AICM AtlasCSA AI Controls Matrix
UEM · Universal Endpoint Management
UEM-02Cloud & AI Related

Application and Service Approval

Specification

Define, document, apply and evaluate a list of approved services, applications and sources of applications (stores) acceptable for use by endpoints when accessing or storing organization-managed data.

Threat coverage

Model manipulation
Data poisoning
Sensitive data disclosure
Model theft
Model/Service Failure
Insecure supply chain
Insecure apps/plugins
Denial of Service
Loss of governance

Architectural relevance

Physical infrastructure
Network
Compute
Storage
Application
Data

Lifecycle

Preparation

Data storage

Development

Guardrails

Evaluation

Not applicable

Deployment

Orchestration, AI Services supply chain, AI applications

Delivery

Operations, Maintenance, Continuous monitoring, Continuous improvement

Retirement

Data deletion

Ownership / SSRM

PI

Shared across the supply chain

Shared control ownership refers to responsibilities and activities related to LLM security that are distributed across multiple stakeholders within the AI supply chain, including the Cloud Service Provider (CSP), Model Provider (MP), Orchestrated Service Provider (OSP), Application Provider (AP), and Customer (AIC). These controls require coordinated actions, communication, and governance across all involved parties to ensure their effectiveness.

Model

Owned by the Model Provider (MP)

The model provider (MP) designs, develops, and implements the control as part of their services or products to mitigate security, privacy, or compliance risks associated with the Large Language Model (LLM). Model Providers are entities that develop, train, and distribute foundational and fine-tuned AI models for various applications. They create the underlying AI capabilities that other actors build upon. Model Providers are responsible for model architecture, training methodologies, performance characteristics, and documentation of capabilities and limitations. They operate at the foundation layer of the AI stack and may provide direct API access to their models. Examples: OpenAI (GPT, DALL-E, Whisper), Anthropic(Claude), Google(Gemini), Meta(Llama), as well as any customized model.

Orchestrated

Shared Model Provider-Orchestrated Service Provider (Shared MP-OSP)

The MP and OSP are jointly responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they develop and offer.

Application

Shared Application Provider-AI Customer (Shared AP-AIC)

The AP and AIC both share responsibility and accountability for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they offer and consume.

Implementation guidelines

[Applicable to all actors except CSP]            
        1.        Use a unified approval workflow (e.g., ticketing system or governance portal) where MP, OSP, AP, and AIC submit requests, perform formal reviews, and authorize new applications or services.

        2.        Maintain a single source of truth for the approved software/services list with version control, change logs, categorization by risk level, sensitivity, and purpose, and an established exception handling process backed by formal risk assessment and approval.

        3.        Automate enforcement of the approved list via UEM controls (such as application whitelisting, allowlisting, and device compliance gating), including mechanisms for access denial or quarantine based on integrity checks or policy violations (e.g., jailbroken or non‑compliant devices).

        4.        Define review frequency based on risk tier and conduct periodic triage reviews (e.g., monthly or quarterly) for critical/high‑risk apps and semi‑annual or annual reviews for lower‑risk ones, with provisions for ad‑hoc or event‑driven reassessments (triggered by incidents or threat intelligence).

        5.        Embed audit and monitoring capabilities that log and flag installation attempts for unauthorized or sensitive applications, and ramp up user awareness via training and communication of application usage policies.

Auditing guidelines

Irrespective of cloud service delivery model, the CSP is responsible for defining, documenting, applying, and evaluating a list of approved services, applications, and sources of applications (stores) acceptable for use by endpoints when accessing or storing organization-managed data.

Implementation best practices include (but not limited to):

1. Centralized Configuration: For managed endpoints, universally enforce policies through one or more centralized configuration management tools.

2. Unmanaged Endpoints Risk Management: Risk assessment should be conducted to determine what (if any) information or systems may be accessed or stored using unmanaged endpoints.

3. Approved Stores Usage: Approved sources (stores) for obtaining applications of only trusted vendor applications should be maintained, such as official app stores or internal repositories (e.g., Linux, Windows, macOS, Android, and iOS).

4. Unauthorized Stores Usage Exception: The installation of applications from unauthorized sources should be prohibited, unless a business need exists after following the organizational exceptions approval process/cycle.

From CCM:
1. Determine if a list of approved services, applications and sources of applications (stores) acceptable for use by endpoints when accessing or storing organization-managed data have been identified and documented.
2. Determine if the identified and documented list of approved services, applications and sources of applications (stores) acceptable for use by endpoints when accessing or storing organization-managed data have been enforced.
3. Examine how endpoints are monitored for unauthorized services and the process to remove or terminate use of non-sanctioned resources.

Standards mappings

ISO 42001No Gap
ISO 42001 - A.4.3
ISO 42001 - A.4.4
ISO 42001 - A.9.4
ISO 27001 - A.5.9
ISO 27001 - A.5.10
ISO 27001 - A.8.1
Addendum

N/A

EU AI ActFull Gap
No Mapping
Addendum

Define, document, apply, and evaluate a list of approved services.

NIST AI 600-1Partial Gap
GV-1.4-001
GV-1.4-002
GV-3.2-003
Addendum

NIST AI 600-1 does not fully cover the UEM-02 topic that requires endpoints in policy making. The policies listed would only apply if an endpoint was an AI system and had an application that used GAI.

BSI AIC4No Gap
C4 SR-06
C5 AM-02
Addendum

N/A

AI-CAIQ questions (1)

UEM-02.1

Is there a defined, documented, applicable and evaluated list containing approved services, applications, and the sources of applications (stores) acceptable for use by endpoints when accessing or storing organization-managed data?