Module: B0 — Legal, Ethics, and Disclosure for AI Security Testing Diagram count: 5 Tool: Mermaid (primary). Each diagram validated in Mermaid Live Editor.
Type: Flowchain / trust chain Purpose: The single most important visual in the module. Authorization for an AI red-team is a chain with one more link than a traditional pentest — the link splits "asset owner" into provider (built the model) and deployer (runs the agent). A break anywhere voids downstream cover. The provider-ToS break (link 1→2) is the most common and most dangerous gap. Reading the diagram: Read top-to-bottom as the chain of permission. Each arrow is a transfer of authorization. The red callouts mark the three AI-specific breaks. Note that deployer authorization does not extend to provider-controlled surfaces.
flowchart TB
PROV["MODEL PROVIDER<br/>(e.g. OpenAI, Anthropic)<br/>owns weights · sets API ToS"]
DEP["DEPLOYER / ASSET OWNER<br/>(your client)<br/>runs the agent · owns the data"]
SPON["ENGAGEMENT SPONSOR<br/>commissioned the red-team<br/>(often deployer CISO)"]
ROE["RoE / SCOPE<br/>systems, techniques, dual-use,<br/>DMCA waiver, data handling"]
SF["SCOPE FILE (machine-checkable)<br/>deployer surfaces vs provider surfaces<br/>provider_authorization per technique"]
GATE["HARNESS SCOPE GATE<br/>intercepts every outbound test action"]
ACT["INDIVIDUAL TEST ACTION<br/>prompt injection · weight read · jailbreak"]
PROV -->|ToS / waiver / preview enrollment| DEP
DEP -->|authorization| SPON
SPON --> ROE
ROE --> SF
SF --> GATE
GATE --> ACT
BREAK1["BREAK 1 — provider ToS forbids it<br/>deployer cannot authorize<br/>provider-surface violation"]:::danger
BREAK2["BREAK 2 — no dual-use clause<br/>RoE fails at the moment<br/>a serious finding appears"]:::danger
BREAK3["BREAK 3 — scope drift<br/>stale model version / scope<br/>no valid_until re-check"]:::danger
PROV -. breaks .-> BREAK1
ROE -. breaks .-> BREAK2
SF -. breaks .-> BREAK3
classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
style PROV fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
style DEP fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
style SPON fill:#14141f,stroke:#5eead4,color:#e4e4e8
style ROE fill:#14141f,stroke:#5eead4,color:#e4e4e8
style SF fill:#14141f,stroke:#5eead4,color:#e4e4e8
style GATE fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
style ACT fill:#14141f,stroke:#f08080,color:#f08080
Note: The provider link at the top is what makes AI red-teaming legally distinct from a traditional pentest. A deployer can authorize you to test their agent, but not to violate the provider's terms. The scope file must carry a
provider_authorizationfield per technique and the harness gate must enforce it — this is the engineering realization of the legal control.
Type: Comparison / overlay Purpose: AI red-teaming is governed by two stacked legal layers. The traditional computer-crime layer (CFAA, CMA, EU 2013/40) governs the infrastructure around the model. The AI-specific layer (EU AI Act, EO/OMB, state bot/deepfake laws, DMCA § 1201) governs the model and its outputs. A complete engagement must address both. Reading the diagram: Two horizontal bands stacked. The top band (traditional) is the law from 2A S00 — it applies to the server, the database, the API gateway. The bottom band (AI-specific) applies to the weights, the system prompt, the outputs, the jailbreak. A finding often implicates both layers.
