CCC · Change Control and Configuration Management

CCC-06Cloud & AI Related

Change Management Baseline

Specification

Establish change management baselines for all relevant authorized changes on organization assets. Review and update the change management baseline at least annually or upon significant changes.

Threat coverage

Model manipulation

Data poisoning

Sensitive data disclosure

Model theft

Model/Service Failure

Insecure supply chain

Insecure apps/plugins

Denial of Service

Loss of governance

Architectural relevance

Physical infrastructure

Network

Compute

Storage

Application

Data

Lifecycle

Preparation

Data storage, Resource provisioning

Development

Design, Training, Guardrails, Supply Chain

Evaluation

Validation/Red Teaming, Evaluation, Re-evaluation

Deployment

Orchestration, AI Services supply chain, AI applications

Delivery

Operations, Maintenance, Continuous monitoring, Continuous improvement

Retirement

Archiving, Data deletion, Model disposal

Ownership / SSRM

Shared across the supply chain

Shared control ownership refers to responsibilities and activities related to LLM security that are distributed across multiple stakeholders within the AI supply chain, including the Cloud Service Provider (CSP), Model Provider (MP), Orchestrated Service Provider (OSP), Application Provider (AP), and Customer (AIC). These controls require coordinated actions, communication, and governance across all involved parties to ensure their effectiveness.

Model

Owned by the Model Provider (MP)

The model provider (MP) designs, develops, and implements the control as part of their services or products to mitigate security, privacy, or compliance risks associated with the Large Language Model (LLM). Model Providers are entities that develop, train, and distribute foundational and fine-tuned AI models for various applications. They create the underlying AI capabilities that other actors build upon. Model Providers are responsible for model architecture, training methodologies, performance characteristics, and documentation of capabilities and limitations. They operate at the foundation layer of the AI stack and may provide direct API access to their models. Examples: OpenAI (GPT, DALL-E, Whisper), Anthropic(Claude), Google(Gemini), Meta(Llama), as well as any customized model.

Orchestrated

Shared Orchestrated Service Provider-Application Provider (Shared OSP-AP)

The OSP and AP are jointly responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they develop and offer.

Application

Owned by the Application Provider (AP)

The Application Provider (AP) is responsible for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they develop and offer. The AP is responsible and accountable for the implementation of the control within its own infrastructure/environment. If the control has downstream implications on the users/customers, the AP is responsible for enabling the customer and/or upstream partner in the implementation/configuration of the control within their risk management approach. The AP is accountable for carrying out the due diligence on its upstream providers (e.g MPs, Orchestrated Services) to verify that they implement the control as it relates to the service/product develop and offered by the AP. These providers build and offer end-user applications that leverage generative AI models for specific tasks such as content creation, chatbots, code generation, and enterprise automation. These applications are often delivered as software-as-a-service (SaaS) solutions. These providers focus on user interfaces, application logic, domain-specific functionality, and overall user experience rather than underlying model development. Example: OpenAI (GPTs,Assistants), Zapier, CustomGPT, Microsoft Copilot (integrated into Office products), Jasper (AI-driven content generation), Notion AI (AI-enhanced productivity tools), Adobe Firefly (AI-generated media), and AI-powered customer service solutions like Amazon Rufus, as well as any organization that develops its AI-based application internally.

Implementation guidelines

[All Actors]
1. Identify and define critical baseline elements that must be monitored for deviation, including system configurations, AI model versions, training datasets, hyperparameters, infrastructure specifications, and access control settings.

2. Maintain version-controlled records of all approved baselines, ensuring traceability and auditability of original configuration states.

3. Implement automated tools to detect configuration drift or unauthorized deviations from the approved baselines in real-time or near real-time.

4. Establish materiality threshold criteria for what constitutes a material deviation that warrants investigation, rollback or emergency change.

5. Document procedures for responding to baseline deviations, including root cause analysis, corrective actions, and optional incident escalation.

6. Ensure deviation detection mechanisms are tested periodically and integrated with the organization’s broader change control and security operations workflows.

Auditing guidelines

1. Inquiring with Control Owners
 
1.1 Interview key personnel to understand if the AI Infrastructure Provider has established and maintains effective change management baselines for all relevant authorized changes to computational resources, storage systems, and network capabilities used for training, fine-tuning, and deploying AI models.

2. Obtaining and Verifying the Population of Infrastructure Records

2.1 Infrastructure Component Population Definition: Define the complete population of records for testing, including: inventory of AI accelerator hardware (GPUs, TPUs, specialized accelerators), compute server configurations and specifications, hardware driver and firmware versions, AI framework optimizations and libraries, storage system configurations and performance profiles, network topology and interconnect specifications, resource management and scheduling policies, container images and virtualization configurations, infrastructure-as-code templates, cluster management software versions, and performance tuning parameters and configurations.

