Artificial Intelligence (AI) continues to reshape industries across every sector. In the recent webinar, The SOCial Hour – Certifying AI With HITRUST®, professionals from HITRUST, Armilla AI, and the consulting space discussed how organizations can proactively manage AI-related risk with HITRUST, why AI governance is urgent, and actionable strategies for securing AI deployments. Their insights remain relevant as AI evolves and reinforce the importance of governance and risk awareness in any AI deployment.
This article highlights key themes from the session, including the HITRUST framework, the MyCSF tool, and strategies for supporting AI certification efforts.
HITRUST & the MyCSF Tool
HITRUST, originally founded to address healthcare security needs, has evolved into an industry-agnostic framework that integrates multiple standards (HIPAA, ISO, and NIST, among others) into a unified, prescriptive control set. The MyCSF tool is HITRUST’s platform for managing assessments, scoping, and control selection. It organizes over 2,000 controls into 19 domains and tailors the set of applicable controls to an organization’s size, risk profile, and AI usage.
There are three levels of HITRUST Assessments:
- e1 (Essentials): 44 foundational controls for any organization
- i1 (Intermediate): 182 controls focused on implementation
- r2 (Risk-based): More than 250 controls tailored through scoping
The MyCSF tool also supports AI-specific Assessments, adding up to 44 controls for AI Security and 51 for AI Risk Management. The AI Security Assessment can be layered onto any of the three core assessments, allowing organizations to certify their AI usage in a scalable way. Because the framework is broad, organizations should first determine which HITRUST Assessment level fits their operation; that choice informs strategic and risk mitigation planning as well as future AI deployments.
Why AI Governance Matters
Despite the speed of adoption, AI governance is lacking across industries. Risks include data leakage, model bias, hallucinations, and legal liability. HITRUST’s approach helps organizations proactively manage these risks by translating emerging threats and regulations into actionable controls.
AI governance starts with the foundational elements of policies, procedures, and employee training. Organizations must define acceptable AI use, secure the sensitive data that AI systems ingest and produce, and retain human oversight of AI-assisted decisions.
Moreover, organizations need to be aware of “shadow AI,” in which employees use public tools (such as ChatGPT or Sora) without proper safeguards. Proprietary or client data pasted into such tools leaves the organization’s control and can cause serious harm to the organization and its clients.
Litigation trends also shape the AI governance picture. Armilla AI’s research identified over 200 active AI-related lawsuits, spanning sectors from real estate to publishing. These cases often involve unauthorized data use, copyright infringement, and model errors, underscoring the need for structured governance and compliance.
Organizations may find it helpful to develop or update their AI governance policy to define acceptable use, data boundaries, and oversight. To reduce exposure, they can also incorporate AI security awareness training into onboarding and annual compliance programs so that all employees are informed and up to date. Finally, companies can monitor evolving regulations and litigation trends to stay ahead of compliance risk.
Utilizing HITRUST to Certify AI
HITRUST’s AI certification process is designed to be both rigorous and adaptable. Organizations begin with a readiness phase to define scope and identify applicable controls. The MyCSF tool uses rule-based logic to determine which AI controls apply based on the use case, for example whether the system is generative or rule-based and whether it handles confidential data.
The AI Security Assessment helps AI platforms and service providers confidently adopt and secure AI technologies by offering clear, actionable security controls and a practical methodology tailored to real-world needs; it is the certifiable component that layers onto an e1, i1, or r2 assessment. The HITRUST AI Risk Management Assessment, by contrast, is an independent, non-certifiable evaluation based on 51 practical AI risk management controls. Aligned with ISO/IEC 23894 and the NIST AI Risk Management Framework, it provides a unified control specification that enables organizations to assess and report their AI risk posture in terms consistent with both standards.
From an insurance perspective, HITRUST certification can help improve insurability by demonstrating credible governance and risk management. Underwriters increasingly look for evidence of AI Assessments and controls, making HITRUST a strategic asset for organizations deploying AI.
How Forvis Mazars Can Help
HITRUST provides a scalable framework for organizations to gauge AI risk through its MyCSF tool. Greater AI capability brings greater potential for risk, and AI governance is no longer optional for companies deploying AI or using it in their internal operations. Certifying AI with HITRUST supports trust and insurability, and the available assessments can help organizations keep pace with emerging threats.
Our SOC & HITRUST Solutions team members are available to assist you in refining processes, enhancing controls, maintaining regulatory excellence, and responding to third-party assurance requests. In addition, Forvis Mazars offers various HITRUST services, such as risk assessments, to help meet your organization’s needs. For more in-depth insights, watch our HITRUST webinar on demand. If you have any questions or need assistance, please reach out to a professional at Forvis Mazars.