HECVAT Category

AI Data Security

The AI Data Security category groups the controls and questions for this domain. It outlines the expectations institutions typically have of vendors, helps assess risk posture and operational maturity, and gives security reviews a consistent structure for evaluation.

Assessment Questions

AISC-01

If sensitive data is introduced to your solution's AI model, can the data be removed from the AI model by request?

This question is asking whether your AI solution has the capability to remove specific sensitive data from its training or operational models if requested to do so. This is important because:

AISC-02

Is user input data used to influence your solution's AI model?

This question is asking whether your AI solution incorporates user input data to train, fine-tune, or otherwise influence its AI models. In the context of security, this is important because if user data (which may contain sensitive or proprietary information) is used to improve or modify AI models, there are significant security and privacy implications.

AISC-03

Do you provide logging for your solution's AI feature(s) that includes user, date, and action taken?

This question is asking whether your AI solution maintains detailed logs of user activities, specifically capturing who used the AI features (user identification), when they used them (date/timestamp), and what specific actions they performed (action taken).

AISC-04

Please describe how you validate user inputs.

This question is asking about how your AI system validates and sanitizes inputs from users before processing them. Input validation is a critical security control that helps prevent various attacks like injection attacks, cross-site scripting, buffer overflows, and other vulnerabilities that could be exploited when processing untrusted data.

AISC-05

Do you plan for and mitigate supply-chain risk related to your AI features?

This question is asking about how your organization identifies and manages risks in the AI supply chain - the components, data sources, and dependencies that make up your AI systems.

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub