Why HITRUST, Why Now
Myrna Soto, Chief Trust Officer, HITRUST
Over the course of my career, I have had the privilege of serving in executive leadership roles across some of the world’s most complex and highly regulated organizations, while also spending more than a decade serving in governance, advisory, and board leadership roles across public and private companies. Those experiences have reinforced a belief I have carried throughout my professional journey: trust is ultimately the foundation of every successful business relationship.
- Trust between companies and their customers.
- Trust between boards and management teams.
- Trust between technology innovation and responsible risk management.
Today, that foundation is being tested in entirely new ways.
Organizations are navigating an environment where cyber threats continue to evolve, AI adoption is accelerating rapidly, regulatory scrutiny is increasing, and digital ecosystems are becoming more interconnected than ever before. In this environment, security alone is no longer enough.
Companies must be able to demonstrate trust. They must show resilience. They must provide transparency and accountability at scale. And they must create confidence among customers, partners, boards, regulators, and other stakeholders.
For more than a decade, I have spent significant time in boardrooms, advisory roles, and governance discussions focused on helping organizations navigate increasingly complex technology, cybersecurity, and risk landscapes.
That perspective has strengthened my belief that one of the greatest challenges facing organizations today is not simply managing cyber risk—it is establishing and maintaining trust.
- Trust has become the currency that underpins digital business.
- Boards are demanding greater transparency.
- Customers expect stronger accountability.
- Regulators are increasing scrutiny.
- And executives are balancing innovation, AI adoption, operational resilience, and growth—all at once.
Increasingly, cybersecurity is no longer viewed solely as a technical issue. It is a governance issue. A business resilience issue. And, perhaps most importantly, a trust issue.
As organizations adopt AI-enabled operations, autonomous agents, machine-driven decision-making, and increasingly interconnected third-party ecosystems, the opportunities are extraordinary. Yet these advancements also demand a more mature approach to assurance, accountability, and risk oversight.
In the middle of this transformation sits a critical question:
How do organizations create measurable confidence in a world that is becoming more interconnected, automated, and risk-intensive by the day?
That question is one of the primary reasons I chose to join HITRUST as Chief Trust Officer.
This decision was not about returning to a traditional operating role. Rather, it represents a continuation of the work I have been most passionate about in recent years—helping organizations navigate complex risk environments, strengthen stakeholder trust, and align cybersecurity, governance, and assurance strategies with broader business objectives.
The opportunity to do so at HITRUST, at such an important moment for our industry, was particularly compelling.
HITRUST occupies a unique position in the market. For years, the organization has helped enterprises create greater consistency, assurance, and confidence in how cybersecurity and risk management practices are assessed and validated. As digital ecosystems continue to expand and organizations become increasingly dependent on interconnected partners, suppliers, platforms, and technologies, the importance of scalable trust models will only continue to grow.
Resilience and trust are increasingly inseparable. Organizations earn stakeholder confidence not simply by preventing adverse events, but by demonstrating the ability to anticipate risk, adapt to change, and recover from disruption. One of the reasons HITRUST’s model is so valuable is that it helps organizations move beyond point-in-time compliance activities toward more mature, measurable, and repeatable approaches to risk management and assurance. The result is not only stronger security outcomes, but greater operational resilience and confidence across the enterprise.
What makes this moment particularly exciting is that HITRUST is entering an important new chapter in its evolution.
The organization has earned significant trust and credibility through years of leadership in healthcare and other highly regulated environments. The framework, assurance model, and ecosystem built under the vision of its founder established a strong foundation for organizations seeking greater confidence in their cybersecurity and risk management programs.
Today, however, the opportunity is even larger.
Organizations across virtually every industry are confronting many of the same challenges: accelerating digital transformation, increasing regulatory expectations, expanding third-party risk, rapid AI adoption, and growing demands for demonstrable trust and resilience. The need for consistent, scalable assurance is no longer confined to any single sector.
As with any enduring organization, new leadership creates an opportunity to honor the foundation that has been built while reimagining what is possible for the future.
Under new leadership and a clear strategic vision, HITRUST is building upon its legacy while expanding its reach and relevance across industries. This is not a departure from what made the organization successful; it is an evolution of that success. The principles that established HITRUST as a trusted leader remain firmly intact, while the company’s focus, capabilities, market presence, and industry impact continue to broaden to meet the needs of a rapidly changing world.
I believe the next chapter for HITRUST will be defined not only by the trust it helps organizations validate, but by the role it plays in shaping how trust is measured, operationalized, and sustained across the global digital economy.
I believe we are entering a new phase in the evolution of cybersecurity and governance.
