework Risk Vectors
metadata:
  id: AIR-VEC
  type: VectorCatalog
  gemara-version: "1.1.0"
  version: 0.1.0
  description: >
    AIGF risks expressed as Gemara vectors. Each vector describes a
    pathway through which AI system failures or negative outcomes
    may be realized in financial services deployments.
  author:
    id: finos
    name: FINOS
    type: Human

groups:
  - id: model-availability
    title: Model Availability
    description: >
      Foundation models often rely on GPU-heavy infrastructure hosted by third-party providers, introducing risks
      related to service availability and performance. Key threats include Denial of Wallet (excessive usage leading
      to cost spikes or throttling), outages from immature Technology Service Providers, and VRAM exhaustion due to
      memory leaks or configuration changes. These issues can disrupt operations, limit failover options, and
      undermine the reliability of LLM-based applications.
  - id: operational
    title: Operational
    description: >
      Risks arising from AI system behaviour, reliability, and
      operational characteristics that may impact business processes.
  - id: prompt-injection
    title: Prompt Injection
    description: >
      Prompt injection occurs when attackers craft inputs that manipulate a language model into producing
      unintended, harmful, or unauthorized outputs. These attacks can be direct—overriding the model’s
      intended behaviour—or indirect, where malicious instructions are hidden in third-party content and
      later processed by the model. This threat can lead to misinformation, data leakage, reputational damage,
      or unsafe automated actions, especially in systems without strong safeguards or human oversight.
  - id: data-poisoning
    title: Data Poisoning
    description: >
      Data poisoning occurs when adversaries tamper with training or fine-tuning data to manipulate an
      AI model’s behaviour, often by injecting misleading or malicious patterns. This can lead to biased
      decision-making, such as incorrectly approving fraudulent transactions or degrading model performance
      in subtle ways. The risk is heightened in systems that continuously learn from unvalidated or
      third-party data, with impacts that may remain hidden until a major failure occurs.
  - id: information-leakage
    title: Information Leakage
    description: >
      Using third-party hosted LLMs creates a two-way trust boundary where neither inputs nor outputs can be fully trusted.
      Sensitive financial data sent for inference may be memorized by models, leaked through prompt attacks, or exposed via
      inadequate provider controls. This risks exposing customer PII, proprietary algorithms, and confidential business
      information, particularly with free or poorly-governed LLM services.

vectors:
  - id: AIR-RC-001-01
    title: Model Memorization
    group: information-leakage
    description: >
      LLMs can memorize sensitive data from training or user interactions,
      later disclosing customer details, loan terms, or trading strategies
      in unrelated sessions. This includes cross-user leakage, where one
      user's sensitive data is disclosed to another.
  - id: AIR-RC-001-02
    title: Prompt-Based Data Extraction
    group: information-leakage
    description: >
      Adversaries craft prompts to extract memorized sensitive information
      from hosted models. Targeted prompt sequences can cause the model to
      reproduce confidential training data, PII, or proprietary algorithms
      that were not intended to be accessible.
  - id: AIR-RC-001-03
    title: Inadequate Provider Data Controls
    group: information-leakage
    description: >
      Insufficient sanitization, encryption, or access controls by hosted
      model providers increases disclosure risk. Providers may lack
      transparent mechanisms for how input data is processed, retained,
      or sanitized, leading to persistent exposure of proprietary data.
  - id: AIR-RC-001-04
    title: Provider Data Handling Deficiency
    group: information-leakage
    description: >
      Without clear contracts ensuring encryption, retention limits, and
      secure deletion, institutions lose control over sensitive data sent
      to hosted models. Providers may lack transparency about data
      processing and retention practices.
  - id: AIR-RC-001-05
    title: Fine-Tuning Data Exposure
    group: information-leakage
    description: >
      Using proprietary data for fine-tuning embeds sensitive information
      directly into model weights, potentially making it accessible to
      unauthorized users if access controls are inadequate.
  - id: AIR-SEC-009-01
    title: Training Data Manipulation
    group: data-poisoning
    description: >
      Adversaries alter training datasets by changing labels or injecting
      crafted data points with hidden patterns. In financial services,
      this includes marking fraudulent transactions as legitimate to
      corrupt fraud detection models, or embedding backdoor triggers
      exploitable after deployment.
