付録 A: 用語集
この包括的な用語集では、AISVS 全体で使用される主要なAI、ML、セキュリティ用語の定義を提供し、明確さと共通理解を確保します。
Adapter – A lightweight module (e.g., LoRA, QLoRA) added to a pre-trained model to specialize its behavior on a specific task without modifying the original weights.
Adversarial Example – An input deliberately crafted to cause an AI model to make a mistake, often by adding subtle perturbations imperceptible to humans.
Adversarial Robustness – A model's ability to maintain its performance and resist being fooled or manipulated by intentionally crafted, malicious inputs designed to cause errors.
Adversarial Training – A training technique that augments training data with adversarial examples to improve model robustness against perturbation attacks.
Agent – An AI software system that uses reasoning, planning, and memory to pursue goals and complete tasks on behalf of users, with a degree of autonomy to make decisions, learn, and adapt. Also referred to as Agentic AI.
AI BOM (AI Bill of Materials) – A structured record of all components in an AI system, including models, datasets, weights, hyperparameters, frameworks, and licenses. May follow SPDX or CycloneDX formats. Distinct from a traditional SBOM in that it covers model-specific artifacts beyond software dependencies.
AppArmor – A Linux kernel security module that restricts program capabilities through per-program security profiles, used to sandbox AI workloads.
Attention Map – A visualization of which parts of an input a transformer model attends to when producing an output, used as an interpretability tool.
Attribute-Based Access Control (ABAC) – An access control paradigm where authorization decisions are based on attributes of the user, resource, action, and environment, evaluated at query time.
Backdoor Attack – A type of data poisoning attack where the model is trained to respond in a specific way to certain triggers while behaving normally otherwise.
Bias – Systematic errors in AI model outputs that can lead to unfair or discriminatory outcomes for certain groups or in specific contexts.
Bias Exploitation – An attack technique that takes advantage of known biases in AI models to manipulate outputs or outcomes.
Blue-Green Deployment – A deployment strategy that runs two identical production environments (blue and green), allowing instant rollback by switching traffic between them.
Byzantine Fault Tolerance – The ability of a distributed system to reach consensus and continue operating correctly even when some nodes fail or act maliciously.
Canary Deployment – A deployment strategy that gradually routes a small percentage of traffic to a new model version to detect issues before full rollout.
Cedar – An open-source policy language and evaluation engine for fine-grained permissions, originally created by Amazon. Used in implementing ABAC for AI systems.
Certified Robustness – A formal mathematical guarantee that a model's prediction will not change within a specified perturbation bound around an input, verified through techniques such as interval-bound propagation.
Chain of Thought – A technique for improving reasoning in language models by generating intermediate reasoning steps before producing a final answer.
CI/CD (Continuous Integration / Continuous Deployment) – A software engineering practice that automates building, testing, and deploying code changes, used in AI systems for model and pipeline deployment.
Circuit Breaker – A mechanism that automatically halts AI system operations when specific risk thresholds are exceeded, such as runaway agent loops or budget exhaustion.
CMP (Consent Management Platform) – A system that tracks user consent preferences including opt-in status, purpose, and retention period, and enforces consent decisions across data processing pipelines.
Concept Drift – A change in the statistical relationship between model inputs and outputs over time, causing model predictions to become less accurate even if input distributions remain stable.
Confidential Computing – A security paradigm that protects data in use by performing computation within hardware-enforced trusted execution environments, ensuring code and data remain encrypted and isolated from the host.
Confidential Inference – An inference service that runs AI models inside a trusted execution environment (TEE), ensuring model weights and inference data remain encrypted, sealed, and protected from unauthorized access or tampering.
Counterfactual Explanation – An interpretability technique that explains a model decision by describing the minimal changes to input features that would change the prediction outcome.
Covert Channel – An unintended communication path that can be exploited to transfer information in violation of security policy, such as through timing or resource usage patterns in shared AI infrastructure.
CycloneDX – An open standard for software and AI bill of materials, supporting component inventory, vulnerability tracking, and license compliance.
DAG (Directed Acyclic Graph) – A graph structure with directed edges and no cycles, used in AI systems to represent agent decision paths, reasoning traces, and workflow dependencies.
