→

A004. Protect IP & trade secrets

A004

Protect IP & trade secrets

Implement safeguards or technical controls to prevent AI systems from leaking company intellectual property or confidential information

Keywords

Intellectual Property

Confidential Information

Data Protections

Application

Mandatory

Frequency

Every 12 months

Type

Preventative

Crosswalks

AML-M0020: Generative AI Guardrails

Article 72: Post-Market Monitoring by Providers and Post-Market Monitoring Plan for High-Risk AI Systems

LLM03:25 - Supply Chain

LLM05:25 - Improper Output Handling

LLM08:25 - Vector and Embedding Weaknesses

DSP-01: Security and Privacy Policy and Procedures

DSP-10: Sensitive Data Transfer

DSP-02: Secure Disposal

DSP-07: Data Protection by Design and Default

DSP-08: Data Privacy by Design and Default

DSP-16: Data Retention and Deletion

UEM-08: Storage Encryption

DSP-12: Limitation of Purpose in Personal Data Processing

Control activities

Typical evidence

Providing user guidance on protecting confidential information. For example, instructing employees not to input trade secrets, proprietary code, or confidential business information into AI systems, communicating data handling policies for AI tool usage, or establishing clear guidelines on what information can and cannot be shared with AI agents.

A004.1 Documentation: User guidance on confidential information

Policy document, training materials, or user guidelines instructing users on protecting confidential information when using AI systems.

Category

Technical Implementation

Product

Universal

Leveraging foundation model provider protections. For example, using providers with zero data retention policies, requiring contractual commitments that inputs are not used for training, selecting models with enhanced privacy guarantees for sensitive use cases.

A004.2 Documentation: foundational model IP protections

Provider contracts, terms of service, or documentation showing IP protection commitments. Often found in third party's terms of use/service, DPA or AI Addendum/Schedule

Category

Legal Policies

Vendor Contracts

Universal

Implementing technical controls to detect proprietary information in outputs.

A004.3 Config: IP detection implementation

Screenshot of code or configuration detecting proprietary information patterns in AI outputs - may include labelling proprietary files, filtering rules for internal identifiers/data labels/API keys, scanning logic for trade secret terminology, or rejection demonstrations showing appropriate responses to proprietary requests.

Category

Technical Implementation

Engineering CodeProduct

Universal

Establishing output monitoring for high-risk IP scenarios. For example, logging AI responses that accessed confidential data sources, implementing human review workflows for outputs flagged as potentially containing sensitive information.

A004.4 Config: IP disclosure monitoring

Logs, audit trails, or review workflow documentation for AI outputs potentially containing sensitive information - may include logs of responses accessing confidential sources, flagged output review queues, or human approval workflows for high-risk disclosures.

Category

Technical Implementation

Engineering PracticeLogs

Universal

Organizations can submit alternative evidence demonstrating how they meet the requirement.

AIUC-1 is built with industry leaders

"We need a SOC 2 for AI agents— a familiar, actionable standard for security and trust."

Phil Venables

Former CISO of Google Cloud

"Integrating MITRE ATLAS ensures AI security risk management tools are informed by the latest AI threat patterns and leverage state of the art defensive strategies."