Addresses Market Need to Comprehensively Secure AI Deployments and to Demonstrate Security to Customers and Stakeholders
FRISCO, Texas, November 19, 2024
HITRUST, a leader in information security assurance for risk and compliance management, today announced the general availability of the HITRUST AI Security Assessment with Certification for AI platforms and deployed systems. This offering, developed in collaboration with leading AI industry vendors and their adopters, leverages HITRUST's trusted assurance approach paired with a relevant and prescriptive set of controls to secure AI technologies and tackle the unique risks and threats AI systems face.
Responding to Industry's Need for Trustworthy AI Security
AI is transforming industries while introducing significant security risks that existing frameworks fail to adequately address. As organizations struggle to understand their AI system risks and security requirements, their customers, business leaders, risk managers, and regulators are seeking assurances that these systems and the sensitive information they contain are secure and trustworthy. Existing Information security standards and assurance programs do not adapt well to AI-specific risks and threats, while emergent AI frameworks and standards are lacking the prescriptiveness and assurance required for third parties to rely upon.
In response, HITRUST has delivered the HITRUST AI Security Assessment with Certification, ensuring that organizations can secure their AI systems comprehensively and demonstrate risk management, security and trustworthiness with confidence.
About the HITRUST AI Security Assessment with Certification
The HITRUST AI Security Assessment with Certification addresses the unique risks of AI systems by establishing a comprehensive control requirement targeting AI-specific security risks and threats. Paired with HITRUST’s proven, rigorous assurance process, it ensures control implementation to sufficient strength and maturity to effectively mitigate risk, the resultant HITRUST certification provides AI platforms and deployers with a highly trusted means to communicate their security posture to customers, users, and other stakeholders.
“Unlike other AI assurance programs that lack sufficient specificity for mitigating cybersecurity and information risk, the HITRUST program is dedicated to addressing these needs in AI platforms and deployed systems,” said Robert Booker, HITRUST Chief Strategy Officer. “Through a HITRUST AI certification, organizations can confidently demonstrate their security posture to stakeholders, establishing trust and credibility as they adopt and deploy AI technologies.”
The AI controls were designed and developed by the HITRUST Standards Development, Innovation, and Research Teams in consultation with multiple AI industry working groups. These groups consist of leading providers of cloud and AI platforms, tool and security solution providers, enterprises, and industry visionaries. The development process leveraged threat research and analysis, integrating the HITRUST CSF security framework with the HITRUST Cyber Threat Adaptive (patent pending) controls evaluation engine, the HITRUST Standards Development Engine, and an open RFC process for industry input and feedback. The result is the industry's first certifiable, comprehensive, prescriptive, and practical control specification. It is aligned with and supportive of the AI security elements in ISO, NIST, and OWASP standards and publications, as well as the 2023 Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence and the Department of Homeland Security’s Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure released in November 2024.
In addition, HITRUST delivers the industry’s most reliable assurances through a rigorous assessment and certification methodology. This includes Specific Definitions for Measurement, Testing, and Validation, Third-Party External Assessment, and Centralized HITRUST Review, Quality Checks, Scoring, Reporting, and Certification award.
HITRUST's certification process ensures that the right controls are implemented with sufficient strength, maturity, and completeness to mitigate risks effectively, providing organizations with either a 1-year or 2-year certification period, depending on the assessment selected.
Collectively, HITRUST has assembled all the necessary components to make strong, trusted AI security practical and efficient today. This includes the company’s assessment SaaS platform, MyCSF, to manage and automate the assessment and certification process, and an electronic result distribution (RDS) to efficiently and accurately share results with relying parties. Additionally, the HITRUST AI Assessments leverages Inherited Security Controls, allowing validated controls from AI providers to be seamlessly relied upon, reducing the effort, cost, and time during the assessment process.
Who This Is For
The HITRUST AI Security Assessment and Certification is specifically designed for the creators and providers of AI systems and platforms, as well as for those building and deploying applications that utilize these AI subsystems.