flowchart LR
subgraph TRAD["TRADITIONAL LAYER — governs the infrastructure"]
direction TB
T1["CFAA § 1030(a)(2)<br/>access without authorization"]
T2["CFAA § 1030(a)(5)<br/>damage (scanner-as-DoS)"]
T3["UK CMA ss. 1, 3<br/>unauthorised access / acts"]
T4["EU Dir 2013/40 + GDPR<br/>access + personal data"]
end
subgraph AISPEC["AI-SPECIFIC LAYER — governs the model & outputs"]
direction TB
A1["EU AI Act 2024/1689<br/>prohibited uses · GPAI duties<br/>finding may = legal non-compliance"]
A2["DTSA + EU Trade Secrets Dir<br/>weight exfiltration = misappropriation"]
A3["DMCA § 1201<br/>bypassing a model access control<br/>= separate crime from CFAA"]
A4["US EO 14110 / OMB M-24-10<br/>finding may be a reportable incident"]
end
TRAD ---|"same server<br/>same database"| AISPEC
style TRAD fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
style AISPEC fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#e4e4e8
style T1 fill:#101018,stroke:#5eead4,color:#e4e4e8
style T2 fill:#101018,stroke:#5eead4,color:#e4e4e8
style T3 fill:#101018,stroke:#5eead4,color:#e4e4e8
style T4 fill:#101018,stroke:#5eead4,color:#e4e4e8
style A1 fill:#101018,stroke:#f08080,color:#e4e4e8
style A2 fill:#101018,stroke:#f08080,color:#e4e4e8
style A3 fill:#101018,stroke:#f08080,color:#e4e4e8
style A4 fill:#101018,stroke:#f08080,color:#e4e4e8
Note: The traditional layer is the law a pentester already knows. The AI-specific layer is new and it is where most AI red-team legal mistakes happen — a tester who is meticulous about CFAA scope but blindsided by DMCA § 1201 has covered only half the surface.
Type: Decision flowchart Purpose: The central ethical problem of AI red-teaming, made visual. A successful jailbreak is simultaneously a security finding (report it) and a misuse recipe (suppress it). The diagram shows the four disclosure principles resolving the tension into a decision. Reading the diagram: A single artifact (the jailbreak) enters and forks into two readings. The decision flow resolves what to publish vs. what to keep provider-only. Note the divergence from traditional "publish everything" CVD: pure-misuse content with no defensive lesson is withheld.
flowchart TB
JB["A SUCCESSFUL JAILBREAK<br/>copy-paste-usable prompt sequence"]
READ1["SECURITY FINDING<br/>a safety control failed<br/>→ report it (CVD)"]:::good
READ2["MISUSE RECIPE<br/>bypasses refusal training<br/>→ suppress it"]:::danger
JB --> READ1
JB --> READ2
READ1 --> P1["1. Report to provider first<br/>always, before anything else"]
P1 --> P2["2. Publish EXISTENCE + SEVERITY<br/>not the RECIPE<br/>(unless provider consents)"]
P2 --> P3{"3. Defensive lesson?"}
P3 -->|"new technique / architecture"| PUBLISH["Publish technique + residual risk<br/>time-bound embargo ≥ 180 days<br/>for model-level findings"]:::good
P3 -->|"pure misuse,<br/>no defensive value"| WITHHOLD["4. Decline to publish<br/>provider-only disclosure<br/>(diverges from publish-everything)"]:::danger
classDef good fill:#14141f,stroke:#82e0aa,stroke-width:1.5px,color:#82e0aa
classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
style JB fill:#14141f,stroke:#f0a868,stroke-width:2px,color:#f0a868
style READ1 fill:#101018,stroke:#82e0aa,color:#e4e4e8
style READ2 fill:#101018,stroke:#f08080,color:#e4e4e8
style P1 fill:#101018,stroke:#5eead4,color:#e4e4e8
style P2 fill:#101018,stroke:#5eead4,color:#e4e4e8
style P3 fill:#101018,stroke:#5eead4,color:#e4e4e8
Note: The bottom-right outcome (WITHHOLD) is where AI red-teaming diverges from the traditional security norm of "publish everything." It is a judgment call made in the engagement RoE before testing, not in the moment.
