Capacity and Resource Planning
Specification
Plan and monitor the availability, quality, and adequate capacity of resources in order to deliver the required system performance as determined by the business.
Threat coverage
Architectural relevance
Lifecycle
Data storage, Resource provisioning
Training
Re-evaluation, Evaluation
Orchestration, AI Services supply chain, AI applications
Operations, Continuous monitoring, Continuous improvement
Not applicable
Ownership / SSRM
PI: Shared Cloud Service Provider-Model Provider (Shared CSP-MP)
The CSP and MP are jointly responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they develop and offer.
Model: Owned by the Model Provider (MP)
The model provider (MP) designs, develops, and implements the control as part of their services or products to mitigate security, privacy, or compliance risks associated with the Large Language Model (LLM). Model Providers are entities that develop, train, and distribute foundational and fine-tuned AI models for various applications. They create the underlying AI capabilities that other actors build upon. Model Providers are responsible for model architecture, training methodologies, performance characteristics, and documentation of capabilities and limitations. They operate at the foundation layer of the AI stack and may provide direct API access to their models. Examples: OpenAI (GPT, DALL-E, Whisper), Anthropic (Claude), Google (Gemini), Meta (Llama), as well as any customized model.
Orchestrated: Shared Model Provider-Orchestrated Service Provider (Shared MP-OSP)
The MP and OSP are jointly responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they develop and offer.
Application: Shared Orchestrated Service Provider-Application Provider (Shared OSP-AP)
The OSP and AP are jointly responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they develop and offer.
Implementation guidelines
Auditing guidelines
1. Examine whether the Cloud Service Provider's business requirements for system performance are documented and available.
2. Verify that capacity plans, performance forecasts, and scaling procedures are reviewed and approved by senior management or governance authorities.
3. Verify that performance metrics are reviewed regularly, that potential capacity constraints are identified proactively, and that compliance with agreed-upon service levels is confirmed.
4. Verify that capacity and performance planning procedures are reviewed regularly, at least annually, and aligned with changing business demands, system performance metrics, emerging technologies, and evolving threats.
Standards mappings
ISO/IEC 42001:2023: B.4.2
Addendum: N/A
EU AI Act: No Mapping
Addendum: The full control would have to be added, because the EU AI Act does not address these concerns. Add: "Plan and monitor the availability, quality, and adequate capacity of resources in order to deliver the required system performance as determined by the business."
NIST AI 600-1: No Mapping
Addendum: NIST AI 600-1 is missing the operational, performance, and resource planning focus required by I&S-02.
C4 RE-01, C4 BC-03, C4 PF-01, C5 OPS-01, C5 OPS-02
Addendum: N/A
AI-CAIQ questions (1)
Are the availability, quality, and adequate capacity of resources planned and monitored in order to deliver the required system performance as determined by the business?