GenAI Applications¶

PAIG can be used to secure and govern any GenAI applications. It offers comprehensive features such as data access controls, masking, encryption, policy-based prompts, response handling, and sensitive data redaction, tailored for enhancing the security and privacy of GenAI applications. Here are some examples of GenAI applications which it can secure and govern:

• Chatbot Applications: Among the most prevalent AI tools, chatbots facilitate real-time interaction. They provide information or execute tasks based on user inputs. Examples include:

  • Internal HR & IT Support: Assisting employees with queries related to benefits, payroll, or tech issues, streamlining enterprise internal services.
  • Customer Support: Addressing external user queries swiftly.
  • Banking: Furnishing details about user accounts.
  • Healthcare: Offering patient-related information or health advisories.

• AI as a Service (AIaaS): This model offers GenAI functionalities to other platforms or applications. Examples of GenAI services include:

  • Content Summarization: Auto-generating concise summaries for long documents, useful in legal or research contexts.
  • Language Translation Services: Enabling real-time translation for global business communications or content localization.
  • Sentiment Analysis: Analyzing social media or customer feedback to gauge brand perception and adapt strategies.

• Automated Tools: Designed to execute specific tasks, these tools are ubiquitous across industries:

  • Banking: Processing customer tickets or feedback.
  • Healthcare: Evaluating patient feedback or medical records.
  • Retail: Analyzing customer reviews to enhance service quality.

To manage and govern your AI applications, you'll first need to integrate them with PAIG and set up the necessary policies. After this setup, you'll be able to oversee your AI applications using PAIG's tools. For a smooth start, PAIG comes pre-configured with sample AI applications. You can either explore using these samples or introduce a new AI application to fully utilize PAIG's capabilities.

Key Features of PAIG for GenAI¶

1. Data Access Controls, Masking, and Encryption: Implement fine-grained data-level controls, efficiently mask, encrypt, or remove sensitive data in your pre-training data pipeline.

2. Policy-Based Allow/Deny Prompts and Responses: Real-time scanning of user inputs and queries for sensitive data, with privacy controls applied based on user identity, data access permissions, and governance policies.

3. Redact/De-identify Sensitive Data: Real-time detection and redaction of sensitive data elements in model responses, ensuring appropriate controls are in place.

In addition to the key features of PAIG for GenAI applications, integrating the Securing VectorDB functionalities provides an additional layer of security and governance. This integration ensures that the data feeding into your GenAI applications is managed with the utmost care, aligning with your organization's data protection standards.

By combining the security features of PAIG for GenAI applications with Securing VectorDB, organizations can achieve a holistic security framework. This integrated approach not only secures the AI models and their inputs/outputs but also ensures the underlying data in VectorDB is governed and protected effectively. For more information on this integration, please refer to our Securing VectorDB section.

Use Case Descriptions for Securing GenAI Applications with PAIG¶

Use Case 1: Observability in Default Access Policy¶

Scenario Description: In this observability-centric use case, PAIG is configured to focus on monitoring and logging activities when a GenAI application is newly integrated. Initially, the application permits access to all users, which serves as a vital phase for collecting data on user interactions and system responses. This unrestricted access phase is instrumental for gathering insights into how users typically engage with the application, identifying common query patterns, and evaluating the effectiveness of default security settings, such as PII data redaction.

Examples:

Use Case: Monitoring Sensitive Data in User Interactions¶

Scenario Description: In this use case, PAIG focuses on tracking and analyzing instances where users, such as Sally, inadvertently enter sensitive data in their queries, or when the GenAI application generates responses containing sensitive data.

1. User Behavior Analysis:

   • Situation: Sally, or similar users, engage with the GenAI application, posing questions or providing information that might unintentionally include sensitive data.

   • Observation: PAIG monitors these interactions in real-time, focusing specifically on the detection of sensitive data within both the user's input (prompts) and the AI's output (responses). The system logs any occurrence of sensitive data, such as personal identifiers or confidential information.

