Framework Guide

CSA AICM

Cloud Security Alliance AI Controls Matrix providing a comprehensive set of security controls specifically designed for AI systems deployed in cloud environments.

CSA AICM Overview

The Cloud Security Alliance AI Controls Matrix provides a comprehensive framework of security controls tailored for AI systems. As of v1.1 (June 2026) it defines 247 control objectives across 18 security domains, mapped to ISO/IEC 42001 and ISO/IEC 27001, and underpins the CSA STAR for AI assurance program.

Key Provisions

Key provisions and requirements of CSA AICM.

A&A-02

Independent Assessments

Conduct independent audit and assurance assessments at least annually, according to relevant standards.

A&A-04

Requirements Compliance

Verify compliance with all relevant standards, regulations, legal, contractual and statutory requirements applicable to the audit.

A&A-05

Audit Management Process

Define and implement an audit management process aligned with global audit standards to support audit planning, risk analysis, security control assessment, conclusions, remediation schedules, report generation and review of past reports.

AIS-02

Application Security Baseline Requirements

Establish, document and maintain baseline requirements for application security.

AIS-04

Secure Application Development Lifecycle

Define and implement a software development lifecycle (SDLC) process for application requirements analysis, planning, design, development, testing, deployment and operation according to organizationally defined security requirements.

GRC-01

Governance Program

Establish and maintain a program for the governance of AI systems.

GRC-02

Risk Management Program

Establish a risk management program to identify, assess and manage risks in AI systems.

GRC-04

Policies and Procedures

Establish, document and maintain policies and procedures for AI system operations.

IAM-02

User Access Management

Manage and control user access to AI systems.

IAM-04

Privilege Management

Manage privileges for AI systems according to the principle of least privilege.

LOG-01

Logging and Monitoring

Implement logging and monitoring for AI system activity.

LOG-02

Log Retention

Retain logs in accordance with security and compliance requirements.

TVM-01

Vulnerability Management

Establish a program to identify and manage vulnerabilities in AI systems.

TVM-02

Vulnerability Assessment

Conduct vulnerability assessments of AI systems on a regular basis.

DSP-02

Data Classification

Classify data processed by AI systems and protect it appropriately.

DSP-04

Data Privacy

Implement controls to protect personal information in AI systems.

CSA AICM Complete Guide | Tynapse AI Regulation