AICM AtlasCSA AI Controls Matrix
DSP · Data Security and Privacy Lifecycle Management
DSP-18Cloud & AI Related

Disclosure Notification

Specification

The providers should implement and describe to customers the procedure to manage and respond to requests for disclosure of Personal Data by Law Enforcement Authorities according to applicable laws and regulations.

Threat coverage

Model manipulation
Data poisoning
Sensitive data disclosure
Model theft
Model/Service Failure
Insecure supply chain
Insecure apps/plugins
Denial of Service
Loss of governance

Architectural relevance

Physical infrastructure
Network
Compute
Storage
Application
Data

Lifecycle

Preparation

Team and expertise

Development

Design, Guardrails

Evaluation

Evaluation, Validation/Red Teaming

Deployment

Orchestration, AI Services supply chain

Delivery

Operations, Maintenance, Continuous monitoring

Retirement

Data deletion, Archiving

Ownership / SSRM

PI

Owned by the Cloud Service Provider (CSP)

The Cloud Service Provider (CSP) is responsible for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with cloud computing (processing, storage, and networking) technologies in the context of the services or products they develop and offer. The CSP is responsible and accountable for implementing the control within its own infrastructure/environment. The CSP is responsible for enabling the customer and/or upstream partner to implement/configure the control within their risk management approach. The CSP is accountable for ensuring that its providers upstream implement the control related to the service/product developed and offered by the CSP.

Model

Owned by the Cloud Service Provider (CSP)

The Cloud Service Provider (CSP) is responsible for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with cloud computing (processing, storage, and networking) technologies in the context of the services or products they develop and offer. The CSP is responsible and accountable for implementing the control within its own infrastructure/environment. The CSP is responsible for enabling the customer and/or upstream partner to implement/configure the control within their risk management approach. The CSP is accountable for ensuring that its providers upstream implement the control related to the service/product developed and offered by the CSP.

Orchestrated

Owned by the Cloud Service Provider (CSP)

The Cloud Service Provider (CSP) is responsible for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with cloud computing (processing, storage, and networking) technologies in the context of the services or products they develop and offer. The CSP is responsible and accountable for implementing the control within its own infrastructure/environment. The CSP is responsible for enabling the customer and/or upstream partner to implement/configure the control within their risk management approach. The CSP is accountable for ensuring that its providers upstream implement the control related to the service/product developed and offered by the CSP.

Application

Owned by the Cloud Service Provider (CSP)

The Cloud Service Provider (CSP) is responsible for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with cloud computing (processing, storage, and networking) technologies in the context of the services or products they develop and offer. The CSP is responsible and accountable for implementing the control within its own infrastructure/environment. The CSP is responsible for enabling the customer and/or upstream partner to implement/configure the control within their risk management approach. The CSP is accountable for ensuring that its providers upstream implement the control related to the service/product developed and offered by the CSP.

Implementation guidelines

[Applicable to all providers]
1. Define a policy and process in accordance with applicable laws and regulations that specifies requirements for responding to requests for access to confidential information from law enforcement agencies.

2. Establish processes to evaluate whether the access requests are legally required, and determine appropriate actions including any required notices or disclosures to the public, customers, affected individuals, or law enforcement authorities.

3. Address the need for transparency to the customers by informing them of requests received concerning their data.

4. Designate a legal team to maintain appropriate contacts with relevant authorities (e.g., regulators, law enforcement, government officials) and industry bodies to help with evaluation of requests and obtain guidance as required.

5. When processing personal data in AI applications ensure transparency and compliance in accordance regulations such as EU AI Act to disclose to users: when they are interacting with an AI system, labeling synthetic content, notifying about emotion recognition or biometric categorization, providing details about data processing, and informing of data subjects of their rights.

Auditing guidelines

1. Verify if infrastructure-level procedures describe how law enforcement requests for data (e.g., stored models, training sets) are processed and responded to.

2. Verify if the procedure complies with privacy and security frameworks relevant to infrastructure providers (e.g., ISO 27001, SOC 2).

3. Verify if responsibilities for legal request handling and escalation are clearly assigned among technical and legal teams.

4. Verify if a secure workflow exists for reviewing, approving, and transmitting data disclosures.

5. Verify that all legal requests and related communications are formally recorded and stored securely.

6. Verify if timeframes for disclosures are monitored and enforced in accordance with local laws.

7. Verify if legal request procedures are reviewed in conjunction with evolving cloud service obligations and international laws.

8. Verify if personnel are trained on how to handle subpoenas, warrants, and national security letters specific to infrastructure services.

9. Verify if law enforcement data requests and their outcomes are logged in an auditable tracking system.

10. Verify if a defined escalation path exists for reporting deviations or improper handling of disclosure requests.

11. Verify if AI-specific disclosure scenarios are addressed (e.g., model telemetry or training logs subject to subpoena).

12. Verify if controls exist to ensure that AI-generated data is protected from unauthorized access during disclosures.

13. Verify if audit mechanisms are in place to detect policy violations or abuse during the disclosure process for AI workloads.

Standards mappings

ISO 42001No Gap
42001: A.2.3 Alignment with other organizational policies
42001: A.8.4 Communication of incidents
42001: A.8.5 Information for interested parties
27001: A.5.34 - Privacy and protection of personal identifiable information (PII)
27002: 5.34 - Privacy and protection of personal identifiable information (PII)
Addendum

N/A

EU AI ActPartial Gap
Article 21
Article 64
Addendum

Law enforcement disclosure is covered but CSP-to-AIC notification is not detailed.

NIST AI 600-1Full Gap
No Mapping
Addendum

NIST AI 600-1 does not cover this DSP-14 topic.

BSI AIC4No Gap
INQ-01
INQ-02
INQ-03
INQ-04
BC-06
Addendum

N/A

AI-CAIQ questions (1)

DSP-18.1

Are the procedures to manage and respond to requests for disclosure of Personal Data by Law Enforcement Authorities according to applicable laws and regulations, implemented and described to the customers by the providers?