Type: Process / control flow Purpose: How to prove model weight extractability without committing trade-secret theft. The harness must enforce that the test reaches the weight store, captures a fingerprint, and stops — never saving the file. The proof is reachability, not possession. Reading the diagram: The red FORBIDDEN path (download + save the full weights) is the harm the test was hired to prevent. The green ALLOWED path proves the same vulnerability with a hash and a byte count.
flowchart TB
START["REACH THE WEIGHT STORE<br/>read path is the finding"]
START --> Q{"Capture what?"}
Q -->|"FORBIDDEN"| DL["Download full weights<br/>Save the file"]:::danger
DL --> HARM["TRADE-SECRET MISAPPROPRIATION<br/>DTSA + EU Trade Secrets Dir<br/>the harm itself"]:::danger
Q -->|"ALLOWED"| FP["Fingerprint<br/>hash of a small shard<br/>byte count"]
FP --> LOG["Log path + byte count + hash<br/>PROOF OF REACHABILITY"]
LOG --> STOP["Stop. Do not save the shard.<br/>Report."]:::good
classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
classDef good fill:#14141f,stroke:#82e0aa,stroke-width:1.5px,color:#82e0aa
style START fill:#14141f,stroke:#5eead4,color:#e4e4e8
style Q fill:#101018,stroke:#f0a868,color:#e4e4e8
style FP fill:#101018,stroke:#82e0aa,color:#e4e4e8
style LOG fill:#101018,stroke:#82e0aa,color:#e4e4e8
Note: The asymmetry is the point: the same vulnerability (weight store is reachable) can be proven with a hash or committed as a 40GB theft. The red-team harness must enforce the green path — a test that "accidentally" exfiltrates weights has committed the harm it was hired to prevent.
Type: Classification matrix Purpose: The AI extension of 2A's evidence retention policy. Four classes, each with a retention rule. Two are AI-specific (Provider-Only, the recipe; Destroy-on-Report, the jailbreak). The policy is enforced automatically by the evidence store, not documented in a wiki. Reading the diagram: Left column = the class; right = the rule. Restricted (PII/weights) and Destroy-on-Report (jailbreaks) are the classes where AI-specific law bites hardest.
flowchart LR
subgraph CLASSES["EVIDENCE CLASS"]
direction TB
C1["PUBLIC<br/>technique description<br/>no recipe"]
C2["PROVIDER-ONLY<br/>the recipe<br/>shared under NDA w/ provider"]
C3["RESTRICTED<br/>PII / weights / system prompt<br/>in retrieved context"]
C4["DESTROY-ON-REPORT<br/>working jailbreak prompts"]
end
subgraph RULES["RETENTION RULE"]
direction TB
R1["Retain indefinitely<br/>portfolio artifact"]
R2["Retain for engagement<br/>+ provider coordination tail"]
R3["Destroy on report submission<br/>or per contract — sooner"]
R4["Destroy on report<br/>never carry cross-client"]
end
C1 --> R1
C2 --> R2
C3 --> R3
C4 --> R4
style C1 fill:#101018,stroke:#82e0aa,color:#e4e4e8
style C2 fill:#101018,stroke:#f0a868,color:#e4e4e8
style C3 fill:#101018,stroke:#f08080,color:#e4e4e8
style C4 fill:#101018,stroke:#f08080,color:#e4e4e8
style R1 fill:#101018,stroke:#82e0aa,color:#9494a0
style R2 fill:#101018,stroke:#f0a868,color:#9494a0
style R3 fill:#101018,stroke:#f08080,color:#9494a0
style R4 fill:#101018,stroke:#f08080,color:#9494a0
Note: The evidence store is not a data lake. An AI red-team logger that writes jailbreak prompts and retrieved PII to a permanent directory with no classification is building a compliance violation and a misuse-enabling dataset at the same time. Classification must be automatic — at capture time, per the scope file's data-class rules.
# Diagrams — Module B0: Legal, Ethics, and Disclosure for AI Security Testing
**Module**: B0 — Legal, Ethics, and Disclosure for AI Security Testing
**Diagram count**: 5
**Tool**: Mermaid (primary). Each diagram validated in [Mermaid Live Editor](https://mermaid.live).
---
## Diagram 1 — The AI Red-Team Authorization Chain
**Type**: Flowchain / trust chain
**Purpose**: The single most important visual in the module. Authorization for an AI red-team is a *chain* with one more link than a traditional pentest — the link splits "asset owner" into **provider** (built the model) and **deployer** (runs the agent). A break anywhere voids downstream cover. The provider-ToS break (link 1→2) is the most common and most dangerous gap.
