Detailed Checklist for Ensuring AI Model Security in Organizations

Artificial intelligence (AI) is now driving automation, innovation, and operational efficiency across several industries. But with the growing reliance on AI systems comes an increased risk of security vulnerabilities. These models, often built on vast amounts of data and complex algorithms, are not immune to exploitation.

Adversaries targeting AI models can cause significant damage—ranging from data breaches and intellectual property theft to financial losses and operational disruptions. Securing AI models is therefore not just an option; it’s a necessity for organizations aiming to protect their assets, maintain customer trust, and avoid damaging their reputation.

The Importance of AI Model Security

As organizations integrate AI into their core functions, the security of these models becomes critical to the integrity of their operations. A compromised AI model can lead to faulty predictions, biased decision-making, and even complete system failure. In industries like healthcare, finance, and autonomous systems, the consequences of an insecure AI model can be devastating—misdiagnoses, fraudulent transactions, or even physical harm.

The complexities of AI systems, coupled with their reliance on data, present unique security challenges. Unlike traditional IT systems, which can be secured through firewalls and encryption, AI models must also be defended against sophisticated attacks that exploit their data and algorithms. This makes securing AI a multi-layered process, involving everything from protecting the data pipeline to monitoring model behavior in real-time.

Overview of Risks

Insecure AI models are vulnerable to a wide range of risks. These risks not only jeopardize the integrity of the model but can also have severe implications for the organization and its stakeholders. The main risks include:

• Data Breaches and Privacy Violations: Exposing sensitive data to adversaries.
• Loss of Intellectual Property: Competitors or malicious actors stealing proprietary models.
• Bias and Ethical Risks: Manipulated models producing harmful, biased, or unfair outcomes.
• Operational Disruptions: Leading to poor decision-making or system failures.
• Adversarial Attacks: Exploiting vulnerabilities in the model to compromise security.

Addressing these risks requires a comprehensive security strategy that covers all stages of AI development, from model training to post-deployment monitoring.

The Risks of Insecure AI Models

Data Breaches and Privacy Violations

AI models are only as good as the data they are trained on, and this data often contains sensitive or proprietary information. Whether it’s customer records, medical histories, or financial data, these datasets are valuable targets for cybercriminals. If an AI model is compromised, attackers can gain unauthorized access to this information, leading to large-scale data breaches and privacy violations.

In addition to direct data theft, adversaries can also infer sensitive information from AI models, especially if they are not properly secured. For instance, attackers can use techniques like model inversion to reconstruct input data, revealing private details about individuals. This is particularly concerning for industries like healthcare, where privacy regulations like HIPAA mandate strict data protection standards.

Loss of Intellectual Property

AI models represent significant intellectual property (IP) for organizations. The development of these models often requires substantial investment in data collection, engineering, and training. If a model is stolen, reverse-engineered, or replicated by a competitor, the organization risks losing its competitive edge.

Model stealing, a form of IP theft, occurs when attackers use queries to extract enough information from a model to replicate it. In cases where models are deployed via public APIs, this type of attack becomes even more feasible. Without proper access controls, adversaries can essentially recreate a proprietary model, bypassing the expensive and time-consuming process of developing their own.

Bias and Ethical Risks

AI models can unintentionally introduce bias into decision-making processes, particularly if the data used to train them is skewed or incomplete. However, when AI models are tampered with, these biases can be intentionally amplified. Adversaries could manipulate the data used to train the model (via data poisoning attacks), leading to biased predictions that disproportionately affect certain groups.

Biased AI models can have ethical and legal ramifications, especially in sectors like hiring, lending, and law enforcement, where decisions directly impact people’s lives. If a model is manipulated to favor or disfavor certain individuals based on attributes like race, gender, or socioeconomic status, organizations can face legal challenges and public backlash.

Operational Disruptions

AI models are often deployed in critical systems where decision-making needs to be fast and accurate. Insecure models, however, can lead to operational disruptions if their integrity is compromised. For example, a tampered AI model used in an autonomous vehicle could make dangerous driving decisions, leading to accidents. In finance, a compromised AI model might make inaccurate predictions, causing financial losses or market manipulation.

These disruptions can severely impact business continuity, customer trust, and overall operational efficiency. If an attacker manages to interfere with the way a model functions, the resulting damage can cascade through the organization, affecting various departments and systems.

