Audit & Assurance

CSA AI Controls Matrix v1.1 domain

Independent evidence that AI controls are designed, operated, and reviewed.

What this domain means for procurement

Buyers need repeatable assurance evidence rather than a vendor assertion that controls exist. This domain frames audit scope, evidence, independence, findings, and remediation.

How TrustAtlas dimensions support it

Regulatory compliance captures attestations and assurance obligations; transparency captures whether the vendor shares scope, exceptions, and remediation evidence.

Regulatory complianceTransparency

This is an interpretive TrustAtlas cross-walk, not an official CSA mapping or evidence of AICM conformity.

Questions to ask vendors

Use these procurement prompts alongside the official CSA AICM v1.1 materials. They name the domain but do not invent or paraphrase control identifiers.

  1. Which independent AI, cloud, or security assessments cover the service in scope, and when were they completed?
  2. Will you provide the assessment scope, material exceptions, and remediation status under NDA?
  3. How often are AI-specific controls reassessed after model, architecture, or supplier changes?
Application & Interface Security →

Related