The rapid expansion of Artificial Intelligence into new industries with new stakeholders, coupled with an evolving threat landscape and huge growth in AI, presents tough challenges for security. The ISG SAI creates high quality technical standards to combat these challenges.

Artificial Intelligence impacts our lives every day, from local AI systems on mobile phones suggesting the next word in our sentences to large manufacturers using AI to improve industrial processes. AI has the potential to revolutionize our interactions with technology, improve our quality of life and enrich security – but without high quality technical standards and good practices, AI has the potential to create new attacks and worsen existing security measures.

The ETSI Industry Specification Group on Securing Artificial Intelligence (ISG SAI) has a key role to play in improving the security of AI through production of high-quality technical standards; the ISG SAI will create standards to preserve and improve the security of new AI technologies.

Role & Activities

The SAI develops technical specifications and reports to address 3 aspects of artificial intelligence in standards:

  • Securing AI from attack: where AI is a component in a system that needs protection
  • Mitigating against malicious AI: where AI is used to improve and enhance conventional attack vectors, or create new attack vectors
  • Using AI to enhance security measures: protecting systems against attack where using AI is part of the ‘solution’ or is used to improve and enhance more conventional countermeasures

The ETSI ISG SAI develops the technical knowledge that acts as a baseline in ensuring that artificial intelligence is secure. Stakeholders impacted by the activity of ETSI’s group include end users, manufacturers, operators and governments.

More details are available in "Our work".


A full list of related standards in the public domain is accessible via the ISG SAI committee page.

Our work

Securing AI problem statement

ai puzzle piecesETSI GR SAI 004 describes the problem of securing AI-based systems and solutions, with a focus on machine learning, and the challenges relating to confidentiality, integrity and availability at each stage of the machine learning lifecycle. It also points out some of the broader challenges of AI systems including bias, ethics and ability to be explained. A number of different attack vectors are outlined, as well as several cases of real-world use and attacks.The recommendations contained in this report will be used to define the scope and timescales for the follow-up work.

AI threat ontologyai ticking bomb

Currently, there is no common understanding of what constitutes an attack on AI systems, nor how it might be created, hosted and propagated. ETSI GR SAI 001 defines what is considered an AI threat and how it differs from threats to traditional systems.

The AI Threat Ontology specification seeks to align terminology across different stakeholders and multiple industries to underpin the future work of the ISG SAI. This will define specific terms in the context of cyber and physical security, with a narrative that is readily accessible. This Threat Ontology will address AI as system, and both as an attacker and a defender of security.

ai arrow loop


Data supply chain report

Data is a critical component in the development of AI systems, both raw data, and information and feedback from other AI systems and humans in the loop. However, access to suitable data is often limited, causing a need to resort to less suitable sources of data. Compromising the integrity of data has been demonstrated to be a viable attack vector against an AI system.

ETSI GR SAI 002 report summarizes the methods currently used to source data for training AI, along with a review of existing initiatives for developing data sharing protocols and analyse requirements for standards for ensuring integrity in the shared data, information and feedback, as well as the confidentiality of these.

Mitigation strategy reportai tick

ETSI GR SAI 005 summarizes and analyze existing and potential mitigation against threats for AI-based systems and produce guidelines for mitigating against threats introduced by adopting AI into systems. These guidelines shed light on security baselines of AI-based systems by mitigating against known or potential security threats.

ai lab testingSecurity testing of AI

This work will identify methods and techniques for security testing of AI-based components and produce a thorough gap analysis to identify the limitations and capabilities in security testing of AI. The guidelines for security testing of AI and AI-based components will consider different algorithms and address relevant threats from AI Threat Ontology work.



Role of hardware

ETSI GR SAI 006 identifies the role of hardware, both specialized and general-purpose, in the security of AI. It will address the mitigations available in hardware to prevent attacks and address the general hardwarerequirements on hardware to support SAI (expanding from SAI-004). In addition, this report addresses possible strategies to use AI for protection of hardware. The report also provides a summary of academic and industrial experience in hardware security for AI. In addition, the report addresses vulnerabilities or weaknesses introduced by hardware that may amplify attack vectors on AI.

The ISG is also working on an AI computing platform security framework.

Expanding the work

The group is addressing the explicability and transparency of AI processing, the traceability of AI Models, and the privacy aspects of AI/ML systems.

Future work

Although the phrase was coined in the 1950s, practical AI systems have only really been implemented in recent years, driven by:

  • Evolution of advanced AI techniques including neural networks, deep learning
  • Availability of significant data sets to enable robust training
  • Advances in high performance computing enabling highly performing devices and the availability of hyperscale performance through cloud services

These new techniques and capabilities, together with the availability of data and compute resources, mean that AI systems will only become more prevalent. However, this results in a series of challenges both old and new. See below for a list of potential future topics for the ISG SAI.

  • Data security, integrity and privacy
  • Training data: quality, quantity, confidentiality and labelling
  • Transferability (re-use of models across tasks and industries)
  • Misuse
  • Bias and unintended consequences
  • Data Processing / Machine Learning Life Cycle
  • AI to AI communication
  • AI retraining

The group will consider how its own activities can contribute to the development of future EU Harmonised Standards under the EU AI Act.

Find out more

For more on ETSI's general security work, check out the cyber security page on our website.

If you are interested in joining ETSI, including ISG SAI, please refer to membership information and contacts on the SAI committee page.