**Reading the diagram**: Read top-to-bottom as the chain of permission. Each arrow is a transfer of authorization. The red callouts mark the three AI-specific breaks. Note that deployer authorization does *not* extend to provider-controlled surfaces.
```mermaid
flowchart TB
PROV["MODEL PROVIDER<br/>(e.g. OpenAI, Anthropic)<br/>owns weights · sets API ToS"]
DEP["DEPLOYER / ASSET OWNER<br/>(your client)<br/>runs the agent · owns the data"]
SPON["ENGAGEMENT SPONSOR<br/>commissioned the red-team<br/>(often deployer CISO)"]
ROE["RoE / SCOPE<br/>systems, techniques, dual-use,<br/>DMCA waiver, data handling"]
SF["SCOPE FILE (machine-checkable)<br/>deployer surfaces vs provider surfaces<br/>provider_authorization per technique"]
GATE["HARNESS SCOPE GATE<br/>intercepts every outbound test action"]
ACT["INDIVIDUAL TEST ACTION<br/>prompt injection · weight read · jailbreak"]
PROV -->|ToS / waiver / preview enrollment| DEP
DEP -->|authorization| SPON
SPON --> ROE
ROE --> SF
SF --> GATE
GATE --> ACT
BREAK1["BREAK 1 — provider ToS forbids it<br/>deployer cannot authorize<br/>provider-surface violation"]:::danger
BREAK2["BREAK 2 — no dual-use clause<br/>RoE fails at the moment<br/>a serious finding appears"]:::danger
BREAK3["BREAK 3 — scope drift<br/>stale model version / scope<br/>no valid_until re-check"]:::danger
PROV -. breaks .-> BREAK1
ROE -. breaks .-> BREAK2
SF -. breaks .-> BREAK3
classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
style PROV fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
style DEP fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
style SPON fill:#14141f,stroke:#5eead4,color:#e4e4e8
style ROE fill:#14141f,stroke:#5eead4,color:#e4e4e8
style SF fill:#14141f,stroke:#5eead4,color:#e4e4e8
style GATE fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
style ACT fill:#14141f,stroke:#f08080,color:#f08080
```
> **Note**: The provider link at the top is what makes AI red-teaming legally distinct from a traditional pentest. A deployer can authorize you to test *their* agent, but not to violate *the provider's* terms. The scope file must carry a `provider_authorization` field per technique and the harness gate must enforce it — this is the engineering realization of the legal control.
---
## Diagram 2 — Two Legal Layers: Traditional Statutes + AI-Specific Layer
**Type**: Comparison / overlay
**Purpose**: AI red-teaming is governed by *two stacked legal layers*. The traditional computer-crime layer (CFAA, CMA, EU 2013/40) governs the *infrastructure* around the model. The AI-specific layer (EU AI Act, EO/OMB, state bot/deepfake laws, DMCA § 1201) governs the *model and its outputs*. A complete engagement must address both.
**Reading the diagram**: Two horizontal bands stacked. The top band (traditional) is the law from 2A S00 — it applies to the server, the database, the API gateway. The bottom band (AI-specific) applies to the weights, the system prompt, the outputs, the jailbreak. A finding often implicates *both* layers.
