NEC Corporation: G7 Hiroshima AI Process (HAIP) Transparency Report

Risks are identified, analyzed, classified and assessed based on data flows during the AI lifecycles in line with the business models/processes. The results are integrated and mapped into the company-wide enterprise risks list, where and when necessary.

NEC Corporation (hereby, the company) has identified AI related risks at appropriate timing and recently has also been updating the latest AI risks based on the business processes. This activity involves CxOs, e.g., CRO: Chief Risk Officer and related CxOs, and executives/AI experts across division/departments. 

Red teaming: Conducting red teaming to assess model/system suitability for migration beyond the development phase.

Depending on the security levels, developers are required/recommended to conduct self-diagnose using vulnerability diagnostics and/or penetration tests delivered by internal security teams.

Independent external testing: Conducting independent external testing to assess the suitability of the models/systems for migration beyond/after the development phase. 

Regarding the third-party evaluation (independent external tests), the organization can undergo a penetration test by an in-house or by security specialist teams in the group companies who are different entitles from the project.

Quantitative Assessment Test: Metrics are adopted for quantitative risk assessment in Upstream processes, the internal documents including "Cyber Security Checklists" are used for evaluations. The evaluation before shipment, the CVSS value are adopted.

Yes

In upstream processes, the internal documents including "Cyber Security Checklists" are used for evaluations. The evaluation before shipment, the CVSS value are adopted.

A security incident escalation mechanism is in place for vulnerability reporting.

No incentive program to disclose vulnerabilities

Conducting independent external testing to assess the suitability of the models/systems. Regarding the third-party evaluation (independent external tests), the organization can undergo a penetration test by an in-house or by security specialist teams in the group companies who are different entitles from the development/migration project.

The secure development processes and the operation check mechanism are utilized in accordance with the company-wide rules/guidelines.

Regarding generative AI, vulnerability assessments and reports related to security are externally conducted.

The company has contributed to development of international standards by SDOs and best practices by industries globally. 

NEC is ranked as one of the top companies according to the number of treatises between 2000 to 2022 at prestigious conferences such as NeurIPS, ICML, ECML-PKDD, KDD, and ICDM. The company also promote participation in global AI discussions at international organizations, and participate in standards activities for international standards (ISO, IEC, ITU, etc.), regional standards, domestic standards, etc.

There are several guidelines internally to check risks and countermeasures in each business/service areas such as AI, System Integration, and products. Those requirements in the guidelines are normally operated with necessary combinations. When feedbacks and updates are made, it is shared with internal stakeholders and reflected to the guidelines on demand basis.

The Internal stakeholders are identified in each case and needs are shared across divisions/departments to cover from AI development (R&D) to sales. Risk mitigation measures are also implemented based on the above collaborations.

The processes are operated in the Research and Development (R&D) , for example; 

-possible threats are listed at each phase in the AI lifecycle,

-verification and evaluation on the existing technologies are conducted to respond to the threats,

-R&Ds are investigated to new technologies,

-Risk assessments by external parties are regularly taken, and 

-the original risk assessment methods are also developed internally.

As for the generative AI business, to identify risks, security assessments are taken by the external party and also quality assessments required by internal criteria are adopted.

Regarding the AI models, the risks identified by the external evaluation are shared with internal stakeholders in the AI model development division and business divisions, and countermeasures are consulted, by them. 

Based on "the NEC Security Policy", as a prerequisite for service provision, evaluations are conducted in secure environments with required security measures, e.g., blocking networks from outside and authenticated accesses.

The company has introduced a system to check whether AI has harmful biases, and guardrails to detect biases in AI outputs, with the cooperation of partner companies.

The company has also created a dataset to detect biases internally, and use it to inspect AI at the time of shipment.

The company protects intellectual property by understanding the intellectual property systems and precedents of each country, acquiring intellectual property rights such as patents and trademarks, managing know-how, negotiating licenses, and handling disputes such as litigation. The company also respects the intellectual property of third parties, and investigate the rights of others to ensure that the company does not infringe on their rights in the company's own business activities. Furthermore, based on the “NEC Group AI and Human Rights Principles”, the company has established internal usage rules to protect the intellectual property of others, such as copyrights.

- NEC Group AI and Human Rights Principles

https://www.nec.com/en/press/201904/images/0201-01-01.pdf

The company makes necessary implementations in accordance with the AI and human rights principles and the internal personal information protection rules and guidelines which are applied to the company-wide and all group companies. 

The company responds to the leakage of confidential or secret data in accordance with the Rules for Trade Secret Management. The company makes necessary implementations in accordance with the internal secure development guidelines. Surveys, research, and introduction studies of existing guardrail technologies to prevent leaks are also conducted.

g. Within the company, the security department is implementing measures in accordance with international frameworks such as the NIST Cyber Security Framework.

