HECVAT Category
AI Large Language Model (LLM)
AI Large Language Model (LLM) covers controls and questions related to that domain. It outlines expectations institutions typically require from vendors. The category helps assess risk posture and operational maturity. It provides structure for consistent evaluation during security reviews.
Assessment Questions
Do you limit your solution's LLM privileges by default?
Least privilege for the model is the focus, specifically whether your solution's LLM is constrained by default to only the data, resources, and capabilities it needs.
Is your LLM training data vetted, validated, and verified before training the solution's AI model?
Training-data quality determines model trustworthiness, so reviewers want to know whether your LLM training data is vetted, validated, and verified before it shapes the model.
Do any actions taken by your solution's LLM features or plugins require human intervention?
Human oversight of AI is what this probes: whether actions taken by your solution's LLM features or plugins require human intervention before they proceed.
Do you limit multiple LLM model plugins being called as part of a single input?
At issue is whether you constrain how many LLM model plugins can be invoked from a single input, limiting the chaining of plugins within one request.
Do you limit your solution's LLM resource use per request, per step, and per action?
Resource governance for large language models is the focus: whether your solution caps LLM consumption at the per-request, per-step, and per-action levels.
Do you leverage LLM model tuning or other model validation mechanisms?
LLM reliability practices are in scope here, covering whether you apply model tuning or other validation mechanisms to improve the accuracy of large language models.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

