Education & Guidance (EG)

Data Domain - HAIAMM v3.0


Practice Overview

Objective: Build the AI-assurance data-handler literacy every engineer and data scientist touching AI/HAI data assets needs and the practitioner skills the smaller population performing lineage verification, classification review, DPIA composition, and data-flow security review must have, with shadow-data-in-AI awareness as the primary L1 cultural outcome.

Description: EG-Data covers two audiences. The first is the entire data-handler workforce, engineers, data scientists, ML platform engineers, and analysts who touch any of the seven AI/HAI data archetypes (training corpora, inference input streams, retrieval stores, prompt/completion log corpora, embedding stores, fine-tuning datasets, evaluation/test sets), they need data-assurance literacy: what the AI data lifecycle is, how the seven HAI TTPs manifest in data (training-data poisoning, training-data leakage, retrieval-poisoning, embedding inversion, prompt injection via retrieved documents), what the AI Data Use Policy requires, and what a correct Data Intake / Sanction Gate submission looks like. The second is the practitioner population, data stewards, DPOs and their delegates, AppSec/AI safety reviewers performing data-flow security reviews, who need deep skills covering lineage verification, classification scanning, consent-basis verification (GDPR Arts. 6/9), DPIA composition (Art. 35), opt-out enforcement, training-data canary insertion, embedding-store retention and inversion defense, and retrieval-source classification propagation.

Context: AI-specific data vulnerabilities are not covered by classic data-governance curricula. A data engineer who has taken a GDPR awareness course knows about lawful basis for classical database processing but will not recognize that fine-tuning a model on customer support transcripts requires an Art. 6 compatibility assessment, a DPIA, and a no-train confirmation with the inference provider. An ML engineer pulling records from a production database into a training corpus does not know that they may be creating an embedding store where user data is invertible, exposing it to GDPR Art. 15/16/17 subject-access obligations the org is not prepared to meet. A retrieval store populated from unclassified SharePoint content can be the injection vector for an AGH attack against a production RAG pipeline. These risks are not in classic data-governance training, they require AI-data-specific education targeted at the people who handle the seven archetypes. Without it, shadow data in AI accumulates through routine engineering decisions, regulated data flows into training without consent review, and retrieval stores introduce data-class exposure that nobody intended. L1 EG-Data ships the minimum viable literacy for everyone who touches AI data and the minimum viable practitioner track for those who review it. L2 extends into scenario-based reviewer training and product-line-specific tracks. L3 externalizes the curriculum.


Maturity Level 1

Objective: Deliver foundational data-assurance literacy to ≥95% of the data-handler workforce and role-based practitioner training to 100% of the reviewer population, with an active shadow-data-in-AI awareness campaign

At this level, the organization ensures that every person who touches AI/HAI data assets can identify AI-specific data risks, navigate the program's policies and sanction gate, and recognize when to escalate, and that the practitioner population can perform consistent lineage verification, classification review, DPIA scoping, and data-flow security review.

Dependencies

  • PC-Data L1 (required): the three priority policies (AI Data Use Policy, Data Acceptable Use Policy (AI), Data Intake / Sanction Gate) and the priority compliance map are the primary teaching object, training without published policies is hollow. EG-Data L1 cannot precede PC-Data L1.
  • SM-Data L1 (required): the AI/HAI data inventory and archetype taxonomy define what the training is about and which archetypes the workforce will encounter.
  • Alignment (not a hard dependency): enterprise LMS and existing data-governance or privacy-awareness program, extend rather than duplicate; engineering and data-science all-hands cadence for the shadow-data-in-AI campaign launch.
  • Supports / unblocks: every downstream Data-domain practice, reviewers who cannot distinguish a training corpus from a retrieval store will not produce useful threat models (TA), requirements (SR), design reviews (DR), implementation reviews (IR), or security tests (ST).

Desired Outcomes

  • Any engineer or data scientist handling AI data can name the seven archetypes, cite the two or three AI Data Use Policy rules most relevant to their work, describe one data-specific HAI TTP relevant to their archetype (e.g., retrieval-poisoning for retrieval-store owners, training-data leakage for fine-tuning dataset owners), and submit a sanction-gate intake or disclose prior unsanctioned use in under 5 minutes.
  • The practitioner population (data stewards, DPOs, AppSec/AI safety reviewers) produces consistent, evidence-backed reviews, two practitioners independently reviewing the same training-corpus intake arrive at the same classification label, the same DPIA trigger determination, and the same SR gap list.
  • Shadow-data-in-AI disclosures increase in the first two quarters after the campaign launches (awareness working), then decrease as the sanctioned-archetype program grows (adoption working).
  • GDPR and EU AI Act Art. 10 obligations for AI data are not abstract, every reviewer can map a training corpus to the legal-basis requirement, the DPIA trigger assessment, and the retention obligation it creates.
  • Training content is owned, dated, and updated within 30 days of any change to the AI Data Use Policy, Data AUP, sanction-gate checklist, archetype list, or priority compliance map.

