Identity & Access Management
CSA AI Controls Matrix v1.1 domain
Control human and machine identities that access AI systems and tools.
What this domain means for procurement
AI platforms introduce service accounts, API keys, agents, tools, and delegated identities. Buyers need least privilege, strong authentication, lifecycle controls, and attributable actions.
How TrustAtlas dimensions support it
Security covers authentication and authorization; agent governance covers non-human identity, delegated authority, and traceable autonomous actions.
SecurityAgent governance
This is an interpretive TrustAtlas cross-walk, not an official CSA mapping or evidence of AICM conformity.
Questions to ask vendors
Use these procurement prompts alongside the official CSA AICM v1.1 materials. They name the domain but do not invent or paraphrase control identifiers.
- Do you support SSO, MFA, SCIM, granular roles, and separation of administrative duties?
- How are API keys, service accounts, agents, and delegated tool credentials created, scoped, rotated, and revoked?
- Can every agent action be attributed to a requesting identity, policy decision, and credential scope?
Related
- Back to all 18 CSA AICM v1.1 domains
- Official CSA AICM v1.1 artifact
- NIST AI RMF cross-walk
- TrustAtlas methodology — how the nine risk dimensions are scored