Log AI system inputs and outputs

HITRUST CSF requirement statement [?] (12.09abAISecSystem.6)

The AI system logs all inputs (prompts, queries, inference requests) to and outputs 
(inferences, responses, conclusions) from the AI model, including 
(1) the exact input (e.g., the prompt, the API call), 
(2) the date and time of the input,
(3) the user account making the request, 
(4) where the request originated, 
(5) the exact output provided, and 
(6) the version of the model used. 
AI system logs are 
(7) managed (i.e., retained, protected, and sanitized) in accordance with the organization’s 
policy requirements.

Evaluative elements in this requirement statement [?]

1. The AI system logs the exact input (e.g., the prompt, the API call) to the AI model.

2. The AI system logs the date and time of the input to the AI model.

3. The AI system logs the user account making the request of the AI model.

4. The AI system logs where the request originated.

5. The AI system logs the exact output provided by the AI model.

6. The AI system logs the version of the model providing the output.

7. AI system logs are managed (i.e., retained, protected, and sanitized) in accordance 
with the organization’s policy requirements.

Illustrative procedures for use during assessments [?]

• Policy: Examine policies related to each evaluative element within the requirement statement. Validate the existence of a written or undocumented policy as defined in the HITRUST scoring rubric.
  
  
• Procedure: Examine evidence that written or undocumented procedures exist as defined in the HITRUST scoring rubric. Determine if the procedures and address the operational aspects of how to perform each evaluative element within the requirement statement.
  
  
• Implemented: Examine evidence that all evaluative elements within the requirement statement have been implemented as defined in the HITRUST scoring rubric, using a sample based test where possible for each evaluative element. Example test(s):
  • For example, review the AI system to ensure the organization logs all inputs (prompts, queries, inference requests) to and outputs (inferences, responses, conclusions) from the AI model, including the exact input, the date and time of the input, the user account making the request, where the request originated, the exact output provided, and the version of the model used. Further, confirm the AI system logs are managed (i.e., retained, protected, and sanitized) in accordance with the organization’s policy requirements.
    
    
• Measured: Examine measurements that formally evaluate and communicate the operation and/or performance of each evaluative element within the requirement statement. Determine the percentage of evaluative elements addressed by the organization’s operational and/or independent measure(s) or metric(s) as defined in the HITRUST scoring rubric. Determine if the measurements include independent and/or operational measure(s) or metric(s) as defined in the HITRUST scoring rubric. Example test(s):
  • For example, measures indicate if the organization logs all inputs (prompts, queries, inference requests) to and outputs (inferences, responses, conclusions) from the AI model, including the exact input, the date and time of the input, the user account making the request, where the request originated, the exact output provided, and the version of the model used. Reviews, tests, or audits are completed by the organization to measure the effectiveness of the implemented controls and to confirm the AI system logs are managed (i.e., retained, protected, and sanitized) in accordance with the organization’s policy requirements.
    
    
• Managed: Examine evidence that a written or undocumented risk treatment process exists, as defined in the HITRUST scoring rubric. Determine the frequency that the risk treatment process was applied to issues identified for each evaluative element within the requirement statement.
  
  

Placement of this requirement in the HITRUST CSF [?]

• Assessment domain: 12 Audit Logging & Monitoring
• Control category: 09.0 – Communications and Operations Management
• Control reference: 09.aa Audit Logging
  
  

Specific to which parts of the overall AI system? [?]

AI application layer:

• Application AI safety and security systems

AI platform layer

• Model safety and security systems

Discussed in which authoritative AI security sources? [?]

• ISO/IEC 42001:2023 Information technology — Artificial intelligence — Management system
  2023, © International Standards Organization (ISO)/International Electrotechnical Commission (IEC)
  • Where:
    • Annex A > A.6. AI system life cycle > A.6.2.8. AI system recording of event logs
      
      

• OWASP 2025 Top 10 for LLM Applications
  2025, © The OWASP Foundation
  • Where:
    • LLM04: Data and Model Poisoning > Prevention and Mitigation Strategies > Bullet #9
    • LLM05: Improper Output Handling > Prevention and Mitigation Strategies > Bullet #7
    • LLM08: Vector and embedding weaknesses > Prevention and Mitigation Strategies > Bullet #4
    • LLM10: Unbounded consumption > Prevention and Mitigation Strategies > Bullet #7
      
      

• OWASP Machine Learning Security Top 10
  2023, © The OWASP Foundation
  • Where:
    • ML03:2023 Model inversion attack > How to prevent > Bullet #3
    • ML05:2023 Model theft > How to prevent > Bullet #7
      
      

• OWASP AI Exchange
  2024, © The OWASP Foundation
  • Where:
    • #MONITORUSE
      
      

• Guidelines for Secure AI System Development
  Nov. 2023, Cybersecurity & Infrastructure Security Agency (CISA)
  • Where:
    • 4. Secure operation and maintenance > Monitor your system’s inputs
      
      

• Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems
  Apr 2024, National Security Agency (NSA)
  • Where:
    • Continuously protect the AI system > Actively monitor model behavior > Bullet 1
      
      

• Generative AI framework for HM Government
  2023, Central Digital and Data Office, UK Government
  • Where:
    • Building generative AI solutions > Building the solution > Data Management > Bullet 3
    • Building generative AI solutions > Building the solution > Testing generative AI solutions > Bullet 3
    • Building generative AI solutions > Building the solution > Data Management > Bullet 4
      
      

Discussed in which commercial AI security sources? [?]

• Databricks AI Security Framework
  Sept. 2024, © Databricks
  • Where:
    • Control DASF 37: Set up inference tables for monitoring and debugging models
      
      

• Snowflake AI Security Framework
  2024, © Snowflake Inc.
  • Where:
    • Model inversion > Mitigations > Bullet 5
    • Attacks on the infrastructure hosting AI services > Mitigations > Continuous monitoring and logging
      
      

Control functions against which AI security threats? [?]

• Control function: Detective
  • Denial of AI service
  • Prompt injection
  • Evasion
  • Model inversion
  • Model extraction and theft
  • Data poisoning
  • Model poisoning
  • Compromised 3rd-party training datasets
  • Compromised 3rd-party models or code
  • Confabulation
  • Excessive agency
  • Sensitive information disclosed in output
  • Harmful code generation
    

Additional information

• Q: When will this requirement included in an assessment? [?]
  • This requirement will always be added to HITRUST assessments which include the
    Security for AI systems regulatory factor.
  • No other assessment tailoring factors affect this requirement.
    
    

• Q: Will this requirement be externally inheritable? [?] [?]
  • Yes, partially. This may be a responsibility shared between an AI application provider and their AI platform provider (if used), performed independently on separate layers/components of the overall AI system.