Activities

A) Ship data-handler workforce AI-data-assurance literacy training

A single short course (≤20 minutes) every engineer, data scientist, ML platform engineer, and analyst takes on hire and refreshes annually, tied to the AI Data AUP attestation from PC-Data L1. This is not a comprehensive data-governance course, it is the minimum AI-data-assurance literacy needed to participate in the AI/HAI Data Assurance program without creating compliance exposure.

Content (minimum): - The seven AI/HAI data archetypes, training corpus, inference input stream, retrieval store, prompt/completion log corpus, embedding store, fine-tuning dataset, evaluation/test set. Concrete examples from the org's own inventory for each. What makes each archetype distinct in terms of risk and governance requirement. - The AI data lifecycle, how data flows from source to training corpus to model to inference input to prompt/completion log to eval set; where each HAI TTP can enter; what governance gate applies at each transition. - The HAI TTPs as they apply to data, in plain language: - Training-data poisoning (TM): malicious or corrupted data injected into a training corpus or fine-tuning dataset corrupts model behavior. - Training-data leakage (TM): content from the training corpus or fine-tuning dataset surfaces in model outputs, exposing confidential or PII content. - Retrieval-poisoning (AGH): a malicious document in a retrieval store is returned as context, hijacking the model's goal. - Embedding inversion (TM): embeddings in an embedding store are invertible to recover approximately the original text, including PII. - Prompt injection via retrieved documents (AGH): an attacker embeds instructions in a document that a retrieval store returns as context, redirecting the model's response. One concrete data-handling example per TTP matched to the relevant archetype. - The AI Data Use Policy in five rules, permitted data classes per archetype, prohibited flows without named approval, consent-basis requirement before personal data enters training, cross-border-transfer restriction, disclosure obligation to the inventory. - The sanction-gate, how to submit intake, what the per-archetype artifacts checklist requires, what "provisional approval" means, and how the amnesty path works. - Before-you-use decision aid, a 10-second check: is this data source in the inventory? Is this data class permitted for this archetype? Does this use require gate approval before I connect or start a training run?

Delivery: LMS module + 1-page reference card pinned in engineering and data-science Slack/Teams channels + brief at all-hands when the program launches. No role gating, every data-handler takes the same workforce-level module.

B) Deliver role-based practitioner training for the reviewer population

A deeper module (~2.5 hours) for the practitioner population only: data stewards performing classification and lineage review, DPOs and their delegates performing DPIA composition and consent-basis verification, and AppSec/AI safety reviewers performing data-flow security reviews for DR and IR. Completion is a prerequisite to approving sanction-gate intakes, not optional.

Content (minimum): - Lineage verification in depth, how to trace a data asset from source to AI consumption; what constitutes a verifiable provenance record vs. a claimed one; how to identify gaps (undocumented transformations, unmaintained catalog entries, pipeline changes that bypass the lineage record); hands-on with data-catalog query patterns (Atlan, Collibra, DataHub, Unity Catalog, MLflow lineage APIs). - Classification scanning and label propagation, how classification scanners (Amazon Macie, BigID, Microsoft Purview) work and what they miss; how to read a scanner report and identify regulated data classes; classification-label propagation rules (Critical label on a source document propagates to the embedding, the retrieval index, and the fine-tuning dataset derived from it); hands-on with scanner output for sample datasets. - Consent-basis verification (GDPR Arts. 6 and 9), the six Art. 6 lawful bases and how each applies to AI training and inference: legitimate interests assessment for training data; processing necessity for inference; consent validity for fine-tuning on user-generated content. Art. 9 special-category data: prohibition default, the eight Art. 9(2) exceptions, practical verification that the exception applies before approving a training-corpus intake containing health, biometric, or political-opinion data. - DPIA composition (GDPR Art. 35), when a DPIA is mandatory (large-scale processing of personal data, systematic evaluation of data subjects, special-category data, all common in AI training); how to scope a DPIA for a training corpus or retrieval store; the six DPIA sections (description of processing, necessity and proportionality, risk assessment, risk controls, DPO consultation, residual-risk acceptance); how to use the org's DPIA template; how to identify when a DPIA finding requires architectural change (data minimization, de-identification) vs. when residual risk can be accepted. - Opt-out and deletion enforcement, right-to-erasure (Art. 17) for data subjects whose data is in a training corpus, retrieval store, or embedding store; how deletion propagates (or fails to propagate) from a source database to a derived embedding; how to assess a data asset's deletion capability at gate review; when re-training or re-indexing is required. - Training-data canary insertion, how to insert a unique, distinctive, fictitious record into a training corpus or fine-tuning dataset such that if it appears in model output it reveals training-data leakage; how to design canaries that are recognizable but not useful to an adversary; how to track canary status in the data asset's inventory record. - Embedding-store retention and inversion defense, why embeddings are not anonymous (semantic similarity plus inversion attacks can reconstruct approximate original text); which embedding models have documented inversion risk; retention-limit enforcement for embedding stores; when a new embedding model generation warrants re-evaluation of inversion risk; access-control patterns for embedding stores containing regulated data. - Retrieval-source classification propagation, how to assess whether a retrieval store's source documents have been classified and whether the classification labels are propagated to the retrieval index; why an unclassified retrieval store used by a Critical-tier RAG pipeline is a Critical-tier data asset regardless of how the documents were originally classified; how retrieval-poisoning (AGH) enters through an inadequately reviewed retrieval source. - Priority compliance map in practice, given a data archetype and a data class, which requirements from PC-Data's map apply; where the evidence lives in the gate record; what an auditor will ask for; how to complete the Art. 30 record entry for a training corpus. - Calibration exercise, three sample data-asset intakes (e.g., a fine-tuning dataset built from customer support transcripts, a retrieval store indexed from internal SharePoint, a prompt/completion log corpus from a customer-facing chatbot) scored independently by each practitioner; facilitated debrief on classification label, DPIA trigger determination, and SR gap list.