The key stakeholders who should choose this solution include:
Supporting Quotes
"We are pleased to see the launch of HITRUST's AI Security Certification," said David Houlding, Director of Global Healthcare Security & Compliance Strategy at Microsoft. "HITRUST's ability to support shared responsibility and enable the inheritance of validated security controls is critical for simplifying and accelerating the process of securing complex AI deployments. This program sets an important benchmark for practical, trustworthy AI security and risk management."
"The HITRUST AI Assurance Working Group has brought together some of the brightest minds in AI and cybersecurity to develop this assessment," said Teresa Godfroy, AI Assurance Working Group Member and Founder, CEO of Silverthorn, LLC. "The process was rigorous and deeply collaborative, ensuring that we landed on a control specification that is both highly original and practical. It is rooted in the reality of today's AI risks without being disconnected from established security standards—truly hitting the mark for what organizations need right now."
"Embold Health must both protect its AI offerings and prove their security to our customers. The combination of HITRUST's prescriptive controls, their proven assurance methodology, and the customer trust that comes with certification make it the clear choice," said Stephen Dufour, Chief Security & Privacy Officer, Embold Health.
“Leading an ISO 42001 certified company and helping others achieve the same, I see the HITRUST AI security certification as a key complement to the ISO standard for AI governance. It, along with emerging regulatory requirements like the European Union AI Act, requires artificial intelligence systems to be secure and robust. The HITRUST AI security certification gives organizations a clear roadmap to achieve both,” said Walter Haydock, CEO of StackAware.
“Coalfire recognizes the market's need for certifications like HITRUST AI and ISO 42001, which deliver a third-party review and high assurance level for secure, responsible AI implementation. HITRUST AI and ISO/IEC 42001:2023 provide distinct but complementary frameworks for AI compliance, especially in sensitive data environments. ISO 42001 focuses on general guidelines and governance for AI systems, emphasizing transparency, accountability, and risk management for AI across industries. HITRUST offers a more specific, prescriptive risk management framework designed to be industry agnostic, while integrating other regulations (such as HIPAA, NIST, GDPR, etc.) to ensure comprehensive security and compliance. Together, an ISO/IEC 42001:2023 standard helps organizations align AI practices with ethical and transparent guidelines with the use of controls, while HITRUST would support stringent protection and regulatory alignment in data environments within its requirements, creating a robust compliance strategy that balances AI innovation with security and privacy. Both certifications fill critical unique paths around AI compliance that organizations can benefit from,” said Coalfire’s Vice President of Global Assurance, Booker Young.
Why HITRUST?
HITRUST has been a pioneer in cybersecurity assurance for over 17 years. Our proven methodologies, built around a harmonized framework of over 50 authoritative sources—including NIST, and ISO—have established HITRUST as the most trusted name in information security. With a centralized review process, third-party independent testing, and gold-standard certifications, HITRUST is the only organization that provides the level of reliability, consistency, and thoroughness required to secure AI systems today.
This year, for the first time, HITRUST released the company's inaugural and annual Trust Report. In this report, we revealed key insights about our assurance program, including the fact that our Cyber Threat Adaptive engine and processes cover 100% of the addressable TTPs in the MITRE ATT&CK framework. Even more notably, we reported that over the past two years, only 0.64% of HITRUST-certified systems experienced breaches. This remarkable figure not only demonstrates the effectiveness of our assurance program but also reflects our ability to measure, analyze, and improve through our centralized processes. As a result, HITRUST represents a measurable benchmark for security programs, their efforts, and return on investment (ROI).
Availability and Next Steps
The HITRUST AI Security Assessment and Certification is available for purchase today and complements the HITRUST AI Risk Management Assessment released earlier this year.
Current HITRUST customers can add this certification to their existing assessments and certifications, while new customers can also take advantage of this offering. Early adopter promotions are available for both current and new customers.
For more information about the AI Security Assessment and Certification, visit our website.
For access to updates about HITRUST’s work in AI, stay up to date with our AI Hub.
For a private briefing and demonstration please contact Marketing@HITRUSTAlliance.net.
To find an independent HITRUST AI assessor firm, visit the Find an Assessor tool on our website.
HITRUST Academy courses are being updated for AI and are available for sale now, with classes starting in January 2025. Contact Academy@hitrustalliance.net to learn more.