CSA AI Controls Matrix v1.1 — cross-walk against TrustAtlas

A procurement-oriented mapping from the Cloud Security Alliance AI Controls Matrix v1.1 domains onto the nine risk dimensions TrustAtlas scores.

How to read this. CSA AICM v1.1 contains 247 control objectives across 18 security domains. TrustAtlas does not claim that this cross-walk is an official CSA mapping or a substitute for implementing or auditing the matrix. It names verified CSA domain names only and links each domain to vendor-side evidence and questions buyers can use.

The 18 AICM domains

Audit & Assurance

Independent evidence that AI controls are designed, operated, and reviewed.

Buyers need repeatable assurance evidence rather than a vendor assertion that controls exist. This domain frames audit scope, evidence, independence, findings, and remediation.

TrustAtlas dimensions that address this:
Regulatory complianceTransparency

Regulatory compliance captures attestations and assurance obligations; transparency captures whether the vendor shares scope, exceptions, and remediation evidence.

Read the Audit & Assurance detail page →

Application & Interface Security

Secure AI applications, APIs, agent interfaces, and input/output boundaries.

AI interfaces add prompt, tool-use, retrieval, and model-output attack surfaces to conventional application security. Buyers should understand how those boundaries are tested and constrained.

TrustAtlas dimensions that address this:
SecurityAgent governance

Security covers application testing and defensive controls; agent governance covers tool permissions, action boundaries, and human oversight for autonomous interfaces.

Read the Application & Interface Security detail page →

Business Continuity Management and Operational Resilience

Maintain AI service continuity and recover safely from disruption.

AI services depend on models, accelerators, data pipelines, and third parties. Continuity plans must cover loss or degradation of any of those dependencies without silently changing risk posture.

TrustAtlas dimensions that address this:
Business stabilityDependency chain

Business stability captures continuity capacity and recovery commitments; dependency chain captures upstream concentration and fallback risk.

Read the Business Continuity Management and Operational Resilience detail page →

Change Control and Configuration Management

Govern changes to models, prompts, infrastructure, and security configuration.

Model and configuration changes can alter safety, privacy, and performance even when an API remains compatible. Buyers need versioning, validation, rollback, and notification practices.

TrustAtlas dimensions that address this:
SecurityTransparencyBusiness stability

Security covers secure configuration and validation; transparency covers change disclosure; business stability captures release discipline and rollback capability.

Read the Change Control and Configuration Management detail page →

Cryptography, Encryption & Key Management

Protect AI data and assets with managed cryptographic controls.

Prompts, outputs, embeddings, fine-tuning data, model artifacts, and credentials all require appropriate encryption and key lifecycle controls.

TrustAtlas dimensions that address this:
Data handlingSecurity

Data handling covers protected data throughout its lifecycle; security covers key custody, access controls, rotation, and cryptographic implementation.

Read the Cryptography, Encryption & Key Management detail page →

Datacenter Security

Protect physical facilities and infrastructure supporting AI workloads.

Even cloud-delivered AI relies on physical facilities, hardware, media, and personnel controls. Buyers should establish who owns that layer and what assurance covers it.

TrustAtlas dimensions that address this:
SecurityDependency chain

Security captures facility and hardware safeguards; dependency chain captures reliance on cloud and colocation providers that operate those controls.

Read the Datacenter Security detail page →

Data Security and Privacy Lifecycle Management

Govern data collection, use, retention, disclosure, and deletion across the AI lifecycle.

AI data flows can span training, retrieval, inference, telemetry, review, and improvement. Procurement must establish purpose, boundaries, rights, location, and deletion at every stage.

TrustAtlas dimensions that address this:
Data handlingJurisdictionRegulatory complianceIP exposure

Data handling is the direct lifecycle measure; jurisdiction and regulatory compliance cover location and legal obligations; IP exposure covers ownership and reuse boundaries.

Read the Data Security and Privacy Lifecycle Management detail page →

Governance, Risk and Compliance

Assign accountability and manage AI risk and compliance as an ongoing program.

A dependable vendor can identify accountable owners, applicable obligations, risk appetite, exceptions, and evidence that governance decisions reach product operations.

TrustAtlas dimensions that address this:
Regulatory complianceJurisdictionTransparencyAgent governance

Compliance and jurisdiction capture obligations; transparency captures disclosed governance; agent governance captures accountability for autonomous behavior and human control.

Read the Governance, Risk and Compliance detail page →

Human Resources

Ensure personnel are screened, trained, accountable, and offboarded appropriately.

People who build, operate, review, or support AI systems can introduce or mitigate risk. Role-specific training and privileged-access lifecycle controls are procurement-relevant evidence.

