Subodh KCSubodh KC/systems
let's talk →
AI Security & Governance

How to Secure and Govern AI:
NIST, ISO and SOC 2

AI laws, NIST AI RMF, ISO/IEC 42001, SOC 2, security testing, and continuous evidence work together — not as alternatives. Learn the seven layers of AI compliance, risk management, security, and assurance.

Synopsis

No single law, framework, audit, or certification proves that an AI system is secure and compliant. Organizations need a layered approach that connects legal obligations, AI governance, cybersecurity, impact assessment, technical testing, independent assurance, and continuous evidence. This article explains how NIST AI RMF, ISO/IEC 42001, SOC 2, OWASP GenAI, MITRE ATLAS, and applicable AI laws fit together — and how to build a defensible chain from requirement to evidence.

Business leadersAI developers and deployersSecurity teamsCompliance officersProcurement teamsHealthcare organizationsAI SaaS providersSmall businesses using AI

A business leader asks a reasonable question:

"How do we make sure our AI is secure and compliant?"

The tempting answer is: "Follow NIST, obtain SOC 2, and comply with applicable AI laws." That answer is directionally helpful but incomplete.

  • A company may have a SOC 2 report and still operate a chatbot vulnerable to prompt injection.
  • It may align with NIST AI RMF and still violate a healthcare disclosure requirement.
  • It may receive ISO/IEC 42001 certification and still have an individual model produce inaccurate or discriminatory outcomes.
  • It may pass a technical penetration test while lacking clear ownership, legal review, or incident-response procedures.
To secure and govern AI, identify the obligations that apply, establish accountable governance, assess the system's impact, protect its data and infrastructure, implement AI-specific controls, validate those controls, and continuously retain evidence that they still work.

No single badge completes that process.

The Direct Answer

  1. Identify applicable laws and contractual obligations.
  2. Assign ownership and establish an AI governance process.
  3. Assess the system's potential impact and blast radius.
  4. Protect the data, identities, infrastructure, and vendors around it.
  5. Implement controls for AI-specific risks — prompt injection, RAG poisoning, excessive agency, hallucination.
  6. Test the implemented system and obtain independent assurance where justified.
  7. Monitor changes, incidents, and evidence throughout the system's lifecycle.

NIST AI RMF can help organize AI risk management. ISO/IEC 42001 can formalize an organizational AI management system. SOC 2 can provide independent assurance over relevant controls at a service organization. None of them independently proves that every AI system is legal, accurate, secure, or safe.

Why AI Security and Compliance Are Commonly Confused

Law

Establishes legally enforceable obligations, restrictions, rights, disclosures, or penalties.

Examples: Texas TRAIGA, EU AI Act, privacy laws, biometric laws, employment discrimination laws, healthcare regulations, consumer-protection law.

Framework

Provides a structure for organizing risk-management activities.

NIST AI RMF organizes AI risk management around: Govern, Map, Measure, Manage. Voluntary and adaptable.

Standard

Defines requirements through a formal standards process.

ISO/IEC 42001 specifies requirements for an AI Management System.

Certification

Written assurance from an independent certification body.

ISO develops standards but does not certify. External certification bodies perform certification.

Attestation

SOC 2 is an independent CPA examination and report.

Not an ISO certification and should not be described as one.

Technical Validation

Tests whether the AI system behaves as expected and resists realistic failures.

Prompt-injection testing, RAG-poisoning testing, access-control testing, hallucination evaluation, bias testing, agent-permission testing.

Evidence

Proves that a control, test, approval, or review actually occurred.

A policy is not the same as evidence that the policy is operating.

The Seven Layers of AI Compliance

The AI Secure & Govern Assurance Stack organizes AI governance into seven connected layers. Each layer answers a different question.

1

Legal and contractual applicability

What are we required to do?

2

Governance and accountable ownership

Who owns the system and its risks?

3

AI risk and impact assessment

What could happen if it fails or is misused?