Delivery: instructor-led or recorded workshop + role-specific reference job aids (one per archetype: "what to look for in a [training corpus / retrieval store / fine-tuning dataset / prompt-completion log corpus] intake") + quarterly calibration session. Completion gated on sanction-gate-approval permissions.

C) Run the shadow-data-in-AI awareness campaign

An always-on communications program making it visible when data flows to AI without governance and easy to surface it for intake. L1 target is a sustainable, lightweight cadence.

Campaign elements: - Launch moment, executive sponsor message naming shadow data in AI, announcing the amnesty window, and publishing the sanctioned-archetype catalog. Explicit framing: the program is an enabler (fast-track for Low-tier public data) not a blocker. - Recurring short content, monthly one-paragraph pieces: new data source approved and available in the inventory, a fast-track win (intake to provisional approval in 3 BD for a Low-tier retrieval store), an anonymized example of a data-specific TTP caught during intake review (training-data leakage canary triggered, retrieval store containing unclassified customer data caught before RAG deployment), an external incident reframed as "what would we find if we checked our own inventory?". - "Is this AI data?" series, periodic call-outs of AI data assets silently accumulating without governance: prompt/completion log corpora growing in object storage, fine-tuning datasets assembled from ad-hoc Jupyter notebooks, retrieval store indexes built from unclassified SharePoint exports. - Amnesty visibility, the path to disclose prior ungoverned AI data assets is linked from the Data AUP, the intake form, and the engineering/data-science team channel pins. Amnesty is prominent, not buried. - Feedback channel, a visible channel for data handlers to nominate new data sources or archetype patterns for the sanctioned catalog; nomination is triaged and acknowledged within 5 BD. - DPO and data-steward micro-content, short explainers for teams creating training corpora or retrieval stores: what Art. 10 data-governance evidence the org must maintain, what the DPIA trigger assessment requires, what deletion capability the data asset must demonstrate.

Measurement: campaign channel links tagged so attribution of intake submissions and amnesty disclosures to campaign touchpoints is tracked.

Outcome Metrics (L1)

Metric Baseline L1 Target Source
% data-handler workforce with current-year AI-data-assurance literacy completion measure ≥95% LMS / HR attestation
% sanction-gate reviewers with completed practitioner training measure 100% LMS + gate-approval permissions
Reviewer calibration drift (avg classification-label and DPIA-trigger-determination delta across reviewers on shared samples) measure ≤1 classification-tier step and ≤1 DPIA trigger disagreement per sample Quarterly calibration exercise
Shadow-data-in-AI disclosures per quarter (amnesty path) measure rises Q1–Q2, then trends down Intake queue tagged "amnesty"
Intake submissions attributable to campaign channels measure ≥30% of net-new intakes Tagged campaign URLs / form referrer

Process Metrics (leading)

  • Workforce training content reviewed quarterly; updated within 30 days of any change to the AI Data Use Policy, Data AUP, archetype list, or priority compliance map.
  • New-hire coverage SLA, AI-data-assurance literacy completed within 30 days of start.
  • Reviewer calibration cadence, at least once per quarter; drift trends reported to the program sponsor.
  • Campaign content cadence, at least one piece of shadow-data-in-AI content published per month.