Adversarial ML: A Growing Threat

Adversarial machine learning (ML) is a growing area of concern in AI security. Unlike traditional cyberattacks, which target systems or networks, adversarial ML specifically targets the weaknesses in AI models. Attackers craft malicious inputs, known as adversarial examples, that can deceive the model into making incorrect predictions or decisions.

Adversarial ML is particularly dangerous because the attacker doesn’t need full access to the AI system. By simply interacting with the model through queries or data manipulation, adversaries can compromise its behavior. This poses a significant challenge for security teams, as traditional defenses like encryption and firewalls are insufficient to protect against these types of attacks.

Common Attack Vectors

Evasion Attacks

Evasion attacks are designed to exploit vulnerabilities in an AI model’s decision-making process. In this type of attack, adversaries craft input data specifically designed to “trick” the model into making incorrect predictions. For instance, an evasion attack on a facial recognition system might involve altering the input image just enough that the system fails to recognize a known individual. This type of attack is common in security systems like biometric authentication or spam detection.

Poisoning Attacks

In poisoning attacks, the adversary corrupts the training data used to build the AI model. By introducing malicious or misleading data into the training set, the attacker can influence the model’s predictions. Poisoning attacks can be particularly damaging because they undermine the integrity of the model at its core, causing it to make flawed decisions even after deployment. This can be difficult to detect, as the model’s compromised behavior may not be immediately obvious.

Inference Attacks

Inference attacks allow adversaries to extract sensitive information from the AI model. These attacks aim to deduce details about the data that was used to train the model or about the model itself. For example, through model inversion, an attacker can reconstruct the input data (such as images or personal details) that the model processed. This presents a privacy risk, as confidential data can be inferred even without direct access to the original dataset.

Model Stealing

Model stealing involves replicating a proprietary AI model by using its publicly available outputs. By repeatedly querying the model with different inputs, attackers can reverse-engineer its behavior and recreate it. This can be a significant threat to organizations that have invested time and resources into developing their AI models, as it allows competitors to access proprietary technology without investing in development.

Impacts of Adversarial ML

The consequences of adversarial ML attacks are wide-ranging and can severely disrupt an organization’s operations. Some of the key impacts include:

• Reputational Damage: Organizations that fall victim to adversarial ML attacks may suffer reputational damage, especially if sensitive customer data is compromised or if biased or unethical decisions are made by the AI model.
• Financial Loss: A manipulated AI model can lead to incorrect decisions, resulting in financial losses. This is particularly true in industries like finance or insurance, where models are used to predict risks or assess investments.
• Compromised Security: Adversarial attacks can bypass security systems that rely on AI, such as fraud detection or intrusion prevention systems, leading to breaches that would otherwise have been stopped.

The rise of adversarial ML attacks highlights the need for a comprehensive security strategy that addresses not just traditional cyber threats but also the unique challenges posed by AI. Protecting AI models requires a combination of robust defenses, continuous monitoring, and regular updates to stay ahead of evolving threats.

Checklist for AI Model Security

Securing AI models is a comprehensive process that must cover every stage, from data preparation and training to deployment and post-deployment monitoring. This detailed checklist provides key steps organizations must take to ensure their AI models are secure and resilient against both known and emerging threats. Each stage includes specific measures that help mitigate risks, improve security, and ensure compliance with ethical standards.

a. Securing the Data Pipeline

The data pipeline forms the foundation of any AI model, and its security is paramount. If the data pipeline is compromised, the model may be trained on manipulated or malicious data, leading to incorrect outputs and vulnerabilities. Securing this pipeline involves multiple layers of protection to ensure data integrity, confidentiality, and authenticity.

Data Validation and Cleansing

One of the first steps in securing the data pipeline is ensuring that all input data is validated and cleansed. This involves rigorous data preprocessing to remove errors, inconsistencies, and potential malicious entries that may have been inserted by attackers. Data cleansing helps eliminate potential attack vectors such as poisoning attacks, where adversaries introduce tainted data to compromise the model’s decision-making process.

Best Practices:

• Use automated tools to detect and remove outliers or anomalous data points.
• Implement strict data validation rules to ensure that all input data conforms to expected formats and ranges.
• Filter data for signs of malicious tampering, such as the presence of adversarial examples or unexpected input patterns.