```mermaid
flowchart LR
subgraph TRAD["TRADITIONAL LAYER — governs the infrastructure"]
direction TB
T1["CFAA § 1030(a)(2)<br/>access without authorization"]
T2["CFAA § 1030(a)(5)<br/>damage (scanner-as-DoS)"]
T3["UK CMA ss. 1, 3<br/>unauthorised access / acts"]
T4["EU Dir 2013/40 + GDPR<br/>access + personal data"]
end
subgraph AISPEC["AI-SPECIFIC LAYER — governs the model & outputs"]
direction TB
A1["EU AI Act 2024/1689<br/>prohibited uses · GPAI duties<br/>finding may = legal non-compliance"]
A2["DTSA + EU Trade Secrets Dir<br/>weight exfiltration = misappropriation"]
A3["DMCA § 1201<br/>bypassing a model access control<br/>= separate crime from CFAA"]
A4["US EO 14110 / OMB M-24-10<br/>finding may be a reportable incident"]
end
TRAD ---|"same server<br/>same database"| AISPEC
style TRAD fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
style AISPEC fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#e4e4e8
style T1 fill:#101018,stroke:#5eead4,color:#e4e4e8
style T2 fill:#101018,stroke:#5eead4,color:#e4e4e8
style T3 fill:#101018,stroke:#5eead4,color:#e4e4e8
style T4 fill:#101018,stroke:#5eead4,color:#e4e4e8
style A1 fill:#101018,stroke:#f08080,color:#e4e4e8
style A2 fill:#101018,stroke:#f08080,color:#e4e4e8
style A3 fill:#101018,stroke:#f08080,color:#e4e4e8
style A4 fill:#101018,stroke:#f08080,color:#e4e4e8
```
> **Note**: The traditional layer is the law a pentester already knows. The AI-specific layer is new and it is where most AI red-team legal mistakes happen — a tester who is meticulous about CFAA scope but blindsided by DMCA § 1201 has covered only half the surface.
---
## Diagram 3 — The Dual-Use Dilemma of a Jailbreak Finding
**Type**: Decision flowchart
**Purpose**: The central ethical problem of AI red-teaming, made visual. A successful jailbreak is simultaneously a security finding (report it) and a misuse recipe (suppress it). The diagram shows the four disclosure principles resolving the tension into a decision.
**Reading the diagram**: A single artifact (the jailbreak) enters and forks into two readings. The decision flow resolves what to publish vs. what to keep provider-only. Note the divergence from traditional "publish everything" CVD: pure-misuse content with no defensive lesson is withheld.
```mermaid
flowchart TB
JB["A SUCCESSFUL JAILBREAK<br/>copy-paste-usable prompt sequence"]
READ1["SECURITY FINDING<br/>a safety control failed<br/>→ report it (CVD)"]:::good
READ2["MISUSE RECIPE<br/>bypasses refusal training<br/>→ suppress it"]:::danger
JB --> READ1
JB --> READ2
READ1 --> P1["1. Report to provider first<br/>always, before anything else"]
P1 --> P2["2. Publish EXISTENCE + SEVERITY<br/>not the RECIPE<br/>(unless provider consents)"]
P2 --> P3{"3. Defensive lesson?"}
P3 -->|"new technique / architecture"| PUBLISH["Publish technique + residual risk<br/>time-bound embargo ≥ 180 days<br/>for model-level findings"]:::good
P3 -->|"pure misuse,<br/>no defensive value"| WITHHOLD["4. Decline to publish<br/>provider-only disclosure<br/>(diverges from publish-everything)"]:::danger
classDef good fill:#14141f,stroke:#82e0aa,stroke-width:1.5px,color:#82e0aa
classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
style JB fill:#14141f,stroke:#f0a868,stroke-width:2px,color:#f0a868
style READ1 fill:#101018,stroke:#82e0aa,color:#e4e4e8
style READ2 fill:#101018,stroke:#f08080,color:#e4e4e8
style P1 fill:#101018,stroke:#5eead4,color:#e4e4e8
style P2 fill:#101018,stroke:#5eead4,color:#e4e4e8
style P3 fill:#101018,stroke:#5eead4,color:#e4e4e8
```
> **Note**: The bottom-right outcome (WITHHOLD) is where AI red-teaming diverges from the traditional security norm of "publish everything." It is a judgment call made in the engagement RoE *before* testing, not in the moment.
