HITRUST CSF requirement statement [?] (11.01cAISecSystem.8)
The organization restricts the ability to interact with the production AI model through
(1) APIs,
(2) the AI application, and
(3) language model tools such as agents and plugins (if used).
This access is controlled in accordance with the organization’s policies regarding
(4) access management (including approvals, revocations, periodic access reviews), and
(5) authentication.- Evaluative elements in this requirement statement [?]
-
1. The organization restricts the ability to interact with the production AI model through APIs following the least privilege principle.2. The organization restricts the ability to interact with the production AI model through the AI application following the least privilege principle.3. The organization restricts the ability to interact with the production AI model through language model tools such as agents and plugins following the least privilege principle (if used).4. This access is controlled in accordance with the organization’s policies regarding access management (including approvals, revocations, periodic access reviews).5. This access is controlled in accordance with the organization’s policies regarding authentication.
- Illustrative procedures for use during assessments [?]
- Policy: Examine policies related to each evaluative element within the requirement statement. Validate the existence of a written or undocumented policy as defined in the HITRUST scoring rubric.
- Procedure: Examine evidence that written or undocumented procedures exist as defined in the HITRUST scoring rubric. Determine if the procedures and address the operational aspects of how to perform each evaluative element within the requirement statement.
- Implemented: Examine evidence that all evaluative elements within the requirement statement have been implemented as defined in the HITRUST scoring rubric, using a sample based test where possible for each evaluative element. Example test(s):
- For example, review the production AI model security configurations and confirm interaction abilities are restricted as defined in the requirement statement.
- For example, review the production AI model security configurations and confirm interaction abilities are restricted as defined in the requirement statement.
- Measured: Examine measurements that formally evaluate and communicate the operation and/or performance of each evaluative element within the requirement statement. Determine the percentage of evaluative elements addressed by the organization’s operational and/or independent measure(s) or metric(s) as defined in the HITRUST scoring rubric. Determine if the measurements include independent and/or operational measure(s) or metric(s) as defined in the HITRUST scoring rubric. Example test(s):
- For example, measures indicate if the production AI model interaction abilities are restricted. Reviews, tests, or audits are completed by the organization to measure the effectiveness of the implemented controls and to confirm that all interaction abilities are restricted as defined in the requirement statement.
- For example, measures indicate if the production AI model interaction abilities are restricted. Reviews, tests, or audits are completed by the organization to measure the effectiveness of the implemented controls and to confirm that all interaction abilities are restricted as defined in the requirement statement.
- Managed: Examine evidence that a written or undocumented risk treatment process exists, as defined in the HITRUST scoring rubric. Determine the frequency that the risk treatment process was applied to issues identified for each evaluative element within the requirement statement.
- Policy: Examine policies related to each evaluative element within the requirement statement. Validate the existence of a written or undocumented policy as defined in the HITRUST scoring rubric.
- Placement of this requirement in the HITRUST CSF [?]
- Assessment domain: 11 Access Control
- Control category: 01.0 – Access Control
- Control reference: 01.c – Privilege Management
- Specific to which parts of the overall AI system? [?]
-
AI application layer:
- AI plugins and agents
- Application AI safety and security systems
- The deployed AI application (Considered in the underlying HITRUST e1, i1, or r2 assessment)
- The AI platform and associated APIs (Considered in the underlying HITRUST e1, i1, or r2 assessment)
- Model safety and security systems
- Discussed in which authoritative AI security sources? [?]
-
- OWASP 2023 Top 10 for LLM Applications
Oct. 2023, © The OWASP Foundation- Where:
- LLM07: Insecure plugin design > Prevention and mitigation strategies > Bullet #5
- LLM10: Model theft > Prevention and mitigation strategies > Bullet #1
- Where:
- OWASP 2025 Top 10 for LLM Applications
2025, © The OWASP Foundation- Where:
- LLM10: Unbounded consumption > Prevention and Mitigation Strategies > Bullet #13
- LLM10: Unbounded consumption > Prevention and Mitigation Strategies > Bullet #13
- Where:
- OWASP Machine Learning Security Top 10
2023, © The OWASP Foundation- Where:
- ML03:2023 Model inversion attack > How to prevent > Bullet #1
- ML05:2023 Model theft > How to prevent > Bullet #2
- Where:
- OWASP AI Exchange
2024, © The OWASP Foundation- Where
- LLM AI Cybersecurity & Governance Checklist
Feb. 2024, © The OWASP Foundation- Where:
- 3. Checklist > 3.9. Using or implementing large language model solutions > Bullet #3
- 3. Checklist > 3.9. Using or implementing large language model solutions > Bullet #3
- Where:
- MITRE ATLAS
2024, © The MITRE Corporation- Where:
- Guidelines for Secure AI System Development
Nov. 2023, Cybersecurity & Infrastructure Security Agency (CISA)- Where:
- 1. Secure design > Design your system for security as well as functionality and performance
- 3. Secure deployment > Protect your model continuously
- Where:
- Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems
Apr 2024, National Security Agency (NSA)- Where:
- Secure the deployment environment > Enforce strict access controls > Bullet #1
- Secure the deployment environment > Enforce strict access controls > Bullet #1
- Where:
- Securing Machine Learning Algorithms
2021, © European Union Agency for Cybersecurity (ENISA)- Where:
- 4.1- Security Controls > Organizational > Apply a RBAC model, respecting the least privilege principle
- 4.1- Security Controls > Organizational > Apply a RBAC model, respecting the least privilege principle
- Where:
- OWASP 2023 Top 10 for LLM Applications
- Discussed in which commercial AI security sources? [?]
-
- Databricks AI Security Framework
Sept. 2024, © Databricks- Where:
- Control DASF 31: Secure model serving endpoints
- Control DASF 31: Secure model serving endpoints
- Where:
- Google Secure AI Framework
June 2023, © Google- Where:
- Step 4. Apply the six core elements of the SAIF > Expand strong security foundations to the AI ecosystem > Prepare to store and track supply chain assets, code, and training data
- Step 4. Apply the six core elements of the SAIF > Expand strong security foundations to the AI ecosystem > Prepare to store and track supply chain assets, code, and training data
- Where:
- Snowflake AI Security Framework
2024, © Snowflake Inc.- Where:
- Backdooring models (insider attacks) > Mitigations > Access control and monitoring
- Model inversion > Mitigations > Bullets 1 & 2
- Exposure of sensitive inferential inputs > Mitigations > Implementing authentication mechanisms
- Where:
- Databricks AI Security Framework
- Control functions against which AI security threats? [?]
-
- Control function: Avoidance
- Additional information
-
- Q: When will this requirement included in an assessment? [?]
- This requirement will always be added to HITRUST assessment which include the
Security for AI systemsregulatory factor. - No other assessment tailoring factors affect this requirement.
- This requirement will always be added to HITRUST assessment which include the
- Q: When will this requirement included in an assessment? [?]