AI 组织责任：治理、风险管理、合规与文化方面

AI组织责任工作组的永久官方地址是https://cloudsecurityalliance.org/research/working-groups/ai-organizational-sponsibility ©2025云安全联盟大中华区——保留所有权利。你可以在你的电脑上下载、储存、展示、查看及打印，或者访问云安全联盟大中华区官网(https://www.c-csa.cn)。须遵守以下:(a)本文只可作个人、信息获取、非商业用途;(b)本文内容不得篡改;(c)本文不得转发;(d)该商标、版权或其他声明不得删除。在遵循中华人民共和国著作权法相关条款情况下合理使用本文内容，使用时请注明引用于云安全联盟大中华区。 目录 引言.....................................................................................................................................6所有责任的六个跨领域关注点.................................................................................6假设.....................................................................................................................................7目标受众.............................................................................................................................7责任角色定义.....................................................................................................................8管理和策略.................................................................................................................8治理、风险与合规.....................................................................................................9技术与安全.................................................................................................................9运营与开发...............................................................................................................10规范性引用.......................................................................................................................11术语表...............................................................................................................................12 1.风险管理.......................................................................................................................121.1威胁建模.............................................................................................................121.2风险评估.............................................................................................................141.3攻击模拟.............................................................................................................191.4事件响应计划.....................................................................................................231.5运营弹性.............................................................................................................271.6审计日志与活动监控.........................................................................................341.7风险缓解.............................................................................................................381.8数据漂移监控.....................................................................................................412.治理与合规...................................................................................................................45 2.1AI安全政策、流程和程序................................................................................46 2.2审计.....................................................................................................................50 2.3董事会报告.........................................................................................................562.4法律监管要求-法律..........................................................................................632.5实施可测量/可审计的控制措施........................................................................672.6欧盟AI法案，美国行政命令：开发安全、可信的AI等.............................692.7AI使用政策........................................................................................................702.8模型治理.............................................................................................................723.安全文化与培训...........................................................................................................773.1基于角色的教育.................................................................................................783.2意识建立.............................................................................................................803.3负责任的AI培训...............................................................................................843.4沟通与报告.........................................................................................................884.影子AI防范.................................................................................................................914.1AI系统清单........................................................................................................924.2差距分析.............................................................................................................974.3未经授权的系统识别.......................................................................................1004.4访问控制...........................................................................................................1044.5活动监控...........................................................................................................1084.6变更控制流程.......................................................................