HITRUST AI Security Assessment and Certification Specification

Restrict access to the AI engineering environment and AI code

HITRUST CSF requirement statement [?] (11.01cAISecSystem.9)

The organization restricts all access to 
(1) AI engineering environments; 
(2) code used to create, train, and/or deploy AI models; and 
(3) code of language model tools such as agents and plugins (if used)
following the least privilege principle. 
This access is controlled in accordance with the organization’s policies regarding 
(4) access management (including approvals, revocations, periodic access reviews), and 
(5) authentication (which calls for multi-factor authentication or a similar level of protection).

Evaluative elements in this requirement statement [?]
1. The organization restricts all access to AI engineering environments following the 
least privilege principle.
2. The organization restricts all access to code used to create, train, and/or deploy AI 
models following the least privilege principle.
3. The organization restricts all access to code of language model tools such as agents 
and plugins (if used) following the least privilege principle.
4. This access is controlled in accordance with the organization’s policies regarding 
access management (including approvals, revocations, periodic access reviews).
5. This access is controlled in accordance with the organization’s policies regarding 
authentication (which calls for multi-factor authentication or a similar level of protection).


Illustrative procedures for use during assessments [?]

  • Policy: Examine policies related to each evaluative element within the requirement statement. Validate the existence of a written or undocumented policy as defined in the HITRUST scoring rubric.

  • Procedure: Examine evidence that written or undocumented procedures exist as defined in the HITRUST scoring rubric. Determine if the procedures and address the operational aspects of how to perform each evaluative element within the requirement statement.

  • Implemented: Examine evidence that all evaluative elements within the requirement statement have been implemented as defined in the HITRUST scoring rubric, using a sample based test where possible for each evaluative element. Example test(s):
    • For example, review the AI system to ensure the organization restricts all access to AI engineering environments; code used to create, train, and/or deploy AI models; and code of language model tools such as agents and plugins (if used) following the least privilege principle. Further, confirm this access is controlled in accordance with the organization’s policies regarding access management (including approvals, revocations, periodic access reviews) and authentication.

  • Measured: Examine measurements that formally evaluate and communicate the operation and/or performance of each evaluative element within the requirement statement. Determine the percentage of evaluative elements addressed by the organization’s operational and/or independent measure(s) or metric(s) as defined in the HITRUST scoring rubric. Determine if the measurements include independent and/or operational measure(s) or metric(s) as defined in the HITRUST scoring rubric. Example test(s):
    • For example, measures indicate if the organization restricts all access to AI engineering environments; code used to create, train, and/or deploy AI models; and code of language model tools such as agents and plugins (if used) following the least privilege principle. Reviews, tests, or audits are completed by the organization to measure the effectiveness of the implemented controls and to confirm that access is controlled in accordance with the organization’s policies regarding access management (including approvals, revocations, periodic access reviews) and authentication.

  • Managed: Examine evidence that a written or undocumented risk treatment process exists, as defined in the HITRUST scoring rubric. Determine the frequency that the risk treatment process was applied to issues identified for each evaluative element within the requirement statement.

Placement of this requirement in the HITRUST CSF [?]

  • Assessment domain: 11 Access Control
  • Control category: 01.0 – Access Control
  • Control reference: 01.c – Privilege Management

Specific to which parts of the overall AI system? [?]
AI application layer:
  • AI plugins and agents
  • The deployed AI application (Considered in the underlying HITRUST e1, i1, or r2 assessment)
AI platform layer
  • The AI platform and associated APIs (Considered in the underlying HITRUST e1, i1, or r2 assessment)
  • Model engineering environment and model pipeline


Discussed in which authoritative AI security sources? [?]

Discussed in which commercial AI security sources? [?]
  • Databricks AI Security Framework
    Sept. 2024, © Databricks
    • Where:
      • Control DASF 24: Control access to models and model assets
      • Control DASF 30: Encrypt models
      • Control DASF 33: Manage credentials securely
      • Control DASF 43: Use access control lists

  • Google Secure AI Framework
    June 2023, © Google
    • Where:
      • Step 4. Apply the six core elements of the SAIF > Expand strong security foundations to the AI ecosystem > Prepare to store and track supply chain assets, code, and training data

  • Snowflake AI Security Framework
    2024, © Snowflake Inc.
    • Where:
      • Attacks on the infrastructure hosting AI services > Mitigations > Least privilege access control

Control functions against which AI security threats? [?]
Additional information
  • Q: When will this requirement included in an assessment? [?]
    • This requirement will always be added to HITRUST assessments which include the
      Security for AI systems regulatory factor.
    • No other assessment tailoring factors affect this requirement.

  • Q: Will this requirement be externally inheritable? [?] [?]
    • Yes, partially. This may be a responsibility shared between an AI application provider and their AI platform provider (if used), performed independently on separate layers/components of the overall AI system.