AICM AtlasCSA AI Controls Matrix
HRS · Human Resources
HRS-13Cloud & AI Related

Compliance User Responsibility

Specification

Make employees aware of their roles and responsibilities for maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations.

Threat coverage

Model manipulation
Data poisoning
Sensitive data disclosure
Model theft
Model/Service Failure
Insecure supply chain
Insecure apps/plugins
Denial of Service
Loss of governance

Architectural relevance

Physical infrastructure
Network
Compute
Storage
Application
Data

Lifecycle

Preparation

Team and expertise

Development

Supply Chain

Evaluation

Not applicable

Deployment

AI Services supply chain

Delivery

Not applicable

Retirement

Not applicable

Ownership / SSRM

PI

Shared Cloud Service Provider-Model Provider (Shared CSP-MP)

The CSP and MP are jointly responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they develop and offer.

Model

Owned by the Model Provider (MP)

The model provider (MP) designs, develops, and implements the control as part of their services or products to mitigate security, privacy, or compliance risks associated with the Large Language Model (LLM). Model Providers are entities that develop, train, and distribute foundational and fine-tuned AI models for various applications. They create the underlying AI capabilities that other actors build upon. Model Providers are responsible for model architecture, training methodologies, performance characteristics, and documentation of capabilities and limitations. They operate at the foundation layer of the AI stack and may provide direct API access to their models. Examples: OpenAI (GPT, DALL-E, Whisper), Anthropic(Claude), Google(Gemini), Meta(Llama), as well as any customized model.

Orchestrated

Shared Cloud Service Provider-Model Provider (Shared CSP-MP)

The CSP and MP are jointly responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they develop and offer.

Application

Shared across the supply chain

Shared control ownership refers to responsibilities and activities related to LLM security that are distributed across multiple stakeholders within the AI supply chain, including the Cloud Service Provider (CSP), Model Provider (MP), Orchestrated Service Provider (OSP), Application Provider (AP), and Customer (AIC). These controls require coordinated actions, communication, and governance across all involved parties to ensure their effectiveness.

Implementation guidelines

[All Actors]
1. Ensure employees know their roles and responsibilities for AI compliance.

2. Establish and maintain a training program that defines roles, departmental responsibilities, and legal obligations through campaigns, newsletters, and training sessions.

3. Conduct periodic training sessions on AI privacy and security, clarifying shared responsibilities.

4. Establish and communicate the process to report compliance issues and AI misuse.

5. Align policies and procedures with legal and regulatory requirements, best practices and industry frameworks.

6. Ensure employees, contractors and third parties understand permissible data usage and its implications.

7. Emphasize ethical AI practices, bias mitigation, transparency, and data privacy.

8. Communicate policies for handling sensitive data and clarify roles and responsibilities.

9. Provide regular updates on AI threats, risks and lessons learned.

10. Ensure all employees, contractors, interns and third parties comply with security and privacy policies by obtaining acknowledgements.

Auditing guidelines

1. Review how the Cloud Service Provider (CSP) identifies and updates applicable AI-related legal, statutory, and regulatory obligations (e.g., ISO 42001, EU AI Act, GDPR, U.S. state-level AI laws).

2. Collect evidence of documented processes, legal/compliance reviews, and involvement of relevant stakeholders (e.g., cloud governance, legal, risk teams).

3. Interview staff (e.g., cloud engineers, AI platform managers) to confirm awareness of their responsibilities under these obligations.

4. Check for role-specific training, signed acknowledgments, and ongoing compliance communications.

Standards mappings

ISO 42001No Gap
42001: A.2.3 Alignment with other organizational policies
42001: 5.3 Roles
responsibilities and authorities
42001: 7.3 Awareness
42001: A.3.2 AI Roles and responsibilities
42001: A.4.6 Human Resource
27001: 5.1 Leadership Commitment
27001: 5.3 Organization Roles
Responsibilities and Authorities
27001: 7.3 Awareness
27001: A.5.4 Management responsibilities
27001: A.6.2 Terms and conditions of employment
27001: A.6.3 Information security awareness
education and training
27002: 5.4 Management responsibilities
27002: 6.2 Terms and conditions of employment
27002: 6.3 Information security awareness
education and training
Addendum

N/A

EU AI ActPartial Gap
Article 17 (1) (m)
Addendum

Make employees aware of their roles and responsibilities for maintaining awareness and compliance.

NIST AI 600-1No Gap
GV-4.1-003
MP-4.1-003
MG-4.3-003
Addendum

N/A

BSI AIC4No Gap
HR-03
Addendum

N/A

AI-CAIQ questions (1)

HRS-13.1

Are employees notified of their roles and responsibilities to maintain awareness and compliance with established policies, procedures, and applicable legal, statutory, or regulatory compliance obligations?