
A004 Protect IP & trade secrets

>Control Description

Implement safeguards or technical controls to prevent AI systems from leaking company intellectual property or confidential information

Application

Mandatory

Frequency

Every 12 months

Capabilities

Universal

>Controls & Evidence (4)

Technical Implementation

A004.1
Documentation: User guidance on confidential information

Core - This should include:

- Providing user guidance on protecting confidential information. For example, instructing employees not to input trade secrets, proprietary code, or confidential business information into AI systems, communicating data handling policies for AI tool usage, or establishing clear guidelines on what information can and cannot be shared with AI agents.

Typical evidence: Policy document, training materials, or user guidelines instructing users on protecting confidential information when using AI systems.
Location: Product

A004.3
Config: IP detection implementation

Supplemental - This may include:

- Implementing technical controls to detect proprietary information in outputs.

Typical evidence: Screenshot of code or configuration detecting proprietary information patterns in AI outputs - may include labelling proprietary files, filtering rules for internal identifiers/data labels/API keys, scanning logic for trade secret terminology, or rejection demonstrations showing appropriate responses to proprietary requests.
Location: Engineering Code, Product
A004.4
Config: IP disclosure monitoring

Supplemental - This may include:

- Establishing output monitoring for high-risk IP scenarios. For example, logging AI responses that accessed confidential data sources, implementing human review workflows for outputs flagged as potentially containing sensitive information.

Typical evidence: Logs, audit trails, or review workflow documentation for AI outputs potentially containing sensitive information - may include logs of responses accessing confidential sources, flagged output review queues, or human approval workflows for high-risk disclosures.
Location: Engineering Practice, Logs
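The detection rules in A004.3 and the output monitoring in A004.4 combined into one output-filtering step, as an added example that is not part of the control catalogue or of any product it maps to. Every pattern, codename, classification label, source name and sample output below is a constructed assumption; a real deployment would load its labels, identifier formats, key prefixes and codenames from its own data-classification inventory.

```python
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Detection rules (A004.3). All patterns and terms are constructed for this
# example, not taken from any real inventory.
RULES = {
    # classification labels that mark content as not for release
    "classification_label": re.compile(r"\b(CONFIDENTIAL|INTERNAL[ -]ONLY|TRADE SECRET)\b", re.I),
    # constructed internal project-identifier format
    "internal_identifier": re.compile(r"\bPRJ-\d{4,}\b"),
    # constructed API-key shape: prefix, environment, 16+ alphanumerics
    "api_key": re.compile(r"\b(?:sk|ak)_(?:live|test)_[A-Za-z0-9]{16,}\b"),
    # constructed trade-secret codenames, matched case-insensitively
    "trade_secret_term": re.compile(r"\b(project aurora|alloy formula 7)\b", re.I),
}

# Hits on these rules withhold the output entirely (rejection demonstration);
# hits on the others release a redacted output but queue it for human review.
BLOCKING_RULES = {"api_key", "trade_secret_term"}

# Source classifications that trigger review even when no pattern fires (A004.4).
CONFIDENTIAL_CLASSES = {"confidential", "restricted"}

REFUSAL = "This response was withheld because it would disclose proprietary information."


@dataclass(frozen=True)
class Finding:
    rule: str
    text: str
    start: int
    end: int


def scan_output(text):
    """Return every rule hit in the model output, ordered by position."""
    hits = [Finding(name, m.group(0), m.start(), m.end())
            for name, pat in RULES.items() for m in pat.finditer(text)]
    return sorted(hits, key=lambda f: f.start)


def redact(text, findings):
    """Replace each matched span with a marker; the constructed rules never
    overlap, and working right-to-left keeps earlier offsets valid."""
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        text = text[:f.start] + f"[REDACTED:{f.rule}]" + text[f.end:]
    return text


def apply_policy(output, sources, review_queue=None):
    """Decide allow / flag / reject for one model output and build its audit record.

    `sources` lists the data sources the model consulted, each a dict with
    a "name" and a "classification" (constructed field names)."""
    findings = scan_output(output)
    blocking = [f for f in findings if f.rule in BLOCKING_RULES]
    touched_confidential = [s["name"] for s in sources
                            if s.get("classification", "").lower() in CONFIDENTIAL_CLASSES]
    if blocking:
        decision, response = "reject", REFUSAL
    elif findings or touched_confidential:
        decision, response = "flag", redact(output, findings)
    else:
        decision, response = "allow", output
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "decision": decision,
        "rules_hit": sorted({f.rule for f in findings}),
        "confidential_sources": touched_confidential,
        "review_required": decision != "allow",
    }
    # Anything not cleanly allowed lands in the human review queue (A004.4).
    if review_queue is not None and record["review_required"]:
        review_queue.append(record)
    return response, record


if __name__ == "__main__":
    queue = []
    # Constructed sample outputs and source metadata.
    samples = [
        ("Per INTERNAL-ONLY memo PRJ-10422, Project Aurora ships in Q3. "
         "Use key sk_live_abcdefghijklmnop1234 to call the API.",
         [{"name": "wiki/aurora", "classification": "confidential"}]),
        ("The Q3 roadmap is tracked in PRJ-10422.",
         [{"name": "wiki/roadmap", "classification": "internal"}]),
        ("Our public docs are at docs.example.com.", []),
    ]
    for text, srcs in samples:
        response, record = apply_policy(text, srcs, queue)
        print(json.dumps(record), "->", response)
    print(f"{len(queue)} record(s) queued for human review")
```

The audit record is deliberately free of the matched text itself: the review queue then shows which rules fired and which confidential sources were read without copying the sensitive value into yet another log.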

Legal Policies

A004.2
Documentation: foundational model IP protections

Supplemental - This may include:

- Leveraging foundation model provider protections. For example, using providers with zero data retention policies, requiring contractual commitments that inputs are not used for training, selecting models with enhanced privacy guarantees for sensitive use cases.

Typical evidence: Provider contracts, terms of service, or documentation showing IP protection commitments. These are often found in a third party's terms of use/service, DPA, or AI Addendum/Schedule.
Location: Vendor Contracts

>Cross-Framework Mappings
