Healthcare is under attack, but there are proven ways to obtain cyber assurance and break the ongoing reactive cycle against evolving cyber threats. Learn directly from HITRUST and Clearwater the insights needed to measurably and materially reduce cyber breaches. We'll review the analysis from HITRUST's inaugural Trust Report and the obstacles to protecting patient care, healthcare businesses, and innovators by breaking down the compliance path and security objectives.
If you liked this webinar, you may also be interested in:
Jun 18, 2026
AI is Accelerating Threats. Assurance has to Keep Up.
Artificial intelligence is changing cybersecurity from both sides.
Organizations are using AI to improve productivity, automate workflows, accelerate development, and unlock new business opportunities. At the same time, threat actors are using AI to accelerate reconnaissance, identify vulnerabilities faster, refine social engineering attacks, and scale exploitation efforts.
The result is a threat landscape that’s evolving faster than ever.
For years, organizations could rely on security assessments and assurance activities that remained relevant for extended periods of time. Today, that assumption is hard to defend. As AI speeds up the pace of attacks, the discovery and exploitation of vulnerabilities, and breaches, assurance must evolve alongside the threats it is designed to address.
AI is changing the risk equation. Assurance has to keep up.
The pace of exploitation is increasing
Cybersecurity has always been a race between adversaries and defenders.
What has changed is the speed.
Threat actors are using AI to become more sophisticated, speed up attacks, and scale them against more targets at lower cost. Activities that once took days or weeks can increasingly be performed in hours.
AI is helping attackers:
- Identify vulnerabilities faster across larger attack surfaces
- Refine phishing and social engineering campaigns at scale
- Automate reconnaissance and information gathering
- Reduce the effort required to identify and exploit weaknesses (both people and systems)
This creates a challenge for organizations that rely on static views of security.
An assessment may accurately reflect an environment at a specific point in time, but if the threat landscape changes rapidly, organizations must also ask a different question:
Are the controls being evaluated still aligned with the threats that matter today?
That concept is becoming increasingly important in an AI-driven threat environment. Security teams need confidence that assurance remains relevant as adversaries evolve their tactics and techniques. As HITRUST has noted, AI can speed up vulnerability discovery, which means weaknesses may be found and exploited faster than organizations have historically experienced. Assurance must stay tied to current threat conditions, not simply reflect a past review.
Threat-adaptive assurance matters more in the age of AI
Many cybersecurity frameworks were built around periodic updates and relatively stable control environments.
Today's threat landscape is different.
New attack techniques emerge constantly. Existing techniques evolve. AI introduces new dependencies, new operational risks, and new opportunities for misuse and abuse. Organizations need assurance mechanisms that can respond to those realities.
This is why HITRUST continues to invest in its Cyber Threat Adaptive program.
Cyber Threat Adaptive uses threat intelligence, vulnerability research, and real-world attack data to help ensure assurance requirements remain aligned with how adversaries actually operate. Rather than relying solely on static control sets, HITRUST continuously evaluates emerging threats and incorporates those insights into the HITRUST CSF. Cyber Threat Adaptive is designed to keep assurance relevant as threats evolve, helping organizations demonstrate security practices that align with today's threat environment.
HITRUST has also expanded its threat analysis beyond MITRE ATT&CK to include MITRE ATLAS, MITRE's knowledge base of adversarial tactics and techniques targeting AI-enabled systems. Based on extensive analysis of threat intelligence and attack indicators, HITRUST uses these insights to help ensure AI Security Certification remains responsive to the evolving AI threat landscape.
In an AI-driven world, relevance matters.
A control can be operating exactly as designed and still no longer be sufficient for the risk it was intended to address. Continuous relevance asks whether controls remain effective against the threats organizations face now, not just the threats they faced when an assessment began.
AI systems require AI-specific assurance
The rise of AI is not only changing how attacks occur. It is also changing what organizations need to secure.
AI-enabled systems introduce considerations that extend beyond traditional software security.
Organizations must account for risks such as:
- Model and third-party AI dependencies
- Data exposure and sensitive information handling
- Access controls, permissions, and oversight responsibilities
- Integrations with business-critical systems
- Emerging attack techniques that target AI systems directly
These considerations create assurance requirements that differ from those for traditional software.
That is why AI security assurance cannot simply be treated as another checkbox within a broader security program.
Organizations need evidence that AI systems and the environments supporting them have been evaluated against AI-specific cybersecurity expectations.
