HECVAT Category
AI Large Language Model (LLM)
The AI Large Language Model (LLM) category covers the HECVAT controls and questions that apply when a vendor's solution embeds or exposes a large language model. It sets out what institutions typically expect from such vendors: least-privilege access for the model, vetted training data, human oversight of consequential actions, and limits on plugin use and resource consumption. Reviewers use it to gauge the vendor's risk posture and operational maturity, and it gives both sides a consistent structure for the security review.
Assessment Questions
Do you limit your solution's LLM privileges by default?
This question is asking whether your LLM solution follows the principle of least privilege by default, meaning the model and any tools or plugins it can invoke have access only to the minimum data, systems, and capabilities needed for their intended function, with anything beyond that granted explicitly rather than assumed. The concern is that a model which can be steered by untrusted input (prompt injection, malicious documents) inherits every permission it holds.
Is your LLM training data vetted, validated, and verified before training the solution's AI model?
This question is asking whether your organization has a robust process for ensuring the quality, accuracy, and appropriateness of the data used to train your Large Language Model (LLM) before it's incorporated into the training dataset.
Do any actions taken by your solution's LLM features or plugins require human intervention?
This question is asking whether your LLM-based solution requires human approval or verification before it carries out certain actions, particularly those with security or business impact such as sending messages, changing records, or executing code. The expectation is that a model can propose such an action but not complete it on its own.
Do you limit multiple LLM model plugins being called as part of a single input?
This question is asking whether your organization restricts the number of different LLM plugins that can be chained together within a single user input or request. Unbounded plugin chaining widens the blast radius of a single manipulated prompt, since one input can then reach every integration the model is connected to.
Do you limit your solution's LLM resource use per request, per step, and per action?
This question is asking whether your LLM solution implements resource usage limits at each operational level: per request (how many model or tool calls one request may trigger), per step (how much input a single step may consume), and per action (how much output or compute a single tool invocation may return or use). Without such caps a single prompt can drive unbounded cost or a denial of service.
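The four controls above (least-privilege tool access, human approval for sensitive actions, a cap on how many plugins one input may chain, and per-request, per-step and per-action resource limits) are usually enforced in the same place: the loop that takes tool calls proposed by the model and decides whether to run them. The following is an added example of such a guard, written for this page; it is not ResponseHub's or HECVAT's code, and the tool names, limit values, the canned list of model-proposed calls, and the `approve` callback are all constructed assumptions standing in for a live LLM and a real approval workflow.

```python
"""Guardrails for an LLM tool-calling loop (added example, not vendor code).

The "model" here is a constructed list of proposed tool calls rather than a
live LLM; tool names, limit values and the approval callback are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Tool:
    name: str
    run: Callable[[str], str]
    sensitive: bool = False        # True: a human must approve before it runs
    max_output_chars: int = 2000   # per-action cap on what flows back to the model


@dataclass(frozen=True)
class Limits:
    max_steps_per_request: int = 5           # per request: proposed calls considered at all
    max_distinct_plugins_per_input: int = 2  # per input: distinct plugins that may be chained
    max_input_chars_per_step: int = 500      # per step: argument size handed to a tool


@dataclass(frozen=True)
class ToolCall:
    tool: str
    arg: str


@dataclass
class Trace:
    executed: List[Tuple[str, str]] = field(default_factory=list)  # (tool, output)
    denied: List[str] = field(default_factory=list)
    awaiting_approval: List[str] = field(default_factory=list)


def run_agent(
    calls: List[ToolCall],
    registry: Dict[str, Tool],
    allowlist: FrozenSet[str],
    limits: Limits,
    approve: Optional[Callable[[ToolCall], bool]] = None,
) -> Trace:
    """Execute model-proposed tool calls under least privilege and resource limits.

    - allowlist is deny-by-default: a tool the model names but this deployment
      was not granted is refused even though it exists in the registry.
    - every proposed call counts as a step, so a model that keeps asking for
      forbidden tools burns its own budget instead of looping forever.
    - sensitive tools run only if the approve callback (a human) says yes.
    """
    trace = Trace()
    used: set = set()
    for step, call in enumerate(calls):
        if step >= limits.max_steps_per_request:
            trace.denied.append(f"{call.tool}: step budget exhausted")
            break
        tool = registry.get(call.tool)
        if tool is None or call.tool not in allowlist:
            trace.denied.append(f"{call.tool}: not granted to this deployment")
            continue
        if call.tool not in used and len(used) >= limits.max_distinct_plugins_per_input:
            trace.denied.append(f"{call.tool}: plugin fan-out limit reached")
            continue
        if len(call.arg) > limits.max_input_chars_per_step:
            trace.denied.append(f"{call.tool}: argument exceeds per-step limit")
            continue
        used.add(call.tool)
        if tool.sensitive and not (approve and approve(call)):
            trace.awaiting_approval.append(call.tool)  # proposed, not executed
            continue
        output = tool.run(call.arg)[: tool.max_output_chars]  # per-action cap
        trace.executed.append((call.tool, output))
    return trace


# Constructed registry: two read-only tools and two side-effecting ones.
def demo_registry() -> Dict[str, Tool]:
    return {
        "search": Tool("search", lambda q: f"results for {q!r}: " + "lorem " * 50,
                       max_output_chars=40),
        "calc": Tool("calc", lambda e: str(sum(int(x) for x in e.split("+")))),
        "send_email": Tool("send_email", lambda a: f"sent to {a}", sensitive=True),
        "delete_records": Tool("delete_records", lambda a: f"deleted {a}", sensitive=True),
    }


# Least privilege: this deployment was never granted delete_records.
ALLOWLIST = frozenset({"search", "send_email", "calc"})
LIMITS = Limits(max_steps_per_request=5, max_distinct_plugins_per_input=2,
                max_input_chars_per_step=20)

# Constructed stand-in for what an LLM might propose for one user input.
PROPOSED_CALLS = [
    ToolCall("search", "hecvat llm"),          # allowed, output truncated to 40 chars
    ToolCall("delete_records", "*"),           # exists, but not granted: denied
    ToolCall("send_email", "ciso@example.edu"),  # sensitive: needs human approval
    ToolCall("calc", "1+1"),                   # third distinct plugin: denied
    ToolCall("search", "x" * 30),              # argument too large for one step
    ToolCall("search", "again"),               # sixth call: step budget exhausted
]


def demo(approve: Optional[Callable[[ToolCall], bool]] = None) -> Trace:
    return run_agent(PROPOSED_CALLS, demo_registry(), ALLOWLIST, LIMITS, approve)


if __name__ == "__main__":
    for label, trace in (("no approver", demo()), ("approver says yes", demo(lambda c: True))):
        print(label, "executed:", [t for t, _ in trace.executed],
              "awaiting:", trace.awaiting_approval, "denied:", trace.denied)
```

In a real deployment the allowlist comes from the tenant or role configuration rather than a constant, `approve` blocks on a ticket or chat confirmation instead of returning immediately, and the limit values are tuned per product; the structure, a deny-by-default check before any call and a hard budget that even refused calls consume, is what a reviewer asking these questions wants to see.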
Do you leverage LLM model tuning or other model validation mechanisms?
This question is asking whether your organization uses model tuning (for example fine-tuning on curated, domain-specific data) or other validation mechanisms (such as evaluation against held-out test sets, adversarial testing, or ongoing monitoring of outputs) to improve and verify the accuracy and reliability of the Large Language Model (LLM) your solution relies on.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses: three at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.