Information System Regulatory Mapping
Specification
Identify and document all relevant standards, regulations, legal/contractual, and statutory requirements, which are applicable to your organization. Review at least annually or when a substantial change occurs within the organization.
Threat coverage
Architectural relevance
Lifecycle
Team and expertise
Guardrails
Evaluation, Validation/Red Teaming
Orchestration, AI Services supply chain
Operations, Maintenance, Continuous monitoring, Continuous improvement
Archiving, Data deletion
Ownership / SSRM
PI
Shared Cloud Service Provider-Model Provider (Shared CSP-MP)
The CSP and MP are jointly responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they develop and offer.
Model
Owned by the Model Provider (MP)
The model provider (MP) designs, develops, and implements the control as part of their services or products to mitigate security, privacy, or compliance risks associated with the Large Language Model (LLM). Model Providers are entities that develop, train, and distribute foundational and fine-tuned AI models for various applications. They create the underlying AI capabilities that other actors build upon. Model Providers are responsible for model architecture, training methodologies, performance characteristics, and documentation of capabilities and limitations. They operate at the foundation layer of the AI stack and may provide direct API access to their models. Examples: OpenAI (GPT, DALL-E, Whisper), Anthropic(Claude), Google(Gemini), Meta(Llama), as well as any customized model.
Orchestrated
Owned by the Orchestrated Service Provider (OSP)
The Orchestrated Service Provider (OSP) is responsible for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they develop and offer. The OSP is responsible and accountable for the implementation of the control within its own infrastructure/environment. If the control has downstream implications on the users/customers, the OSP is responsible for enabling the customer and/or upstream partner in the implementation/configuration of the control within their risk management approach. The OSP is accountable for ensuring that its providers upstream (e.g MPs) implement the control as it relates to the service/product the develop and offered by the OSP. This refers to entities that create the technical building blocks and management tools that enable AI implementation. This can include platforms, frameworks, and tools that facilitate the integration, deployment, and management of AI models within enterprise workflows. These providers focus on model orchestration and offer services like API access, automated scaling, prompt management, workflow automation, monitoring, and governance rather than end-user functionality or raw infrastructure. They help businesses implement AI in a structured and efficient manner. Examples: AWS, Azure, GCP, OpenAI, Anthropic, LangChain (for AI workflow orchestration), Anyscale (Ray for distributed AI workloads), Databricks (MLflow), IBM Watson Orchestrate, and developer platforms like Google AI Studio.
Application
Owned by the Customer (AIC)
The Customer (AIC) is responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies services or products they consume.
Implementation guidelines
Auditing guidelines
1. Policy Examination a. Verify that the organization maintains a documented inventory of applicable standards, regulations, legal obligations, and contractual commitments relevant to the provision of cloud-based AI services. b. Confirm that the organization considers various sources when compiling its inventory (e.g., global privacy laws, data residency requirements, cloud service agreements, customer-specific contractual terms, and industry frameworks). 2. Policy Assessment a. Assess whether the inventory is reviewed and updated at least annually or when significant business or regulatory changes occur, and that ownership for maintaining the inventory is clearly assigned (e.g., compliance, legal, or regulatory affairs). b. Confirm that the documented requirements reflect the organization’s AI service offerings, regions of operation, and customer base, including sector-specific mandates (e.g., financial services, healthcare). 3. Program Evaluation a. Determine whether regulatory and contractual requirements are integrated into organization's service design, operational controls, and customer-facing policies (e.g., data transfer safeguards, audit support provisions, breach notification protocols). b. Confirm that relevant governance stakeholders (e.g., compliance, engineering, customer success) reference the requirements inventory in risk assessments, contract negotiations, or platform configuration decisions. 4. Implementation Validation a. Review records such as compliance mapping matrices, internal control assessments, and policy update logs to confirm that documented requirements are reflected in operational processes. b. Select a sample of obligations (e.g., GDPR data processing, cross-border transfer clauses) and verify that documentation or audit trails show these were incorporated into the organization's service delivery and oversight. From CCM: 1. Confirm that policy and procedures include provisions to identify and document all relevant standards, regulations, legal/contractual, and statutory requirements. 2. Establish that the organization maintains an inventory of CCM controls and relevant regulatory information is mapped across to the CCM inventory. 3. Identify and examine any metrics and supporting evidence to provide assurance that the information system regulatory mapping is reviewed on a periodic basis, and that any gaps in the mapping are appropriately actioned.
Standards mappings
42001: 4.1 Note 2 (Understanding the organization and its context) 42001: B.6.2.6 (AI system operation and monitoring) 42001: B.7.3 (Acquisition of data) 42001: B.8.5 (Information for interested parties) 42001: B.9.2 (Processes for responsible use of AI systems) 27001: A.5.31 (Legal statutory regulatory and contractual requirements)
Addendum
N/A
Article 11 Annex IV Article 16
Addendum
Implement an internal compliance register. Include: - All relevant regulations, contracts, and standards - An annual and event-based review policy (upon substantial change) - Assigned ownership for keeping the register current.
MP-4.1-003
Addendum
N/A
COM-01
Addendum
N/A
AI-CAIQ questions (2)
Are all relevant standards, regulations, legal/contractual, and statutory requirements, applicable to your organization, identified and documented?
Are all relevant standards,regulations, legal/contractual and statutory requirements reviewed and updated at least annually or when a substantial change occurs within the organization?