Security Tips for Developing AI Solution

Securing an AI solution requires a “Security by Design” approach that addresses risks across the entire development lifecycle—from data collection and model training to deployment and maintenance. Below are some tips for developers to safeguard their AI solution and data.

Data Protection and Governance
- Collect only adequate but not excessive amount of personal data for the AI model. Make sure the use of personal data is compatible with the original purpose of collection. Collect, hold, process and use personal data lawfully in accordance with the requirements under PDPO when develop and use AI.
- Anonymise, pseudonyms, or synthetic personal data to ensure data privacy.
- Encrypt both data at rest and in transit.
- Taking all practicable steps to verify that training data has not been tampered with or poisoned before use and ensure the accuracy, reliability, consistency, completeness, relevance and usability.
- Test the data for fairness and avoid unjust bias before using it to train the AI model.
- Erasing personal data when the original purpose of collection has been archived.
- Designate personnel to review and update data regularly to ensure data quality.
- Proper documentation of the handling of data including how the data are collected, used and stored.

Model Development, Code Review and Runtime Protection
- Only use models, libraries, and tools from trusted sources.
- Understand different types of machine learning algorithms and select the one which meet the needs.
- Double-check the AI-generated code, scripts or technical recommendations before using them, make sure no malicious code is inserted and avoid security breaches.
- Implement user input validation to prevent prompt injection attacks. Filter model outputs to ensure sensitive information or toxic content is not inadvertently disclosed.
- Run development and training in secure, isolated environments like virtual machines or containers to prevent unauthorized access or accidental exposure.
- Perform testing of the AI models to ensure their reliability, robustness and fairness by comparing the AI decisions, testing malicious inputs, and conducting repeatability and reproducibility test to see whether the AI system can produce the same results.
- Allow human oversights and interventions when necessary.
- Provide transparent explanations for outputs and incorporate mechanisms for source verification, fact-checking, and validation.
- Incorporate regular code review and vulnerability assessment to identify potential vulnerabilities, and ensure the development and the use of the AI system complies with relevant University policies and regulation requirements.
- Use established libraries for authentication and data encryption. Adopt strong authentication for API access and apply the Least Privilege principle to limit what the AI and users can do.
- Set secure cookie attributes and use modern hashing methods.
- Implement security measures to protect the AI system and data against attacks and leakages.
- Restrict the number of requests an API can handle from a single source to prevent abuse and denial-of-service (DoS) attacks.
- Establish traceability and auditability (by logs) of the AI system.
- Establish contingency plan for promptly suspending the AI system or triggering fallback solution if necessary.
- Proper documentation for understanding and auditing the codes and AI model.

Continuous Monitoring and Compliance
- Implement real-time monitoring to track API interactions and system logs for abnormal activities.
- Maintain human oversight, especially for AI-generated code or critical decision-making processes, to catch security flaws that automated systems might miss.
- Maintain robust security measures throughout the AI system life cycle.
- Proper documentations of risk assessments, design, development, testing and use of the AI system.
- Conduct re-assessment of the risks of the AI system to identify any new risks when there is a significant change to the functionalities, operation of the AI system, regulatory or technological environment.
- Regular review the AI models to ensure that they are operating as expected.
- Regularly tuning and re-training the AI models with new data.
- Stay updated with the requirements of global data privacy regulations.

Reference:

PCPD Guidance on the Ethical Development and Use of Artificial Intelligence
(https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_ethical_e.pdf)
DPO Generative Artificial Intelligence Technical and Application Guideline
(https://www.digitalpolicy.gov.hk/en/our_work/data_governance/policies_standards/ethical_ai_framework/doc/HK_Generative_AI_Technical_and_Application_Guideline_en.pdf)

Published on: Apr 2026

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.