   • Outcome: This vigilant monitoring helps in assessing the effectiveness of data protection measures within the application. By identifying patterns or frequency of sensitive data appearance, PAIG aids in fine-tuning the application's privacy controls and response mechanisms. This ensures that user interactions with the GenAI application remain secure and compliant with data privacy standards.

2. Audit and Compliance Readiness:

   • Situation: All user queries and system responses are logged.
   • Observation: PAIG provides a comprehensive audit trail that includes details of user access, query content, and system responses.
   • Outcome: This detailed logging is crucial for compliance audits and understanding the application’s adherence to data privacy regulations.

By employing PAIG in this observability use case, organizations can gain valuable data-driven insights into user behaviors and system performance, while ensuring that the GenAI application's security and privacy controls are operating as intended from the outset.

Use Case 2: Deny Access Policy¶

Scenario Description: This use case demonstrates the enforcement of a restrictive access policy. By default, PAIG allows all users to access the AI application, but this policy can be modified to deny access. For instance, if the permission settings are altered to exclude a specific user group, users from that group who attempt to access the AI application will receive a denial message. This scenario is instrumental in testing and validating the access control mechanisms of PAIG and ensuring that unauthorized access is effectively prevented.

Examples:

1. Restricted Access for Sensitive Projects:

• Situation: A new AI application is developed for handling sensitive project information, requiring limited access.
• Implementation: PAIG’s settings are configured to deny access to all users except for a select group working on the project.
• Outcome: When unauthorized users attempt to access the application, they receive a denial message. This ensures that sensitive project details remain confidential and accessible only to authorized personnel.

2. Access Restriction for External Consultants:

• Situation: External consultants are granted limited access to an organization’s AI applications.
• Implementation: PAIG's policies are adjusted to exclude these consultants from accessing certain sensitive applications.
• Outcome: Consultants receive an access denial message when trying to open restricted applications, ensuring that they only access information pertinent to their role.

5. Compliance with Legal Restrictions:

• Situation: Due to legal compliance, certain user groups (like users from specific geographical locations) must be restricted from accessing specific data within AI applications.
• Implementation: PAIG’s policies are fine-tuned to deny access to these user groups.
• Outcome: Affected users encounter an access denial message upon attempting to use the application, helping the organization stay compliant with legal requirements.

These examples illustrate how the Deny Access Policy can be applied in various real-world scenarios, showcasing PAIG's flexibility in managing access controls according to organizational needs, legal requirements, and security protocols.

Use Case 3: Selective Redaction of Sensitive Information¶

Scenario Description: In this scenario, PAIG is configured to selectively redact PII data from prompts and responses based on user roles and group memberships. While the default setting is to redact all sensitive information for general users, PAIG allows the display of actual PII data for certain authorized users or groups as per operational needs. This selective redaction showcases PAIG’s adaptability in balancing data privacy with functional requirements.

Examples:

1. Access for HR Department:

   • Situation: The HR department requires access to employee PII for internal operations.
   • Implementation: PAIG is configured to not redact PII data in responses when accessed by users from the HR group.
   • Outcome: HR personnel can view complete employee data, while other users see redacted information, ensuring privacy compliance and operational efficiency.

2. Customer Support Handling Sensitive Queries:

   • Situation: Customer support agents require access to customer PII for resolving specific queries.
   • Implementation: PAIG selectively disables redaction based on the nature of the customer support query and the agent's clearance level.
   • Outcome: Agents can view necessary customer PII to provide effective support, while ensuring general queries still uphold PII redaction.

3. Research Team Accessing Health Data:

   • Situation: A research team working on health analytics needs access to patient data, which includes sensitive health information and PII.
   • Implementation: PAIG is set to redacted PII data to the research team members.
   • Outcome: Researchers can access complete patient data necessary for their analysis, while ensuring strict privacy controls are in place for data they shouldn't be seeing.

These examples demonstrate the capability of PAIG to provide context-sensitive and role-based redaction controls, offering a nuanced approach to data privacy and access management.

What Next?