The rise of AI-enabled operations, autonomous systems, machine-driven decision-making, and increasingly sophisticated threat environments is fundamentally changing how organizations must think about resilience, accountability, and trust. Security can no longer operate as a siloed technical function. It must become deeply integrated into business strategy, enterprise governance, operational execution, and stakeholder confidence.
The organizations that will lead in this next era will not simply be those that innovate the fastest. They will be the ones that can innovate responsibly, govern effectively, and demonstrate to stakeholders that trust is embedded in the way they operate.
That is where I believe HITRUST has an important role to play—and where I believe I can add value.
My focus as Chief Trust Officer will center on engaging with executive leaders, boards of directors, customers, regulators, and industry stakeholders around the future of trust, cyber resilience, governance, and assurance. I look forward to helping organizations think more strategically about how they build, measure, and sustain trust while continuing to enable innovation and growth.
Equally important, I remain deeply committed to my governance and advisory work. Today’s most effective leaders increasingly operate across multiple dimensions—governance, strategic advisory, operational leadership, ecosystem influence, and industry collaboration. I view these experiences as highly complementary and believe the ability to bridge strategy, governance, technology, and risk across multiple environments has become increasingly important in today’s leadership landscape.
Throughout my career, I have been motivated by opportunities to help organizations navigate moments of meaningful transformation. The convergence of cybersecurity, AI, trust, and governance represents one of the most important leadership conversations of our time.
I am excited to work alongside the HITRUST team as we help shape that future. Most importantly, I am excited to contribute to advancing the broader industry dialogue around trust—because trust is no longer simply a security objective.
It is a core business imperative, a measure of organizational resilience, and an increasingly defining competitive advantage.
Myrna Soto
Request for Comment
Overview
HITRUST is issuing this request for comment to gather feedback on a proposed set of updates to select certification requirements in response to the rapidly evolving vulnerability identification and exploitation landscape made possible through frontier AI models. As the time between vulnerability disclosure, weaponization, and active exploitation continues to compress, HITRUST may clarify and strengthen certain HITRUST CSF requirements to better reflect current operational realities and risk expectations. These updates are also intended to help organizations address the “Defend” and “Thwart” focus areas reflected in the NIST Cyber AI Profile.
The proposed updates affect five requirements applicable to the e1 assessment type, fifteen requirements applicable to the i1 and r2 assessment types, and seven requirements applicable to only r2 assessment types. These changes span the following domains: Endpoint Protection, Configuration Management, Vulnerability Management, Audit Logging & Monitoring, Third Party Assurance, Incident Management, and Risk Management.
Request for Feedback
Through this request for comment, HITRUST invites assessors, MyCSF subscribers, and companies with TPRM programs participating in the HITRUST certification program to review the proposed changes and provide input directly in Manula on their clarity, feasibility, and potential implementation impact. Feedback is particularly encouraged on whether the revised requirements appropriately address the increased speed and complexity of modern vulnerability exploitation while remaining practical and auditable across varying organizational environments.
Input from the community of assessors, MyCSF subscribers, and companies with TPRM programs will help ensure the updated requirements improve the effectiveness of the certification program and support a consistent, risk-informed approach to assurance. Please be sure to provide all feedback before 7/1/2026.
What Should You Require from AI Vendors?
Why AI-enabled vendors need AI-specific cybersecurity assurance
AI is quickly becoming part of the enterprise vendor ecosystem.
Organizations are using AI-enabled tools for customer support, clinical workflows, document processing, analytics, fraud detection, productivity, security operations, software development, automation, and decision support. In many cases, AI is no longer a standalone technology. It is embedded inside the products and services organizations already rely on.
That creates a new third-party risk challenge.
When a vendor uses AI, the relying organization may inherit risks that are not always visible in traditional vendor review processes. Sensitive data may flow through AI-enabled systems. AI tools may influence business-critical decisions. Models may interact with users, applications, workflows, and external systems. AI agents may be granted access to information, tools, or actions that expand the risk surface.
For relying parties, this raises a practical question:
What should we require from vendors that develop, deploy, or materially rely on AI?
The answer should go beyond a policy, a questionnaire, or a general security report. Customers need AI-specific cybersecurity assurance.
General assurance may not answer AI-specific questions
Traditional assurance reports can provide useful information about a vendor’s broader control environment. But AI introduces risks that may not be explicitly addressed unless they are specifically defined, assessed, and validated.
A vendor may have a general cybersecurity program. It may have an AI policy. It may even have a broad security report. But that does not necessarily mean its deployed AI systems have been evaluated against AI-specific security and governance expectations.
Relying parties increasingly need answers to questions such as:
- Does the vendor use AI in products, services, workflows, or decision-making that affect our data or operations?
- What sensitive data can the AI system access, process, generate, or expose?
