Information Security Program
Specification
Develop and implement an Information Security Program, which includes programs for all the relevant domains of the AICM.
Threat coverage
Architectural relevance
Lifecycle
Team and expertise
Guardrails, Design
Evaluation, Validation/Red Teaming
Orchestration, AI Services supply chain
Operations, Maintenance, Continuous monitoring, Continuous improvement
Archiving, Data deletion
Ownership / SSRM
PI
Shared Cloud Service Provider-Model Provider (Shared CSP-MP)
The CSP and MP are jointly responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they develop and offer.
Model
Owned by the Model Provider (MP)
The model provider (MP) designs, develops, and implements the control as part of their services or products to mitigate security, privacy, or compliance risks associated with the Large Language Model (LLM). Model Providers are entities that develop, train, and distribute foundational and fine-tuned AI models for various applications. They create the underlying AI capabilities that other actors build upon. Model Providers are responsible for model architecture, training methodologies, performance characteristics, and documentation of capabilities and limitations. They operate at the foundation layer of the AI stack and may provide direct API access to their models. Examples: OpenAI (GPT, DALL-E, Whisper), Anthropic(Claude), Google(Gemini), Meta(Llama), as well as any customized model.
Orchestrated
Owned by the Orchestrated Service Provider (OSP)
The Orchestrated Service Provider (OSP) is responsible for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they develop and offer. The OSP is responsible and accountable for the implementation of the control within its own infrastructure/environment. If the control has downstream implications on the users/customers, the OSP is responsible for enabling the customer and/or upstream partner in the implementation/configuration of the control within their risk management approach. The OSP is accountable for ensuring that its providers upstream (e.g MPs) implement the control as it relates to the service/product the develop and offered by the OSP. This refers to entities that create the technical building blocks and management tools that enable AI implementation. This can include platforms, frameworks, and tools that facilitate the integration, deployment, and management of AI models within enterprise workflows. These providers focus on model orchestration and offer services like API access, automated scaling, prompt management, workflow automation, monitoring, and governance rather than end-user functionality or raw infrastructure. They help businesses implement AI in a structured and efficient manner. Examples: AWS, Azure, GCP, OpenAI, Anthropic, LangChain (for AI workflow orchestration), Anyscale (Ray for distributed AI workloads), Databricks (MLflow), IBM Watson Orchestrate, and developer platforms like Google AI Studio.
Application
Owned by the Customer (AIC)
The Customer (AIC) is responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies services or products they consume.
Implementation guidelines
Auditing guidelines
1. Program Documentation and Scope: Verify that the organization maintains a formal, documented Information Security Program covering the full scope of its cloud infrastructure, platforms, and services. Where the CSP supports AI workloads (e.g., model hosting, data pipelines, inference infrastructure), confirm that the program includes or references controls aligned to relevant AICM domains (e.g., Infrastructure, Data Protection, Third-Party Risk). 2. Security Policy and Governance Assessment: Assess whether the program defines and governs key control areas relevant to secure multi-tenant cloud operations and AI workload support, such as data isolation, identity and access management, infrastructure hardening, logging and monitoring, and shared responsibility models. Confirm that clear ownership is assigned (e.g., CISO, cloud platform leads), that oversight mechanisms (e.g., security committees, governance boards) are in place, and that the program aligns with relevant security frameworks (e.g., ISO/IEC 27001, SOC 2, CSA STAR, NIST). 3. AICM Domain Coverage and Organizational Integration: Determine whether the CSP has evaluated its responsibilities under applicable AICM domains and mapped them to its policies, procedures, and controls. Confirm that implementation spans relevant business and technical units such as platform engineering, operations, compliance, support, and product security, not limited to a single function or silo. 4. Implementation and Effectiveness Validation: Review supporting documentation (e.g., internal audit reports, risk assessments, compliance reviews, or security control monitoring evidence) to validate that the Information Security Program is effectively implemented across domains relevant to AI workload hosting. Select a sample of relevant AICM domains (e.g., Infrastructure, Access Management, Service Continuity) and verify that associated program elements are in place and functioning. From CCM: 1. Examine the policy and/or procedures related to the Information Security Program to determine whether the organization has developed and implemented a comprehensive strategy to manage Information Security across the organization. 2. Review the details of the information security program and establish if this covers the CCMv4 relevant domains. 3. Confirm that identified gaps/issues are being tracked, monitored, and remediated with appropriate escalation where required.
Standards mappings
42001: B.6.1.2 (Objectives for responsible development of AI system) 42001: B.9.3 (Objectives for responsible use of AI system) 42001: D.2 (Integration of AI management system with other management system standards) 42001: C.2.10 (Security) 42001: B.8.4 (Communication of incidents)
Addendum
N/A
Article 15
Addendum
Programs for all the relevant domains of the AI-CM and comprehensive security program structure.
GV-1.1-001 GV-1.2-001 GV-3.1-001 GV-5.1-001 GV-6.1-004
Addendum
Although there are NIST AI 600-1 controls that provide actions towards having information security, it does not have controls that support the GRC-05 topic of "establishing an information security program." NIST misses the requirement or definition of a centralized, overarching information security program or guarantee inclusion of all relevant domains of a control matrix (e.g., access control, data integrity, incident response).
C4 PC-02 C5 OIS-01
Addendum
Create a ISMS with having the AICM back in your mind.
AI-CAIQ questions (1)
Is an Information Security Program that includes programs for all the relevant domains of the AICM developed and implemented?