Effectiveness Metrics (business value)

  • Reviewer throughput, sanction-gate intakes closed per reviewer per week should rise after practitioner training lands without sacrificing calibration quality.
  • Sanctioned-archetype adoption, % of new AI data assets using a sanctioned lineage or governance pattern vs. an ad-hoc one; rising reuse signals literacy plus catalog together reducing shadow data.
  • Avoided-incident stories, documented cases where practitioner training enabled a reviewer to catch a training-data leakage risk, a retrieval-poisoning vector, or an Art. 9 special-category-data violation at intake that would otherwise have shipped.

Success Criteria

  • Workforce AI-data-assurance literacy module launched; ≥95% current-year completion sustained.
  • Practitioner training launched, completion gated on gate-approval permissions, and calibration drift inside target for two consecutive quarters.
  • Shadow-data-in-AI awareness campaign running with at least monthly content cadence and measurable attribution of intake submissions and amnesty disclosures to campaign channels.
  • DPO and data-steward micro-content deployed for every Critical or High AI data archetype active in the inventory.
  • Training content owner named; content updated within 30 days of any change to the policies, archetype list, or compliance map.

Maturity Level 2

Objective: Deepen practitioner skill through scenario-based training from real intake cases, deliver product-line-specific data-handler tracks calibrated to SM-Data L2 risk tiers, and run seasonal shadow-data-in-AI campaigns tied to model-release and data-refresh cycles

At this level, training stops being one-size-fits-all. Reviewer skill deepens through scenario-based exercises built from anonymized real intakes from the org's own queue. Data-handler tracks align to the archetypes specific product lines actually use, clinical AI teams get a PHI-and-DPIA track, fintech AI teams get a PCI/FINRA track, developer-tool AI teams get a code-corpus track. Shadow-data-in-AI campaigns become behavior-driven and seasonal.

Dependencies

  • EG-Data L1 (required): workforce literacy and base practitioner training must be in place.
  • SM-Data L2 (required): the risk-tier rubric defines which archetypes go to which reviewer track depth and at what cadence.
  • TA-Data L2 (required for Critical-tier scenarios): per-asset deep threat models provide the scenario source material for Critical-tier reviewer exercises.
  • Supports / unblocks: PC-Data L2 (tier-calibrated reviewers enforce DPIA gates and tier-specific sign-off requirements); SA-Data L2 (data-handler track trainees learn the reference patterns they will implement and defend in DR); DR-Data L2 (scenario-trained reviewers produce faster, more consistent DR decisions).

Desired Outcomes

  • Reviewer calibration on Critical-tier intake scenarios is visibly tighter than at L1, the practitioner investment is measurable.
  • Product-line data-handler teams (clinical AI, fintech AI, developer-tool AI, consumer AI) can independently identify the data-specific HAI TTPs relevant to their archetype exposure and defend their data-sourcing decisions in a DR.
  • Shadow-data-in-AI campaigns run on a behavior-driven, seasonal cadence (model-release windows, new data-refresh cycles, post-external-incident moments) with pre-measured behavior targets and post-campaign measurement.
  • Training content refreshes monthly from program telemetry, real calibration drifts, real intake anomalies, real near-incidents, not from annual curriculum reviews.

Activities

A) Scenario-based reviewer training from real intakes

  • Scenario library built from anonymized real intakes from the org's own queue: each scenario includes the as-submitted data-asset description, the original reviewer decisions (classification label, DPIA trigger determination, SR gaps), any reviewer disagreement, and the resolved outcome after calibration or post-launch review.
  • Scenarios organized per archetype (training-corpus scenarios, retrieval-store scenarios, fine-tuning-dataset scenarios, embedding-store scenarios, prompt/completion-log-corpus scenarios) and per TTP cluster (training-data poisoning, training-data leakage, retrieval-poisoning, embedding inversion, prompt injection via retrieved documents).
  • Paired calibration exercises: two reviewers independently score the same scenario; instructor-facilitated debrief on classification-label delta, DPIA-trigger-determination delta, and SR gap list differences.
  • Tier-weighted curriculum: Critical-tier training-corpus and fine-tuning-dataset scenarios (PII-bearing, cross-border, special-category) dominate the advanced modules; Medium/Low scenarios streamlined to fast-track calibration.
  • Capstone: practitioners graduate the advanced module by running three live intakes end-to-end with a senior-reviewer shadow and producing a passing classification record, lineage review, and DPIA scoping note.