- How are AI models, prompts, outputs, integrations, and supporting systems governed?
- How are AI-specific threats such as prompt injection, data leakage, model misuse, unsafe outputs, or unauthorized tool use addressed?
- How is access to AI systems controlled and monitored?
- How are AI-enabled vendors validating that their controls are operating effectively?
These questions are not theoretical. They are becoming central to how organizations evaluate vendor trust.
AI vendor risk is still vendor risk
AI can make vendor relationships more complex, but it does not change the basic responsibility of third-party risk management.
Organizations still need to understand what risk they inherit from vendors. They still need assurance that vendor controls are appropriate to the risk. They still need evidence that those controls have been validated. And they still need a way to apply consistent requirements across vendor populations.
What changes with AI is the type of assurance needed.
When AI systems touch sensitive data, critical workflows, customer-facing services, regulated processes, or business operations, relying parties should not have to infer whether AI risks were addressed inside a broad report. They should be able to ask for evidence that the AI system itself has been evaluated.
That is where AI-specific certification becomes important.
Why HITRUST AI Security Certification matters
HITRUST AI Security Certification is now available as a standalone offering for deployed AI systems and AI-enabled technologies.
That matters because organizations now have a more direct way to demonstrate or require AI-specific cybersecurity assurance. Vendors developing or deploying AI can pursue a focused certification for AI systems. Relying parties can point to a clearer assurance expectation for vendors whose AI solutions may introduce meaningful risk.
This is especially important because AI risk often sits at the intersection of cybersecurity, governance, data protection, model behavior, software security, cloud infrastructure, and third-party dependency. A general statement of AI responsibility may not be enough. A broad security attestation may not provide enough specificity. A questionnaire may not provide enough validation.
HITRUST AI Security Certification helps move the conversation from “Do you use AI responsibly?” to “Can you demonstrate validated assurance over the security of your deployed AI system?”
That is a stronger question. It is also a more useful one.
When should relying parties require AI-specific certification?
Not every use of AI carries the same risk. A low-risk internal productivity tool may not require the same assurance as an AI-enabled platform that processes sensitive customer data or supports business-critical decisions.
But relying parties should consider requiring AI-specific certification when a vendor’s AI system:
- Processes, stores, transmits, analyzes, or generates sensitive data
- Supports regulated, clinical, financial, security, legal, or business-critical workflows
- Is embedded in a product or service delivered to customers
- Uses AI agents or automation that can access systems, data, or tools
- Influences decisions that affect customers, patients, members, employees, or business operations
- Relies on third-party models, platforms, or infrastructure that may affect risk
- Provides AI-enabled functionality that materially changes the vendor’s risk profile
In these cases, general assurance may not be enough to support confident vendor reliance.
A practical requirement for AI vendors
Customer organizations can begin by adding clearer AI assurance language to vendor requirements, procurement processes, and third-party risk policies.
A practical requirement could look like this: For vendors that develop, deploy, or materially rely on AI systems that process sensitive data, support critical workflows, or deliver customer-facing functionality, HITRUST AI Security Certification is preferred or required as evidence of AI-specific cybersecurity assurance.
This kind of language gives organizations a stronger and more consistent way to evaluate AI-enabled vendors. It also gives vendors a clear path to demonstrate that they are taking AI security seriously.
The goal is not to slow AI adoption. The goal is to make AI adoption more trustworthy.
What customer organizations should ask now
As AI becomes more deeply embedded across vendor ecosystems, relying parties should revisit their vendor review processes and ask:
- Do we know which vendors are using AI in ways that affect our data, workflows, or customers?
- Do our current vendor requirements distinguish between general cybersecurity assurance and AI-specific assurance?
- Are we relying on broad reports that may not explicitly address AI risk?
- Do our procurement, security, compliance, and risk teams have a consistent standard for AI-enabled vendors?
- Have we defined when AI-specific certification should be required?
These questions can help organizations move from ad hoc AI vendor review to a more scalable assurance model.
AI trust needs evidence
AI adoption will continue to accelerate. Vendors will continue embedding AI into products, platforms, services, and workflows. Relying parties will continue inheriting risk from technologies they may not fully control.
That means trust cannot depend on claims alone.
For AI-enabled vendors, validated AI cybersecurity assurance can help demonstrate that deployed AI systems are being secured and governed with the seriousness customers expect.
For customers relying on those vendors, AI-specific certification can help reduce ambiguity, improve consistency, and strengthen confidence in vendor decisions.
AI is changing what organizations build, buy, and rely on.
It should also change what organizations require.
Learn how HITRUST AI Security Certification can help your organization evaluate, require, or demonstrate validated cybersecurity assurance for deployed AI systems.