Personal Wiki

Sec. 9 — Trustworthy AI

7 min read

Section 9 of Generative AI LLM Exam Study Guide

Abstract

This section establishes the architectural and methodological foundations required to ensure Trustworthy AI within enterprise deployment environments, focusing on the integration of security, privacy, and transparency principles. It outlines specific NVIDIA technologies and methodologies, such as NeMo Guardrails and SteerLM, designed to mitigate risks like bias, hallucination, and prompt injection. Furthermore, the section details the infrastructure necessary for robust data curation and evaluation, emphasizing GPU-accelerated pipelines and statistical benchmarks to validate model behavior before production. This content is critical for graduate-level understanding as it synthesizes the transition from theoretical security principles to concrete implementation strategies using modern deep learning frameworks.

Key Concepts

  • Principles of Trustworthy AI: The framework is built upon four foundational pillars: Privacy, Safety and Security, Transparency, and Nondiscrimination. Privacy involves complying with regulations and safeguarding data, often utilizing federated learning projects enabled by NVIDIA DGX systems. Safety focuses on avoiding unintended harm and malicious threats, while transparency is achieved through Explainable AI (XAI) and Retrieval-Augmented Generation (RAG) to connect models with authoritative sources. Nondiscrimination requires minimizing bias through techniques like incorporating diverse variables or generating synthetic datasets using tools such as NVIDIA Omniverse Replicator.
  • Security Threat Models and Defenses: The material identifies specific attack vectors including prompt injection, information leaks, and application-related leaks. Prompt injection requires establishing trust boundaries and parameterizing plug-ins to strictly limit actions. Information leaks can occur via prompt extraction revealing model instructions or model inversion attacks recovering training data. Defenses include strict isolation of information, ensuring RAG tracks user authorization for retrieved documents, and executing authentication mechanisms outside the context of the Large Language Model (LLM).
  • NVIDIA NeMo Guardrails and Transparency: This suite of tools enforces constraints on LLM outputs through topical, safety, and security guardrails. Topical guardrails ensure chatbots adhere to specific subjects, while safety guardrails limit language and data sources. Security guardrails prevent malicious use when connected to third-party applications. RAG is integrated into this framework to help models cite sources and clear up ambiguity, thereby reducing hallucination and making the generative AI more authoritative and trustworthy for end users.
  • Model Customization via SteerLM: SteerLM offers a simplified four-step technique for customizing LLMs, addressing the complexity of Reinforcement Learning from Human Feedback (RLHF). The process involves data cleaning, training an attribute prediction model to evaluate response quality, training an attribute-conditioned Supervised Fine-Tuning (SFT) model based on human perceptions like helpfulness, and finally performing inference with specified attribute values. This allows for scalable customization without the heavy infrastructure overhead typically required by RLHF.
  • Data Curation and Cleaning Pipelines: Ensuring data quality is paramount for trustworthiness, utilizing tools like NeMo Data Curator and TAO Toolkit. NeMo Data Curator is a scalable Python-based tool using Message-Passing Interface (MPI) and Dask to create massive datasets for LLMs, including document-level deduplication and quality filtering. TAO Toolkit enables transfer learning on pretrained models, often integrated with Innotescus for curating unbiased datasets. Exploratory Data Analysis (EDA) is emphasized to investigate statistical imbalances and biases before training.
  • Evaluation and Benchmarking Frameworks: Robust evaluation is required to prevent catastrophic forgetting when evaluating LLMs on both original and newly learned tasks. Academic benchmarks such as Beyond the Imitation Game (BIG-bench) and toxic language measures provide standardized metrics. Custom datasets are evaluated using NLP metrics including Accuracy, BLEU for machine translation similarity, ROUGE for text summarization, F1 for balancing precision and recall, and Exact Match for classification performance.
  • GPU Infrastructure and Acceleration: The reliability of AI systems is supported by hardware acceleration, where GPUs employ parallel processing to scale computing height. Tensor Cores enable mixed-precision computing, dynamically adapting calculations to accelerate throughput while preserving accuracy and providing enhanced security. The NVIDIA software stack includes libraries like cuDNN for compute-bound and memory-bound operations, and cuBLAS for linear algebra, ensuring efficient and reliable model execution across various data science tasks.
  • Vector Search and Retrieval Architectures: Efficient retrieval is critical for RAG systems, supported by NVIDIA RAFT (Reusable Accelerated Functions and Tools). RAFT contains CUDA-accelerated algorithms for vector search, including IVF-Flat for speed, IVF-PQ for memory efficiency, and CAGRA for high-performance graph-based methods. NeMo Retriever complements this by offering a collection of microservices enabling semantic search, document encoding, and interaction with existing relational databases to answer business questions.