  - id: AIR-SEC-009-02
    title: Continuous Learning Exploitation
    group: data-poisoning
    description: >
      Systems that continuously learn from new data are vulnerable when
      validation mechanisms are inadequate. Adversaries systematically
      feed misleading information over time to gradually skew
      decision-making in credit scoring, trading, or risk models.
  - id: AIR-SEC-009-03
    title: Third-Party Data Compromise
    group: data-poisoning
    description: >
      Financial institutions rely on external data feeds such as market
      data, credit references, and KYC/AML watchlists. Compromise of
      these sources introduces poisoned data that can unknowingly embed
      biases or vulnerabilities into downstream models.
  - id: AIR-SEC-009-04
    title: Bias Introduction
    group: data-poisoning
    description: >
      Deliberate data poisoning amplifies biases in credit scoring or
      loan approval models, leading to discriminatory outcomes and
      regulatory non-compliance. Effects are subtle and may remain
      hidden until major failures or regulatory interventions occur.
  - id: AIR-OP-007-01
    title: Denial of Wallet
    group: model-availability
    description: >
      Usage patterns inadvertently lead to excessive costs, throttling,
      or service disruptions. Overly long prompts from large document
      chunking, multimedia content, or token-expensive adversarial queries
      can exhaust token limits or drive up charges. Poorly throttled
      scripts or agentic systems may generate excessive API calls,
      overwhelming resources and bypassing capacity planning.
  - id: AIR-OP-007-02
    title: TSP Outage or Degradation
    group: model-availability
    description: >
      External technology service providers may lack operational maturity
      to maintain stable service levels, leading to unexpected outages or
      performance degradation under load. Tight coupling to a specific
      proprietary provider limits failover capability, violating business
      continuity expectations.
  - id: AIR-OP-007-03
    title: VRAM Exhaustion
    group: model-availability
    description: >
      Video RAM exhaustion on serving infrastructure compromises model
      responsiveness or triggers crashes. Causes include configuration
      changes that exceed available resources, caching strategies that
      trade VRAM for throughput, and memory leaks in model-serving
      libraries that prevent proper resource release.
  - id: AIR-SEC-010-01
    title: Direct Prompt Injection
    group: prompt-injection
    description: >
      Attackers interact directly with the LLM to override its intended
      behaviour. Crafted inputs attempt to bypass system prompts, ignore
      safety guardrails, or coerce the model into disclosing sensitive
      information. Requires no special privileges and can be executed
      through simple input manipulation.
  - id: AIR-SEC-010-02
    title: Indirect Prompt Injection
    group: prompt-injection
    description: >
      Malicious instructions are embedded in third-party content such as
      websites, emails, or uploaded documents. When the LLM processes
      this contaminated data, the injected prompts can hijack decision-making,
      escalate privileges, trigger unauthorized actions, or exfiltrate
      data being processed. Especially dangerous in automated workflows
      or multi-agent architectures.
  - id: AIR-SEC-010-03
    title: Model Profiling and Inversion
    group: prompt-injection
    description: >
      Sophisticated prompt injection techniques probe the internal
      structure of an LLM to extract model biases, proprietary system
      prompts, configurations, or training data used in fine-tuning or
      RAG corpora. Enables intellectual property theft, facilitates
      future attacks, or supports creation of clone models.
  - id: AIR-OP-018
    title: Model Overreach / Expanded Use
    group: operational
    description: >
      AI systems may be used beyond their originally intended and
      validated scope, leading to unreliable outputs in contexts the
      model was not designed or tested for. Scope creep can occur
      gradually as users discover new applications, or suddenly when
      systems are repurposed without adequate re-evaluation of risks
      and performance characteristics.
  - id: AIR-OP-020
    title: Reputational Risk
    group: operational
    description: >
      AI systems may generate outputs that are offensive, inappropriate,
      misleading, or otherwise damaging to the organization's
      reputation. This risk is amplified when attackers deliberately
      manipulate models into producing harmful content that is then
      attributed to the organization.