Module B0 — Legal, Ethics, and Disclosure for AI Security Testing

Legal, Ethics, and Disclosure for AI Security Testing

The traditional computer-crime statutes still apply — plus an AI-specific layer (EU AI Act, DMCA § 1201, trade-secret law, incident-reporting regimes) the deployer cannot waive. The authorization chain splits at the provider link. A jailbreak is dual-use: a finding and a weapon.

60
minutes
8
artifacts
3
sub-sections
You are attacking AI systems. Every statute that governs attacking a database governs attacking the agent that reaches it — plus a layer of law, contract, and policy with no pentest analogue. The asset owner splits into provider (built the model) and deployer (runs the agent). The deployer cannot authorize what the provider forbids. This module is the legal control plane everything from B1 onward assumes.
Key Claims
Load-Bearing Claims

The 'asset owner' splits into provider and deployer. The provider built the model and owns the weights and terms of service; the deployer runs the agent and owns the data. The deployer can authorize testing of their system but cannot authorize violation of the provider's terms. This split is the single most important legal difference from 2A, and the provider link is where most AI red-team legal mistakes happen.

Two legal layers stack: traditional computer-crime (CFAA/CMA/EU 2013-40) governs the infrastructure; an AI-specific layer (EU AI Act, DTSA/EU Trade Secrets, DMCA § 1201, US EO/OMB) governs the model and its outputs. A finding often implicates both. Weights are a trade secret — copying the file IS the harm, with no COUNT(*) equivalent. DMCA § 1201 can criminalize bypassing a model's access control independent of any CFAA question.

A successful jailbreak is dual-use: simultaneously a security finding (report it) and a misuse recipe (suppress it). The same artifact is both, and the gap between research and offensive capability is narrower for a jailbreak than for a buffer overflow. Four disclosure principles resolve it — provider first, existence not recipe by default, ≥180-day embargo for model-level findings, and withhold pure-misuse content with no defensive lesson. This is where AI CVD diverges from 'publish everything.'

Weight extraction requires minimum-proof discipline enforced in code. Prove reachability with a path + hash + byte count, never the file. The red-team harness must enforce the green path — a test that 'accidentally' exfiltrates 40GB of weights has committed the harm it was hired to prevent. The provider_authorization field in the scope file is the AI analogue of 2A's 'scope enforcement is a legal control.'

After This Module
01
Distinguish authorized testing of an AI system from illegal access under the CFAA, UK CMA, and EU regimes — and explain what Van Buren (2021) changed and did not.
02
Apply AI-specific law: the EU AI Act's prohibitions and GPAI obligations, US EO/OMB incident-reporting duties, and DMCA § 1201 as it applies to model access controls and red-teaming.
03
Map the AI attack surface to legal categories: prompt injection vs. unauthorized access, weight exfiltration vs. trade-secret theft, jailbreak disclosure vs. coordinated vulnerability disclosure.
04
Write an AI-specific authorization and disclosure agreement covering provider-ToS compliance, dual-use handling, weight-leak handling, and DMCA waiver.
05
Explain the dual-use dilemma unique to AI red teaming and articulate the four disclosure principles that resolve it.
06
Define the five AI-specific legal/ethical risks and the control for each, and build the provider_authorization_check() gate the harness runs before provider-surface techniques.
Artifacts