UK government reveals how it security-tests AI used in public services
Key Points
- Science minister Ian Murray confirmed the government has run a programme of independent red teaming of critical government assets.
- The government's most critical systems are assessed against the NCSC's Cyber Assessment Framework through GovAssure, now in its third year.
- The UK helped create ETSI standard EN 304 223, which sets baseline security requirements for AI models and systems.
- The standard covers AI-specific threats including data poisoning, model manipulation and indirect prompt injection.
- The government is considering more proportionate assurance models aligned to supplier criticality for AI procurement.
The government has confirmed it runs independent red-team testing on its most critical systems as part of efforts to secure artificial intelligence used across the public sector.
Red teaming involves authorised specialists attempting to attack or manipulate a system to expose weaknesses before genuine attackers find them.
Science minister Ian Murray set out the government’s approach in a written parliamentary answer on Thursday (11 June), responding to Conservative MP Alison Griffiths, who asked whether the Department for Science, Innovation and Technology had assessed the use of independent security assurance and red-team testing in public sector AI procurement.
Murray said the government’s most critical systems are independently assessed against the National Cyber Security Centre’s Cyber Assessment Framework through the GovAssure scheme, which is now in its third year of operation.
“We have also conducted a programme of independent red teaming of critical government assets,” he said.
The minister added that the UK worked within the European Telecommunications Standards Institute (ETSI) to create a global standard, EN 304 223, which sets baseline security requirements for developers and deployers of AI models and systems.
“This standard will help provide a cyber resilient and ‘secure by design’ approach to utilising AI systems in government,” Murray said.
ETSI published EN 304 223 as the first globally applicable European standard for AI cybersecurity. It builds on the UK government’s AI Cyber Security Code of Practice and joint guidelines from the NCSC and its US counterpart CISA.
The standard sets out 13 principles across five phases of the AI lifecycle, covering secure design, development, deployment, maintenance and end of life.
It addresses threats specific to AI systems, including data poisoning, model manipulation and indirect prompt injection, where attackers compromise an AI system’s behaviour while it appears to function normally.
Murray said the government also embeds baseline security requirements throughout procurement and supply chains, including through Modular Security Schedules in contracts.
He added that the government is considering how to facilitate more specific products-based assurance, including “more proportionate assurance models that are aligned to supplier criticality”.
The answer comes as government departments expand their use of AI in public-facing services, with tools deployed across tax, benefits and healthcare administration.