1.9. Security, Privacy, and Governance

AI System Design Interview Guide (2025)

6 min read 1074 words

🪄 Step 1: Intuition & Motivation

Let’s start with a story.

You walk into a hospital that uses an ML system to predict diseases. It’s brilliant — but if the model accidentally reveals even a hint of someone’s private data, that brilliance turns into a lawsuit.

Or imagine a recommender system that predicts what users like — but one curious engineer can peek at those predictions and identify who’s watching what.

In the real world, machine learning isn’t just about intelligence — it’s about trust.

That’s where security, privacy, and governance come in. They ensure ML systems are not only smart but also safe, ethical, and auditable.

🌱 Step 2: Core Concept

ML systems handle some of the most sensitive data imaginable — health records, financial transactions, personal habits. So, protecting that data (and the models that learn from it) is non-negotiable.

Let’s unpack this through three pillars: Security, Privacy, and Governance.

🔒 Security — Protecting the System Itself

Security focuses on preventing unauthorized access, data leaks, and malicious tampering.

1️⃣ Data Encryption

At rest: Encrypt stored data using AES-256 or similar.
In transit: Use HTTPS/TLS to protect data moving between services.

This ensures that even if attackers access raw files, they can’t read them.

2️⃣ PII Redaction

PII = Personally Identifiable Information (e.g., names, emails, addresses). Before training, remove or obfuscate such data using tokenization, masking, or hashing.

Example: Replace “Alice” with a random ID like user_34af1.

3️⃣ Model Access Control

Not everyone should be able to query or retrain a model. Use role-based access control (RBAC):

Data scientists: Can deploy new models.
Analysts: Can view metrics only.
Auditors: Can inspect logs.

4️⃣ Audit Trails

Every prediction, training job, and deployment should leave a digital footprint. Audit trails allow investigators to trace “who did what, when, and with which data.”

Think of security as the lock, key, and camera system of your ML factory — it doesn’t make the products, but it keeps everything safe.

🕵️ Privacy — Protecting the Data and the People Behind It

Even if your data is encrypted, privacy attacks can still extract sensitive info from the model itself. Let’s look at the two main threats — and how we defend against them.

⚠️ Model Inversion Attacks

Attackers query a trained model to reconstruct the training data.

Example: By probing a facial recognition model repeatedly, they can recreate an image resembling a person from the training set.

Defense:

Apply Differential Privacy (DP) during training — add small random noise so individual data points can’t be inferred.

Conceptually:

$$ \text{DP ensures: } P(M(D)) \approx P(M(D')) $$

Where $M(D)$ is model output for dataset $D$, and $M(D’)$ is the output for $D$ with one record removed. In short, removing one person’s data doesn’t significantly change the model’s behavior.

⚠️ Membership Inference Attacks

An attacker tries to determine if a particular person’s data was used in training.

Defense:

Regularize models to reduce overfitting (less memorization).
Use DP or output clipping (limit confidence scores).

🧠 Federated Learning & Secure Aggregation

In Federated Learning (FL), data never leaves the user’s device. Instead of sending data to a central server, each device trains a local model and sends only updates (gradients) back.

But gradients can still leak info! Hence, we use Secure Aggregation — a cryptographic protocol ensuring the central server only sees summed updates, not individual ones.

Your smartphone keyboard learns your typing habits locally. It shares only encrypted weight updates with Google’s or Apple’s central model — that’s federated learning in action.

📜 Governance — Keeping Systems Accountable

Governance ensures your ML system is not a mysterious black box but a transparent, traceable process.

🧾 Model Cards

A Model Card documents:

Model purpose and intended use
Training data summary
Evaluation metrics
Ethical considerations
Known biases and limitations

Think of it as a nutrition label for ML models — users can see what’s inside before trusting it.

🧬 Lineage Tracking

Tracks the “ancestry” of a model — which datasets, versions, and pipelines produced it.

Allows you to answer:

“If this prediction is wrong, which data or code caused it?”

Common tools: MLflow, Kubeflow Metadata, and DataHub.

🪶 Explainability Reports

Explainability ensures stakeholders understand why a model made a decision. Use techniques like:

LIME / SHAP: Approximate feature importance.
Counterfactual explanations: “If X changed, the decision would be Y.”

This is especially vital in regulated industries (finance, healthcare).

Governance is the rulebook and paper trail — ensuring ML isn’t just powerful, but responsible.

📐 Step 3: Mathematical Foundation (Conceptual)

Let’s peek into Differential Privacy (DP) formally:

$$ M \text{ is } (\varepsilon, \delta)\text{-DP if } \forall D, D', S: $$

$$ P(M(D) \in S) \leq e^{\varepsilon} P(M(D') \in S) + \delta $$

Where:

$M$ = randomized algorithm (e.g., training process)
$D, D’$ = datasets differing by one record
$\varepsilon$ = privacy budget (smaller = stronger privacy)
$\delta$ = small probability of failure

Differential Privacy adds controlled noise — enough to hide individuals but not distort the overall pattern. It’s like blurring a group photo just enough so no one’s face is recognizable, but you can still see the crowd’s shape.

🧠 Step 4: Key Assumptions

Data pipelines follow least-privilege access (only what’s needed).
Models log all training sources for auditability.
Privacy-preserving techniques (DP, FL) are embedded from design, not added later.
Explainability reports are mandatory for high-impact models.

⚖️ Step 5: Strengths, Limitations & Trade-offs

Builds user trust and regulatory compliance.
Prevents data leaks and unauthorized access.
Enables transparent model governance and accountability.

Privacy techniques (DP, FL) can reduce model accuracy.
Heavy encryption adds computational overhead.
Governance processes slow down experimentation.

Trade-off between privacy and utility: More privacy → less precision. Less privacy → more risk. The art lies in tuning $\varepsilon$ (privacy budget) to balance ethics and performance.

🚧 Step 6: Common Misunderstandings

🚨 Common Misunderstandings (Click to Expand)

“Encrypting data = privacy.” → No. Encryption protects data storage, but not what the model learns.
“Federated learning means total anonymity.” → Not always; gradients can leak info if not aggregated securely.
“Governance is for compliance only.” → It’s also a foundation for model trust and debugging.

🧩 Step 7: Mini Summary

🧠 What You Learned: Security, privacy, and governance make ML systems ethical, safe, and auditable.

⚙️ How It Works: Through encryption, access control, privacy-preserving training (DP, FL), and transparent governance tools.

🎯 Why It Matters: The future of AI depends not just on intelligence — but on trustworthiness.

ML System Architecture Fundamentals - Roadma 1.8. Multi-Tenancy and Resource Management