
HITRUST AI Security Assessment and Certification

by Brandon Weidemann, CCSFP, CHQP

The HITRUST Artificial Intelligence (AI) Security Assessment is a significant step forward in AI security certification: it gives organizations a structured framework for validating the security controls of their deployed AI systems. It is available in two versions, ai1 (paired with an e1 or i1 assessment) and ai2 (paired with an r2 assessment), so the level of assurance scales with the base HITRUST assessment the organization already performs.

Key Features of the HITRUST AI Security Assessment

  • AI-Specific Security Controls: A curated set of security measures addressing AI platform risks, drawn from multiple authoritative sources, and aligned with HITRUST’s standards.
  • Customizable Compliance: Easily integrate the Security for AI Systems compliance factor into any e1, i1, or r2 assessment.
  • Third-Party Control Inheritance: Leverage existing security controls from AI solution providers to streamline AI security certification.
  • Adaptable for Any AI Deployment: Select the appropriate assessment version based on your platform and security needs, ensuring a tailored approach.

Eligibility and Assessment Process for AI Security Certification

  • Who Is Eligible: Only AI solution providers (platform/product providers) can undergo the ai1 or ai2 assessment and hold the resulting certification. Organizations that merely develop on, use, or partner with an AI solution cannot obtain the certification directly; they rely on the provider's certification instead.
  • Integration with HITRUST Assessment Portfolio: Organizations undergoing e1, i1, or r2 assessments can easily add the ai1 or ai2 compliance factor and achieve AI security certification upon meeting criteria.
  • Certification Criteria: Certification is awarded when the average control maturity score meets the threshold (83 for ai1 and 62 for ai2), alongside successful certification of the underlying assessment.
  • System Status: The in-scope system must be in production deployment, not just in development or testing.

Why It Matters and Business Value

  • Security Validation: Demonstrates that AI systems meet the highest security standards, addressing current and emerging threats.
  • Customer Confidence: Show customers that your AI-powered products are secure, fostering trust and enabling adoption.
  • Vendor Assurance: Ensure third-party AI solutions are compliant, reducing vendor risk.
  • Regulatory Compliance: Proactively address regulatory concerns about AI security and risk, particularly in critical industries.

Additional Considerations

  • Third-Party Service Providers: For platforms involving third-party services, ensure compliance through existing carve-out rules.
  • Report Credits and QA: Additional credits and QA reservations are required for the ai1 or ai2 assessment.
  • Interim and Bridge Assessments: The ai2 certification includes options for interim and bridge assessments to maintain certification over time.

Ready to Start Your HITRUST AI Security Assessment?

Here’s a basic outline of what to do:

  1. Ensure your organization meets eligibility requirements.
  2. Verify your organization is using CSF library version 11.4.0 or later.
  3. Select the ‘Security for AI Systems’ compliance factor in your base assessment.
  4. Complete the required tailoring questions.
  5. Identify in-scope platforms with AI capabilities.

Because the AI Security Assessment and Certification is limited to AI solution providers, HITRUST has also introduced the HITRUST AI Risk Management Assessment. It is delivered in the same way, as a compliance (scoping) factor added to a base assessment, but is available to all organizations rather than only to AI solution providers.

The HITRUST AI Risk Management Assessment provides a streamlined framework of 51 essential controls for evaluating AI risk. By aligning with both ISO 23894 and NIST AI RMF standards, it enables organizations to assess their AI risk management practices through a single, unified lens that maps directly to these leading frameworks.

Contact us to start your HITRUST AI Security Assessment and Certification journey and secure your AI systems with the highest industry standard.


About the Author

Brandon Weidemann, CCSFP, CHQP | Senior Manager, IT Risk Management

Brandon has an extensive background spanning over 9 years in IT and Cybersecurity risk management. His multifaceted experience encompasses a wide array of roles, from conducting internal and external audits for Fortune 500 companies to delivering expert consulting services to small start-ups. At present, Brandon serves as the leader of Meditology's HITRUST and Incident Response Tabletop Exercise service lines, where he plays a pivotal role in maturing internal processes in order to improve the customer experience. In addition to these responsibilities, Brandon assumes leadership roles in various engagements, including HITRUST, SRA, SOC2, and more.