B) Product-line-specific data-handler tracks

Distinct training tracks for data-handler teams in specific product lines, built on the SM-Data L2 tier rubric: - Clinical AI track, training corpora containing PHI; HIPAA minimum-necessary assessment; GDPR Art. 9 health-data basis (Art. 9(2)(h) or explicit consent); DPIA composition for clinical training data; BAA verification; de-identification standards and re-identification risk; retrieval stores containing clinical notes (retrieval-poisoning risk in a clinical RAG pipeline); embedding-store inversion risk for medical records. - Fintech AI track, training corpora containing PCI cardholder data; PCI-DSS 3.4 controls for model-input data; FINRA/SEC model-input retention obligations; GDPR Art. 6 lawful basis for financial data at inference; retrieval stores containing customer financial data (classification propagation and access controls); prompt/completion log retention for regulatory record-keeping. - Developer-tool AI track, training corpora containing source code (customer IP, trade secrets); fine-tuning datasets from code repositories (lineage verification, license compatibility); retrieval stores indexed from internal codebases (code-leakage risk via retrieval-poisoning AGH); embedding stores of code (inversion and IP-exposure risk); prompt/completion log corpora from coding assistant sessions (retention and secondary-use restriction). - Consumer AI track, inference input streams with end-user personal data; consent-basis verification for logged interactions; opt-out enforcement and right-to-erasure in prompt/completion log corpora; GDPR Art. 22 automated-decisioning safeguards for consumer-facing inference; cross-border transfer risk for global user bases. - Each track paired with the SA reference pattern for the relevant archetype, the training teaches the "green path" the team will implement and defend in DR. - Required for any team owning a Critical or High-tier data asset in the applicable product line; target ≥1 trained practitioner per data asset.

C) Seasonal, behavior-driven shadow-data-in-AI campaigns

  • Campaigns tied to observed shadow-data-in-AI risk windows: model-release windows (sprint-to-ship pressure leads to ad-hoc training-data pulls without gate passage), data-refresh cycles (quarterly training updates that bypass lineage review), post-external-incident moments (a public training-data leakage or retrieval-poisoning incident creates a teachable window), hiring surges (new engineers and data scientists arrive with pre-existing habits).
  • Each campaign has a pre-measured behavior target (e.g., "reduce ungated fine-tuning dataset uploads by 50% in Q3," "increase retrieval-store intake submissions before model deployment by 30%") and a post-campaign measurement.
  • Amnesty windows run alongside campaigns; disclosure volume and source attributed to campaign channels.
  • Campaign effectiveness reviewed by the program sponsor; campaigns missing behavior targets by >20% are redesigned.

Outcome Metrics (L2)

Metric Baseline L2 Target Source
Reviewer calibration drift on Critical-tier scenarios measure ≤1 classification-tier step and ≤0 DPIA trigger disagreements per sample Quarterly calibration exercise
% Critical/High-tier data assets with ≥1 team member trained on the applicable product-line track measure 100% LMS × SM-Data inventory
Shadow-data-in-AI campaign behavior-target achievement rate measure ≥70% of campaigns hit behavior target Campaign post-measurement
% training content refreshed in last 90 days measure ≥80% Content change log
% workforce literacy completion maintained measure ≥95% LMS

Process Metrics (leading)

  • Scenario library freshness, scenarios reviewed quarterly; retired when intake patterns make them obsolete.
  • Product-line training attendance tracked per data asset in the inventory monthly.
  • Campaign pipeline, always ≥1 campaign in-flight tied to a measurable behavior target.
  • Calibration debrief findings routed back to the scenario library within 30 days.

Effectiveness Metrics (business value)

  • Reduction in sanction-gate submissions missing classification labels or DPIA trigger assessments at first submission (caught earlier as reviewer skill rises).
  • Product-line-trained teams' data assets require fewer gate re-submissions vs. untrained teams.
  • Sanctioned-archetype data-source reuse rate for trained product lines rises vs. control group.

Success Criteria

  • Scenario library of ≥30 real-sourced scenarios across archetypes in use; reviewer calibration drift inside target for two consecutive quarters.
  • Product-line training tracks delivered; ≥1 trained practitioner per Critical/High-tier data asset.
  • ≥2 behavior-driven campaigns run in the last 12 months with measured outcomes.
  • Training content refresh cadence met; ≥80% of content updated in last 90 days.

Maturity Level 3

Objective: Operate continuous calibration at scale, externalize the AI-data-assurance curriculum and reviewer rubric as industry-shared artifacts, and contribute to emerging AI-data-handler certification pathways

At this level, the organization's training posture is visible outside its own walls. The practitioner curriculum, scenario library, and reviewer rubric are published externally through CSA AI Safety Initiative, IAPP AI data-governance track, OpenSSF AI, DAMA, or sector ISACs. The program contributes to emerging AI-data-handler and AI-assurance certification pathways as they solidify. Internally, calibration is continuous and live rather than quarterly.