Key Equations and Algorithms

  • Normal Distribution Properties: The Gaussian distribution describes data density where the mean, median, and mode are equal, and the total probability mass is concentrated. The text defines a fundamental property where the area under the curve is normalized: .
  • SteerLM Customization Procedure: A four-step algorithmic approach for LLM customization that replaces complex RLHF. The steps are: 1) Data cleaning and preprocessing; 2) Training attribute prediction models on human-annotated datasets; 3) Training attribute-conditioned SFT models to generate responses based on combinations of attributes; 4) Performing inference on the SteerLM model with different attribute values to control model behavior.
  • Exponential Distribution Characteristics: This distribution models the time until a specific event occurs, characterized by values where fewer large values and more small values occur. It is commonly used in reliability calculations to determine the length of time a product lasts, implying a hazard rate that is constant over time.
  • F1 Score Definition: While not explicitly formulaic in the text, the F1 score is described as a metric that combines precision and recall into a single score. This expression provides a balance between them, commonly used for evaluating classification models and question-and-answer systems where a single metric is needed to represent performance.

Key Claims and Findings

  • RLHF requires an extremely complex training infrastructure, which hinders broad adoption of advanced LLM customization techniques compared to the streamlined SteerLM approach.
  • Retrieval-Augmented Generation (RAG) advances AI transparency by connecting generative AI services to authoritative external databases, enabling models to cite their sources and provide more accurate answers.
  • Confidential computing on NVIDIA H100 and H200 Tensor Core GPUs provides hardware-based security and isolation, ensuring performance without requiring code changes for security features.
  • Application-related information leaks often occur when prompts and responses containing privileged document information are logged in a system with a different access level.
  • Synthetic datasets offer a viable solution to reduce unwanted bias in training data by generating diverse data to replicate real-world use cases.
  • CUDA-accelerated vector search methods like CAGRA provide high-performance, GPU-accelerated solutions for building high-performance retrieval applications.

Terminology

  • Trust Boundary: A security concept that must be established between trusted responses and any responses that process them, particularly when dealing with plug-ins or external inputs to prevent injection attacks.
  • Model Card++: A specific tool or document format referenced for enhancing AI transparency and ethical considerations, likely extending standard model documentation to include bias and privacy metrics.
  • NeMo Guardrails: A specific NVIDIA framework that implements safety, topical, and security guardrails to ensure chatbots stick to specific subjects and prevent malicious use.
  • Exploratory Data Analysis (EDA): The process of investigating and visualizing datasets from multiple statistical angles to get a holistic understanding of underlying patterns, anomalies, and biases.
  • Message-Passing Interface (MPI): A standard used within the NeMo Data Curator to enable scalable data curation, facilitating parallel processing across distributed systems.
  • Catastrophic Forgetting: A phenomenon in machine learning where a model forgets previously learned tasks when trained on new data, necessitating evaluation on both original and newly learned tasks.
  • Prompt Extraction Attack: A security attack where an adversary attempts to reveal information contained in the model’s prompt template, such as instructions or secrets.
  • Membership Inference: An attack technique enabling an attacker to determine whether a particular bit of information known to them was likely contained within the training data of the model.
  • Switch Transformers: A paper reference describing a method for scaling to trillion parameter models using simple and efficient sparsity mechanisms.
  • Vector-Space Models: Referenced in the context of Osgood et al. (1957), representing the first expression of vector semantics models which map words or concepts to vectors in a multi-dimensional space.

Graph View

Backlinks