No, the assessment leading to the HITRUST AI Security Certification will not be performed as a stand-alone assessment. Instead, it is combined with a HITRUST CSF e1, i1, or r2 certification.
Why?
- Meaningful assurances over AI security cannot be reached without also considering the cybersecurity of the supporting technology layers used to deliver AI capabilities (e.g., the application leveraging the AI model, the cloud services used to deliver that application, the data center that those cloud services reside in).
- Because AI-specific cybersecurity threats are additive to the traditional cybersecurity threats faced by the overall IT system, the assessment leading to AI security certification should also be additive to the cybersecurity assessment of the overall IT system.