25.1.4 Legal and compliance concepts

2025.10.06.
AI Security Blog

Operating as an AI red teamer means navigating a complex web of laws, regulations, and standards. Your actions, especially when handling sensitive data or testing production systems, have real-world legal implications. This glossary provides a reference for the key compliance concepts that define the boundaries of professional and lawful engagement.

Understanding these terms is not optional; it is fundamental to mitigating risk for both you and your client. They dictate how you handle data, structure your tests, and report your findings.

| Term | Hungarian Equivalent | Relevance in AI Red Teaming |
|---|---|---|
| General Data Protection Regulation (GDPR) | Általános Adatvédelmi Rendelet | A comprehensive EU data protection law. If your target AI system processes data of EU residents, all your testing activities, especially those involving production or training data, must be GDPR-compliant. This includes ensuring a legal basis for processing, respecting data subject rights, and handling personal data securely. |
| EU AI Act | EU Mesterséges Intelligencia Törvény | A landmark EU regulation classifying AI systems by risk level (unacceptable, high, limited, minimal). As a red teamer, you’ll be tasked with testing high-risk systems to ensure they meet the Act’s stringent requirements for robustness, accuracy, and security before they can enter the market. Your findings will be critical for conformity assessments. |
| NIST AI Risk Management Framework (AI RMF) | NIST MI Kockázatkezelési Keretrendszer | A voluntary framework from the U.S. National Institute of Standards and Technology that provides a structured approach to managing AI risks. Red teaming activities directly support the “Test & Evaluation” and “Measure” functions of the RMF, helping organizations identify and document AI system trustworthiness. |
| Personally Identifiable Information (PII) | Személyazonosításra Alkalmas Információ (SZAI) | Any data that can be used to identify a specific individual. During a red team engagement, you may encounter PII in datasets, user prompts, or model outputs. You are legally obligated to protect this information, often through anonymization or operating under a strict Data Processing Agreement. |
| Data Processing Agreement (DPA) | Adatfeldolgozási Szerződés | A legally binding contract that governs the processing of personal data between a data controller (the client) and a data processor (you/your firm). A DPA is mandatory under GDPR for any engagement involving personal data and outlines your responsibilities, security measures, and the scope of permitted activities. |
| Anonymization & Pseudonymization | Anonimizálás és Álnevesítés | Techniques to protect privacy. Anonymization irreversibly removes PII. Pseudonymization replaces PII with artificial identifiers. You must understand the distinction: pseudonymized data is still considered personal data under GDPR, while truly anonymized data is not. Your testing may involve assessing the effectiveness of these techniques. |
| Liability | Felelősség | The legal responsibility for harm caused by an AI system. Red teaming helps organizations identify potential failures that could lead to liability claims. Your reports provide evidence of due diligence, but your engagement’s scope of work must clearly define the limits of your own liability. |
| Intellectual Property (IP) | Szellemi Tulajdon | This includes the AI model itself (as a trade secret or patented invention), the training data, and proprietary algorithms. Your rules of engagement must explicitly state how you will handle the client’s IP, ensuring confidentiality and preventing any unauthorized disclosure or use of proprietary information discovered during testing. |
| Data Breach Notification | Adatvédelmi Incidens Bejelentése | A legal requirement under regulations like GDPR to report a data breach to authorities (and sometimes affected individuals) within a specific timeframe (e.g., 72 hours). If your red teaming activities inadvertently cause a breach, you must be prepared to follow the client’s incident response plan, which includes these notification procedures. |
| Authorized Access / Ethical Hacking | Jogosult Hozzáférés / Etikus Hackelés | The legal foundation of your work. Your engagement is sanctioned by a contract that provides explicit, written permission to test specific systems within a defined scope. Operating outside this scope can expose you to civil and criminal liability. This authorization distinguishes red teaming from illegal hacking. |