HECVAT Category
AI Machine Learning
AI Machine Learning covers controls and questions related to that domain. It outlines expectations institutions typically require from vendors. The category helps assess risk posture and operational maturity. It provides structure for consistent evaluation during security reviews.
Assessment Questions
Do you separate ML training data from your ML solution data?
Data separation in machine learning is the focus, specifically whether you keep ML training data isolated from the data your ML solution handles in production.
Do you authenticate and verify your ML model's feedback?
Model integrity is the concern: reviewers want to know whether you authenticate and verify the feedback used to train, update, or improve your machine learning models.
Is your ML training data vetted, validated, and verified before training the solution's AI model?
Training-data integrity is what's under scrutiny, meaning whether ML training data is vetted, validated, and verified before it ever feeds your AI model.
Is your ML training data monitored and audited?
Training-data oversight is the focus: reviewers want processes that monitor and audit the data feeding your machine learning models.
Have you limited access to your ML training data to only staff with an explicit business need?
Access control over training data is what's being assessed, specifically whether you restrict your ML training data to staff who have an explicit business need to use it.
Have you implemented adversarial training or other model defense mechanisms to protect your ML-related features?
Model security is the focus here, namely whether you have adopted adversarial training or other defense mechanisms to protect your ML-related features.
Do you make your ML model transparent through documentation and log inputs and outputs?
Model transparency is what's being assessed: whether you document how your ML models work and log their inputs and outputs.
Do you watermark your ML training data?
Training data provenance is the angle here, namely whether you apply watermarks to the data used to train your machine learning models.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

