Restrict access to AI models

HITRUST CSF requirement statement [?] (11.01cAISecSystem.7)

The organization 
(1) restricts the ability to access and modify deployed AI models following the least privilege principle. 
This access is controlled in accordance with the organization’s policies regarding 
(2) access management (including approvals, revocations, periodic access reviews), and 
(3) authentication (which calls for multi-factor authentication or a similar level of protection).

Evaluative elements in this requirement statement [?]

1. The organization restricts the ability to access and modify deployed AI models following the 
least privilege principle.

2. This access is controlled in accordance with the organization’s policies regarding 
access management (including approvals, revocations, periodic access reviews).

3. This access is controlled in accordance with the organization’s policies regarding 
authentication (which calls for multi-factor authentication or a similar level of protection).

Illustrative procedures for use during assessments [?]

• Policy: Examine policies related to each evaluative element within the requirement statement. Validate the existence of a written or undocumented policy as defined in the HITRUST scoring rubric.
  
  
• Procedure: Examine evidence that written or undocumented procedures exist as defined in the HITRUST scoring rubric. Determine if the procedures and address the operational aspects of how to perform each evaluative element within the requirement statement.
  
  
• Implemented: Examine evidence that all evaluative elements within the requirement statement have been implemented as defined in the HITRUST scoring rubric, using a sample based test where possible for each evaluative element. Example test(s):
  • For example, review the AI system to ensure the organization restricts the ability to access and modify deployed AI models (e.g., residing in file formats such as .pkl, .pth, .hdf5, .gguf, .llamafile) following the least privilege principle. Further, confirm this access is controlled in accordance with the organization’s policies regarding access management (including approvals, revocations, periodic access reviews) and authentication.
    
    
• Measured: Examine measurements that formally evaluate and communicate the operation and/or performance of each evaluative element within the requirement statement. Determine the percentage of evaluative elements addressed by the organization’s operational and/or independent measure(s) or metric(s) as defined in the HITRUST scoring rubric. Determine if the measurements include independent and/or operational measure(s) or metric(s) as defined in the HITRUST scoring rubric. Example test(s):
  • For example, measures indicate if the organization restricts the ability to access and modify deployed AI models (e.g., residing in file formats such as .pkl, .pth, .hdf5, .gguf, .llamafile) following the least privilege principle. Reviews, tests, or audits are completed by the organization to measure the effectiveness of the implemented controls and to confirm that access is controlled in accordance with the organization’s policies regarding access management (including approvals, revocations, periodic access reviews) and authentication.
    
    
• Managed: Examine evidence that a written or undocumented risk treatment process exists, as defined in the HITRUST scoring rubric. Determine the frequency that the risk treatment process was applied to issues identified for each evaluative element within the requirement statement.
  
  

Placement of this requirement in the HITRUST CSF [?]

• Assessment domain: 11 Access Control
• Control category: 01.0 – Access Control
• Control reference: 01.c – Privilege Management
  
  

Specific to which parts of the overall AI system? [?]

AI platform layer:

• Model safety and security systems
• The deployed AI model
  
  

Discussed in which authoritative AI security sources? [?]

• OWASP 2023 Top 10 for LLM Applications
  Oct. 2023, © The OWASP Foundation
  • Where:
    • LLM10: Model theft > Prevention and mitigation strategies > Bullet #1
      
      

• OWASP Machine Learning Security Top 10
  2023, © The OWASP Foundation
  • Where:
    • ML03:2023 Model inversion attack > How to prevent > Bullet #1
    • ML05:2023 Model theft > How to prevent > Bullet #2
    • ML08:2023 Model skewing > How to prevent > Bullet #1
      
      

• OWASP AI Exchange
  2024, © The OWASP Foundation
  • Where:
    • #RUNTIMEMODELINTEGRITY
    • #DEVSECURITY
    • #MODELINPUTCONFIDENTIALITY
      
      

• LLM AI Cybersecurity & Governance Checklist
  Feb. 2024, © The OWASP Foundation
  • Where:
    • 3. Checklist > 3.9. Using or implementing large language model solutions > Bullet #3
    • 3. Checklist > 3.9. Using or implementing large language model solutions > Bullet #4
      
      

• MITRE ATLAS
  2024, © The MITRE Corporation
  • Where:
    • AML.M0005
    • AML.M0019
      
      

• Guidelines for Secure AI System Development
  Nov. 2023, Cybersecurity & Infrastructure Security Agency (CISA)
  • Where:
    • 3. Secure deployment > Protect your model continuously
    • 3. Secure deployment > Secure your infrastructure
      
      

• Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems
  Apr 2024, National Security Agency (NSA)
  • Where:
    • Secure the deployment environment > Enforce strict access controls > Bullet 1
    • Continuously protect the AI system > Validate the AI system before and during use > Bullet 3
      
      

• Securing Machine Learning Algorithms
  2021, © European Union Agency for Cybersecurity (ENISA)
  • Where:
    • 4.1- Security Controls > Organizational > Apply a RBAC model, respecting the least privilege principle
      
      

Discussed in which commercial AI security sources? [?]

• Databricks AI Security Framework
  Sept. 2024, © Databricks
  • Where:
    • Control DASF 1: SSO with IdP and MFA
    • Control DASF 2: Sync users and groups
    • Control DASF 24: Control access to models and model assets
    • Control DASF 34: Run models in multiple layers of isolation
    • Control DASF 43: Use access control lists
      
      
• Google Secure AI Framework
  June 2023, © Google
  • Where: Step 4. Apply the six core elements of the SAIF > Expand strong security foundations to the AI ecosystem > Prepare to store and track supply chain assets, code, and training data
    
    
• Snowflake AI Security Framework
  2024, © Snowflake Inc.
  • Where:
    • Backdooring models (insider attacks) > Mitigations > Access control and monitoring
    • Model stealing > Mitigations > Secure model deployment
    • Model stealing > Mitigations > Access control measures
      
      

Control functions against which AI security threats? [?]

• Control function: Preventative
  • Denial of AI service
  • Model extraction and theft
  • Model poisoning
    

Additional information

• Q: When will this requirement included in an assessment? [?]
  • This requirement is included when the assessment’s in-scope AI system(s) leverage data-driven AI models (e.g., non-generative machine learning models, generative AI models).
  • The Security for AI systems regulatory factor must also be present in the assessment.
    
    

• Q: Will this requirement be externally inheritable? [?] [?]
  • Yes, fully. This requirement may be the sole responsibility of the AI platform provider. Or, depending on the AI system’s architecture, only evaluative elements that are the sole responsibility of the AI platform provider apply.