HITRUST AI Security Certification was designed to help provide that evidence and assurance. Available as a standalone offering for deployed AI systems and AI-enabled technologies, it provides a structured path to validated AI cybersecurity assurance. Rather than relying solely on AI policies or high-level governance statements, organizations can demonstrate that AI systems have been assessed and validated against defined security requirements designed to address real-world threats.
This distinction is increasingly important as customers, partners, boards, and regulators seek stronger evidence that AI-enabled technologies are being deployed securely.
The future of AI trust depends on assurance
AI adoption will continue to accelerate.
The question is whether assurance can evolve at the same pace.
Organizations need more than confidence that controls were effective yesterday. They need confidence that assurance remains aligned with today's threats and tomorrow's risks.
That requires a threat-informed approach that continuously evaluates how adversaries operate, how technologies evolve, and how security expectations should adapt.
As AI reshapes the cybersecurity landscape, organizations will increasingly need assurance that is both validated and threat-relevant.
Because when AI accelerates exploitation, assurance cannot stand still.
Learn how HITRUST AI Security Certification helps organizations demonstrate validated, threat-informed assurance for deployed AI systems.
Contact us to learn how HITRUST AI Security Certification can help you demonstrate validated cybersecurity assurance for deployed AI systems.
Jun 16, 2026
How HITRUST Inheritance Helps Make TPRM Scalable
Organizations rely on third-party vendors for crucial functions. These vendors often gain internal access to sensitive data. As dependencies increase, the risk of cyber threats increases, too.
At the same time, third-party risk management (TPRM) teams are being asked to do more with less. Most approaches to TPRM lack a consistent, standardized risk reporting approach. TPRM teams have limited bandwidth and resources. TPRM teams can’t keep up with the high volume of vendor assessments. Vendors are overwhelmed with repetitive, proprietary questionnaires and audits.
Managing third-party risk requires standardized assessments, reliable assurances, remediation of gaps, and regular updates. Due to the many stakeholders involved, a technological, systematic approach is necessary for efficiency.
That is where HITRUST inheritance can help.
The HITRUST Shared Responsibility and Inheritance Program allows organizations to reuse inheritable controls from internal and external third-party organizations. Controls can be inherited from vendors, major cloud service providers (CSPs), and an organization’s existing HITRUST Validated or Certified Assessments.
For TPRM teams managing growing vendor ecosystems, that matters. Inheritance helps reduce redundant work, clarify control ownership, and make it easier to manage assurance across multiple vendors, platforms, and providers.
The scalability challenge in TPRM
Third-party vendors are not all the same. They differ in size, scope of work, risk profile, and cyber maturity. Some vendors are at a higher risk than others, and organizations need a risk-tiering strategy to meet appropriate security requirements.
But scale creates pressure.
Traditional TPRM processes often rely on manual reviews, questionnaires, inconsistent evidence, and extensive back-and-forth. These approaches can slow reviews, drive up costs, and leave organizations with little evidence that risk is actually being reduced.
HITRUST helps replace fragmented reviews with a standardized vendor process. Organizations can assess based on data sensitivity, access level, and business impact, then apply the right assessment so effort matches exposure.
That approach helps teams:
- Classify vendors by inherent risk.
- Get a rapid view of vendor posture.
- Standardize reporting for easier reviews.
- Reduce review volumes across vendors.
For organizations managing five vendors or five thousand vendors, scalability depends on repeatability. The more a TPRM program can rely on standardized, validated, and reusable assurance information, the easier it becomes to support growth without adding unnecessary complexity.
What HITRUST inheritance changes
Without inheritance, organizations may spend time re-evaluating controls that have already been assessed through another HITRUST assessment. With inheritance, organizations can reuse applicable, validated control information rather than starting from scratch each time.
In cloud environments, this can be especially useful. Because major CSPs hold HITRUST certifications, customers pursuing HITRUST certification can inherit applicable CSP security controls, making it easier and quicker to achieve security certification.
The Shared Responsibility and Inheritance Program is designed to bring clarity, transparency, time and cost savings, and efficient risk management to the assessment process. In some cases, organizations can inherit up to 85% of requirements in a HITRUST assessment from participating CSPs.
For TPRM, the value is practical: inheritance gives teams a way to build on existing validated work. Instead of creating duplicate evidence requests, teams can focus attention on the areas that still require review, validation, remediation, or monitoring.