2.2 Perform procedures to verify the completeness and accuracy of the obtained population.

3. Inspection of Infrastructure Evidence

3.1 Infrastructure Baseline Scope Definition: Verify that clear documentation exists defining what constitutes a baseline for infrastructure components. For Compute Components: server hardware specifications, GPU/TPU/accelerator configurations, CUDA/ROCm/driver versions and compatibility, CPU optimization settings, and memory configuration and management. For Storage Components: storage system architectures and configurations, I/O optimization parameters, data caching strategies, performance tuning configurations, and data transfer protocols and settings. For Network Components: network topology and bandwidth specifications, interconnect configurations, network protocol optimizations for AI workloads, load balancing configurations, and quality of service policies. For Platform Components: container runtime versions and configurations, orchestration platform settings, resource scheduling algorithms and weights, quota management policies, and multi-tenancy isolation controls.

3.2 Infrastructure Management Tool Assessment: Examine the implementation and usage of: version control for infrastructure-as-code templates, configuration management databases (CMDBs), hardware monitoring and telemetry systems, resource management and scheduling platforms, performance profiling and optimization tools, and automated provisioning and deployment systems.

3.3 Infrastructure Sample-Based Verification: Select a representative sample of infrastructure components and verify: baseline establishment documentation for each component, version control implementation for hardware and software configurations, compatibility testing between component versions, change history completeness across configuration changes, approval documentation for infrastructure updates, performance testing before and after changes, and 
regression testing documentation.

3.4 Infrastructure Baseline Integrity Controls: Review controls protecting infrastructure baseline integrity: access controls to infrastructure configuration repositories, approval workflows for hardware and software changes, configuration integrity verification mechanisms, prevention controls for unauthorized infrastructure modifications, detection controls for identifying unexpected configuration changes, and audit trails for infrastructure modifications.

3.5 Infrastructure Version Change Controls: Trace a sample of infrastructure changes to verify: change approval documentation, performance and compatibility evaluation reports, corresponding baseline updates in configuration management systems, documentation of dependency changes and impacts, 
customer communication regarding infrastructure updates, and backward compatibility assessments and migration paths.

3.6 Infrastructure Environment Baselines: Verify infrastructure environment baseline management through: firmware and driver version control, operating system and kernel parameter management, library and runtime environment versioning, containerization and image management, infrastructure-as-code template versioning, and configuration drift detection mechanisms.

3.7 Integration Between Infrastructure Baseline Systems: Assess how different infrastructure baseline management systems are integrated: connections between hardware inventory and configuration management, integration between infrastructure monitoring and change management, synchronization between capacity planning and deployment systems, coordination of infrastructure updates across dependent components, and management of compatibility between hardware, drivers, and frameworks.

3.8 Other Baseline Effectiveness Assessment Considerations: Consider the following other assessments: evaluate how well baselines ensure reliability of AI infrastructure, assess the completeness of baseline coverage across all infrastructure components, determine if baseline granularity is appropriate for infrastructure complexity, review instances where infrastructure baseline controls failed to prevent issues, evaluate performance impact assessment effectiveness, and assess effectiveness of infrastructure deprecation procedures.

Standards mappings

ISO 42001Partial Gap

42001: Clause 6.3 Planning of changes
42001: Clause 8.1 Operational planning and control
42001: A.6.2.2 AI system requirements and specification
42001: 6.2.3 – Risk treatment
42001: 6.2.6 – Operation & monitoring
27001: A.8.32 Change management
27001: A.8.9 Configuration Management

Addendum

Make the baseline concept explicit. Require periodic review. Extend/clarify scope to all organizational assets.

EU AI ActFull Gap

No Mapping

Addendum

The EU AI Act does not cover the CCC-06 topic, "Establish change management baselines for all relevant authorized changes on organization assets," nor times of review for any of the AI structures defined within the EU AI Act.

NIST AI 600-1Partial Gap

MS-2.9-002
MG-3.2-002
GV-1.6-001
GV-1.6-002
GV-6.1-008
MP-2.1-001
GV-6.1-008
MG-2.2-002
MG-3.2-003
GV-1.3-002
MS-2.8-003
GV-1.6-001

Addendum

The entire requirement to "establish change management baselines" is missing in NIST AI 600-1.

BSI AIC4No Gap

DEV-03

Addendum

N/A

AI-CAIQ questions (2)

CCC-06.1

Are change management baselines established for all relevant authorized changes on organization assets?

CCC-06.2

Is the change management baseline reviewed an updated at least annually or upon significant changes?