The primary consideration for managing liabilities from agentic AI's unforeseen behavior is establishing a robust accountability model. This model defines and assigns responsibility for the AI's decisions and outcomes throughout its lifecycle. When an autonomous system acts in an unexpected way, a clear accountability framework is essential for determining legal and ethical responsibility, guiding incident response, and addressing potential harm. It provides the foundational governance structure for managing the specific risk of liability.

A. Model dependencies are a technical aspect of an AI system's architecture; while important for operational risk, they do not primarily address the legal framework for liability.

B. Using approved base models is a risk mitigation control, but it does not eliminate the possibility of unforeseen behavior or define who is liable when it occurs.

D. An acceptable risk level is a strategic business decision that sets the threshold for risk tolerance, but it is not the mechanism for managing liability when that threshold is breached.

1. ISACA

Auditing Artificial Intelligence

2023: Chapter 2

"AI Governance

" emphasizes that a key principle of AI governance is accountability. It states

"Accountability for AI systems should be established

with clear roles and responsibilities for the development

deployment

and ongoing monitoring of AI systems." This directly links accountability models to the management of AI systems and their outcomes.

2. National Institute of Standards and Technology (NIST)

AI Risk Management Framework (AI RMF 1.0)

January 2023: The "Govern" function is foundational to the framework. Section 3.1

GOVERN-1

highlights the need to establish "policies

processes

procedures

and practices for AI risk management

including roles

responsibilities

authorities

and lines of communication." This establishes an accountability structure as a primary step in managing AI risk

including liabilities.

3. Stanford University Human-Centered AI (HAI)

An Action Plan for Advancing Trustworthy AI

2023: The report repeatedly stresses the importance of accountability mechanisms. On page 10

it calls for "clear accountability mechanisms to ensure that there is recourse and redress when AI systems cause harm

" identifying this as a critical component for building trustworthy AI and managing its societal impact

including liability.

The most effective and proactive strategy to mitigate the risk of deepfake attacks is to validate the provenance of the data source. Data provenance involves establishing and verifying the origin, history, and chain of custody of a digital asset (e.g., video, audio, image). By using techniques like cryptographic signatures, digital watermarking, or blockchain-based ledgers, an organization can confirm that the media has not been tampered with and originates from a trusted source. This approach addresses the core issue of authenticity, making it a more fundamental and reliable control than reactive detection methods or fallible human judgment.

A. Relying on human judgment for oversight: Humans are notoriously unreliable at detecting sophisticated deepfakes, as these are specifically designed to deceive human perception. This makes human judgment a weak primary control.

B. Limiting employee access to AI tools: This is an internal control that does not prevent externally generated deepfake attacks, which are a common threat vector (e.g., a phishing email with a deepfaked video).

D. Using a general-purpose large language model (LLM) to detect fraud: General-purpose LLMs are designed for text-based tasks and are not the appropriate tool for analyzing the complex visual or audio artifacts characteristic of deepfakes.

1. ISACA

Artificial Intelligence Audit Toolkit

2023. The toolkit emphasizes the importance of data integrity and governance as foundational controls for AI systems. In the section on AI-specific risks

it discusses the need for controls that ensure the authenticity and integrity of data inputs

which directly relates to validating provenance to counter threats like deepfakes. (Reference to Data Integrity and Input Validation controls).

2. Guera

D.

& Delp

E. J. (2018). "Deepfake Video Detection Using Recurrent Neural Networks." 2018 15th IEEE International Conference on Advanced Video and Signal Based Surveillance (AVSS). While focusing on detection

the paper's context highlights the challenges and the "arms race" between generation and detection

implicitly supporting the need for more fundamental solutions like provenance. The limitations of detection underscore the superiority of proactive authentication. (DOI: 10.1109/AVSS.2018.8639163).

3. MIT Computer Science and Artificial Intelligence Laboratory (CSAIL)

"Detecting Photoshopped and Fake Images." Research from MIT and other institutions consistently points to the difficulty of detection and the value of source verification. Course materials on media forensics often present provenance as a more robust solution than post-facto detection. (Reference to general principles taught in courses like MIT's 6.869 Advances in Computer Vision).

The primary goal of a red-teaming exercise for generative AI, particularly during penetration testing, is to proactively identify and understand potential failures and vulnerabilities. This is achieved by simulating adversarial attacks. Testers craft specific adversarial inputs designed to bypass safety filters or exploit weaknesses in the model's logic, thereby causing it to generate unexpected, harmful, biased, or otherwise unintended outputs. This process directly evaluates the model's resilience against malicious use and helps developers implement more robust safeguards.

B. Stress test the model’s decision-making process: Stress testing primarily evaluates system performance and stability under high load or resource constraints, which is distinct from a security-focused red-teaming goal of finding behavioral exploits.

C. Degrade the model’s performance for existing use cases: While an attack might result in performance degradation, the red team's objective is to discover the vulnerability that enables such an attack, not simply to cause the degradation itself.

D. Replace the model’s outputs with entirely random content: This is too specific and narrow. The goal is to elicit a wide range of unintended behaviors, including harmful, biased, or private information, not just to generate random outputs.

1. National Institute of Standards and Technology (NIST). (2023). AI Risk Management Framework (AI RMF 1.0).

Reference: Page 31

Section 4.3.3

"Test

Evaluation

Verification

and Validation (TEVV)." The framework states that TEVV includes "red-teaming to search for vulnerabilities and to discover whether the system can be used in unintended ways." This aligns with generating unexpected outputs from adversarial inputs.