Shared responsibility helps clarify control ownership
Inheritance works best when organizations understand which responsibilities belong to which party.
In a cloud or platform environment, some controls may be owned by the provider. Other controls may remain with the customer, vendor, or organization being assessed. Shared Responsibility Matrices help create that clarity.
The HITRUST Shared Responsibility and Inheritance Program provides Shared Responsibility Matrices for major CSPs and other prominent cloud data platforms. These matrices help organizations understand which controls may be inheritable and how control responsibilities are shared.
For TPRM teams, this helps reduce ambiguity. Instead of asking every vendor to answer the same questions in a proprietary format, organizations can use a more structured approach to understand:
- Which controls are already validated.
- Which controls may be inherited.
- Which controls remain the vendor’s responsibility.
- Which areas require additional evidence, remediation, or follow-up.
This helps TPRM teams focus resources where they matter most.
Inheritance helps reduce duplicate effort
Vendors are often asked to respond to repetitive questionnaires and audits. TPRM teams spend time coordinating responses, evaluating answers, and following up on incomplete information. That process can become difficult to sustain as the vendor ecosystem grows.
Inheritance helps reduce duplicate effort by allowing organizations to reuse validated control information where applicable. That supports a more efficient assessment process for both the organization and the vendor.
The result is not less rigor. It is a more consistent way to use assurance information that has already been validated through HITRUST.
This is especially important because effective risk mitigation begins with accurate measurement. HITRUST addresses the third-party risk challenge by providing a validated, standardized, and prescriptive assurance program designed to measure control effectiveness and maturity consistently across organizations.
RDS helps make assurance easier to share
Inheritance helps reduce redundant assessment work. The HITRUST Results Distribution System (RDS) helps make assurance results easier to distribute, access, and validate.
The HITRUST Results Distribution System is a centralized, API-enabled platform that automates the secure delivery, access, and validation of assessment results, improving third-party risk transparency and reducing manual effort. RDS replaces manual PDF and email workflows, accelerates third-party assurance timelines, and verifies authenticity with HITRUST-signed results.
For TPRM programs, RDS helps replace manual sharing and fragmented workflows with real-time, validated HITRUST results delivered to the teams who need them.
With RDS, organizations can:
- Get assurance data in real time.
- Eliminate spreadsheets, PDFs, and inbox bottlenecks.
- Equip teams with validated, structured compliance data.
- Streamline workflows and reduce duplicated effort.
- Deliver consistent, audit-ready HITRUST results across the ecosystem.
Scalable TPRM is not just about collecting assurance. It is also about getting assurance data to the right teams quickly and consistently.
HITRUST TPRM Services helps operationalize the process
Even with standardized assurance and reusable controls, many teams still need help managing vendor outreach, reviews, tracking, and follow-up.
HITRUST TPRM Services helps organizations simplify and scale third-party cyber risk management. As more enterprises recommend or require HITRUST certification from their vendors, HITRUST TPRM Services extends the power of HITRUST through ServiceNow integration and expert-led support.
HITRUST TPRM Services can help organizations:
- Accelerate vendor validation with automated workflows or hands-on support.
- Strengthen decisions with structured, verified assurance data.
- Improve efficiency by eliminating duplicate evidence requests and tracking tasks.
- Scale with their program by adapting to their team’s needs and preferred tools.
Organizations can choose automated integration with ServiceNow or expert-led support to streamline onboarding, reduce manual effort, and scale assurance with confidence. HITRUST TPRM Services can also help teams handle growing vendor volumes using automation through ServiceNow or expert-led services from HITRUST.
A more scalable model for third-party assurance
TPRM becomes harder when every vendor review starts from the beginning. It becomes more scalable when teams can rely on standardized assessments, validated assurance, reusable control information, and efficient results sharing.
HITRUST inheritance helps organizations reuse applicable controls from vendors, major CSPs, and existing HITRUST Assessments. RDS helps automate the secure delivery, access, and validation of assessment results. HITRUST TPRM Services helps organizations simplify and scale third-party cyber risk management through automation, managed services, and expert-led support.
Together, these capabilities help organizations reduce manual effort, improve visibility, and scale assurance across their vendor ecosystems.
Explore HITRUST inheritance to learn how your organization can reuse inheritable controls and make third-party assurance more scalable.
Jun 10, 2026
The Cyber Insurance Assumption Organizations Can't Afford to Make
Organizations today invest significant time and resources into managing third-party cyber risk. They assess vendors, review security questionnaires, evaluate controls, and increasingly require vendors to maintain cyber insurance coverage as a condition of doing business.
