HECVAT Category
AI Policy
AI Policy covers controls and questions related to that domain. It outlines expectations institutions typically require from vendors. The category helps assess risk posture and operational maturity. It provides structure for consistent evaluation during security reviews.
Assessment Questions
Are your AI developer's policies, processes, procedures, and practices across the organization related to the mapping, measuring, and managing of AI risks conspicuously posted, unambiguous, and implemented effectively?
AI governance maturity is under review here: whether your policies and procedures for mapping, measuring, and managing AI risks are clearly posted, unambiguous, and effectively implemented across the organization. It specifically focuses on three key aspects: mapping (identifying), measuring (assessing), and managing (mitigating) AI risks.
Have you identified and measured AI risks?
AI risk governance is the focus here, asking whether you have formally identified the risks tied to your AI systems and put methods in place to measure them.
In the event of an incident, can your solution's AI features be disabled in a timely manner?
Incident containment for AI is the concern: whether your solution's AI features can be switched off quickly when a security incident strikes. In the context of security, an 'incident' could be a data breach, a model behaving unexpectedly (producing harmful outputs), or the discovery of a vulnerability in the AI system.
If disabled because of an incident, can your solution's AI features be re-enabled in a timely manner?
Recoverability of AI functionality is what reviewers want to confirm, specifically whether features disabled during an incident can be brought back online promptly. In the context of security compliance, this relates to business continuity and incident response capabilities.
Do you have documented technical and procedural processes to address potential negative impacts of AI as described by the AI Risk Management Framework (RMF)?
AI risk governance is the focus here: whether you maintain documented technical and procedural processes to address the potential negative impacts of AI, as outlined in the AI Risk Management Framework. The NIST AI Risk Management Framework (RMF) is a voluntary framework published by the National Institute of Standards and Technology that provides guidance on managing risks in the design, development, use, and evaluation of AI systems.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