TrustAtlas dimensions that address this:
SecurityAgent governance

Security covers workforce access and insider-risk safeguards; agent governance covers competence and accountability for people supervising autonomous systems.

Read the Human Resources detail page →

Identity & Access Management

Control human and machine identities that access AI systems and tools.

AI platforms introduce service accounts, API keys, agents, tools, and delegated identities. Buyers need least privilege, strong authentication, lifecycle controls, and attributable actions.

TrustAtlas dimensions that address this:
SecurityAgent governance

Security covers authentication and authorization; agent governance covers non-human identity, delegated authority, and traceable autonomous actions.

Read the Identity & Access Management detail page →

Interoperability & Portability

Enable controlled movement of data and workloads while limiting lock-in risk.

Buyers should be able to export relevant data and transition away from a model or platform without losing governance evidence or accepting unreasonable operational risk.

TrustAtlas dimensions that address this:
Dependency chainBusiness stabilityIP exposure

Dependency chain measures lock-in and substitutes; business stability covers continuity through transition; IP exposure covers rights to export and reuse customer-created assets.

Read the Interoperability & Portability detail page →

Infrastructure Security

Harden compute, network, virtualization, and orchestration supporting AI services.

AI workloads depend on specialized compute and shared cloud infrastructure. Isolation, hardening, network control, and vulnerability management protect both models and customer data.

TrustAtlas dimensions that address this:
SecurityDependency chain

Security captures technical safeguards and isolation; dependency chain captures responsibility shared with infrastructure providers.

Read the Infrastructure Security detail page →

Logging and Monitoring

Record and detect security, safety, operational, and agent behavior events.

AI-specific monitoring should connect system activity, model behavior, tool use, safety events, and human interventions while respecting data-minimization requirements.

TrustAtlas dimensions that address this:
SecurityTransparencyAgent governance

Security covers detection and audit telemetry; transparency covers customer-visible evidence; agent governance covers behavioral monitoring and intervention records.

Read the Logging and Monitoring detail page →

Model Security

Protect model integrity, access, behavior, artifacts, and inference surfaces.

Model-specific threats include poisoning, manipulation, theft, unauthorized access, prompt injection, and insecure inference. Vendor evidence should cover the full model lifecycle.

TrustAtlas dimensions that address this:
SecurityIP exposureTransparencyAgent governance

Security captures model defenses; IP exposure captures weights, training, and output rights; transparency captures evaluations; agent governance covers models acting through tools and delegated authority.

Read the Model Security detail page →

Security Incident Management, E-Discovery, & Cloud Forensics

Prepare for, investigate, contain, and disclose AI-related security incidents.

AI incidents may involve sensitive prompts, model behavior, agent actions, or shared providers. Buyers need notification commitments and evidence preservation suitable for investigation and legal obligations.

TrustAtlas dimensions that address this:
SecurityRegulatory complianceData handlingJurisdiction

Security covers response and forensics; compliance and jurisdiction govern notification and evidence duties; data handling covers preservation without uncontrolled exposure.

Read the Security Incident Management, E-Discovery, & Cloud Forensics detail page →

Supply Chain Management, Transparency, and Accountability

Identify and govern upstream AI, data, software, and cloud dependencies.

Foundation models, datasets, components, tools, and infrastructure providers can change risk without a buyer changing products. Procurement needs current dependency disclosure and flow-down accountability.

TrustAtlas dimensions that address this:
Dependency chainTransparencyBusiness stabilityIP exposure

Dependency chain is the direct measure; transparency covers disclosure; business stability covers concentration and substitutes; IP exposure covers rights and provenance across suppliers.

Read the Supply Chain Management, Transparency, and Accountability detail page →

Threat & Vulnerability Management

Identify, prioritize, remediate, and disclose threats and vulnerabilities.

AI systems combine conventional vulnerabilities with model, prompt, data, and agent threats. A mature program covers both and adapts as new attack techniques emerge.

TrustAtlas dimensions that address this:
SecurityTransparency

Security captures testing and remediation; transparency captures disclosure channels, timelines, and evidence of closure.

Read the Threat & Vulnerability Management detail page →

Universal Endpoint Management

Secure endpoints that develop, administer, or consume AI services.

Developer devices, administrator workstations, managed endpoints, and edge clients can expose credentials and customer data or become an entry path to AI systems.

TrustAtlas dimensions that address this:
SecurityData handling

Security covers endpoint posture and access; data handling covers local storage, caching, and movement of prompts and sensitive outputs.

Read the Universal Endpoint Management detail page →

Primary source and related frameworks