HITRUST AI Security Assessment and Certification Specification

Monitor AI system inputs and outputs

HITRUST CSF requirement statement [?] (12.09abAISecSystem.4)

The organization performs monitoring, on at least a monthly basis, of the
(1) inputs (prompts, queries, inference requests) to and 
(2) outputs (inferences, responses, conclusions) from 
the AI model for anomalies indicative of attacks or compromise and to ensure that filters
and other guardrails are operating as expected.

Evaluative elements in this requirement statement [?]
1. The organization performs monitoring, on at least a monthly basis, of the inputs
(prompts, queries, inference requests) to AI model for anomalies indicative of attacks or 
compromise and to ensure that input filters are operating as expected.
2. The organization performs monitoring, on at least a monthly basis, of the outputs 
(inferences, responses, conclusions) from the AI model for anomalies indicative of attacks 
or compromise and to ensure that output filters are operating as expected.


Illustrative procedures for use during assessments [?]

  • Policy: Examine policies related to each evaluative element within the requirement statement. Validate the existence of a written or undocumented policy as defined in the HITRUST scoring rubric.

  • Procedure: Examine evidence that written or undocumented procedures exist as defined in the HITRUST scoring rubric. Determine if the procedures and address the operational aspects of how to perform each evaluative element within the requirement statement.

  • Implemented: Examine evidence that all evaluative elements within the requirement statement have been implemented as defined in the HITRUST scoring rubric, using a sample based test where possible for each evaluative element. Example test(s):
    • For example, review the AI system to ensure the organization performs monitoring, on at least a monthly basis, of the inputs (prompts, queries, inference requests) to and outputs (inferences, responses, conclusions) from the AI model for anomalies indicative of attacks or compromise and to ensure that filters and other guardrails are operating as expected.

  • Measured: Examine measurements that formally evaluate and communicate the operation and/or performance of each evaluative element within the requirement statement. Determine the percentage of evaluative elements addressed by the organization’s operational and/or independent measure(s) or metric(s) as defined in the HITRUST scoring rubric. Determine if the measurements include independent and/or operational measure(s) or metric(s) as defined in the HITRUST scoring rubric. Example test(s):
    • For example, measures indicate if the organization performs monitoring, on at least a monthly basis, of the inputs (prompts, queries, inference requests) to and outputs (inferences, responses, conclusions) from the AI model for anomalies indicative of attacks or compromise and to ensure that filters and other guardrails are operating as expected.

  • Managed: Examine evidence that a written or undocumented risk treatment process exists, as defined in the HITRUST scoring rubric. Determine the frequency that the risk treatment process was applied to issues identified for each evaluative element within the requirement statement.

Placement of this requirement in the HITRUST CSF [?]

  • Assessment domain: 12 Audit Logging & Monitoring
  • Control category: 09.0 – Communications and Operations Management
  • Control reference: 09.ab – Monitoring System Use

Specific to which parts of the overall AI system? [?]
AI application layer:
  • Application AI safety and security systems
AI platform layer
  • Model safety and security systems


Discussed in which authoritative AI security sources? [?]
  • Guidelines for Secure AI System Development
    Nov. 2023, Cybersecurity & Infrastructure Security Agency (CISA)
    • Where:
      • 3. Secure deployment > Protect your model continuously
      • 4. Secure operation and maintenance > Monitor your system’s behavior

  • Securing Machine Learning Algorithms
    2021, © European Union Agency for Cybersecurity (ENISA)
    • Where:
      • 4.1- Security Controls > Technical > Define and monitor indicators for proper functioning of the model

Discussed in which commercial AI security sources? [?]
  • Databricks AI Security Framework
    Sept. 2024, © Databricks
    • Where:
      • Control DASF 21: Monitor data and AI system from a single pane of glass
      • Control DASF 36: Set up monitoring alerts
      • Control DASF 55: Monitor audit logs

  • Google Secure AI Framework
    June 2023, © Google
    • Where:
      • Step 4. Apply the six core elements of the SAIF > Expand strong security foundations to the AI ecosystem > Prepare to store and track supply chain assets, code, and training data

  • HiddenLayer’s 2024 AI Threat Landscape Report
    2024, © HiddenLayer
    • Where:
      • Part 4: Predictions and recommendations > 6. Continuous monitoring and incident response > Bullet #1

  • Snowflake AI Security Framework
    2024, © Snowflake Inc.
    • Where:
      • Backdooring models (insider attacks) > Mitigations > Access control and monitoring
      • Model stealing > Mitigations > Access control measures
      • Model inversion > Mitigations > Bullet 7
      • Self-hosted OSS LLMs Security > Mitigations > Secure deployment and monitoring

Control functions against which AI security threats? [?]
Additional information
  • Q: When will this requirement included in an assessment? [?]
    • This requirement will always be added to HITRUST assessments which include the
      Security for AI systems regulatory factor.
    • No other assessment tailoring factors affect this requirement.

  • Q: Will this requirement be externally inheritable? [?] [?]
    • Yes, partially. This may be a responsibility shared between an AI application provider and their AI platform provider (if used), performed independently on separate layers/components of the overall AI system.