HITRUST CSF requirement statement [?] (11.01cAISecSystem.5)
The organization restricts the
(1) data (e.g., databases, document repositories, embeddings) access and
(2) capabilities (e.g., messaging) granted to generative AI models (including through
language model tools such as agents and plugins) following the least privilege principle.
This access is controlled in accordance with the organization’s policies regarding
(3) access management (including approvals, revocations, periodic access reviews), and
(4) authentication.- Evaluative elements in this requirement statement [?]
-
1. The organization restricts the data (e.g., databases, document repositories, embeddings) access granted to generative AI models (including through language model tools such as agents and plugins) following the least privilege principle.2. The organization restricts the capabilities (e.g., messaging) granted to generative AI models (including through language model tools such as agents and plugins) following the least privilege principle.3. This access is controlled in accordance with the organization’s policies regarding access management (including approvals, revocations, periodic access reviews).4. This access is controlled in accordance with the organization’s policies regarding authentication.
- Illustrative procedures for use during assessments [?]
- Policy: Examine policies related to each evaluative element within the requirement statement. Validate the existence of a written or undocumented policy as defined in the HITRUST scoring rubric.
- Procedure: Examine evidence that written or undocumented procedures exist as defined in the HITRUST scoring rubric. Determine if the procedures and address the operational aspects of how to perform each evaluative element within the requirement statement.
- Implemented: Examine evidence that all evaluative elements within the requirement statement have been implemented as defined in the HITRUST scoring rubric, using a sample based test where possible for each evaluative element. Example test(s):
- For example, review the AI model to ensure the organization restricts the data (e.g., databases, document repositories, embeddings) access and capabilities (e.g., messaging) granted to generative AI models (including through language model tools such as agents and plugins) following the least privilege principle. Further, confirm this access is controlled in accordance with the organization’s policies regarding access management (including approvals, revocations, periodic access reviews) and authentication.
- For example, review the AI model to ensure the organization restricts the data (e.g., databases, document repositories, embeddings) access and capabilities (e.g., messaging) granted to generative AI models (including through language model tools such as agents and plugins) following the least privilege principle. Further, confirm this access is controlled in accordance with the organization’s policies regarding access management (including approvals, revocations, periodic access reviews) and authentication.
- Measured: Examine measurements that formally evaluate and communicate the operation and/or performance of each evaluative element within the requirement statement. Determine the percentage of evaluative elements addressed by the organization’s operational and/or independent measure(s) or metric(s) as defined in the HITRUST scoring rubric. Determine if the measurements include independent and/or operational measure(s) or metric(s) as defined in the HITRUST scoring rubric. Example test(s):
- For example, measures indicate if the organization restricts the data (e.g., databases, document repositories, embeddings) access and capabilities (e.g., messaging) granted to generative AI models (including through language model tools such as agents and plugins) following the least privilege principle. Reviews, tests, or audits are completed by the organization to measure the effectiveness of the implemented controls and to confirm that all access is controlled in accordance with the organization’s policies regarding access management (including approvals, revocations, periodic access reviews) and authentication.
- For example, measures indicate if the organization restricts the data (e.g., databases, document repositories, embeddings) access and capabilities (e.g., messaging) granted to generative AI models (including through language model tools such as agents and plugins) following the least privilege principle. Reviews, tests, or audits are completed by the organization to measure the effectiveness of the implemented controls and to confirm that all access is controlled in accordance with the organization’s policies regarding access management (including approvals, revocations, periodic access reviews) and authentication.
- Managed: Examine evidence that a written or undocumented risk treatment process exists, as defined in the HITRUST scoring rubric. Determine the frequency that the risk treatment process was applied to issues identified for each evaluative element within the requirement statement.
- Policy: Examine policies related to each evaluative element within the requirement statement. Validate the existence of a written or undocumented policy as defined in the HITRUST scoring rubric.
- Placement of this requirement in the HITRUST CSF [?]
- Assessment domain: 11 Access Control
- Control category: 01.0 – Access Control
- Control reference: 01.c – Privilege Management
- Specific to which parts of the overall AI system? [?]
-
AI application layer:
- AI plugins and agents
- The deployed AI application (Considered in the underlying HITRUST e1, i1, or r2 assessment)
- Discussed in which authoritative AI security sources? [?]
-
- OWASP 2023 Top 10 for LLM Applications
Oct. 2023, © The OWASP Foundation- Where:
- LLM01: Prompt injection > Prevention and mitigation strategies > Bullet #1
- LLM07: Insecure plugin design > Prevention and mitigation strategies > Bullet #4
- LLM08: Excessive agency > Prevention and mitigation strategies > Bullet #1
- LLM08: Excessive agency > Prevention and mitigation strategies > Bullet #2
- LLM08: Excessive agency > Prevention and mitigation strategies > Bullet #4
- LLM10: Model theft > Prevention and mitigation strategies > Bullet #2
- Where:
- OWASP 2025 Top 10 for LLM Applications
2025, © The OWASP Foundation- Where:
- LLM01: Prompt Injection > Prevention and Mitigation Strategies > Bullet #4
- LLM02: Sensitive Information Disclosure > Prevention and Mitigation Strategies > Access Controls > Bullet #1
- LLM02: Sensitive Information Disclosure > Prevention and Mitigation Strategies > Access Controls > Bullet #2
- LLM04: Data and Model Poisoning > Prevention and Mitigation Strategies > Bullet #5
- LLM05: Improper Output Handling > Prevention and Mitigation Strategies > Bullet #1
- LLM06: Excessive Agency > Prevention and Mitigation Strategies > Bullet #1
- LLM06: Excessive Agency > Prevention and Mitigation Strategies > Bullet #2
- LLM06: Excessive Agency > Prevention and Mitigation Strategies > Bullet #4
- Where:
- OWASP AI Exchange
2024, © The OWASP Foundation- Where:
- Guidelines for Secure AI System Development
Nov. 2023, Cybersecurity & Infrastructure Security Agency (CISA)- Where:
- 2. Secure development > Identify, track and protect your assets
- 2. Secure development > Identify, track and protect your assets
- Where:
- Generative AI framework for HM Government
2023, Central Digital and Data Office, UK Government- Where:
- Building generative AI solutions > Building the solution > Patterns > Practical recommendations > Bullet #5
- Building generative AI solutions > Building the solution > Patterns > Practical recommendations > Bullet #5
- Where:
- OWASP 2023 Top 10 for LLM Applications
- Discussed in which commercial AI security sources? [?]
-
- Databricks AI Security Framework
Sept. 2024, © Databricks- Where:
- DASF 24: Control access to models and model assets
- DASF 31: Secure model serving endpoints
- DASF 46: Store and retrieve embeddings securely
- Where:
- Databricks AI Security Framework
- Control functions against which AI security threats? [?]
-
- Control function: Preventative
- Additional information
-
- Q: When will this requirement included in an assessment? [?]
- This requirement is included when the assessment’s in-scope AI system leverages a generative AI model.
- The
Security for AI systemsregulatory factor must also be present in the assessment.
- Q: When will this requirement included in an assessment? [?]