Version control of AI assets

HITRUST CSF requirement statement [?] (06.10jAISecSystem.1)

AI assets, including
(1) code to create, train, and/or deploy AI models;
(2) training datasets;
(3) fine-tuning datasets;
(4) RAG datasets (if used);
(5) configurations of pipelines used to create, train, and/or deploy AI models;
(6) code used by language model tools such as agents and plugins (if used); and 
(7) models
are versioned and tracked.

Evaluative elements in this requirement statement [?]

1. Code used to create, train, and/or deploy AI models is versioned and tracked.

2. Training datasets are versioned and tracked.

3. Fine-tuning datasets are versioned and tracked.

4. RAG datasets versioned and tracked.

5. Configurations of pipelines used to create, train, and/or deploy AI models are versioned and tracked.

6. Code used by language model tools such as agents and plugins is versioned and tracked.

7. AI models are versioned and tracked.

Illustrative procedures for use during assessments [?]

• Policy: Examine policies related to each evaluative element within the requirement statement. Validate the existence of a written or undocumented policy as defined in the HITRUST scoring rubric.
  
  
• Procedure: Examine evidence that written or undocumented procedures exist as defined in the HITRUST scoring rubric. Determine if the procedures and address the operational aspects of how to perform each evaluative element within the requirement statement.
  
  
• Implemented: Examine evidence that all evaluative elements within the requirement statement have been implemented as defined in the HITRUST scoring rubric, using a sample based test where possible for each evaluative element. Example test(s):
  • For example, evidence that the AI assets listed in the requirement statement are each versioned and tracked (as applicable).
    
    
• Measured: Examine measurements that formally evaluate and communicate the operation and/or performance of each evaluative element within the requirement statement. Determine the percentage of evaluative elements addressed by the organization’s operational and/or independent measure(s) or metric(s) as defined in the HITRUST scoring rubric. Determine if the measurements include independent and/or operational measure(s) or metric(s) as defined in the HITRUST scoring rubric. Example test(s):
  • For example, measures indicate percentage of the organization’s AI assets which are versioned and tracked of total. Reviews, tests, or audits are completed by the organization to measure the effectiveness of the implemented controls.
    
    
• Managed: Examine evidence that a written or undocumented risk treatment process exists, as defined in the HITRUST scoring rubric. Determine the frequency that the risk treatment process was applied to issues identified for each evaluative element within the requirement statement.
  
  

Placement of this requirement in the HITRUST CSF [?]

• Assessment domain: 06 Configuration Management
• Control category: 10.0 – Information Systems Acquisition, Development, and Maintenance
• Control reference: 10.j Access Control to Program Source Code
  
  

Specific to which parts of the overall AI system? [?]

AI application layer:

• AI plugins and agents
• The deployed AI application (Considered in the associated HITRUST e1, i1, or r2 assessment)

AI platform layer

• The AI platform and associated APIs (Considered in the associated HITRUST e1, i1, or r2 assessment)
• Model engineering environment and model pipeline
  
  

Discussed in which authoritative AI security sources? [?]

• OWASP AI Exchange
  2024, © The OWASP Foundation
  • Where:
    • #DEVPROGRAM
    • #DEVSECURITY
      
      

• OWASP 2025 Top 10 for LLM Applications
  2025, © The OWASP Foundation
  • Where:
    • LLM04: Data and Model Poisoning > Prevention and Mitigation Strategies > Bullet #6
      
      

• Guidelines for Secure AI System Development
  Nov. 2023, Cybersecurity & Infrastructure Security Agency (CISA)
  • Where:
    • 2. Secure development > Identify, track and protect your assets
      
      

• Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems
  Apr 2024, National Security Agency (NSA)
  • Where:
    • Continuously protect the AI system > Validate the AI system before and during use > Bullet 3
      
      

Discussed in which commercial AI security sources? [?]

• Databricks AI Security Framework
  Sept. 2024, © Databricks
  • Where:
    • Control DASF 10: Version data
    • Control DASF 17: Track and reproduce the training data used for ML model training
    • Control DASF 52: Source code control
      
      

Control functions against which AI security threats? [?]

• Control function: Variance reduction
  • Denial of AI service
  • Prompt injection
  • Evasion
  • Model inversion
  • Model extraction and theft
  • Data poisoning
  • Model poisoning
  • Compromised 3rd-party training datasets
  • Compromised 3rd-party models or code
  • Confabulation
  • Excessive agency
  • Sensitive information disclosed in output
    

Additional information

• Q: When will this requirement included in an assessment? [?]
  • This requirement will always be added to HITRUST assessments which include the
    Security for AI systems regulatory factor.
  • No other assessment tailoring factors affect this requirement.
    
    

• Q: When is this requirement applicable, and when could it be inapplicable?
  • This requirement applies regardless of the model’s provenance and regardless of the AI system architecture.
  • Element #2 is only applicable when language model tools such as agents or plugins are used.
    
    

• Q: Will this requirement be externally inheritable? [?] [?]
  • Yes, fully. This requirement may be the sole responsibility of the AI platform provider and/or model creator. Or, depending on the AI system’s architecture, only evaluative elements that are the sole responsibility of the AI platform provider and/or model creator apply.