Data Encryption

Encrypting data both in transit and at rest is critical to ensuring that it remains secure throughout the AI lifecycle. Data in transit between systems and storage locations is vulnerable to interception, while data at rest is susceptible to theft if unauthorized access is gained.

Best Practices:

• Use strong encryption algorithms (e.g., AES-256) to encrypt sensitive data.
• Ensure data is encrypted during transfers between systems (e.g., from the data source to the model training environment).
• Store encryption keys securely and restrict access to only those who need it.

Access Control

Limiting access to data is another critical component of securing the data pipeline. Implementing role-based access control (RBAC) and least-privilege policies ensures that only authorized personnel can access or modify the data used for model training.

Best Practices:

• Assign data access based on roles and responsibilities to minimize exposure.
• Apply the principle of least privilege, granting the minimum level of access necessary to perform tasks.
• Regularly audit access logs to detect any unauthorized data access.

b. Model Development and Training

Once the data is secure, the next critical step is to ensure that the environment and methods used to develop and train the AI model are also secure. This step focuses on creating a secure and controlled environment for model development and incorporating techniques to strengthen the model against potential attacks.

Secure Training Environments

To prevent unauthorized access or tampering during model training, organizations must use isolated and secure environments for training AI models. These environments should be protected against external interference and monitored for any suspicious activity.

Best Practices:

• Conduct training in secure, isolated environments with limited network access.
• Ensure that development environments are regularly updated with the latest security patches and monitored for vulnerabilities.
• Use virtual machines or cloud-based environments with hardened security configurations.

Robust Training Techniques

Incorporating adversarial training into the model development process is essential for strengthening the model against adversarial attacks. Adversarial training involves exposing the model to adversarial examples during the training phase, teaching it how to recognize and mitigate such inputs in the future.

Best Practices:

• Implement adversarial training methods that introduce adversarial examples into the training set.
• Regularly assess the model’s ability to defend against adversarial inputs by evaluating its performance against a variety of attack scenarios.

Bias Audits

It is crucial to assess the model for biases regularly, ensuring that it makes fair and ethical decisions. Left unchecked, bias in the training data can lead to unfair or harmful outcomes. Regular bias audits help ensure that the AI model’s decisions align with ethical standards.

Best Practices:

• Use tools to regularly audit the model for biases, focusing on demographic attributes such as race, gender, and socioeconomic status.
• Adjust training datasets and algorithms to minimize bias and ensure that the model is making fair, ethical decisions.
• Implement fairness metrics and monitor them throughout the lifecycle of the model.

c. Model Deployment

Once the model is developed and trained, securing its deployment is the next step. AI models deployed in real-world environments face different security challenges, including potential manipulation of inputs and unauthorized access to their outputs.

Input Validation and Sanitization

During deployment, it’s essential to ensure that all inputs to the model are validated and sanitized. Attackers may attempt to manipulate input data to force the model into making incorrect predictions or expose vulnerabilities.

Best Practices:

• Apply strict input validation measures to verify that all inputs meet expected criteria before being processed by the model.
• Use input sanitization techniques to remove potentially harmful data that could be used to exploit model vulnerabilities.

Containerization and Sandboxing

To limit the model’s interaction with other systems and prevent unauthorized access, AI models should be deployed within containers or sandboxes. This approach provides isolation and reduces the attack surface by restricting the model’s access to critical system resources.

Best Practices:

• Deploy models in containerized environments to ensure isolation and prevent unauthorized access.
• Use sandboxing techniques to test new models or updates in a secure environment before full deployment.

Monitoring and Logging

Continuous monitoring and logging are essential for detecting abnormal behavior or signs of a potential attack. AI models should be closely monitored for output anomalies, and logs should be reviewed regularly to identify any signs of compromise.

Best Practices:

• Use automated monitoring tools to detect unusual model outputs or predictions that deviate from normal patterns.
• Maintain detailed logs of all inputs, outputs, and system interactions to aid in forensic analysis in the event of an attack.

d. Post-Deployment Security Measures

Even after a model is deployed, security must be continuously maintained. Post-deployment measures ensure that models remain secure over time, particularly as new vulnerabilities are discovered.

Continuous Model Auditing

Regular auditing of AI models is essential to ensure they remain accurate, fair, and secure over time. As models are exposed to new data, they may drift from their original performance metrics, introducing vulnerabilities or biases.