---
## Diagram 4 — Weight Extraction: Minimum-Proof Discipline
**Type**: Process / control flow
**Purpose**: How to prove model weight extractability without committing trade-secret theft. The harness must enforce that the test reaches the weight store, captures a fingerprint, and stops — never saving the file. The proof is reachability, not possession.
**Reading the diagram**: The red FORBIDDEN path (download + save the full weights) is the harm the test was hired to prevent. The green ALLOWED path proves the same vulnerability with a hash and a byte count.
```mermaid
flowchart TB
START["REACH THE WEIGHT STORE<br/>read path is the finding"]
START --> Q{"Capture what?"}
Q -->|"FORBIDDEN"| DL["Download full weights<br/>Save the file"]:::danger
DL --> HARM["TRADE-SECRET MISAPPROPRIATION<br/>DTSA + EU Trade Secrets Dir<br/>the harm itself"]:::danger
Q -->|"ALLOWED"| FP["Fingerprint<br/>hash of a small shard<br/>byte count"]
FP --> LOG["Log path + byte count + hash<br/>PROOF OF REACHABILITY"]
LOG --> STOP["Stop. Do not save the shard.<br/>Report."]:::good
classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
classDef good fill:#14141f,stroke:#82e0aa,stroke-width:1.5px,color:#82e0aa
style START fill:#14141f,stroke:#5eead4,color:#e4e4e8
style Q fill:#101018,stroke:#f0a868,color:#e4e4e8
style FP fill:#101018,stroke:#82e0aa,color:#e4e4e8
style LOG fill:#101018,stroke:#82e0aa,color:#e4e4e8
```
> **Note**: The asymmetry is the point: the same vulnerability (weight store is reachable) can be proven with a hash or committed as a 40GB theft. The red-team harness must enforce the green path — a test that "accidentally" exfiltrates weights has committed the harm it was hired to prevent.
---
## Diagram 5 — Evidence Retention: AI-Specific Classes
**Type**: Classification matrix
**Purpose**: The AI extension of 2A's evidence retention policy. Four classes, each with a retention rule. Two are AI-specific (Provider-Only, the recipe; Destroy-on-Report, the jailbreak). The policy is enforced automatically by the evidence store, not documented in a wiki.
**Reading the diagram**: Left column = the class; right = the rule. Restricted (PII/weights) and Destroy-on-Report (jailbreaks) are the classes where AI-specific law bites hardest.
```mermaid
flowchart LR
subgraph CLASSES["EVIDENCE CLASS"]
direction TB
C1["PUBLIC<br/>technique description<br/>no recipe"]
C2["PROVIDER-ONLY<br/>the recipe<br/>shared under NDA w/ provider"]
C3["RESTRICTED<br/>PII / weights / system prompt<br/>in retrieved context"]
C4["DESTROY-ON-REPORT<br/>working jailbreak prompts"]
end
subgraph RULES["RETENTION RULE"]
direction TB
R1["Retain indefinitely<br/>portfolio artifact"]
R2["Retain for engagement<br/>+ provider coordination tail"]
R3["Destroy on report submission<br/>or per contract — sooner"]
R4["Destroy on report<br/>never carry cross-client"]
end
C1 --> R1
C2 --> R2
C3 --> R3
C4 --> R4
style C1 fill:#101018,stroke:#82e0aa,color:#e4e4e8
style C2 fill:#101018,stroke:#f0a868,color:#e4e4e8
style C3 fill:#101018,stroke:#f08080,color:#e4e4e8
style C4 fill:#101018,stroke:#f08080,color:#e4e4e8
style R1 fill:#101018,stroke:#82e0aa,color:#9494a0
style R2 fill:#101018,stroke:#f0a868,color:#9494a0
style R3 fill:#101018,stroke:#f08080,color:#9494a0
style R4 fill:#101018,stroke:#f08080,color:#9494a0
```
> **Note**: The evidence store is not a data lake. An AI red-team logger that writes jailbreak prompts and retrieved PII to a permanent directory with no classification is building a compliance violation and a misuse-enabling dataset at the same time. Classification must be automatic — at capture time, per the scope file's data-class rules.