60 minutes · The only module where the anti-patterns carry criminal penalties — plus a layer of law with no pentest analogue
You are attacking AI systems. Every statute that governs attacking a database governs attacking the agent that reaches it — plus an AI-specific layer the deployer cannot waive.
Pillar 0 — Foundations
Course 2A — security harness
Target: networks, apps, contracts. Owner: the deployer. Law: CFAA / CMA / EU 2013-40. The law you already know.
Course 2B — the AI itself
Target: the model, the prompt, the memory. Owner splits: provider (built it) + deployer (runs it). Law: traditional plus an AI-specific layer.
| Layer | Governs | Key instruments |
|---|---|---|
| Traditional | The infrastructure: server, DB, API gateway | CFAA § 1030 · UK CMA · EU 2013/40 + GDPR · NIS2 |
| AI-specific | The model & its outputs: weights, prompt, jailbreak | EU AI Act 2024/1689 · DTSA + EU Trade Secrets · DMCA § 1201 · US EO 14110 / OMB M-24-10 |
The statutes, the chain, the contract
Model PROVIDER ──ToS / waiver──▶ DEPLOYER
(owns weights) (runs agent)
│ │
▼ ▼
Engagement Sponsor ──▶ RoE/Scope ──▶ Scope File
(CISO / AI-sec lead) (machine-checkable)
│
▼
Harness scope GATE
│
▼
Individual test action
| Regime | What it does to a red-team |
|---|---|
| EU AI Act (2024/1689) | A finding may be a legal non-compliance, not just a bug (Art. 5 prohibitions). GPAI systemic-risk providers must red-team (Art. 55). |
| US EO 14110 / OMB M-24-10 | A finding may be a reportable incident. Verify current administration policy. |
| State bot/deepfake laws | CA AB 2013 / SB 942, TX — touch synthetic-content payloads. |
CVD for AI + the dual-use dilemma
| Class | Example | Rule |
|---|---|---|
| Public | Technique description (no recipe) | Retain indefinitely |
| Provider-Only | The recipe, system prompt | Engagement + provider tail, NDA |
| Restricted | PII / weights in retrieved context | Destroy on report |
| Destroy-on-Report | Working jailbreak prompts | Destroy, never cross-client |
Five risks, five controls
| Risk | Control |
|---|---|
| Weight exfiltration | Minimum-proof: path + hash + byte count, never the file |
| Dual-use publication | 4 principles codified in the RoE before testing |
| Third-party model harm (sweeps degrade shared infra) | Dedicated/preview tier or local model; cap volume |
| Provider ToS conflict | provider_authorization check as a precondition |
| Test-data contamination | Opt out of training; test on frozen checkpoints |
Everything from B1 onward assumes this control plane exists. B1 builds the threat model; B2–B12 attack and defend within it. The scope file and the gate are the legal layer made engineering.
Lab (07): extract provider-ToS clauses, build the JSON scope file separating deployer vs. provider surfaces, write the CVD + dual-use rubric, implement provider_authorization_check().