First-of-its-kind assessment for AI risk management and governance

FRISCO, Texas, August 20, 2024

HITRUST, the leader in information security, risk, and compliance assurance, today announced the launch of its AI Risk Management (AI RM) Assessment, the industry’s first comprehensive assessment approach for Artificial Intelligence (AI) risk management processes in an organization. The HITRUST AI Risk Management Assessment ensures that governance associated with implementing AI solutions is in place and can be effectively communicated by companies to management teams, boards of directors, and others.

The HITRUST approach is based on AI risk management expectations and outcomes through a clearly understandable approach to guide AI adopters and their leaders in their risk management efforts that also aligns with standards issued by both NIST and ISO/IEC. The HITRUST AI RM Assessment is fully supported by a complete assessment approach, SaaS platform, and ecosystem that AI-adopting companies can use to demonstrate that AI risk management outcomes are met. The offering provides an essential toolkit for benchmarking and reporting on the AI risk management efforts for any organization using or deploying AI-based technologies such as ML and LLMs and addresses an essential step for organizations seeking to validate and communicate a comprehensive approach and leadership in addressing AI Risk Management. 

“Standards for AI risk management are evolving rapidly, and it is crucial for companies to address these principles with a thoughtful and comprehensive approach. Governance of this important and powerful capability is vital to unlocking the potential that AI offers, and risk management is critical to implementing AI responsibly,” said Robert Booker, Chief Strategy Officer at HITRUST. HITRUST has applied over 15 years of practical experience and a best-in-class assurance methodology to AI risk management. The result is an approach that organizations can use to demonstrate that they have established appropriate governance structures and meet essential risk management principles. 

The HITRUST AI Risk Management Assessment is the second in a series of AI assurance solutions designed to address AI risk management and security. This comprehensive approach helps companies meet their governance responsibilities at any stage of AI deployment and is strongly recommended as a key starting point. Additionally, HITRUST will release its AI Security Certification Program in Q4 2024, which will include AI-specific control specifications incorporated in the HITRUST CSF and enhancements to the company's assurance methodologies, systems, and ecosystem. The AI security certification will deliver a highly trusted security assurance solution for AI-specific systems. Together, these two offerings are designed to complement each other, with AI RM serving as the ideal starting point, followed by AI security certification for specific AI deployments. 

All adopters of AI, including early adopters, need to demonstrate that they have effectively considered and managed the risks associated with AI. Until now, to address this critical need, governance and risk management teams have had to consider standards and references from numerous sources such as ISO/IEC and NIST to understand the risk management principles needed for AI governance and then consider how to address and confirm those requirements.  

Understanding AI risk management expectations and associated control requirements is foundational to implementing and documenting numerous risk management outcomes. The management lifecycle of these efforts is complex, as companies also often develop multiple and different approaches to socialize the risk management requirements across their organizations; to assemble information from different risk management teams; and to provide meaningful reports that identify the completion and maturity of those requirements. The HITRUST AI Risk Management Assessment leverages the proven HITRUST assessment platform and reporting capabilities to support clear understanding of the risk management requirements and outcomes and generate reports for internal or external teams to demonstrate the requirements are met. 

“The total effort to address risk management at scale can take weeks or months of labor just to design and maintain an assessment approach, socialize that approach, and prepare for the assessment work itself,” said Bimal Sheth, EVP Standards Development & Assurance Operations at HITRUST. “Even then, there can be questions about completeness and quality and the work can be exhausting where the organization wishes to align to multiple industry standards.” 

As an accelerator for AI risk management, HITRUST has created an approach consisting of 51 comprehensive control requirements and a mapping to both NIST and ISO/IEC to illustrate coverage to the different standards and to address the recommendations of both. HITRUST has bundled the AI risk management control requirements with a 1-year subscription to MyCSF, HITRUST’s powerful assessment SaaS platform tool, and a report credit for a HITRUST AI Risk Management Insights Report describing the state of AI Risk Management aligned with the language and recommendations of both standards. The HITRUST approach and solution provides an effective, efficient, and no-compromise solution to AI risk management requirements.  

“HITRUST has leveraged its years of experience in information risk, security, and compliance assurances to tackle AI risk management, providing a reliable foundation for organizations at any stage of their AI journey. We believe this should be the essential starting point for any organization engaging with AI and have designed it to be comprehensive and cost-effective for every organization,” added Jeremy Huval, Chief Innovation Officer at HITRUST. “The AI RM solution can be used as a self-assessment and benchmarking tool, or companies can engage one of over 100 HITRUST external assessor firms to validate and verify implementation. Finally, existing HITRUST customers can access the capability with a simple report credit to their existing subscriptions to MyCSF.” 

The HITRUST AI Risk Management Assessment and Insights Report are available immediately. For more information about the HITRUST AI Assurance Program and to access the latest resources, visit HITRUST AI Hub or contact sales@hitrustalliance.net.