On April 29, 2024, the U.S. Department of Commerce (DoC) announced that the National Institute of Standards and Technology (NIST) published four documents on artificial intelligence (AI) 180 days after the Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence. In particular, NIST highlighted that the draft publications serve as companion resources to the NIST AI Risk Management Framework (AI RMF) and Secure Software Development Framework (SSDF).

The four publications include:

• NIST AI 600-1 - Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile (the Generative AI Profile);
• NIST Special Publication (SP) 800-218A - Secure Software Development Practices for Generative AI and Dual-Use Foundation Models (NIST SP 800-218A);
• NIST AI 100-4 - Reducing Risks Posed by Synthetic Content (the Synthetic Content Profile); and
• NIST AI 100-5 - A Plan for Global Engagement on AI Standards (the AI Standards Profile).

Generative AI

The Generative AI Profile aims to help organizations identify risks posed by generative AI in the format of 13 risks that are novel to or exacerbated by the use of generative AI. These risks include:

• CBRN information - lowered barriers to entry or eased access to materially nefarious information related to chemical, biological, radiological, or nuclear (CBRN) weapons;
• confabulation - the production of confidently stated but erroneous or false content (hallucinations or fabrications);
• data privacy - leaked and unauthorized disclosure or de-anonymization of biometric, health, personally identifiable, or other sensitive data;
• human-AI configuration - algorithmic aversion, automation bias, deceptive or obfuscating behaviors by AI systems based on programming, or anticipated human validation;
• information security - lowered barriers for offensive cyber capabilities, including ease of security attacks, hacking, malware, phishing, and offensive cyber operations through accelerated automated discovery and exploitation of vulnerabilities; and
• value chain and component integration - non-transparent or untraceable integration of upstream third-party components.

SSDF and generative AI

NIST SP 800-218A provides recommendations specific to AI throughout the software development lifecycle, focusing on AI model producers, AI system producers, and AI system acquirers.

Synthetic content

The Synthetic Content Profile outlines methods for detecting, authenticating, and labeling synthetic content, such as digital watermarking and metadata recording. Methods for testing and evaluating provenance data tracking and synthetic content detection techniques are also established. Specifically, in facilitating digital transparency, the Synthetic Content Profile provides that organizations can manage and reduce the risk of synthetic content by:

• attesting that a particular system produced a piece of content;
• asserting ownership of content;
• providing tools to label and identify AI-generated content; and
• mitigating the production and dissemination of AI-generated child sexual abuse material and non-consensual intimate imagery of real individuals.

Global AI standards

The AI Standards Profile requests feedback on areas and topics that require standardization. This includes topics such as mechanisms for enhancing awareness of the origin of digital content and shared practices for testing, evaluation, and verification of AI systems. In developing further standardization around AI, the AI Standards Profile recognizes that AI standards must be:

• context-sensitive;
• performance-based;
• human-centered; and
• sensitive to societal considerations.

You can read the DoC press release here, the Generative AI Profile here, NIST SP 800-218A here, the Synthetic Content Profile here, and the Global AI Standards Profile here.