In terms of security measures in operations, cyber security measures, physical security measures, and risk hunting, appropriate security measures and secure development are implemented according to the critical level of the system based on various internal evaluation standards. 

g-i. Within the company, the security department evaluates compliance with international frameworks such as the NIST Cyber Security Framework and implements policies.It is mandated/recommended that action items from developers' self-diagnose using vulnerability diagnostics to penetration testing by internal security teams, should be performed, depending on security level.

In terms of security measures in operations, cyber security measures, physical security measures, and risk hunting, appropriate security measures and secure development are implemented according to the critical level of the system based on various internal evaluation standards. 

g-ii. Within the company, the Three Lines Model is used to manage important information, and each business owner defines important information and manages it strictly.

The company has a mechanism for detecting insider risks and monitoring information leakage channel. Through the mechanism, risky behavior including internal improprieties can be detected and visualized in order to check and prevent information leakage. Alerts are issued in case external leakage of critical information or unusual behavior.

It is mandated/recommended that action items from developers' self-diagnose using vulnerability diagnostics to penetration testing by internal security teams, should be performed, depending on security level.

In terms of security measures in operations, cyber security measures, physical security measures, and risk hunting, appropriate security measures and secure development are implemented according to the critical level of the system based on various internal evaluation standards. 

g-iii. It is mandated/recommended that action items from developers' self-diagnose using vulnerability diagnostics to penetration testing by internal security teams should be performed and identify and respond to vulnerabilities in the system. In addition, the system for collecting vulnerability information on the company's products and the customer-delivered items, and deploying patch information is internally developed and operated to perform vulnerability management

Actions are taken against the identified risks and vulnerabilities through the security incidents escalation process .

(Cooperation with other parties concerned is on a case-by-case basis)

g-iv. Internal: Vulnerability diagnostics are performed quarterly (four times/year) on servers exposed to the internet. In addition, the company's security measures are reviewed at the Information Security Strategy Meeting, which is held twice a year.

External: Penetration tests are performed at the environment construction phase and thereafter it will be performed when necessary. 

g-v. The company has a mechanism for detecting insider risks and monitoring information leakage channel. Through the mechanism, risky behavior including internal improprieties can be detected and visualized in order to check and prevent information leakage. Alerts are issued in case external leakage of critical information or unusual behavior.

Monitorings are implemented based on the internal quality guidelines.

As for the part related to general IT systems, vulnerability measures are taken on a case-by-case basis during system construction.

The company has a process for obtaining explanations and agreements with customers, and has agreed with them on this. The company also has a program for monitoring logs in the maintenance and operation support, and takes measures according to risks.

a. Corporate Policies

- NEC Group AI and Human Rights Principles

https://www.nec.com/en/press/201904/images/0201-01-01.pdf

- ESG

https://www.nec.com/en/global/sustainability/report/index.html

-Digital Trust Advisory Council

https://www.nec.com/en/global/sustainability/social/ai.html#anc-03

-AI Governance

https://www.nec.com/en/global/techrep/journal/g23/n02/230221.html

a-i. The documents are reviewed and updated when necessary. The type of annual reports, e.g., the ESG reports, are published regularly. See:

https://www.nec.com/en/global/sustainability/report/index.html  

a-ii. Update is considered when necessary or appropriate, for example, when any new significant release is needed, incorporation and/or update is considered. 

a-iii. Currently, the company publishes the corporate principles on AI and human rights and this is applicable to the company-wide including group companies. 

https://www.nec.com/en/global/sustainability/social/ai.html

The rules/guidelines for governances including AI governance and procedures are equipped, operated and updated regularly. Those documents are for internal use with confidential (Undisclosed).

It is customary for each customer providing the AI system to report and explain, and if there are any problems, to implement improvements. The content, scope and frequency of information sharing for each customer are not disclosed.

General information is shared through activities with external stakeholders including governments, industrial associations, experts communities and academia; the company actively contributes to such initiatives, e.g., member of government research institutions for the creation of machine learning quality management guideline, members of government committee by ministries, activities at the Governance Association, researching with various universities and research institutes, and participants various academic conferences. 

The company discloses and shares information regarding the use of personal data, prompts and other privacy policies with relevant parties. The information is confidential and not disclosed outside the parties.

Basically, the company does not disclose or provide the data itself, but if requested by a customer or other party, the company will provide the information appropriately in response to the request.

The company has a mechanism to report and explain to each customer that we provide, and if there is a problem, it will be improved. It is not specifically focusing on transparency related AI systems, but also include other elements. Regarding the AI system specific part, collaborations with external parties are being considered.

AI risks are managed based on the following AI governance principles in addition to the internal rules/guidelines (nondisclosure: confidential) :

https://www.nec.com/en/global/techrep/journal/g23/n02/230221.html

AI and human rights principles

https://www.nec.com/en/global/sustainability/social/ai.html

The company currently reviews and updates AI risks and AI governance accordingly to support generative AI and the latest AI business environment. 

