Leveraging Databricks’ framework for AI security for banking as a service
How Coastal Community Bank uses the Databricks AI Security Framework to advance their AI initiatives securely
Cost to run model giving highest accuracy (94%) on entire data corpus with 1 million tokens
Decrease in time to complete vendor due diligence reviews by providing automated output to human reviewers
Accuracy of customer complaints classifier with coverage of 100% of records vs. prior process based on sampling
Coastal Community Bank (Coastal) is a $4 billion community bank that also delivers banking as a service (BaaS) to financial providers. They provide a full suite of BaaS offerings that enable partners to bring their vision of digital financial services to life. With this ecosystem of partners, Coastal’s customer count ranks them among the top 20 U.S. banks. To keep growing and stay competitive, Coastal needed to adopt AI and large language models (LLMs) with a safe and secure strategy. Working with Databricks, they are able to leverage the Databricks AI Security Framework (DASF) to identify and address security, governance and compliance risks as they roll out AI initiatives.
A high-AI-adoption approach in a highly regulated industry
Coastal has set their sights in earnest on AI. “Pretty much any business challenge, we’re looking to see if there’s a fit for this kind of [AI] tool to solve it,” Barb MacLean, Coastal’s Senior Vice President and Head of Technology Operations and Implementation, said. “We’re approaching this entire space fairly open-mindedly, which may be unique inside of a highly regulated industry.” The bank’s initial AI focus areas include use cases and AI deployment models such as:
- Streamlining annual vendor reviews, which involve a 50-question vendor questionnaire and supporting documents, via a retrieval augmented generation (RAG) application to accelerate document processing and prefill forms
- Increasing coverage of detailed complaints reviews to 100% with 94% accuracy, saving the equivalent of 1 FTE of time annually, using LLMs such as Llama 3
- Handling various data types, including PDFs with text and images, for approving Coastal marketing initiatives. With a 48-hour service level agreement (SLA) for compliance feedback, they will streamline approval using an out-of-the-box LLM and a custom vision model.
To support these AI initiatives securely, Coastal has integrated the Databricks AI Security Framework, a whitepaper that simplifies AI and ML concepts by cataloging AI security risks from real-world attacks and offering practical, actionable advice for a layered defense approach.
Addressing the need for board-level involvement in AI oversight
Coastal’s core strength lies in risk and compliance, with protecting their customers and their data as a top priority. The use of AI is deliberately a board-level concern to ensure the teams get that level of feedback and support. The Coastal technology team recognized the need for a comprehensive plan to secure and govern these models as they moved forward.
Around the time Coastal started experimenting with model-based solutions, Databricks introduced the Databricks AI Security Framework. The DASF provided timely guidelines that Coastal needed to assure the board of the safety and security of their AI model rollout. Coastal quickly began to consume and implement the DASF because of its actionable recommendations, simple-to-follow mapping and documentation links to Databricks features for risk mitigation. “The reason why the platform at large is so valuable to us is because it keeps evolving so quickly…it’s like you guys live in our head,” Barb said.
Accelerating AI adoption without compromising security with the Databricks AI Security Framework
Implementing the DASF has been easy for the Coastal technology team as it aligns to other security frameworks in the market such as MITRE ATLAS, OWASP Top 10 for LLMs and NIST AML Taxonomy. The team was particularly drawn to the ease with which they can identify the ML-specific controls that would need to be present in their environment, which is instrumental in their threat modeling efforts. As the team defined their AI use cases and model types using common terminology, they found it extremely helpful that the DASF clearly indicated which controls to enable. This risk-centric approach, aligned with business needs, allowed Coastal to confidently select the appropriate controls for each use case, avoiding the compliance-centric approach of implementing all controls, which can slow AI adoption without adding value.
Take, for example, Coastal’s customer complaints categorization AI use case. Through their banking-as-a-service division CCBX, Coastal plays an oversight role for their partners. For customer complaints, this means understanding and classifying complaints from every source as clearly, rapidly and accurately as possible. “In our AI use case of the customer complaint categorization, we’re calling an LLM and we’re not building any model, we’re not training anything. So it removes a lot of the risk categories there,” Guillaume Colley, Director of Data Science and Analytics at Coastal partner Cavallo Technologies, said. With this risk identification complete, Coastal was then able to focus on a subset of controls, such as ensuring the availability of sufficient evaluation data, maintaining a human-in-the-loop model lifecycle and mitigating prompt injection, to satisfy the risk profile of this use case and AI deployment model.
As heavy adopters of the Databricks Data Intelligence Platform, Coastal appreciated that the exact controls available in Databricks were outlined, too. They have further implemented robust controls using Databricks’ Unity Catalog (UC) as outlined and verified in the DASF. With a 91% adoption rate of UC, Coastal uses its capabilities extensively to manage model lifecycles, leveraging features like access controls, lineage tracking and lakehouse monitoring. Enhanced security measures, including IP ACLs, network connectivity and encryption, have also been integral to their approach.
Securing a bright BaaS future with Databricks
Much of Coastal’s success with the DASF comes from implementing and outlining the risks and controls with additional Databricks resources to support them. They leaned on the linked documentation and their Databricks solution architect team, and participated in a Databricks-hosted AI Security Workshop at the Data + AI Summit. This allowed MacLean and her team to feel confident that they were implementing the controls correctly and get coaching from the DASF authors.
For Coastal, the DASF facilitated meaningful discussions with their board, ultimately strengthening their confidence in AI and ML initiatives. The DASF was reviewed and embraced by the president, the technical team and even the board. Looking ahead, they see their use of ML and AI with Databricks continuing to evolve, with security and governance remaining at the forefront of their strategy.
“In financial services, we have to consider not only the amount of data we have that can add more value to our customers, but that we also have to protect that data at the same time,” Barb added. “With the Databricks AI Security Framework, we’re able to mitigate AI risks thoughtfully and transparently, which is invaluable for building board and employee trust. It’s a game changer that allows us to bring AI into the business and be among the 15% of organizations getting AI workloads to production safely and with confidence.”
Final advice: starting strong with the DASF
For organizations considering implementing the Databricks AI Security Framework, Coastal’s advice is to view audit and compliance as allies. These frameworks and controls not only help demonstrate the integrity of a data team’s work but also build transparency and trust. Coastal advocates that the DASF and its principles are broadly applicable across the industry no matter which cloud or data platform you choose. Start small, focusing on a specific use case, and use the well-structured documentation to guide you through the process. They also recommend attending a Databricks AI Security workshop.
The Databricks AI Security Framework whitepaper is available for download on the Databricks Security and Trust Center.