The rapid expansion of Artificial Intelligence into new industries with new stakeholders, coupled with an evolving threat landscape and huge growth in AI, presents tough challenges for security. The ISG SAI creates high quality technical standards to combat these challenges.

Artificial Intelligence impacts our lives every day, from local AI systems on mobile phones suggesting the next word in our sentences to large manufacturers using AI to improve industrial processes. AI has the potential to revolutionize our interactions with technology, improve our quality of life and enrich security – but without high quality technical standards and good practices, AI has the potential to create new attacks and worsen existing security measures.

The ETSI Industry Specification Group on Securing Artificial Intelligence (ISG SAI) has a key role to play in improving the security of AI through production of high-quality technical standards; the ISG SAI will create standards to preserve and improve the security of new AI technologies.

Role & Activities

The SAI develops technical specifications and reports to address 3 aspects of artificial intelligence in standards:

  • Securing AI from attack: where AI is a component in a system that needs protection
  • Mitigating against malicious AI: where AI is used to improve and enhance conventional attack vectors, or create new attack vectors
  • Using AI to enhance security measures: protecting systems against attack where using AI is part of the ‘solution’ or is used to improve and enhance more conventional countermeasures

The ETSI ISG SAI develops the technical knowledge that acts as a baseline in ensuring that artificial intelligence is secure. Stakeholders impacted by the activity of ETSI’s group include end users, manufacturers, operators and governments.

More details are available in "Our work".


A full list of related standards in the public domain is accessible via the ISG SAI committee page.

Our work

The ISG SAI first outputs will centre around six key topics:

  • Problem Statement, that will guide the work of the group
  • Threat Ontology for AI, to align terminology
  • Data Supply Chain, focused on data issues and risks in for training AI
  • Mitigation Strategy, with guidance to mitigate the impact of AI threats
  • Security testing of AI
  • Role of hardware in security of AI

Read on for more details about each work item.

Securing AI problem statement

ai puzzle piecesThe first SAI report ETSI GR SAI 004 describes the problem of securing AI-based systems and solutions, with a focus on machine learning, and the challenges relating to confidentiality, integrity and availability at each stage of the machine learning lifecycle. It also points out some of the broader challenges of AI systems including bias, ethics and ability to be explained. A number of different attack vectors are outlined, as well as several cases of real-world use and attacks.The recommendations contained in this report will be used to define the scope and timescales for the follow-up work.

AI threat ontologyai ticking bomb

Currently, there is no common understanding of what constitutes an attack on AI systems, nor how it might be created, hosted and propagated. This work will seek to define what is considered an AI threat and how it differs from threats to traditional systems.

The AI Threat Ontology specification seeks to align terminology across different stakeholders and multiple industries to underpin the future work of the ISG SAI. This will define specific terms in the context of cyber and physical security, with a narrative that is readily accessible. This Threat Ontology will address AI as system, and both as an attacker and a defender of security.

ai arrow loop


Data supply chain report

Data is a critical component in the development of AI systems, both raw data, and information and feedback from other AI systems and humans in the loop. However, access to suitable data is often limited, causing a need to resort to less suitable sources of data. Compromising the integrity of data has been demonstrated to be a viable attack vector against an AI system.

This report will summarize the methods currently used to source data for training AI, along with a review of existing initiatives for developing data sharing protocols and analyse requirements for standards for ensuring integrity in the shared data, information and feedback, as well as the confidentiality of these.

Mitigation strategy reportai tick

This work item will summarize and analyze existing and potential mitigation against threats for AI-based systems and produce guidelines for mitigating against threats introduced by adopting AI into systems. These guidelines will shed light on security baselines of AI-based systems by mitigating against known or potential security threats. The guidelines will also address security capabilities, challenges, and limitations when adopting mitigation for AI-based systems in certain use cases.

ai lab testingSecurity testing of AI

This work will identify methods and techniques for security testing of AI-based components and produce a thorough gap analysis to identify the limitations and capabilities in security testing of AI. The guidelines for security testing of AI and AI-based components will consider different algorithms and address relevant threats from AI Threat Ontology work.



Role of hardware

The work will identify the role of hardware, both specialized and general-purpose, in the security of AI. This will address the mitigations available in hardware to prevent attacks and address the general hardwarerequirements on hardware to support SAI (expanding from SAI-004). In addition, this report will address possible strategies to use AI for protection of hardware. The report will also provide a summary of academic and industrial experience in hardware security for AI. In addition, the report will address vulnerabilities or weaknesses introduced by hardware that may amplify attack vectors on AI.

Future work

Although the phrase was coined in the 1950s, practical AI systems have only really been implemented in recent years, driven by:

  • Evolution of advanced AI techniques including neural networks, deep learning
  • Availability of significant data sets to enable robust training
  • Advances in high performance computing enabling highly performing devices and the availability of hyperscale performance through cloud services

These new techniques and capabilities, together with the availability of data and compute resources, mean that AI systems will only become more prevalent. However, this results in a series of challenges both old and new. See below for a list of future topics for the ISG SAI.

  • Data security, integrity and privacy
    • Training data: quality, quantity, confidentiality and labelling
  • Transferability (re-use of models across tasks and industries)
  • Transparency
  • Explainability (for regulation purposes)
  • Ethics and misuse
  • Bias
  • Unintended consequences

Find out more

For more on ETSI's general security work, check out the cyber security page on our website.

If you are interested in joining ETSI, including ISG SAI, please refer to membership information and contacts on the SAI committee page.