CSA AI Controls Matrix (AICM Atlas)
HRS · Human Resources
HRS-14 · AI-Specific

AI Competency Training

Specification

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures defining the AI training program for all relevant personnel of the organization based on their roles and provide regular training updates.

Threat coverage

Model manipulation
Data poisoning
Sensitive data disclosure
Model theft
Model/Service Failure
Insecure supply chain
Insecure apps/plugins
Denial of Service
Loss of governance

Architectural relevance

Physical infrastructure
Network
Compute
Storage
Application
Data

Lifecycle

Preparation

Team and expertise

Development

Supply Chain

Evaluation

Not applicable

Deployment

AI Services supply chain

Delivery

Not applicable

Retirement

Not applicable

Ownership / SSRM

PI

Owned by the Customer (AIC)

The Customer (AIC) is responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with the Large Language Model (LLM)/GenAI technology services or products they consume.

Model

Owned by the Model Provider (MP)

The model provider (MP) designs, develops, and implements the control as part of their services or products to mitigate security, privacy, or compliance risks associated with the Large Language Model (LLM). Model Providers are entities that develop, train, and distribute foundational and fine-tuned AI models for various applications. They create the underlying AI capabilities that other actors build upon. Model Providers are responsible for model architecture, training methodologies, performance characteristics, and documentation of capabilities and limitations. They operate at the foundation layer of the AI stack and may provide direct API access to their models. Examples: OpenAI (GPT, DALL-E, Whisper), Anthropic (Claude), Google (Gemini), Meta (Llama), as well as any customized model.

Orchestrated

Shared Cloud Service Provider-Model Provider (Shared CSP-MP)

The CSP and MP are jointly responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they develop and offer.

Application

Shared across the supply chain

Shared control ownership refers to responsibilities and activities related to LLM security that are distributed across multiple stakeholders within the AI supply chain, including the Cloud Service Provider (CSP), Model Provider (MP), Orchestrated Service Provider (OSP), Application Provider (AP), and Customer (AIC). These controls require coordinated actions, communication, and governance across all involved parties to ensure their effectiveness.

Implementation guidelines

[All Actors]
1. Evaluate existing AI skills and resources.

2. Set clear objectives, outcomes, and goals for the AI competency program.

3. Determine the specific AI skills and knowledge needed by performing a skill gap analysis.

4. Develop a structured framework outlining AI proficiency levels.

5. Create training programs using online courses, workshops, and mentorship, focusing on AI basics, ethics of AI, data privacy and security, model development, human-centered mindset, AI techniques and applications, and AI system design. Implement an approval process for training materials and procedures to ensure they meet industry standards and regulatory requirements.

6. Administer training according to plan.

7. Monitor employee progress by conducting periodic evaluations and quizzes to measure comprehension of AI principles.

8. Encourage external industry certifications in core AI competencies and academic programs. Foster a learning culture where subject matter experts host workshops and share experiences on AI failures, successes, risks, and best practices.

9. Maintain training records, completion rates, and achievement scores.

10. Conduct annual or on-demand reviews to ensure skill set relevancy.

11. Evaluate the training program's effectiveness through feedback and performance metrics.

Auditing guidelines

1. Verify the cloud service provider has an approved AI training policy aligned with its infrastructure, platform services, and AI offerings (e.g., covering responsible use of hosted models and compute resources).

2. Verify that the training program defines role-specific paths (e.g., cloud engineers on secure AI deployment, support teams on identifying misuse, sales teams on responsible customer onboarding).

3. Ensure training is accessible and delivered through onboarding, internal portals, or team-based sessions across technical and customer-facing roles.

4. Review participation records to confirm staff receive training relevant to their responsibilities in managing and supporting AI services.

5. Evaluate effectiveness through assessments or feedback, and confirm updates are made following incidents, customer misuse, or audits.

6. Confirm training content is regularly updated to reflect new AI services, regulatory changes, or evolving customer use cases.

Standards mappings

ISO 42001 · No Gap
42001: 5.3 Roles, responsibilities and authorities
42001: 7.2 Competence
42001: 7.3 Awareness
42001: A.3.2 AI Roles and responsibilities
42001: A.4.6 Human Resource
Addendum

N/A

EU AI Act · Partial Gap
Recital 91
Article 4
Addendum

The EU AI Act does not mandate organizations to establish, document, or update formal training programs. It applies only to high-risk AI system personnel, not all relevant personnel. It does not include requirements to establish or maintain a formal AI training program. No documentation, communication, or evaluation of training programs is required. No cadence (e.g., regular updates) is prescribed.

NIST AI 600-1 · No Gap
GV-2.1-003
MP-1.2-001
MP-3.4-003
MP-4.1-003
Addendum

N/A

BSI AIC4 · Partial Gap
C5 HR-03
Addendum

No AIC4 control addresses the HRS-14 topic of AI training for personnel.

AI-CAIQ questions (2)

HRS-14.1

Are the policies and procedures defining the AI training program for all relevant personnel of the organization established, documented, approved, communicated, applied, evaluated, and maintained?

HRS-14.2

Are regular training updates given to personnel based on their roles?