Best Practices:

• Conduct regular audits to assess model accuracy and detect any biases or vulnerabilities that may have emerged post-deployment.
• Use automated tools to continuously evaluate model performance and flag any issues in real-time.

Update and Patch Management

AI models, like other software systems, must be regularly updated and patched to protect against emerging threats. Keeping models and their associated infrastructure up-to-date is crucial for maintaining security.

Best Practices:

• Establish a patch management process to ensure timely updates of both the model and the underlying system infrastructure.
• Regularly review and test updates in a sandbox environment before deploying them to production.

Access Control for APIs

Restricting access to AI models, especially those available through APIs, is critical for preventing unauthorized interactions. Proper authentication and authorization mechanisms ensure that only authorized users can access or query the model.

Best Practices:

• Implement authentication protocols such as OAuth or API keys to secure access to AI models.
• Enforce strict authorization policies, allowing only specific users or systems to interact with the model.

e. Resilience Against Adversarial Attacks

AI models must be resilient against adversarial attacks that attempt to manipulate inputs or reverse-engineer the model’s behavior. Organizations should adopt techniques to detect, prevent, and mitigate these attacks to protect the integrity of their models.

Adversarial Detection Tools

Using adversarial detection tools is key to identifying potentially malicious inputs that could compromise the model’s performance. These tools can flag adversarial examples in real-time and allow for proactive defense.

Best Practices:

• Deploy adversarial detection systems that monitor inputs for signs of malicious manipulation.
• Implement countermeasures that automatically block or reject adversarial examples.

Red Teaming and Penetration Testing

Regularly conducting red teaming and penetration testing allows organizations to uncover weaknesses in their AI systems before attackers do. These exercises help identify vulnerabilities and improve the overall security of the model.

Best Practices:

• Set up a dedicated red team to simulate attacks on the AI model and uncover vulnerabilities.
• Perform regular penetration tests to evaluate the model’s resistance to adversarial threats.

Model Ensembling

Ensemble models use multiple algorithms to process the same input, increasing the robustness of the AI system. By aggregating the outputs of several models, organizations can reduce the likelihood of a single model being compromised by adversarial inputs.

Best Practices:

• Use ensemble learning techniques to combine multiple models for greater security.
• Regularly test ensemble models against adversarial attacks to ensure improved robustness.

f. Governance and Compliance

Governance and compliance are vital aspects of AI security. Organizations must ensure their AI models adhere to industry regulations, ethical standards, and best practices for accountability and transparency.

Regulatory Compliance

AI models must comply with relevant regulations such as GDPR, HIPAA, and other data protection laws. Ensuring compliance helps avoid legal penalties and protects the organization’s reputation.

Best Practices:

• Regularly review AI model processes to ensure compliance with all applicable regulations.
• Conduct periodic assessments to verify adherence to data protection and privacy laws.

Ethical AI Guidelines

Establishing an ethical AI framework ensures that models make decisions transparently and fairly. This is particularly important in sensitive industries like healthcare, finance, and law enforcement.

Best Practices:

• Develop ethical guidelines that outline the responsible use of AI in decision-making.
• Ensure transparency by documenting how models are trained, tested, and deployed.

Audit Trails

Maintaining detailed audit trails is crucial for ensuring accountability and compliance. These trails provide a record of how the AI model was developed, deployed, and updated, allowing organizations to demonstrate due diligence in security and ethical practices.

Best Practices:

• Maintain detailed records of model training, testing, and updates.
• Store logs securely to ensure they remain accessible for compliance audits.

By following these steps, organizations can ensure that their AI models are secure, resilient, and compliant with legal and ethical standards. This comprehensive checklist covers each phase of the AI lifecycle, providing a robust framework for AI security.

Risks of Adversarial Machine Learning in Different Industries

Adversarial Machine Learning (ML) represents a critical vulnerability for AI systems across various industries. By feeding manipulated data or adversarial examples into machine learning models, attackers can alter outputs or cause models to fail in unexpected ways.

These risks pose significant threats, particularly in industries where AI systems drive mission-critical processes. Below, we examine how adversarial ML can impact the healthcare, finance, and autonomous systems sectors, each presenting unique challenges and consequences.