2. Perez

E.

et al. (2022). Red Teaming Language Models to Reduce Harms: Methods

Scaling Behaviors

and Lessons Learned. arXiv preprint arXiv:2209.07858.

Reference: Section 2

"Red Teaming Methods." The paper

authored by researchers from Google

DeepMind

and affiliated universities

explicitly defines red teaming as "the practice of adversarially testing a model to find inputs that elicit harmful or otherwise undesirable outputs." This directly supports option A. (DOI not available for this version

but it is a foundational academic paper in the field).

3. MITRE. (2023). MITRE ATLAS™ (Adversarial Threat Landscape for Artificial-Intelligence Systems).

Reference: Technique: ML04-T1059

"Prompt Injection." The ATLAS framework details how adversaries "craft malicious inputs to manipulate a language model into generating unintended outputs." This is a core tactic used in red-teaming and penetration testing of generative AI.

In high-stakes applications like credit risk assessment, ensuring ethical decision-making is paramount. The "human-in-the-loop" (HITL) approach, where the AI system provides advisory outputs and a human expert makes the final decision, is the highest priority. This design embeds accountability and allows for contextual judgment that an AI model cannot replicate. A human expert can override potentially biased or unfair automated recommendations, providing a critical safeguard against algorithmic discrimination and ensuring that decisions are both explainable and ethically sound. This approach directly addresses the core requirement of preventing bias at the point of decision.

A. Regularly updating the model is a standard practice for maintaining performance, but it does not inherently address ethical concerns or bias. New data can perpetuate or even introduce new biases.

B. An appeal mechanism is a crucial reactive control for redress after a decision is made, but it is not a preventative measure integrated into the initial decision-making process itself.

D. Restricting the model to "objective" financial metrics is a flawed strategy, as these metrics can act as proxies for protected characteristics (e.g., zip code correlating with race), leading to systemic bias.

1. ISACA

Artificial Intelligence Audit Framework

2023. In the section on AI Governance and Risk Management

the framework emphasizes the need for human oversight

especially for high-risk AI systems. It states

"For high-risk AI systems

human oversight should be in place to allow for human intervention to prevent or minimize harm... The final decision is made by a human." (Domain 1: AI Governance

Section 1.3 Human Oversight and Involvement).

2. High-Level Expert Group on Artificial Intelligence

Ethics Guidelines for Trustworthy AI

European Commission

2019. This foundational document lists "Human agency and oversight" as one of the seven key requirements for trustworthy AI. It specifies that for critical decisions

the system should support human autonomy

with the final determination left to a human. It recommends "human-in-the-loop (HITL)" approaches for high-stakes domains. (Chapter II

Page 14).

3. Barocas

S.

& Selbst

A. D.

"Big Data's Disparate Impact

" California Law Review

Vol. 104

2016. This academic paper explains how seemingly neutral or "objective" criteria can function as proxies for protected classes

leading to discriminatory outcomes. It demonstrates why simply restricting data inputs (as suggested in option D) is insufficient to prevent bias. (Section II.A. The Problem of Proxies

pp. 679-685). DOI: https://doi.org/10.15779/Z38G655.

Fine-tuning is a process that adapts a pre-trained foundational model to a specific, narrower domain by continuing the training process on a smaller, curated, and high-quality dataset relevant to the organization. This technique "grounds" the model in the organization's specific context and factual data. By constraining the model's knowledge to this trusted information, it directly reduces the likelihood of it generating fabricated or nonsensical information (hallucinations) when answering user queries. It is the most direct technical control listed for mitigating this specific risk.

A. Performing model testing and validation is a detective control that identifies the presence and frequency of hallucinations but does not, by itself, mitigate or prevent them.

B. Training the foundational model on large data sets is what creates the base model. This broad, uncurated training is often a source of hallucinations, not a specific mitigation for a deployed application.

C. Ensuring model developers have been trained in AI risk is a procedural and preventative control. While important for governance, it does not directly alter the model's output or reduce hallucinations.

1. ISACA

Generative AI: A Practical Audit Approach

2023: In the section "Key Risks and Controls for Generative AI

" the risk of "Inaccurate or Fabricated Information (Hallucinations)" is discussed. A key control mentioned is to "Fine-tune with domain-specific data...to help ground the model in a specific context

reducing the likelihood of generating irrelevant or fabricated information." (Page 11

Table 1).

2. Stanford University

Center for Research on Foundation Models (CRFM)

On the Opportunities and Risks of Foundation Models

2021: The report explains that fine-tuning (referred to as adaptation) is a primary method for specializing a foundation model for downstream tasks. This specialization improves performance and alignment with desired behaviors

such as factuality. (Section 4.2

"Adaptation

" pp. 85-87).

3. Zhang

Y.

et al.

A Survey on Hallucination in Large Language Models: Principles

Taxonomy

and Mitigation

ACM Computing Surveys

2024: This peer-reviewed academic survey categorizes mitigation strategies. It places fine-tuning under "Model-based" mitigation techniques

describing it as a method to align the model's knowledge with factual data sources

thereby directly reducing knowledge-based hallucinations. (Section 5.2.2

"Supervised Fine-tuning"). DOI: https://doi.org/10.1145/3626428