CSA AI Controls Matrix v1.1 — cross-walk against TrustAtlas
A procurement-oriented mapping from the Cloud Security Alliance AI Controls Matrix v1.1 domains onto the nine risk dimensions TrustAtlas scores.
The 18 AICM domains
Audit & Assurance
Independent evidence that AI controls are designed, operated, and reviewed.
Buyers need repeatable assurance evidence rather than a vendor assertion that controls exist. This domain frames audit scope, evidence, independence, findings, and remediation.
Regulatory compliance captures attestations and assurance obligations; transparency captures whether the vendor shares scope, exceptions, and remediation evidence.
Application & Interface Security
Secure AI applications, APIs, agent interfaces, and input/output boundaries.
AI interfaces add prompt, tool-use, retrieval, and model-output attack surfaces to conventional application security. Buyers should understand how those boundaries are tested and constrained.
Security covers application testing and defensive controls; agent governance covers tool permissions, action boundaries, and human oversight for autonomous interfaces.
Business Continuity Management and Operational Resilience
Maintain AI service continuity and recover safely from disruption.
AI services depend on models, accelerators, data pipelines, and third parties. Continuity plans must cover loss or degradation of any of those dependencies without silently changing risk posture.
Business stability captures continuity capacity and recovery commitments; dependency chain captures upstream concentration and fallback risk.
Read the Business Continuity Management and Operational Resilience detail page →
Change Control and Configuration Management
Govern changes to models, prompts, infrastructure, and security configuration.
Model and configuration changes can alter safety, privacy, and performance even when an API remains compatible. Buyers need versioning, validation, rollback, and notification practices.
Security covers secure configuration and validation; transparency covers change disclosure; business stability captures release discipline and rollback capability.
Read the Change Control and Configuration Management detail page →
Cryptography, Encryption & Key Management
Protect AI data and assets with managed cryptographic controls.
Prompts, outputs, embeddings, fine-tuning data, model artifacts, and credentials all require appropriate encryption and key lifecycle controls.
Data handling covers protected data throughout its lifecycle; security covers key custody, access controls, rotation, and cryptographic implementation.
Read the Cryptography, Encryption & Key Management detail page →
Datacenter Security
Protect physical facilities and infrastructure supporting AI workloads.
Even cloud-delivered AI relies on physical facilities, hardware, media, and personnel controls. Buyers should establish who owns that layer and what assurance covers it.
Security captures facility and hardware safeguards; dependency chain captures reliance on cloud and colocation providers that operate those controls.
Data Security and Privacy Lifecycle Management
Govern data collection, use, retention, disclosure, and deletion across the AI lifecycle.
AI data flows can span training, retrieval, inference, telemetry, review, and improvement. Procurement must establish purpose, boundaries, rights, location, and deletion at every stage.
Data handling is the direct lifecycle measure; jurisdiction and regulatory compliance cover location and legal obligations; IP exposure covers ownership and reuse boundaries.
Read the Data Security and Privacy Lifecycle Management detail page →
Governance, Risk and Compliance
Assign accountability and manage AI risk and compliance as an ongoing program.
A dependable vendor can identify accountable owners, applicable obligations, risk appetite, exceptions, and evidence that governance decisions reach product operations.
Compliance and jurisdiction capture obligations; transparency captures disclosed governance; agent governance captures accountability for autonomous behavior and human control.
Human Resources
Ensure personnel are screened, trained, accountable, and offboarded appropriately.
People who build, operate, review, or support AI systems can introduce or mitigate risk. Role-specific training and privileged-access lifecycle controls are procurement-relevant evidence.
Security covers workforce access and insider-risk safeguards; agent governance covers competence and accountability for people supervising autonomous systems.
Identity & Access Management
Control human and machine identities that access AI systems and tools.
AI platforms introduce service accounts, API keys, agents, tools, and delegated identities. Buyers need least privilege, strong authentication, lifecycle controls, and attributable actions.
Security covers authentication and authorization; agent governance covers non-human identity, delegated authority, and traceable autonomous actions.
Interoperability & Portability
Enable controlled movement of data and workloads while limiting lock-in risk.
Buyers should be able to export relevant data and transition away from a model or platform without losing governance evidence or accepting unreasonable operational risk.
Dependency chain measures lock-in and substitutes; business stability covers continuity through transition; IP exposure covers rights to export and reuse customer-created assets.
Infrastructure Security
Harden compute, network, virtualization, and orchestration supporting AI services.
AI workloads depend on specialized compute and shared cloud infrastructure. Isolation, hardening, network control, and vulnerability management protect both models and customer data.
Security captures technical safeguards and isolation; dependency chain captures responsibility shared with infrastructure providers.
Logging and Monitoring
Record and detect security, safety, operational, and agent behavior events.
AI-specific monitoring should connect system activity, model behavior, tool use, safety events, and human interventions while respecting data-minimization requirements.
Security covers detection and audit telemetry; transparency covers customer-visible evidence; agent governance covers behavioral monitoring and intervention records.
Model Security
Protect model integrity, access, behavior, artifacts, and inference surfaces.
Model-specific threats include poisoning, manipulation, theft, unauthorized access, prompt injection, and insecure inference. Vendor evidence should cover the full model lifecycle.
Security captures model defenses; IP exposure captures weights, training, and output rights; transparency captures evaluations; agent governance covers models acting through tools and delegated authority.
Security Incident Management, E-Discovery, & Cloud Forensics
Prepare for, investigate, contain, and disclose AI-related security incidents.
AI incidents may involve sensitive prompts, model behavior, agent actions, or shared providers. Buyers need notification commitments and evidence preservation suitable for investigation and legal obligations.
Security covers response and forensics; compliance and jurisdiction govern notification and evidence duties; data handling covers preservation without uncontrolled exposure.
Read the Security Incident Management, E-Discovery, & Cloud Forensics detail page →
Supply Chain Management, Transparency, and Accountability
Identify and govern upstream AI, data, software, and cloud dependencies.
Foundation models, datasets, components, tools, and infrastructure providers can change risk without a buyer changing products. Procurement needs current dependency disclosure and flow-down accountability.
Dependency chain is the direct measure; transparency covers disclosure; business stability covers concentration and substitutes; IP exposure covers rights and provenance across suppliers.
Read the Supply Chain Management, Transparency, and Accountability detail page →
Threat & Vulnerability Management
Identify, prioritize, remediate, and disclose threats and vulnerabilities.
AI systems combine conventional vulnerabilities with model, prompt, data, and agent threats. A mature program covers both and adapts as new attack techniques emerge.
Security captures testing and remediation; transparency captures disclosure channels, timelines, and evidence of closure.
Universal Endpoint Management
Secure endpoints that develop, administer, or consume AI services.
Developer devices, administrator workstations, managed endpoints, and edge clients can expose credentials and customer data or become an entry path to AI systems.
Security covers endpoint posture and access; data handling covers local storage, caching, and movement of prompts and sensitive outputs.
Primary source and related frameworks
- CSA AI Controls Matrix v1.1 artifact — released June 22, 2026
- NIST AI RMF cross-walk — risk-management functions and vendor evidence
- OWASP LLM Top 10 cross-walk — application and model threat vocabulary
- TrustAtlas methodology — how the nine dimensions are scored