Data Augmentation – A technique that creates modified copies of training data (e.g., through rotation, noise addition, or paraphrasing) to increase dataset diversity and improve model robustness.
Data Drift – A change in the statistical distribution of model input data over time compared to the data the model was trained on, potentially degrading prediction quality.
Data Leakage – Unintended exposure of sensitive information through AI model outputs or behavior.
Data Poisoning – The deliberate corruption of training data to compromise model integrity, often to install backdoors or degrade performance.
Defense-in-Depth – A security strategy that layers multiple independent defensive controls so that if one layer fails, others continue to provide protection.
Defensive Distillation – A training technique where a model is trained on the soft probability outputs of another model to smooth decision boundaries and reduce susceptibility to adversarial perturbation.
Differential Privacy – A mathematically rigorous framework for releasing statistical information about datasets while protecting the privacy of individual data subjects, quantified by an epsilon (ε) privacy budget.
DoS (Denial of Service) – An attack that attempts to make a system unavailable by overwhelming it with requests or exhausting its resources.
DPIA (Data Protection Impact Assessment) – A formal assessment required under regulations such as GDPR to evaluate and mitigate risks to personal data before processing begins.
DP-SGD (Differentially Private Stochastic Gradient Descent) – A training algorithm that adds calibrated noise to gradient updates during model training to provide formal differential privacy guarantees.
DRTM (Dynamic Root of Trust for Measurement) – A hardware mechanism that establishes a trusted execution starting point at runtime, enabling integrity verification of AI accelerator workloads.
Embeddings – Dense vector representations of data (text, images, etc.) that capture semantic meaning in a high-dimensional space.
Explainability – The ability of an AI system to provide human-understandable reasons for its decisions and predictions, through techniques such as SHAP, LIME, attention maps, and counterfactual explanations. Also referred to as Explainable AI (XAI).
Feature Attribution – An interpretability method that assigns importance scores to individual input features indicating their contribution to a specific model prediction.
Federated Learning – A machine learning approach where models are trained across multiple decentralized devices holding local data samples, without exchanging the data itself.
Fine-tuning – The process of continuing to train a pre-trained model on a smaller, task-specific dataset to adapt it for a particular use case.
FIPS 140-3 – A U.S. government standard that defines security requirements for cryptographic modules, with Level 3 requiring physical tamper-resistance and identity-based authentication.
Guardrails – Constraints implemented to prevent AI systems from producing harmful, biased, or otherwise undesirable outputs.
Hallucination – A phenomenon where an AI model generates incorrect or misleading information that is not grounded in its training data, retrieved context, or factual reality.
Homoglyph – A character that visually resembles another character from a different script or encoding (e.g., Cyrillic "а" vs. Latin "a"), exploited in attacks to bypass text-based input validation.
HSM (Hardware Security Module) – A dedicated physical device that manages, processes, and stores cryptographic keys in a tamper-resistant environment.
Human-in-the-Loop (HITL) – Systems designed to require human oversight, verification, or intervention at crucial decision points.
Infrastructure as Code (IaC) – Managing and provisioning infrastructure through code instead of manual processes, enabling security scanning and consistent deployments.
Interval-Bound Propagation – A formal verification technique that propagates bounds through neural network layers to certify that model predictions are robust within specified input perturbation ranges.
Jailbreak – Techniques used to circumvent safety guardrails in AI systems, particularly in large language models, to produce prohibited content.
JWT (JSON Web Token) – A compact, self-contained token format for securely transmitting identity and authorization claims between parties, signed to ensure integrity.
k-anonymity – A privacy property where each record in a dataset is indistinguishable from at least k-1 other records with respect to certain identifying attributes.
KMS (Key Management Service) – A managed service for creating, storing, rotating, and controlling access to cryptographic keys used to protect data and artifacts.
l-diversity – A privacy property extending k-anonymity that requires each equivalence class to contain at least l distinct values for sensitive attributes, preventing attribute disclosure.
Least Privilege – The security principle of granting only the minimum necessary access rights for users and processes.
LIME (Local Interpretable Model-agnostic Explanations) – A technique to explain the predictions of any machine learning classifier by approximating it locally with an interpretable model.
