Inventory deployed AI systems

HITRUST CSF requirement statement [?] (07.07aAISecOrganizational.3)

The organization maintains a documented inventory of its deployed AI systems 
which at minimum identifies the 
(1) associated AI platforms used by the AI system (if any); 
(2) AI model(s) used (with name and version); 
(3) AI system owner, 
(4) AI system sensitivity / risk categorization, and 
(5) associated AI service provider(s) (if any).
This inventory is 
(6) periodically (at least semiannually) reviewed and updated.

Evaluative elements in this requirement statement [?]

1. The organization maintains a documented inventory of its deployed AI systems which
at minimum identifies the associated AI platforms used by the AI system (if any).

2. The organization maintains a documented inventory of its deployed AI systems which
at minimum identifies the AI model(s) used (with name and version).

3. The organization maintains a documented inventory of its deployed AI systems which
at minimum identifies the AI system owner.

4. The organization maintains a documented inventory of its deployed AI systems which
at minimum identifies the AI system sensitivity / risk categorization.

5. The organization maintains a documented inventory of its deployed AI systems which
at minimum identifies the associated AI service provider(s) (if any).

6. The organization’s inventory of deployed AI systems is periodically (at least semiannually)
reviewed and updated.

Illustrative procedures for use during assessments [?]

• Policy: Examine policies related to each evaluative element within the requirement statement. Validate the existence of a written or undocumented policy as defined in the HITRUST scoring rubric.
  
  
• Procedure: Examine evidence that written or undocumented procedures exist as defined in the HITRUST scoring rubric. Determine if the procedures and address the operational aspects of how to perform each evaluative element within the requirement statement.
  
  
• Implemented: Examine evidence that all evaluative elements within the requirement statement have been implemented as defined in the HITRUST scoring rubric, using a sample-based test where possible for each evaluative element. Example test(s):
  • For example, review the AI system to ensure the organization maintains a documented inventory of its deployed AI systems which at minimum identifies the associated AI platforms used by the AI system (if any); AI model(s) used (with name and version); AI system owner, AI system sensitivity / risk categorization, and associated AI service provider(s) (if any). Further, confirm that this inventory is periodically (at least annually) reviewed and updated.
    
    
• Measured: Examine measurements that formally evaluate and communicate the operation and/or performance of each evaluative element within the requirement statement. Determine the percentage of evaluative elements addressed by the organization’s operational and/or independent measure(s) or metric(s) as defined in the HITRUST scoring rubric. Determine if the measurements include independent and/or operational measure(s) or metric(s) as defined in the HITRUST scoring rubric. Example test(s):
  • For example, measures indicate if the organization maintains a documented inventory of its deployed AI systems which at minimum identifies the associated AI platforms used by the AI system (if any); AI model(s) used (with name and version); AI system owner, AI system sensitivity / risk categorization, and associated AI service provider(s) (if any). Reviews, tests, or audits are completed by the organization to measure the effectiveness of the implemented controls and to confirm the inventory is periodically (at least annually) reviewed and updated.
    
    
• Managed: Examine evidence that a written or undocumented risk treatment process exists, as defined in the HITRUST scoring rubric. Determine the frequency that the risk treatment process was applied to issues identified for each evaluative element within the requirement statement.
  
  

Placement of this requirement in the HITRUST CSF [?]

• Assessment domain: 07 Vulnerability Management
• Control category: 07.0 – Asset Management
• Control reference: 07.a – Inventory of Assets
  
  

Specific to which parts of the overall AI system? [?]

AI application layer:

• The deployed AI application (Considered in the underlying HITRUST e1, i1, or r2 assessment)

AI platform layer

• The AI platform and associated APIs (Considered in the underlying HITRUST e1, i1, or r2 assessment)
• The deployed AI model

Discussed in which authoritative AI security sources? [?]

• ISO/IEC 23894:2023 Information technology — Artificial intelligence — Guidance on risk management
  2023, © International Standards Organization (ISO)/International Electrotechnical Commission (IEC)
  • Where:
    • Part 6. Risk management process > 6.4 Risk assessment > 6.4.2 Risk identification > 6.4.2.2 Identification of assets and their value
      
      

• ISO/IEC 38507:2022- Governance implications of the use of artificial intelligence by organizations
  2022, © International Standards Organization (ISO)/International Electrotechnical Commission (IEC)
  • Where:
    • 6. Policies to address the use of AI > 6.6. Compliance > 6.6.1. Compliance obligations
      
      

• OWASP AI Exchange
  2024, © The OWASP Foundation
  • Where:
    • #AIPROGRAM
      
      

• LLM AI Cybersecurity & Governance Checklist
  Feb. 2024, © The OWASP Foundation
  • Where:
    • 3. Checklist > 3.3. AI Asset Inventory > Bullet #1
      
      

• Guidelines for Secure AI System Development
  Nov. 2023, Cybersecurity & Infrastructure Security Agency (CISA)
  • Where:
    • 2. Secure development > Identify, track and protect your assets
      
      

• Generative AI framework for HM Government
  2023, Central Digital and Data Office, UK Government
  • Where:
    • Using generative AI safely and responsibly > Governance > Creating an AI/ML systems inventory
      
      

Discussed in which commercial AI security sources? [?]

• Databricks AI Security Framework
  Sept. 2024, © Databricks
  • Where:
    • DASF 18: Govern model assets
    • DASF 23: Register, version, approve, promote and deploy models
      
      
• Google Secure AI Framework
  June 2023, © Google
  • Where:
    • Step 4. Apply the six core elements of the SAIF > Expand strong security foundations to the AI ecosystem > Prepare to store and track supply chain assets, code, and training data
    • Step 4. Apply the six core elements of the SAIF > Harmonize platform-level controls to ensure consistent security across the organization > Review usage of AI and lifecycle of AI-based apps
    • Step 4. Apply the six core elements of the SAIF > Contextualize AI system risks in surrounding business processes > Build an inventory of AI models and their risk profile based on the specific use cases and shared responsibility when leveraging third-party solutions and services
      
      
• HiddenLayer’s 2024 AI Threat Landscape Report
  2024, © HiddenLayer
  • Where:
    • Part 4: Predictions and recommendations > 1. Discovery and asset management
      
      

Control functions against which AI security threats? [?]

• Control function: Decision support
  • Denial of AI service
  • Prompt injection
  • Evasion
  • Model inversion
  • Model extraction and theft
  • Data poisoning
  • Model poisoning
  • Compromised 3rd-party training datasets
  • Compromised 3rd-party models or code
  • Confabulation
  • Excessive agency
  • Sensitive information disclosed in output
    

Additional information

• Q: When will this requirement included in an assessment? [?]
  • This requirement will always be added to HITRUST assessments which include the
    Security for AI systems regulatory factor.
  • No other assessment tailoring factors affect this requirement.
    
    

• Q: Will this requirement be externally inheritable? [?] [?]
  • No (dual responsibility). The AI application provider and its AI service providers (if used) are responsible for independently performing this requirement outside of the AI system’s technology stack.