Inspection of AI software assets

HITRUST CSF requirement statement [?] (07.10mAISecOrganizational.6)

To find potentially exploitable vulnerabilities, the organization inspects downloaded AI software assets 
before use—including 
(1) models (e.g., such as those sourced from online model zoos); 
(2) software packages used to create, train, and/or deploy models (e.g., python packages); and
(3) language model tools such as agents and plugins (if used). 
The organization 
(4) acts upon the results, as necessary.

Evaluative elements in this requirement statement [?]

1. To find potentially exploitable vulnerabilities, the organization inspects downloaded AI models 
before use (e.g., such as those sourced from online model zoos).

2. To find potentially exploitable vulnerabilities, the organization inspects downloaded software 
packages (e.g., python packages) used to create, train, and/or deploy models before use.

3. To find potentially exploitable vulnerabilities, the organization inspects downloaded 
language model tools such as agents and plugins before use (if used).

4. The organization acts upon the results, as necessary.

Illustrative procedures for use during assessments [?]

• Policy: Examine policies related to each evaluative element within the requirement statement. Validate the existence of a written or undocumented policy as defined in the HITRUST scoring rubric.
  
  
• Procedure: Examine evidence that written or undocumented procedures exist as defined in the HITRUST scoring rubric. Determine if the procedures and address the operational aspects of how to perform each evaluative element within the requirement statement.
  
  
• Implemented: Examine evidence that all evaluative elements within the requirement statement have been implemented as defined in the HITRUST scoring rubric, using a sample based test where possible for each evaluative element. Example test(s):
  • For example, select a sample of downloaded AI software assets and confirm they were inspected before use. Further, confirm that the organization acts upon the inspection results, as necessary.
    
    
• Measured: Examine measurements that formally evaluate and communicate the operation and/or performance of each evaluative element within the requirement statement. Determine the percentage of evaluative elements addressed by the organization’s operational and/or independent measure(s) or metric(s) as defined in the HITRUST scoring rubric. Determine if the measurements include independent and/or operational measure(s) or metric(s) as defined in the HITRUST scoring rubric. Example test(s):
  • For example, measures indicate percentage of the organization’s downloaded AI software assets that were not inspected before use. Reviews, tests, or audits are completed by the organization to measure the effectiveness of the implemented controls and to confirm that all AI software assets are inspected before use.
    
    
• Managed: Examine evidence that a written or undocumented risk treatment process exists, as defined in the HITRUST scoring rubric. Determine the frequency that the risk treatment process was applied to issues identified for each evaluative element within the requirement statement.
  
  

Placement of this requirement in the HITRUST CSF [?]

• Assessment domain: 07 Vulnerability Management
• Control category: 10.0 – Information Systems Acquisition, Development, and Maintenance
• Control reference: 10.m – Control of Technical Vulnerabilities
  
  

Specific to which parts of the overall AI system? [?]

AI application layer:

• The deployed AI application (Considered in the associated HITRUST e1, i1, or r2 assessment)

AI platform layer:

• The deployed AI model
• Model engineering environment and model pipeline
  
  

Discussed in which authoritative AI security sources? [?]

• Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems
  Apr 2024, National Security Agency (NSA)
  • Where:
    • Continuously protect the AI system > Validate the AI system before and during use > Bullet 7
      
      

• LLM AI Cybersecurity & Governance Checklist
  Feb. 2024, © The OWASP Foundation
  • Where:
    • 3. Checklist > 3.9. Using or implementing large language model solutions > Bullet #8
      
      

• MITRE ATLAS
  2024, © The MITRE Corporation
  • Where: AML.M0016
    
    

• NIST AI 100-2 E2023: Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations
  Jan. 2024, National Institute of Standards and Technology (NIST)
  • Where:
    • 2. Predictive AI taxonomy > 2.3. Poisoning attacks and mitigations > 2.3.3. Backdoor poisoning
    • 3. Generative AI taxonomy > 3.2. AI supply chain attacks and mitigations > 3.2.2. Poisoning attacks
      
      

• OWASP AI Exchange
  2024, © The OWASP Foundation
  • Where:
    • #SECDEVPROGRAM
      
      

• OWASP 2023 Top 10 for LLM Applications
  Oct. 2023, © The OWASP Foundation
  • Where:
    • LLM05: Supply chain vulnerabilities > Prevention and mitigation strategies > Bullet #8
    • LLM07: Insecure plugin design > Prevention and mitigation strategies > Bullet #3
      
      

• OWASP 2025 Top 10 for LLM Applications
  2025, © The OWASP Foundation
  • Where:
    • LLM03: Supply Chain > Prevention and Mitigation Strategies > Bullet #2
    • LLM03: Supply Chain > Prevention and Mitigation Strategies > Bullet #7
    • LLM03: Supply Chain > Prevention and Mitigation Strategies > Bullet #8
      
      

• OWASP Machine Learning Security Top 10
  2023, © The OWASP Foundation
  • Where:
    • ML06:2023 AI supply chain attacks > How to prevent > Bullet #5
      
      
• Securing Machine Learning Algorithms
  2021, © European Union Agency for Cybersecurity (ENISA)
  • Where:
    • 4.1- Security Controls > Technical > Check the vulnerabilities of the components used so that they have an appropriate security level
      
      

Discussed in which commercial AI security sources? [?]

• Databricks AI Security Framework
  Sept. 2024, © Databricks
  • Where:
    • Control DASF 41: Platform security – Secure SDLC
    • Control DASF 53: Third-party library control
      
      

• Snowflake AI Security Framework
  2024, © Snowflake Inc.
  • Where:
    • Backdooring models (insider attacks) > Mitigations > Secure development practices
      
      

Control functions against which AI security threats? [?]

• Control function: Preventative
  • Compromised 3rd-party models or code
  • Model poisoning
    

Additional information

• Q: When will this requirement included in an assessment? [?]
  • This requirement will always be added to HITRUST assessments which include the
    Security for AI systems regulatory factor.
  • No other assessment tailoring factors affect this requirement.
    
    

• Q: When is this requirement applicable, and when could it be inapplicable?
  • This requirement applies regardless of the model’s provenance and regardless of the AI system architecture.
  • Element #1 is only applicable when the AI system uses an AI model sourced from an online model zoo / model hub.
  • Element #2 is only applicable when the organization uses software packages downloaded from online package repositories.
  • Element #3 is only applicable when language model tools such as agents or plugins are used.
    
    

• Q: Will this requirement be externally inheritable? [?] [?]
  • Yes, fully. This requirement may be the sole responsibility of the AI platform provider and/or model creator. Or, depending on the AI system’s architecture, only evaluative elements that are the sole responsibility of the AI platform provider and/or model creator provider apply.