Linkage Attack – An attack that combines quasi-identifiers across multiple datasets to re-identify individuals whose data was supposedly anonymized.
Machine Unlearning – Techniques to remove the influence of specific training data from a trained model, supporting data subject deletion requests and regulatory compliance.
MCP (Model Context Protocol) – A protocol that enables AI models and agents to access external tools, data sources, and resources by exchanging structured, typed requests and responses over a defined transport.
Membership Inference Attack – An attack that aims to determine whether a specific data point was used to train a machine learning model.
MIG (Multi-Instance GPU) – An NVIDIA technology that partitions a single GPU into multiple isolated instances, each with dedicated memory and compute resources for secure multi-tenant workloads.
MITRE ATLAS – Adversarial Threat Landscape for Artificial-Intelligence Systems; a knowledge base of adversarial tactics and techniques against AI systems.
Model Card – A document that provides standardized information about an AI model's performance, limitations, intended uses, and ethical considerations to promote transparency and responsible AI development.
Model Extraction – An attack where an adversary repeatedly queries a target model to create a functionally similar copy without authorization. Also referred to as model stealing or model theft.
Model Inversion – An attack that attempts to reconstruct training data by analyzing model outputs.
Model Lifecycle Management – The process of overseeing all stages of an AI model's existence, including design, development, deployment, monitoring, maintenance, and eventual retirement.
Model Poisoning – Introducing vulnerabilities or backdoors directly into a model during the training process.
mTLS (Mutual TLS) – A TLS configuration where both client and server authenticate each other using certificates, ensuring bidirectional identity verification for service-to-service communication.
Multi-agent System – A system composed of multiple interacting AI agents, each with potentially different capabilities and goals.
NFC (Normal Form Composed) – A Unicode normalization form that decomposes characters and then recomposes them into a canonical representation, used to prevent encoding-based bypass attacks.
NVLink – A high-bandwidth interconnect technology for GPU-to-GPU communication, requiring authentication and encryption in multi-tenant AI environments.
OAuth 2.1 – An authorization framework that consolidates OAuth 2.0 best practices into a single specification, used in AISVS as the required authentication mechanism for MCP clients and servers.
OIDC (OpenID Connect) – An identity layer built on OAuth 2.0 that enables clients to verify user identity based on authentication performed by an authorization server.
OPA (Open Policy Agent) – An open-source, general-purpose policy engine that evaluates authorization and admission control policies written in Rego, enabling unified policy enforcement across applications, APIs, and infrastructure.
PII (Personally Identifiable Information) – Any information that can be used to identify, contact, or locate a specific individual, either alone or combined with other data.
Policy-as-Code – The practice of defining security and compliance policies in machine-readable code that can be version-controlled, tested, and automatically enforced in CI/CD pipelines.
Privacy-Preserving Machine Learning (PPML) – Techniques and methods to train and deploy ML models while protecting the privacy of the training data.
Prompt Injection – An attack where malicious instructions are embedded in inputs to override a model's intended behavior.
RAG (Retrieval-Augmented Generation) – A technique that enhances large language models by retrieving relevant information from external knowledge sources before generating a response.
RBAC (Role-Based Access Control) – An access control model where permissions are assigned to roles rather than individual users, and users are granted access by being assigned to appropriate roles.
Red-Teaming – The practice of actively testing AI systems by simulating adversarial attacks to identify vulnerabilities.
Re-identification Risk – The probability that an individual can be identified from a supposedly anonymized dataset, measured against defined thresholds.
Remote Attestation – A mechanism by which a trusted execution environment provides cryptographic proof to a remote party that specific code is running in a genuine, unmodified TEE.
RLHF (Reinforcement Learning from Human Feedback) – A training technique where a model is fine-tuned using human preference judgments as a reward signal to improve alignment with human values and safety requirements.
SAML (Security Assertion Markup Language) – An XML-based standard for exchanging authentication and authorization data between identity providers and service providers.
SBOM (Software Bill of Materials) – A formal record containing the details and supply chain relationships of software components used in building an application. See also AI BOM for model-specific artifacts.
