Independent Assessments
Conduct independent audit and assurance assessments at least annually, according to relevant standards.
Cloud Security Alliance AI Controls Matrix providing a comprehensive set of security controls specifically designed for AI systems deployed in cloud environments.
The Cloud Security Alliance AI Controls Matrix provides a comprehensive framework of security controls tailored for AI systems. As of v1.1 (June 2026) it defines 247 control objectives across 18 security domains, mapped to ISO/IEC 42001 and ISO/IEC 27001, and underpins the CSA STAR for AI assurance program.
Key provisions and requirements of CSA AICM.
Conduct independent audit and assurance assessments at least annually, according to relevant standards.
Verify compliance with all relevant standards, regulations, legal, contractual and statutory requirements applicable to the audit.
Define and implement an audit management process aligned with global audit standards to support audit planning, risk analysis, security control assessment, conclusions, remediation schedules, report generation and review of past reports.
Establish, document and maintain baseline requirements for application security.
Define and implement a software development lifecycle (SDLC) process for application requirements analysis, planning, design, development, testing, deployment and operation according to organizationally defined security requirements.
Establish and maintain a program for the governance of AI systems.
Establish a risk management program to identify, assess and manage risks in AI systems.
Establish, document and maintain policies and procedures for AI system operations.
Manage and control user access to AI systems.
Manage privileges for AI systems according to the principle of least privilege.
Implement logging and monitoring for AI system activity.
Retain logs in accordance with security and compliance requirements.
Establish a program to identify and manage vulnerabilities in AI systems.
Conduct vulnerability assessments of AI systems on a regular basis.
Classify data processed by AI systems and protect it appropriately.
Implement controls to protect personal information in AI systems.