Legal, Ethics, and Disclosure for AI Security Testing
The traditional computer-crime statutes still apply — plus an AI-specific layer (EU AI Act, DMCA § 1201, trade-secret law, incident-reporting regimes) the deployer cannot waive. The authorization chain splits at the provider link. A jailbreak is dual-use: a finding and a weapon.
The 'asset owner' splits into provider and deployer. The provider built the model and owns the weights and terms of service; the deployer runs the agent and owns the data. The deployer can authorize testing of their system but cannot authorize violation of the provider's terms. This split is the single most important legal difference from 2A, and the provider link is where most AI red-team legal mistakes happen.
Two legal layers stack: traditional computer-crime (CFAA/CMA/EU 2013-40) governs the infrastructure; an AI-specific layer (EU AI Act, DTSA/EU Trade Secrets, DMCA § 1201, US EO/OMB) governs the model and its outputs. A finding often implicates both. Weights are a trade secret — copying the file IS the harm, with no COUNT(*) equivalent. DMCA § 1201 can criminalize bypassing a model's access control independent of any CFAA question.
A successful jailbreak is dual-use: simultaneously a security finding (report it) and a misuse recipe (suppress it). The same artifact is both, and the gap between research and offensive capability is narrower for a jailbreak than for a buffer overflow. Four disclosure principles resolve it — provider first, existence not recipe by default, ≥180-day embargo for model-level findings, and withhold pure-misuse content with no defensive lesson. This is where AI CVD diverges from 'publish everything.'
Weight extraction requires minimum-proof discipline enforced in code. Prove reachability with a path + hash + byte count, never the file. The red-team harness must enforce the green path — a test that 'accidentally' exfiltrates 40GB of weights has committed the harm it was hired to prevent. The provider_authorization field in the scope file is the AI analogue of 2A's 'scope enforcement is a legal control.'