HECVAT Category

AI Data Security

AI Data Security covers controls and questions related to that domain. It outlines expectations institutions typically require from vendors. The category helps assess risk posture and operational maturity. It provides structure for consistent evaluation during security reviews.

Assessment Questions

AISC-01

If sensitive data is introduced to your solution's AI model, can the data be removed from the AI model by request?

Data removability is the concern: it asks whether sensitive data introduced to your AI model can later be taken back out on request. This is important because:

AISC-02

Is user input data used to influence your solution's AI model?

At issue is data flow into your models: whether user input is used to train, fine-tune, or otherwise shape your solution's AI. In the context of security, this is important because if user data (which may contain sensitive or proprietary information) is used to improve or modify AI models, there are significant security and privacy implications.

AISC-03

Do you provide logging for your solution's AI feature(s) that includes user, date, and action taken?

Auditability of AI usage is what's being probed: whether your solution logs AI feature activity capturing the user, the date, and the action taken.

AISC-04

Please describe how you validate user inputs.

Input validation is the subject here: describe how your AI system checks and sanitizes user-supplied input before it is processed. Input validation is a critical security control that helps prevent various attacks like injection attacks, cross-site scripting, buffer overflows, and other vulnerabilities that could be exploited when processing untrusted data.

AISC-05

Do you plan for and mitigate supply-chain risk related to your AI features?

AI supply-chain risk is the subject: the question asks how you plan for and mitigate risks arising from the components, data sources, and dependencies behind your AI features.

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Signature
Neil Cameron
Founder, ResponseHub
Neil Cameron