Due diligence review of AI providers - HITRUST AI Security Assessment and Certification Specification

Review the model card of models used by the AI system

HITRUST CSF requirement statement [?] (14.09fAISecSystem.1)

The organization performs an evaluation of the security posture of any external 
commercial providers of AI system components, including AI
(1) models; 
(2) datasets; 
(3) software packages (e.g., those for model creation, training, and/or deployment); 
(4) platforms and computing infrastructure; and 
(5) language model tools such as agents and plugins, as applicable. 
This evaluation is performed 
(6) during onboarding of the provider and 
(7) on a routine basis thereafter
in accordance with the organization’s supplier oversight processes.

Evaluative elements in this requirement statement [?]

1. The organization performs an evaluation of the security posture of any external 
commercial providers of AI models, if applicable.

2. The organization performs an evaluation of the security posture of any external 
commercial providers of AI datasets, if applicable.

3. The organization performs an evaluation of the security posture of any external 
commercial providers of AI software packages (e.g., those for model creation, training, 
and/or deployment), if applicable.

4. The organization performs an evaluation of the security posture of any external 
commercial providers of AI platforms and computing infrastructure, if applicable.

5. The organization performs an evaluation of the security posture of any external 
commercial providers of language model tools such as agents and plugins, if applicable.

6. This evaluation is performed during onboarding of the provider.

7. This evaluation is performed on a routine basis thereafter in accordance with the organization’s supplier oversight processes.

Illustrative procedures for use during assessments [?]

Policy: Examine policies related to each evaluative element within the requirement statement. Validate the existence of a written or undocumented policy as defined in the HITRUST scoring rubric.
Procedure: Examine evidence that written or undocumented procedures exist as defined in the HITRUST scoring rubric. Determine if the procedures and address the operational aspects of how to perform each evaluative element within the requirement statement.
Implemented: Examine evidence that all evaluative elements within the requirement statement have been implemented as defined in the HITRUST scoring rubric, using a sample based test where possible for each evaluative element. Example test(s):
- For example, review documentation associated with a sample of external commercial providers of AI system components to ensure the organization performed an evaluation of their security posture. Further, confirm that this evaluation is conducted during the provider’s onboarding and on a routine basis thereafter, in accordance with the organization’s supplier oversight processes.
Measured: Examine measurements that formally evaluate and communicate the operation and/or performance of each evaluative element within the requirement statement. Determine the percentage of evaluative elements addressed by the organization’s operational and/or independent measure(s) or metric(s) as defined in the HITRUST scoring rubric. Determine if the measurements include independent and/or operational measure(s) or metric(s) as defined in the HITRUST scoring rubric. Example test(s):
- For example, measures indicate if the organization performs an evaluation of the security posture of any external commercial providers of AI system components, including AI models, datasets, software packages (e.g., those for model creation, training, and/or deployment), platforms and computing infrastructure, and language model tools such as agents and plugins, as applicable. Reviews, tests, or audits are completed by the organization to measure the effectiveness of the implemented controls and to confirm that all external commercial providers of AI system components are evaluated.
Managed: Examine evidence that a written or undocumented risk treatment process exists, as defined in the HITRUST scoring rubric. Determine the frequency that the risk treatment process was applied to issues identified for each evaluative element within the requirement statement.

Placement of this requirement in the HITRUST CSF [?]

Assessment domain: 14 Third-party Assurance
Control category: 05.0 – Organization of Information Security
Control reference: 09.f – Monitoring and Review of Third Party Services

Specific to which parts of the overall AI system? [?]

AI application layer:

AI plugins and agents
The AI application’s supporting IT infrastructure (Considered in the associated HITRUST e1, i1, or r2 assessment)

AI platform layer:

The AI platform and associated APIs (Considered in the associated HITRUST e1, i1, or r2 assessment)
The deployed AI model
Model engineering environment and model pipeline
AI datasets and data pipelines
AI compute infrastructure (Considered in the associated HITRUST e1, i1, or r2 assessment)

Discussed in which authoritative AI security sources? [?]

OWASP 2023 Top 10 for LLM Applications
Oct. 2023, © The OWASP Foundation
- Where:
  - LLM05: Supply chain vulnerabilities > Prevention and mitigation strategies > Bullet #1
  - LLM05: Supply chain vulnerabilities > Prevention and mitigation strategies > Bullet #10

OWASP 2025 Top 10 for LLM Applications
2025, © The OWASP Foundation
- Where:
  - LLM03: Supply Chain > Prevention and Mitigation Strategies > Bullet #1
  - LLM04: Data and Model Poisoning > Prevention and Mitigation Strategies > Bullet #2

OWASP AI Exchange
2024, © The OWASP Foundation
- Where:
  - #SUPPLYCHAINMANAGE

LLM AI Cybersecurity & Governance Checklist
Feb. 2024, © The OWASP Foundation
- Where:
  - 3. Checklist > 3.8. Regulatory > Bullet #5
  - 3. Checklist > 3.8. Regulatory > Bullet #7
  - 3. Checklist > 3.8. Regulatory > Bullet #8
  - 3. Checklist > 3.8. Regulatory > Bullet #9
  - 3. Checklist > 3.9. Using or implementing large language model solutions > Bullet #11
  - 3. Checklist > 3.9. Using or implementing large language model solutions > Bullet #12

Guidelines for Secure AI System Development
Nov. 2023, Cybersecurity & Infrastructure Security Agency (CISA)
- Where:
  - 1. Secure design > Design your system for security as well as functionality and performance
  - 2. Secure development > Secure your supply chain

Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems
Apr 2024, National Security Agency (NSA)
- Where:
  - Continuously protect the AI system > Validate the AI system before and during use > Bullet 6

Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector
March 2024, U.S. Department of the Treasury
- Where:
  - 5. Best practices for managing AI-specific security risks > 5.5. Asking the right questions of vendors

Discussed in which commercial AI security sources? [?]

HiddenLayer’s 2024 AI Threat Landscape Report
2024, © HiddenLayer
- Where:
  - Part 4: Predictions and recommendations > 3. Data security and privacy > Bullet 2
Snowflake AI Security Framework
2024, © Snowflake Inc.
- Where:
  - Model poisoning > Mitigations > Bullet 1
  - Self-hosted OSS LLMs Security > Mitigations > Supply chain security

Control functions against which AI security threats? [?]

Control function: Variance reduction

Additional information

Q: When will this requirement included in an assessment? [?]
- This requirement will always be added to HITRUST assessments which include the
  Security for AI systems regulatory factor.
- No other assessment tailoring factors affect this requirement.

Q: Will this requirement be externally inheritable? [?] [?]
- No (dual responsibility). The AI application provider and its AI service providers are responsible for independently performing this requirement outside of the AI system’s technology stack.

TOPIC: AI supply chain

Review the model card of models used by the AI system