Change Control and Configuration Management
CSA AI Controls Matrix v1.1 domain
Govern changes to models, prompts, infrastructure, and security configuration.
What this domain means for procurement
Model and configuration changes can alter safety, privacy, and performance even when an API remains compatible. Buyers need versioning, validation, rollback, and notification practices.
How TrustAtlas dimensions support it
Security covers secure configuration and validation; transparency covers change disclosure; business stability captures release discipline and rollback capability.
SecurityTransparencyBusiness stability
This is an interpretive TrustAtlas cross-walk, not an official CSA mapping or evidence of AICM conformity.
Questions to ask vendors
Use these procurement prompts alongside the official CSA AICM v1.1 materials. They name the domain but do not invent or paraphrase control identifiers.
- Which model, prompt, safety-policy, and infrastructure changes require documented approval before production?
- Can customers pin versions, review release notes, and receive advance notice of material behavior changes?
- What evaluation gates and rollback criteria apply when a release worsens safety or reliability?
← Business Continuity Management and Operational Resilience
Cryptography, Encryption & Key Management →
Related
- Back to all 18 CSA AICM v1.1 domains
- Official CSA AICM v1.1 artifact
- NIST AI RMF cross-walk
- TrustAtlas methodology — how the nine risk dimensions are scored