Dependencies

  • EG-Data L2 (required): scenario library, product-line tracks, and behavior-driven campaigns must be in place.
  • PC-Data L3 (required for regulatory-track content): continuous attestation and policy-refresh infrastructure provides the real compliance scenarios the external curriculum demonstrates.
  • SM-Data L3 (required): automated inventory and tier data feed the continuous calibration exercises with current data-asset examples.

Desired Outcomes

  • External practitioners recognize and use the program's curriculum and rubric; citations and adoption are tracked.
  • Reviewer certification exists (internally aligned with external credentials where they have emerged) and is held by a majority of the org's Critical-tier data reviewers.
  • Monthly live calibration, reviewers re-calibrated against anonymized real intakes from the live queue each month; drift trends are a managed metric.
  • Training content evolution is auditable and evidence-driven (telemetry from IM-Data, ML-Data, and DR-Data feeds the curriculum rather than annual scheduled reviews).
  • AI-data-specific TTP observations (training-data poisoning incidents, embedding-inversion events, retrieval-poisoning detections) are contributed back to MITRE ATLAS, CSA AI Safety Initiative, and sector ISACs where novel.

Activities

A) Externalize the curriculum, scenario library, and reviewer rubric

  • Publish the following under a permissive license or as a consortium deliverable through CSA AI Safety Initiative, IAPP AI data-governance track, OpenSSF AI, DAMA, or applicable sector ISAC:
  • Workforce AI-data-assurance literacy module (learning objectives, assessment questions, reference-card template covering the seven archetypes and five data-specific TTPs).
  • Practitioner role-based training curriculum (module outlines, per-archetype reviewer job aids, DPIA composition guide for AI training data, lineage-verification checklist, embedding-inversion risk assessment guide).
  • Anonymized scenario library (scenario format, per-archetype examples including Clinical AI / Fintech AI / Developer-Tool AI / Consumer AI tracks, calibration debrief format).
  • Reviewer rubric (classification-label criteria, DPIA-trigger determination scoring, lineage-verification scoring, SR-gap-list completeness scoring).
  • Community contributions accepted; changes to the external artifact flow back into the internal content within 30 days.
  • Adoption tracked: citations in external publications, forks, downloads, direct adoption acknowledgment from other organizations.

B) Continuous live calibration

  • Monthly calibration round: a current anonymized intake sampled from the program's live queue is shared with the reviewer cohort; each reviewer independently scores classification label, DPIA trigger determination, top 3 SR gaps, and primary TTP; drift reported to the program sponsor.
  • Individual reviewer drift is a development signal, not a performance metric; reviewers with persistent drift on specific archetype types receive targeted coaching and additional scenario exposure.
  • Calibration results feed the scenario library directly, new scenarios drawn from intakes where calibration revealed drift are added within 30 days.

C) AI-data-handler certification contribution

  • Contribute to AI-data-handler and AI-assurance certification pathways as they emerge: CSA AI Safety, ISACA AI Audit / AI Risk certificates, IAPP AI data-governance certification, sector-specific ISAC credentials, DAMA AI data-management practitioner path, CIPP/E extensions for AI data processing.
  • Align the org's practitioner capstone with certification-grade rubrics where credentials exist; support reviewers pursuing external credentials.
  • Contribute MITRE ATLAS new-technique candidates and confirmed-technique instances for data-domain observations (training-data poisoning, retrieval-poisoning, embedding inversion), minimum 1 per year where novel observations exist.
  • Target: ≥2 substantive contributions per year to industry curriculum or certification working groups on AI data-handler competency.

Outcome Metrics (L3)

Metric Baseline L3 Target Source
External adoption, citations, forks, downloads of curriculum / scenario library / rubric artifacts 0 tracked, trending up External telemetry
% Critical-tier data reviewers holding an external AI-assurance or AI-data-governance credential 0 ≥50% by year 2 of L3 (where credential exists) HR / credential registry
Monthly live calibration cadence met measure monthly, on calendar Calibration log
ATLAS TTP contributions or confirmations per year (data-domain: training-data poisoning, retrieval-poisoning, embedding inversion) 0 ≥1 where novel observations exist ATLAS contribution log
Contributions to industry certification / curriculum working groups per year 0 ≥2 substantive Contribution log

Process Metrics (leading)

  • Curriculum refresh pipeline: ≥1 change per quarter driven by IM-Data/ML-Data telemetry or external regulatory update.
  • Reviewer certification pathway participation tracked per reviewer.
  • External outreach: ≥2 conference or working-group engagements per year on AI-data-assurance education topics.
  • Calibration debrief findings fed to scenario library within 30 days.