On the surface, these practices seem to create a strong foundation for risk management. If a vendor experiences a cyber incident, the assumption is that insurance will help absorb the financial impact and support recovery efforts.
But what if that assumption isn't entirely accurate?
A new paper created in collaboration with Trium Cyber explores a critical challenge in modern third-party risk management: whether traditional vendor cyber insurance provides the level of protection many organizations believe it does.
The Challenge with Traditional Risk Transfer
Cyber insurance has become an essential component of enterprise risk management. As cyber threats continue to grow in frequency and sophistication, organizations increasingly rely on insurance to help mitigate the financial consequences of cyber incidents.
At the same time, third-party ecosystems have become more interconnected than ever. Organizations depend on vendors for cloud infrastructure, software platforms, payment processing, data management, security services, and countless other business-critical functions.
This dependence creates a unique challenge. A single vendor incident can affect dozens, hundreds, or even thousands of downstream customers simultaneously.
While many organizations require vendors to maintain cyber insurance, the structure of traditional cyber insurance policies may not account for the realities of today's interconnected digital environment.
The Shared Limits Problem
When evaluating a vendor's cyber insurance coverage, organizations often focus on the limits shown on a certificate of insurance.
A vendor may demonstrate that it carries a cyber liability policy, satisfying contractual requirements and creating confidence that appropriate risk transfer mechanisms are in place.
However, those limits are rarely dedicated to a single customer.
Instead, they are typically shared across the vendor's entire customer base. In the event of a widespread cyber incident, multiple organizations may seek recovery from the same policy at the same time.
For isolated incidents, this structure may work as intended. But for large-scale ransomware attacks, supply chain compromises, or major service disruptions, the available limits can quickly become strained.
The result is that organizations may believe they are protected by a vendor's insurance coverage without fully understanding how that coverage would perform during a systemic event.
Why This Matters Now
The cyber insurance market has evolved dramatically over the past decade.
As cyber losses have increased, insurers have responded with more rigorous underwriting processes, expanded security requirements, and greater scrutiny of organizational cyber maturity. Coverage decisions and premiums are increasingly influenced by an organization's ability to demonstrate strong cybersecurity practices.
In other words, cyber insurance is no longer simply about transferring risk after an incident occurs. It is increasingly about understanding and validating risk before coverage is ever written.
This shift reflects a broader reality: effective risk transfer depends on reliable risk measurement.
Without trusted, objective information about an organization's cybersecurity posture, insurers, customers, and business partners are left making decisions with incomplete data.
Building a Stronger Foundation for Cyber Risk Transfer
Insurance remains a critical component of a comprehensive cyber risk management strategy. However, organizations should view insurance as one part of a broader approach rather than a standalone solution.
A stronger model begins with validated assurance.
Organizations that can demonstrate mature cybersecurity practices through independent assessment and verification provide stakeholders with greater confidence in their risk profile. This confidence benefits customers, business partners, regulators, and insurers alike.
Independent assurance helps create a common understanding of risk, reducing ambiguity and enabling more informed decisions throughout the cyber risk ecosystem.
Where HITRUST Fits
As insurers continue to place greater emphasis on cybersecurity maturity and objective risk evaluation, organizations need credible ways to demonstrate the effectiveness of their security programs.
HITRUST certification proves that an organization has implemented and maintained a comprehensive set of security controls aligned with recognized frameworks and industry requirements. Rather than relying solely on questionnaires or self-attestations, organizations can provide independently validated evidence of their cybersecurity posture.
Together, the challenges explored in The Missing Measure in Third-Party Information Risk and The Hidden Weakness in Third-Party Cyber Risk Transfer point to the same conclusion: Improving cyber resilience requires both better measurement and better mechanisms for transferring risk. Organizations that can demonstrate cybersecurity maturity through trusted, validated assurance are better positioned to strengthen both.
Read Part 1: The Missing Measure in Third-Party Information Risk
Explore why organizations struggle to consistently measure residual third-party risk and why a common risk language is essential for governance, decision-making, and risk transfer.
Read Part 2: The Hidden Weakness in Third-Party Cyber Risk Transfer
Learn how traditional vendor cyber insurance can create blind spots in third-party risk programs and why risk transfer mechanisms must evolve alongside today's interconnected digital ecosystem.