
HITRUST Releases Groundbreaking AI Assurance Program

HITRUST, the information risk management, standards, and certification body, recently announced the release of the industry’s first program designed to provide organizations with a secure and sustainable strategy for implementing trustworthy AI.

As AI technologies continue to evolve, the industry sees a mounting necessity to ensure trustworthy and responsible AI use. The newest program fills this gap by providing organizations with a comprehensive framework to navigate the complexities of growing AI adoption, while maintaining compliance with evolving regulatory frameworks.

The program prioritizes risk management, AI-specific assurances, shared responsibilities, and inheritance as a foundation in the newly updated version 11.2 of the HITRUST Common Security Framework (CSF).

In partnership with industry leaders, HITRUST has identified and delivered practical and scalable assurance for AI risk and security management through these key initiatives:

1. Prioritizing AI Risk Management as a Foundational Consideration using the HITRUST CSF

HITRUST has incorporated AI-specific controls into the HITRUST CSF v11.2, providing a valuable foundation for AI system providers and users to leverage to identify risks and negative outcomes in their AI systems. HITRUST will continue to make updates to the CSF to manage AI adoption risks.

At the core of the HITRUST AI Assurance Program lies a robust risk management strategy. By incorporating AI-specific controls into their existing risk management processes, organizations can proactively identify and address AI-related risks. Through risk assessments, mitigation measures, and continuous monitoring, businesses can navigate the dynamic AI landscape and build a solid foundation for the secure and ethical use of AI technologies.

2. Providing Reliable Assurances around AI Risks and Risk Management through HITRUST

In 2024, HITRUST assurance reports will include AI risk management for organizations to reliably address AI risks. Organizations and service providers implementing AI systems and models will understand the associated risks and demonstrate their adherence to AI risk management principles.

In addition, AI risk management certifications will be supported with the HITRUST Essentials (e1), HITRUST Leading Practices (i1), and HITRUST Expanded Practices (r2) reports. These

HITRUST Insight Reports will also be available for organizations wishing to demonstrate the quality of their AI Risk Management initiatives to customers and other stakeholders.

3. Embracing Inheritance in Support of Shared Responsibility for AI

HITRUST’s Shared Responsibility Model helps providers and customers define AI risk distribution and shared responsibilities. HITRUST leverages its inheritance and shared responsibility model expertise from cloud computing to enhance AI governance and facilitate collaboration between AI service providers and their customers in managing AI risks and responsibilities.

These parties must demonstrate several key considerations including training data quality, safeguards against data poisoning, bias mitigation, model user responsibilities, and distinctions between proprietary and externally sourced large language models.

4. Leading Industry Collaboration

HITRUST plans to use its experience in control frameworks, assurance, and shared responsibility in partnership with Microsoft, Databricks, and other stakeholders to drive AI risk management and security solutions.

The HITRUST AI Assurance Program release came at a time when new AI regulations and laws are gaining more traction. The European Parliament implemented the Artificial Intelligence Act, which creates a regulatory framework for AI systems, emphasizing transparency, accountability, and human oversight.

Similarly, in the U.S., the recent White House Executive Order on AI focuses on improving the safety, security, and accountability of AI systems to protect the privacy of Americans.

The latest legislative actions emphasize the need for transparency, accountability, and human oversight in AI adoption. HITRUST’s program aligns seamlessly with these initiatives, providing organizations with a practical framework to meet regulatory requirements while embracing the transformative power of AI.

As organizations increasingly incorporate AI into their operations, the importance of trust, compliance, and responsible AI practices becomes pivotal. HITRUST’s pioneering AI Assurance Program revolutionizes the way businesses approach AI adoption, paving the way for secure, ethical, and compliant AI implementation.

A-LIGN can help organizations identify threats related to their AI technology implementation and adoption. With our team’s expertise in HITRUST CSF, we can help evaluate AI risk and recommend controls to implement to protect your customers’ data and maintain compliance with growing AI regulations. Contact our team today to get started.