Effectiveness Metrics (business value)

  • Talent acquisition, the program is a named draw for data-steward and DPO practitioner-track hires who want to work in AI-data governance.
  • Reduced on-boarding time for new reviewers who arrive with external AI-data credentials.
  • Industry recognition, program cited by regulators, standards bodies, or peer organizations as reference for AI-data-handler education.
  • Internal gate re-submission rate continues to decline as external curriculum adoption provides pre-trained practitioners from outside the org.

Success Criteria

  • Curriculum, scenario library, and reviewer rubric published externally with documented adoption.
  • Monthly live calibration operating; drift inside target for two consecutive quarters.
  • ≥50% of Critical-tier data reviewers credentialed (where credentials exist).
  • ≥2 substantive contributions to industry certification / curriculum per year.
  • ≥1 MITRE ATLAS data-domain TTP contribution or confirmation per year where novel observations exist.

Key Success Indicators

Level 1: - Workforce AI-data-assurance literacy module launched; ≥95% current-year completion across engineers, data scientists, ML platform engineers, and analysts handling AI/HAI data; content tied to the AI Data AUP attestation. - Practitioner role-based training launched, gated on gate-approval permissions, covering lineage verification, classification scanning and label propagation, consent-basis verification (GDPR Arts. 6/9), DPIA composition (Art. 35), opt-out and deletion enforcement, training-data canary insertion, embedding-store retention and inversion defense, and retrieval-source classification propagation. - Reviewer calibration drift inside target (≤1 classification-tier step and ≤1 DPIA trigger disagreement per sample) for two consecutive quarters. - Shadow-data-in-AI awareness campaign running with monthly content cadence; amnesty disclosures attributable to campaign channels rising in Q1–Q2 then declining as the sanctioned-archetype catalog grows. - Training content owner named; content updated within 30 days of any change to policies, archetypes, or compliance map.

Level 2: - Scenario library of ≥30 anonymized real-sourced intakes powering reviewer training across archetypes; Critical-tier calibration drift inside target. - Product-line-specific data-handler tracks (clinical AI, fintech AI, developer-tool AI, consumer AI) delivered; ≥1 trained practitioner per Critical/High-tier data asset. - ≥2 behavior-driven shadow-data-in-AI campaigns run in the last 12 months with measured outcomes; ≥70% of campaigns hit pre-set behavior target. - Training content refreshed in last 90 days for ≥80% of modules.

Level 3: - Curriculum, scenario library, and reviewer rubric published externally (CSA / IAPP AI / OpenSSF AI / DAMA / sector ISAC) with documented adoption or citation. - ≥50% of Critical-tier data reviewers hold an external AI-assurance or AI-data-governance credential (where one exists). - Monthly live calibration operating with drift inside target; calibration results feeding the scenario library continuously. - ≥2 substantive contributions to industry AI-data-handler certification or curriculum working groups per year; ≥1 MITRE ATLAS data-domain TTP contribution or confirmation per year where novel observations exist.


Common Pitfalls

Level 1: - ❌ Workforce training covers classic GDPR data-protection awareness but not the data-specific HAI TTPs (training-data poisoning, training-data leakage, retrieval-poisoning, embedding inversion, prompt injection via retrieved documents), data handlers know about lawful basis but not about how retrieval-poisoning enters through an unclassified document in a RAG index. - ❌ Practitioner training is a one-hour "intro to data governance for AI" rather than a hands-on module covering lineage verification, DPIA composition for training data, and TTP-recognition exercises against real archetype examples. - ❌ Reviewer training is optional, gate-approval permissions granted without training completion; calibration drift is never measured; two reviewers regularly arrive at different classification labels for the same training corpus. - ❌ Shadow-data-in-AI campaign launches once with an exec message, then goes silent, no monthly content, no amnesty attribution, no feedback channel. - ❌ Training is archetype-agnostic, "AI data security" without distinguishing between a training corpus (training-data leakage risk, Art. 6 lawful-basis requirement, DPIA trigger) and a retrieval store (retrieval-poisoning risk, classification-label propagation, deletion-capability requirement); practitioners apply the wrong review lens. - ❌ DPO and data-steward micro-content never ships, data handlers creating Critical-tier training corpora have no mental model for what Art. 10 data-governance evidence the org must maintain or when a DPIA is triggered. - ❌ Training content owner is unnamed, content goes stale within a quarter; data handlers find outdated policy references and stop trusting the module.

