business and enterprise level GAI tools have more formally documented AI risk management controls that reference independently and globally established baselines.

(7) Security Risk Management

As discussed throughout this Guide, many components of a GAI tool are not unique to artificial intelligence, and are in fact traditional network storage, transmission, and processing functions. Like any other cloud-based system, a hosted GAI tool should demonstrate compliance with established data privacy and security standards.[35] Providers that follow these standards help ensure that the underlying infrastructure supporting AI functions meets accepted industry benchmarks for confidentiality, integrity, and availability of data. Unlike AI risk management, cloud security risk management is supported by numerous mature and well-established security frameworks. To be properly within the business or enterprise categories of Table 2, a GAI tool provider should publish formal, written, and independently verified audits demonstrating compliance with the security frameworks referenced in this Guide.[36]

(8) Terms of Use

When selecting a GAI tool, lawyers should obtain written contractual assurances covering the provider's privacy and security obligations. These assurances should address both the underlying transformer model provider and the application itself. Written commitments are necessary to ensure that the handling of client data complies with professional duties of confidentiality, applicable privacy laws, and agreed security practices. You may notice in Table 2 that we designated the enterprise level to provide Business-Class+ Terms of Use. The plus symbol is meant to convey that enterprise licenses typically provide customer-specific negotiating flexibility and additional safeguards for regulated data (such as a HIPAA Business Associate Agreement or GDPR-compliant Standard Contractual Clauses).
We've also included a GAI Terms of Use Checklist at Appendix 2 for lawyers to consider when licensing third-party managed tools.

In addition to these key safeguards, lawyers might also consider where their GAI tools physically store and process data (including conversations, documents, and other elements of GAI storage as discussed in more detail in the Technical Addendum). The physical location of these operations can significantly affect the protections afforded to that data, and the circumstances under which the data can be accessed or deleted. Processing location could also impact the contractual or regulatory obligations lawyers may have with respect to data provided by clients.

(b) Self-Managed GAI Safeguards

Lawyers who choose to deploy a self-managed GAI tool assume responsibility, not only for client confidentiality, but also for the full range of security, availability, and compliance risks associated with hosting and operating the transformer model and its ancillary support structure. To assist in that process, we recommend consulting the Cybersecurity Information Sheet (CIS) titled Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems, authored by the U.S. National Security Agency's

[35] These may include, for example, SOC 2, CSA STAR, ISO 27001, GDPR, CCPA, and other globally recognized privacy and security frameworks.

[36] Id.