The company reviews and considers update policies/principles and related rules/guidelines regularly and at necessary timing, e.g., when new threats are recognized due to the evolution of technologies or changes by social environments.

As an example, the policies on image generation services was updated due to getting possible higher risks of piracy and other copyright infringement than traditional text generation.

Various web-based and individual training programs exist for internal and company-wide personnel including all employees.

Same as "Section 3.a".

(Corporate Policies

- NEC Group AI and Human Rights Principles

 https://www.nec.com/en/press/201904/images/0201-01-01.pdf

- ESG

 https://www.nec.com/en/global/sustainability/report/index.html

-Digital Trust Advisory Council

 https://www.nec.com/en/global/sustainability/social/ai.html#anc-03

-AI Governance

 https://www.nec.com/en/global/techrep/journal/g23/n02/230221.html)

In addition, the explanatory leaflets for customers on "the NEC Group AI and Human Rights Principle" are prepared and provided to each related project so that the principles and practices can be shared with customers. 

Procedures are documented and maintained internally with regard to the security incident escalation rules as answered in Section 1.e.

It is customary for each customer providing AI systems to report and explain problems and make improvements if there are any.

It is customary for each customer providing AI systems to report and explain problems and make improvements if there are any. Not publicly shared.

The company collaborate with domestic and global NEC Group research institutes including R&D division, Labs around the world, to address and mitigate AI related risks. The research details and best practices are shared and published as internal and technical reports. 

Adopted examples are (not limited to): 

best practices in collaboration with third parties of international standards and the perspective of globally recognised standards such as OWASP.

EULA (End User License Agreement) is prepared for each AI model and AI system.

For the business perspective, the company's business are basically B2B. It is assumed that the generated contents are explained to the company's customers in advance. 

Adopted examples are (not limited to): 

best practices in collaboration with third parties of international standards and the perspective of globally recognised standards such as OWASP.

In R&D, researches are on-going at the areas of, but not limited to:  

-test data and experimental programs for bias detection and fairness, 

-false information detection systems, and

-the systems to ensure explainability and interpretability based on the identification of hallucination points by checking with the original text are being carried out.

The company invests technologies on misinformation output detection, fact checking, AI output content detection, etc. at in-house global laboratories has been researching by laboratories at the global scale and level . 

Yes.

Examples are:

i.　Support for democratic values and respect for human rights

Ethical/Bias Risk Assessment Dataset Development

ii.　Protection of children and vulnerable groups

Ethical/Bias Risk Assessment Dataset Development

iii.　protection of intellectual property rights

AI output content detection

iv.　protection of privacy

Personal information secrecy and privacy protection technology

v.　Avoidance of harmful bias

Development of Ethical/Bias Risk Assessment Data Sets

vi.　Avoiding false alarms, disinformation, and information manipulation

Fact-checking support and misinformation output detection

Yes.

Examples are:

i.　Support for democratic values and respect for human rights

Ethical/Bias Risk Assessment Dataset Development

ii.　Protection of children and vulnerable groups

Ethical/Bias Risk Assessment Dataset Development

iii.　protection of intellectual property rights

AI output content detection

iv.　protection of privacy

Personal information secrecy and privacy protection technology

v.　Avoidance of harmful bias

Development of Ethical/Bias Risk Assessment Data Sets

vi.　Avoiding false alarms, disinformation, and information manipulation

Fact-checking support and misinformation output detection

Yes.

Examples are:

i.　Support for democratic values and respect for human rights

Ethical/Bias Risk Assessment Dataset Development

ii.　Protection of children and vulnerable groups

Ethical/Bias Risk Assessment Dataset Development

iii.　protection of intellectual property rights

AI output content detection

iv.　protection of privacy

Personal information secrecy and privacy protection technology

v.　Avoidance of harmful bias

Development of Ethical/Bias Risk Assessment Data Sets

vi.　Avoiding false alarms, disinformation, and information manipulation

Fact-checking support and misinformation output detection

Yes.

The company provide various corporate-wide education programs for AI and LLM to raise literacy levels. 

"NEC Academy" provides training service externally in specialized areas including highly professional areas. Measures for literacy improvement are also provided and implemented in the industry-academia collaboration program.  

The company takes actions and contributes to achieve SDGs. Please see:

https://www.nec.com/en/global/sdgs/index.html

In generative AI, the company has developed and provides models with lightweight configurations that take environmental impacts into account considering decarbonization.

The company promotes collaboration with internal and external stakeholders, such as the Japan Data Scientist Society, the AI Governance Association, public-private dialogues led by Ministries (the government) , Universities, and taking leadership position for those initiatives.

Advisory board meetings with external multi-stakeholders professionals are also arranged, e.g., Digital Trust Advisory Council.

https://www.nec.com/en/global/sustainability/social/ai.html