Healthcare: The Risk of Misdiagnoses or Incorrect Treatment Recommendations Due to Tampered Models

In healthcare, machine learning models are increasingly utilized for diagnosing diseases, recommending treatment plans, and predicting patient outcomes. Adversarial attacks in this field could have dire consequences. If attackers succeed in manipulating the model’s inputs or underlying structure, the system could generate misdiagnoses or inappropriate treatment recommendations.

Key Risks:

1. Manipulation of Diagnostic Models: Adversarial ML attacks can tamper with diagnostic algorithms, altering medical images or lab results to mislead the model into providing a false diagnosis. This can cause patients to receive the wrong treatment, potentially worsening their condition or causing unnecessary harm. For example, adversarial inputs in a radiology model might trick the system into classifying a benign tumor as malignant, leading to invasive and unwarranted procedures.
2. Pharmaceutical Dosage Errors: In pharmacology, machine learning models are employed to calculate appropriate drug dosages based on patient data. Adversarial interference could modify these predictions, resulting in dangerous overdoses or underdoses that jeopardize patient safety.
3. Privacy Breaches: Healthcare systems are built on sensitive personal data. Adversarial ML attacks could expose this data or alter anonymization processes, leading to privacy violations. This would not only harm patients but could also lead to legal repercussions for healthcare organizations under regulations such as the Health Insurance Portability and Accountability Act (HIPAA).

Example Attack:

In one scenario, an adversary could craft specific medical images that, when analyzed by AI-powered diagnostic tools, trigger incorrect diagnoses of cancer. This could overwhelm healthcare systems with false positives, straining resources and leading to diminished quality of care for actual patients.

Finance: Adversarial Attacks Leading to Inaccurate Risk Assessments or Fraudulent Financial Predictions

The financial sector depends heavily on machine learning models for risk assessments, fraud detection, credit scoring, and trading algorithms. An adversarial attack in this domain could manipulate financial predictions, leading to significant economic losses or facilitating fraudulent activities.

Key Risks:

1. Inaccurate Risk Assessments: Financial institutions use AI to assess creditworthiness, market risks, and investment opportunities. An adversarial attack could influence the model to incorrectly evaluate a high-risk loan as low-risk, causing financial institutions to approve loans that are likely to default. Conversely, a low-risk client might be flagged as high-risk, denying them credit or investment opportunities.
2. Trading Algorithm Manipulation: AI models drive many stock trading algorithms, analyzing market data and executing trades based on predictions. Adversarial attacks could disrupt these models by injecting fake signals, causing the system to make poor trades that result in financial losses. For instance, an attacker could manipulate stock prices by causing a trading model to buy or sell stocks at inappropriate times.
3. Fraudulent Transactions: Machine learning is also used to detect fraudulent transactions by analyzing transaction patterns. Adversarial ML could bypass these fraud detection systems by altering patterns just enough to avoid detection. As a result, financial institutions may become more vulnerable to large-scale fraud.

Example Attack:

An attacker could subtly alter transaction data in a way that confuses a fraud detection model. By exploiting weak points in the model, the attacker could execute a series of fraudulent transactions that go unnoticed, leading to substantial monetary loss.

Autonomous Systems: Life-Threatening Decisions in Autonomous Vehicles and Robotics

In sectors that rely on autonomous systems, such as transportation and defense, adversarial ML poses life-threatening risks. Autonomous vehicles, drones, and robots rely on machine learning models to make split-second decisions that directly impact safety. Manipulating these models through adversarial inputs could result in catastrophic outcomes.

Key Risks:

1. Traffic Accidents: Autonomous vehicles use machine learning to interpret sensor data and make decisions about navigation, speed, and object detection. An adversarial attack could alter the perception of the vehicle, causing it to misinterpret road signs or fail to detect obstacles. This could lead to collisions, endangering passengers and pedestrians.
2. Malfunctioning Robotics: In industrial and military applications, robots equipped with AI systems perform critical tasks, including hazardous material handling and surveillance. An adversarial attack could compromise the machine’s ability to distinguish between safe and unsafe actions, leading to accidents or unintended damage.
3. Defense Vulnerabilities: Autonomous defense systems, including drones and weapons systems, rely on machine learning to identify and neutralize threats. Adversarial attacks on these systems could lead to the misidentification of friendly targets as hostile, resulting in accidental strikes or compromised missions.

