Identity and Access Management Policy and Procedures

[All Actors]
Responsible for establishing and maintaining IAM policies and procedures that cover the following:
1. Identity Inventory: Establish and maintain an inventory of identities having access to the cloud environment. Address cross-platform permission inheritance by implementing centralized policy management that maintains consistent access levels across AI environments.

2. Separation of Duties/Segregation of Privileged Access Roles: Prevent any identity from having excessive access that could be used to compromise the AI environment. Separate roles for AI data ingestion, model development, and model deployment. 

3. Principle of Least Privilege (PoLP):  Grant identities only the minimum level of access necessary to perform their job functions. Access permissions should be regularly reviewed and updated to ensure that they are still aligned with job roles.

4. Access Provisioning: Outline the process, timeframe and responsibilities for authorizing, recording, and communicating access provisions.

5. Access Changes and Revocation: Outline the process, timeframe, and responsibilities involved in removing access for movers, leavers, or identity changes.

6. Access Review: Procedures to review and revalidate identity access to ensure adherence to the principle of least privilege and separation of duties. Regularly validate AI user accounts and permissions, especially for data scientists and model developers who may need elevated privileges in AI environments.

7. Machine Identity Management: Implement comprehensive lifecycle management for service accounts, API keys, and machine identities used in AI workflows. Include automated rotation, monitoring for usage patterns, and integration with secrets management systems.

8. Management of Privileged Access Roles: Establish requirements for the lifecycle management of access privileges (provisioning, usage, monitoring, and revocation) and scheduled regular reviews to ensure alignment of access privileges with evolving business requirements and identities roles.

9. Safeguard Logs Integrity: Requirements for log files protection from unauthorized modifications or deletion to ensure the integrity of the audit trail. Break-glass procedures should be defined for accessing and modifying log files in emergency situations.

10. Uniquely Identifiable Users: Requirements for the establishment of unique identifiers that are assigned to all identities within the cloud environment. Unique IDs should be used consistently throughout the cloud environment to track and manage access.

11. Strong Authentication and Credentials: Authentication requirements of security measures for accessing systems, applications, and data assets should be defined and established (e.g., authentication frequency and scope, mechanisms, secure credentials, authentication in relation to data sensitivity).

12. Authorization Mechanisms: Authorization requirements that access privileges granted to different user groups and other identities are based on their roles and responsibilities, data sensitivity and business requirements. The requirements should outline the specific data and system functions that each user group is authorized to access.

13. Dynamic Access Controls: Where appropriate, integrate intelligent risk scoring into access decisions so that privileges adapt dynamically to the user's activity, data sensitivity, and AI workload complexity. Set clear thresholds for elevated access requirements and step-up authentication. Implement dynamic data access patterns including temporary, just-in-time access grants.

14. Identity-Related Incident Response: Establish specific procedures for handling identity compromise scenarios in AI systems, including immediate access revocation, model quarantine capabilities, and forensic analysis requirements. Include procedures for containing incidents across distributed system components.

15. Secure Secret Management: Never hardcode credentials, API keys, or other secrets in application code. Use appropriate secret management services with tightly controlled permissions and audit logging for storing, accessing, and rotating secrets.

1. Verify that IAM policies cover cloud infrastructure hosting AI components, including compute, storage, and networking.

2. Confirm the CSP enforces IAM policies for internal operators managing AI workloads or model containers.

3. Ensure policies include fine-grained access controls using IAM roles, service accounts, and conditions.

4. Validate that CSP IAM policies are reviewed periodically, with evidence of updates tied to service-level risk assessments.

5. Check compliance with regulatory IAM requirements (e.g., GDPR, FedRAMP) and alignment with cloud-native security frameworks (e.g., AWS IAM, GCP IAM).

From CCM:
1. Examine policy and/or procedures related to identity and access management to determine if policy and/or procedure content:
  a. addresses the provisioning, modification and deprovisioning of logical access.
  b. establishes password complexity and management requirements.
  c. addresses authorization concept following separation of duties and least privilege.
  d. addresses privileged access management and access reviews.
  e. includes roles and responsibilities for provisioning, modifying and deprovisioning of logical access.
  f. understands the delineation of identity and access management control responsibility in relation to the shared responsibility model.
2. Determine if the policy is clearly communicated and available to stakeholders.
3. Examine if policy and procedures are reviewed and updated at least annually.