Deployed applications leveraging any or all of the following (very) broad types of AI can be included in the scope of the HITRUST AI Security Certification:

| AI type | Also known as | Description |
| --- | --- | --- |
| Rule-based AI | heuristic models, traditional AI, expert systems, symbolic AI, classical AI | Rule-based AI systems rely on expert software written using rules. These systems employ human expertise in solving complex problems by reasoning with knowledge. Instead of procedural code, knowledge is expressed using If-Then/Else rules. |
| Predictive AI | PredAI, non-generative machine learning models | These are traditional, structured data machine learning models used to make inferences such as predictions or classifications, typically trained on an organization’s enterprise tabular data. These models extract insights from historical data to make accurate predictions about the most likely upcoming event, result or trend. In this context, a prediction does not necessarily refer to predicting something in the future. Predictions can refer to various kinds of data analysis applied to new data or historical data. |
| Generative AI | GenAI, GAI | Generative AI (gen AI) is artificial intelligence that responds to a user’s prompt or request with generated original content, such as audio, images, software code, text or video. Most generative AI models start with a foundation model, a type of deep learning model that “learns” to generate statistically probable outputs when prompted. Large language models (LLMs) and small language models (SLMs) are common foundation models for text generation, but other foundation models exist for different types of content generation. |

The table above is intentionally broad so as to encompass a wide variety of AI solutions. For the purposes of this certification, examples of AI systems include anything from an LLM, to a linear regression function, to a carefully curated rule-based inference engine.

Further, the assessment considers security issues brought about by implementing popular generative AI development patterns, including the use of:

  • embeddings
  • language model tools such as agents and plugins
  • retrieval augmented generation (RAG)

NOTE: HITRUST will not award the HITRUST AI Security Certification to any AI deployments that are categorized as unacceptable or are otherwise banned by applicable AI regulation in the jurisdiction of the assessed entity.