Secure Boot – A firmware security feature that verifies the cryptographic signature of each component in the boot chain before execution, preventing unauthorized or tampered software from loading.
Secure Multi-Party Computation (SMPC) – A cryptographic technique that enables multiple parties to jointly compute a function over their private inputs without revealing those inputs to each other.
seccomp (Secure Computing Mode) – A Linux kernel feature that restricts the system calls a process can make, used to sandbox AI workloads and reduce attack surface.
SELinux (Security-Enhanced Linux) – A Linux kernel security module that provides mandatory access controls using security policies, used to enforce fine-grained process isolation for AI workloads.
Shadow Model – A model trained by an attacker to mimic a target model's behavior, used in membership inference attacks and as a baseline for evaluating machine unlearning effectiveness.
SHAP (SHapley Additive exPlanations) – A game theoretic approach to explain the output of any machine learning model by computing the contribution of each feature to the prediction.
Side-Channel Attack – An attack that extracts information from a system through indirect observation of physical characteristics such as timing, power consumption, electromagnetic emissions, or cache behavior, rather than exploiting software vulnerabilities.
SIEM (Security Information and Event Management) – A platform that aggregates, correlates, and analyzes security event data from multiple sources to detect threats, support incident response, and satisfy compliance requirements.
SPDX (Software Package Data Exchange) – An open standard for communicating software and AI component bill of materials information, including component origin, licensing, and security references.
SSE (Server-Sent Events) – A web technology that enables a server to push real-time updates to a client over an HTTP connection, used as a transport mechanism in MCP.
Steganography – The practice of hiding data within other media (images, audio, video) in a way that is not apparent to observers, used as an attack vector to smuggle payloads past content filters.
stdio (Standard Input/Output) – A process communication mechanism using standard input, output, and error streams, used in MCP as a local-only transport restricted to single-process, same-machine communication.
Strong Authentication – Authentication that resists credential theft and replay by requiring at least two factors (knowledge, possession, inherence) and phishing-resistant mechanisms such as FIDO2/WebAuthn, certificate-based service auth, or short-lived tokens.
Supply Chain Attack – Compromising a system by targeting less-secure elements in its supply chain, such as third-party libraries, datasets, or pre-trained models.
Synthetic Data – Artificially generated data that preserves the statistical properties of real data while containing no actual individual records, used to protect privacy during model training and testing.
TEE (Trusted Execution Environment) – A hardware-isolated processing environment that provides confidentiality and integrity guarantees for code and data, protecting them from the host operating system and other tenants.
Temperature Scaling – A post-hoc calibration technique that adjusts model output confidence scores to better reflect true prediction probabilities.
TLS (Transport Layer Security) – A cryptographic protocol that provides end-to-end encryption, authentication, and integrity for data transmitted over a network. AISVS requires TLS 1.3 or later.
Tokenizer – A component that converts raw text into a sequence of tokens (subwords, words, or characters) that a language model can process as input.
TPM (Trusted Platform Module) – A dedicated hardware chip that provides cryptographic functions including secure key generation, storage, and platform integrity measurement.
Transfer Learning – A technique where a model developed for one task is reused as the starting point for a model on a second task.
Vector Database – A specialized database designed to store high-dimensional vectors (embeddings) and perform efficient similarity searches.
VRAM (Video Random Access Memory) – Memory on a GPU used to store model weights, activations, and intermediate computations during AI inference and training, requiring zeroing between tenant workloads.
Vulnerability Scanning – Automated tools that identify known security vulnerabilities in software components, including AI frameworks and dependencies.
WASM (WebAssembly) – A portable binary instruction format that enables sandboxed execution of code, used as an isolation mechanism for AI tools and plugins.
Watermarking – Techniques to embed imperceptible markers in AI-generated content or model weights to track origin, detect unauthorized copies, or identify AI-generated media.
WORM (Write-Once-Read-Many) – A storage technology that prevents modification or deletion of data after it is written, used for tamper-evident audit logs and backup protection.
Zero-Day Vulnerability – A previously unknown vulnerability that attackers can exploit before developers create and deploy a patch.
Zero-Trust – A security model that assumes no implicit trust for any user, device, or network, requiring continuous verification of identity and authorization for every access request.
Last updated