Example Attack:

An attacker could introduce adversarial noise into the image recognition system of an autonomous vehicle, causing it to misclassify a stop sign as a speed limit sign. This simple manipulation could have deadly consequences if the vehicle fails to stop at an intersection.

Best Practices to Mitigate Risks of Adversarial ML

Given the wide-ranging impact of adversarial ML attacks, it is essential for organizations to adopt robust security practices tailored to mitigate these risks. Below are key strategies that help strengthen the defenses of AI systems.

Regular Threat Modeling

To mitigate the risks of adversarial attacks, organizations should engage in regular threat modeling to evaluate the potential threats their AI systems may face. Threat modeling allows for the proactive identification of vulnerabilities and the development of tailored countermeasures before adversaries can exploit them.

Key Actions:

• Conduct threat modeling exercises regularly to identify new attack vectors as the AI system evolves.
• Assess the threat landscape for each specific industry and AI use case, focusing on the potential impact of adversarial inputs.
• Develop mitigation strategies that align with the identified risks, prioritizing areas where the impact of attacks would be most severe.

Benefits:

By continuously evaluating threats, organizations can stay ahead of adversarial tactics, adapting their defenses as new vulnerabilities are identified. This proactive approach is vital for staying resilient in the face of rapidly advancing attack techniques.

Collaboration Between Security and Data Science Teams

Security teams and data scientists often operate in silos, but to effectively combat adversarial ML, collaboration between these groups is crucial. Data science teams develop the models, while security teams have expertise in identifying and mitigating risks. Bringing these skill sets together fosters a more holistic approach to securing AI systems.

Key Actions:

• Establish cross-functional teams that include both data scientists and security professionals to collaborate on AI projects from the outset.
• Ensure security teams have insight into the design and implementation of AI models, enabling them to apply security principles early in the development process.
• Encourage continuous communication and knowledge sharing between teams to keep everyone informed about emerging adversarial threats.

Benefits:

Collaboration ensures that AI models are built with security in mind from the start. It also enables faster response times when vulnerabilities are detected, as both teams can work together to implement fixes or deploy mitigations.

AI Security Training for Teams

As adversarial machine learning is a relatively new field, teams involved in AI development may not be familiar with the security risks specific to their models. Providing targeted training on adversarial ML attacks and defense mechanisms is crucial for equipping teams with the knowledge they need to build secure AI systems.

Key Actions:

• Provide specialized training on adversarial ML for all members of AI development and deployment teams, including data scientists, engineers, and security professionals.
• Regularly update training materials to reflect the latest attack techniques and defense strategies, ensuring that teams stay current with industry best practices.
• Conduct hands-on workshops where teams can simulate adversarial attacks and practice implementing defenses in a controlled environment.

Benefits:

Proper training empowers teams to recognize potential vulnerabilities and implement countermeasures effectively. It also promotes a security-first mindset within the organization, where securing AI systems becomes a shared responsibility.

Adversarial machine learning presents a significant threat across a wide range of industries, from healthcare and finance to autonomous systems. The risks include potentially life-threatening consequences, such as misdiagnoses in healthcare and traffic accidents in autonomous vehicles, as well as substantial financial losses in the banking sector.

To mitigate these risks, organizations must adopt best practices that include regular threat modeling, fostering collaboration between security and data science teams, and providing ongoing AI security training. These strategies help ensure that AI systems remain secure, resilient, and reliable in the face of evolving adversarial threats.

Conclusion

While many view AI as a tool for efficiency, its potential vulnerabilities demand a proactive approach to security that cannot be overlooked. As adversarial machine learning continues to evolve, organizations must recognize that the stakes are higher than ever, going beyond mere compliance to embrace a culture of security that cuts across every aspect of AI development. This means integrating security practices from the very beginning, ensuring that AI models are not only innovative but also resilient against emerging threats.

Looking ahead, advancements in AI security techniques—such as robust adversarial training and enhanced threat detection tools—will be crucial in countering increasingly sophisticated attacks. Moreover, as regulatory landscapes shift and ethical considerations gain prominence, organizations will need to align their security strategies with these broader societal expectations. Embracing collaboration between data scientists and security professionals will foster a holistic understanding of risks and bolster defenses. By prioritizing AI security now, organizations can navigate the complexities of this rapidly changing landscape and safeguard their innovations for years to come.