CEK · Cryptography, Encryption & Key Management

CEK-14Cloud & AI Related

Key Destruction

Specification

Define, implement, and evaluate processes, procedures, and technical measures to securely destroy cryptographic keys when they are no longer needed, which include provisions for legal and regulatory requirements.

Threat coverage

Model manipulation

Data poisoning

Sensitive data disclosure

Model theft

Model/Service Failure

Insecure supply chain

Insecure apps/plugins

Denial of Service

Loss of governance

Architectural relevance

Physical infrastructure

Network

Compute

Storage

Application

Data

Lifecycle

Preparation

Data storage

Development

Not applicable

Evaluation

Not applicable

Deployment

Orchestration, AI Services supply chain, AI applications

Delivery

Operations, Maintenance, Continuous monitoring

Retirement

Archiving, Data deletion, Model disposal

Ownership / SSRM

Shared across the supply chain

Shared control ownership refers to responsibilities and activities related to LLM security that are distributed across multiple stakeholders within the AI supply chain, including the Cloud Service Provider (CSP), Model Provider (MP), Orchestrated Service Provider (OSP), Application Provider (AP), and Customer (AIC). These controls require coordinated actions, communication, and governance across all involved parties to ensure their effectiveness.

Model

Owned by the Model Provider (MP)

The model provider (MP) designs, develops, and implements the control as part of their services or products to mitigate security, privacy, or compliance risks associated with the Large Language Model (LLM). Model Providers are entities that develop, train, and distribute foundational and fine-tuned AI models for various applications. They create the underlying AI capabilities that other actors build upon. Model Providers are responsible for model architecture, training methodologies, performance characteristics, and documentation of capabilities and limitations. They operate at the foundation layer of the AI stack and may provide direct API access to their models. Examples: OpenAI (GPT, DALL-E, Whisper), Anthropic(Claude), Google(Gemini), Meta(Llama), as well as any customized model.

Orchestrated

Shared Model Provider-Orchestrated Service Provider (Shared MP-OSP)

The MP and OSP are jointly responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they develop and offer.

Application

Shared Application Provider-AI Customer (Shared AP-AIC)

The AP and AIC both share responsibility and accountability for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they offer and consume.

Implementation guidelines

[All Actors]
Applies to all Roles (Baseline) before application of role context.
1. Establish and document policies and procedures for Cryptography, Encryption, and Key Management.

2. Approve the policies and procedures through formal governance processes (e.g., security committee, CISO).

3. Communicate the policies and procedures to all relevant stakeholders.

4. Apply the approved policies and procedures to all systems, services, and processes under the role’s control.

5. Evaluate the effectiveness of policy and procedure implementation using internal audits, technical reviews, 
and encryption control validations.

6. Review and update the policies and procedures at least annually, or when significant system, model, or 
regulatory changes occur.

Auditing guidelines

1. Verify that the CSP defines, implements, and evaluates processes, procedures, and technical measures to destroy cryptographic keys stored outside a secure environment and to revoke keys stored in Hardware Security Modules (HSMs) when they are no longer needed, including those supporting tenant-specific encryption services, multi-tenant key storage, and cloud-native secrets management.

2. Verify that the CSP has a documented policy and process for the secure deletion of cryptographic keys and associated data once they are no longer needed, ensuring compliance with relevant legal, regulatory, and contractual requirements for data and key destruction.

3. Confirm that the CSP defines conditions for key destruction or revocation, including service termination, tenant offboarding, algorithm deprecation, cryptoperiod expiration, or customer request.

4. Verify that cryptographic keys stored outside secure environments (e.g., in configuration backups, unprotected volumes, ephemeral cache) are destroyed using industry-approved techniques (e.g., cryptographic erasure, zeroization), and that destruction is traceable and logged.

5. Review the CSP’s systems and platforms to confirm that ephemeral or deprecated keys are removed from memory, virtual instances, container layers, or local storage as part of shutdown or reallocation workflows.

6. Confirm that keys managed in HSMs or KMS are revoked using controlled interfaces that render the key permanently unusable and record revocation metadata (e.g., reason, timestamp, initiator).

7. Validate that CSP-managed keys used to support AI infrastructure (e.g., for encrypted prompt logs, inference cache, model backups) are destroyed or revoked when the services or storage components they protect are no longer in use.

8. Review destruction and revocation event logs to verify completeness and confirm that metadata includes the key ID, affected service, initiating entity, and destruction method.

9. Confirm that key destruction is a required step in CSP resource decommissioning procedures and is enforced through automation, infrastructure as code (IaC), or security orchestration.

10. Verify that CSP key destruction practices comply with relevant jurisdictional laws, industry standards (e.g., NIST, ISO), and contractual commitments to customers.

11. Confirm that the CSP notifies affected customers or partners (e.g., APs, AICs) when shared or customer-scoped keys are revoked or destroyed, ensuring continuity and avoiding unplanned disruption.

From CCM:
1. Confirm the existence of key destruction processes and procedures.
2. Review the access permissions for the destruction and restoration of keys and confirm that only appropriate individuals have access to these capabilities.
3. Review keys that have been destroyed and ascertain the appropriate process and procedure have been followed.
4. Establish documented criteria that determine when it is appropriate for a cryptographic key to be stored outside a secure environment.

Standards mappings

ISO 42001Partial Gap

No Mapping for ISO 42001
ISO 27001: A.8.24
ISO 27002: 8.24

Addendum

Add a control mandating AI systems to define, implement, and evaluate processes, procedures, and technical measures to destroy keys stored outside secure environments and revoke keys in HSMs when no longer needed, including legal and regulatory provisions, addressing ISO 42001:2023’s gap in specific key destruction/revocation requirements, enhancing ISO 27001 (A.8.24) and ISO 27002 (8.24).

EU AI ActFull Gap

No Mapping

Addendum

Cover the AICM control.

NIST AI 600-1Full Gap

No Mapping

Addendum

No (implicit/explicit) reference to cryptography, encryption, or key management is made in the NIST AI 600-1 standard, let alone to the specific requirement of key destruction.

BSI AIC4No Gap

CRY-04
AM-04

Addendum

N/A

AI-CAIQ questions (1)

CEK-14.1

Are processes, procedures, and technical measures which include provisions for legal and regulatory requirements, defined, implemented and evaluated, to securely destroy cryptographic keys when they are no longer needed?