Govern Artificial Intelligence & Autonomous Technologies (AAT) through trustworthy, secure and resilient lifecycle practices that manage intended and unintended outcomes.
Organizations ensure AAT capabilities are designed, developed, deployed, monitored and governed to be reliable, safe, fair, secure, resilient, transparent, explainable and privacy-enhancing, with risk management practices that address model, agent and autonomous decision-making risks.
Artificial Intelligence (AI) introduces risks that no existing domain fully covers. Traditional software security addresses code; the AAT domain addresses model behavior, training data integrity, agent autonomy and decision-making processes that may be opaque even to their operators.
The SCF's intent for AAT is lifecycle-based. Development, deployment, monitoring and governance all require distinct practices. A model that behaves correctly in testing may behave unpredictably under adversarial inputs or distributional shift. An autonomous agent granted excessive permissions creates an attack surface that has no equivalent in conventional software. The intent behind AAT is that organizations treat AI capabilities with the same rigor applied to other high-risk Technology Assets, Applications and Services (TAAS), with additional requirements for explainability and fairness that don't apply to static applications.
The domain also addresses unintended outcomes explicitly, not just security failures. An AI system that produces biased decisions, leaks training data through inference attacks, or makes autonomous decisions without adequate human oversight creates compliance and liability exposure beyond what traditional security controls address. AAT acknowledges that governing AI requires a different mental model, not just an extension of existing controls.