Level 2: - ❌ Scenario library is built from invented examples rather than anonymized real intakes, reviewers learn the shape of a "good" intake but not the actual edge cases that surface in the org's queue (an embedding store with no retention policy, a fine-tuning dataset with an unchecked Art. 9 special-category field). - ❌ Product-line tracks are optional, clinical AI teams skip the PHI/DPIA track and then produce training-corpus designs in DR that do not account for Art. 35 triggers; DR catches the gap late and at high cost. - ❌ Campaigns are launched without a pre-measured behavior target, "shadow data in AI awareness" claimed as a success without data on whether ungated fine-tuning uploads decreased or amnesty disclosures increased. - ❌ Content "refreshes" are cosmetic, module covers get updated, scenario descriptions get wordsmithed, but the TTP library and calibration rubric go stale while real intake patterns change. - ❌ Calibration drift is measured but not acted on, reviewers with persistent drift on DPIA trigger determination never receive coaching; the calibration exercise becomes a box-check.

Level 3: - ❌ External publication without ongoing maintenance, other organizations find a stale DPIA template or outdated lineage-verification checklist and stop trusting the program; citations dry up. - ❌ Credentialing becomes performative, reviewers pursue credentials that do not map to the org's actual tier-treatment rubric; credential acquisition is celebrated but calibration drift stays unchanged. - ❌ Live calibration becomes a gotcha rather than a development signal, reviewers learn to game the monthly exercise and improve their calibration scores without improving their actual gate review quality. - ❌ Contributions to industry working groups do not loop back, what is published externally drifts from what reviewers use internally; practitioners cite the external artifact and contradict the internal rubric. - ❌ ATLAS contributions are aspirational but never submitted, the org observes novel training-data poisoning or retrieval-poisoning patterns in production but does not complete the ATLAS submission process.


Practice Maturity Questions

Level 1: 1. Have all engineers, data scientists, ML platform engineers, and analysts handling AI/HAI data completed a current-year AI-data-assurance literacy course covering the seven data archetypes, the five data-specific HAI TTPs (training-data poisoning, training-data leakage, retrieval-poisoning, embedding inversion, prompt injection via retrieved documents), the AI Data Use Policy rules, and the sanction-gate intake process, with ≥95% completion and content updated within 30 days of any policy or archetype change? 2. Has the practitioner population (data stewards, DPOs/delegates, AppSec/AI safety reviewers) completed role-based training covering lineage verification, classification scanning and label propagation, consent-basis verification (GDPR Arts. 6/9), DPIA composition (Art. 35), opt-out and deletion enforcement, training-data canary insertion, embedding-store retention and inversion defense, and retrieval-source classification propagation, with completion gated on gate-approval permissions and calibration drift ≤1 classification-tier step and ≤1 DPIA trigger disagreement per sample for two consecutive quarters? 3. Is a shadow-data-in-AI awareness campaign running with at least monthly content, a visible amnesty path linked from the Data AUP and intake form, and measurable attribution of intake submissions and amnesty disclosures to campaign channels, with disclosures rising in Q1–Q2 after launch then declining as the sanctioned-archetype catalog grows?

Level 2: 1. Is there a scenario library of ≥30 anonymized real intake cases powering practitioner training across the org's in-scope data archetypes, with paired calibration exercises showing Critical-tier drift ≤1 classification-tier step and ≤0 DPIA trigger disagreements per sample for two consecutive quarters? 2. Have product-line-specific data-handler tracks (clinical AI / fintech AI / developer-tool AI / consumer AI, or equivalent for the org's product mix) been delivered to ≥1 practitioner per Critical/High-tier data asset, with team-level training coverage tracked in the SM-Data inventory? 3. Are shadow-data-in-AI campaigns running on a seasonal, behavior-driven cadence with pre-set behavior targets (not just "awareness") and post-campaign measurement, and is ≥70% of campaigns hitting their target, and is ≥80% of training content updated in the last 90 days?

Level 3: 1. Has the practitioner curriculum, anonymized scenario library, and reviewer rubric been published externally (CSA AI Safety Initiative, IAPP AI data-governance track, OpenSSF AI, DAMA, or sector ISAC) with documented adoption, citations, forks, or direct acknowledgment, and do contributions loop back into internal content within 30 days? 2. Is a monthly live calibration cadence operating (anonymized intake from the live queue, independent reviewer scoring, drift reported to sponsor), with calibration results feeding the scenario library within 30 days, and do ≥50% of Critical-tier data reviewers hold an external AI-assurance or AI-data-governance credential where one exists? 3. Does the program contribute ≥2 substantive artifacts per year to industry AI-data-handler certification or curriculum working groups, and ≥1 MITRE ATLAS data-domain TTP contribution or confirmation per year (training-data poisoning, retrieval-poisoning, or embedding inversion) where novel observations exist?


Document Version: HAIAMM v3.0 Practice: Education & Guidance (EG) Domain: Data Last Updated: 2026-05-13 Author: Verifhai

☑ Interactive Self-Assessment

Answer each question based on your current, implemented practices only. Progress saves automatically in your browser.