4

Cybersecurity, privacy, and data controls

Are the data, identities, and infrastructure protected?

5

AI-specific application and model security

Is the AI application resistant to AI-specific failures and attacks?

6

Validation and independent assurance

Do the controls work, and has anyone independently examined them?

7

Continuous evidence, monitoring, and improvement

Can we prove the system remains controlled after launch?

Layer 1

Legal and Contractual Applicability

What laws, regulations, contractual obligations, and professional duties apply to this specific AI system?

There is no universal state called "AI compliant." An AI system may be compliant with one law while violating another. A company may also be outside a dedicated AI law but remain subject to privacy, consumer-protection, employment, healthcare, intellectual-property, or contract requirements.

U.S. regulators have stated that existing civil-rights, consumer-protection, competition, and employment laws continue to apply when organizations use automated systems and AI. There is no general exemption because a decision was produced by software.

What determines applicability?

  • Where the business operates
  • Where affected users reside
  • Whether the organization develops or deploys the system
  • The data being processed
  • Whether the system affects employees, patients, consumers, or children
  • Whether it influences consequential decisions
  • Whether it uses biometric identifiers
  • Whether it takes external action
  • Whether it is part of a regulated product
  • What customer and vendor contracts require

Scenario: The same AI model, different laws

Local service company

An HVAC business uses an AI receptionist. Its concerns may include: consumer protection, call recording, privacy, accurate representation, emergency escalation, and Texas TRAIGA's targeted prohibitions.

Medical practice

The same underlying model summarizes patient records and recommends diagnoses. The legal profile changes substantially: PHI, professional licensing, patient disclosure, clinical review, medical records, healthcare nondiscrimination, and medical-device regulation.

The model did not change. The use case did.

Outputs from Layer 1

Applicable-law register
Developer-vs-deployer classification
Jurisdiction map
Required disclosures
Prohibited-use analysis
Contractual requirements
Records and retention obligations
Legal-review triggers
AI law tells an organization what must be achieved. It rarely provides the complete technical design for achieving it.

Layer 2

Governance and Accountable Ownership

Who owns the AI system, its purpose, its risks, and its consequences?

Technology does not govern itself. A production AI system needs identifiable accountability for business purpose, technical architecture, data quality, security, privacy, legal compliance, model performance, vendor management, operations, incident response, and residual-risk acceptance.

NIST AI RMF

A flexible, voluntary framework. Its Core contains four functions:
Govern: Policies, accountability, roles, risk tolerance.
Map: Context, users, data, intended purpose, impacts.
Measure: Performance, reliability, security, fairness, transparency.
Manage: Prioritize risks, implement responses, monitor residual risk.

Not a certification scheme. A structured way to organize AI risk-management outcomes.

ISO/IEC 42001

AI management-system requirements standard.

Establishes a systematic approach to policies, objectives, responsibilities, risk treatment, monitoring, and continual improvement.

Organizations may seek certification of their defined AI management-system scope through an external certification body.

NIST AI RMF versus ISO/IEC 42001

NIST AI RMFISO/IEC 42001
Voluntary risk-management frameworkAI management-system requirements standard
Flexible and outcome-orientedFormal management-system structure
No NIST AI RMF certificationSupports third-party certification
Useful for building an AI-risk programUseful for formalizing repeatable governance
Can be applied selectively by use caseUsually implemented within a defined scope
Strong public resource and PlaybookFormal standard with auditable requirements

Do organizations need both?

Not always. A smaller organization may use NIST AI RMF without immediately pursuing certification. An enterprise AI provider may use NIST AI RMF to shape risk methods, ISO/IEC 42001 to formalize its management system, ISO/IEC 27001 for security, and SOC 2 for customer-facing assurance.

Minimum governance structure

RolePrimary accountability
Business ownerIntended outcome and business-risk acceptance
Product ownerRequirements, users, and roadmap
Technical ownerArchitecture, integration, reliability, and change
Data ownerData quality, classification, and permitted use
AI/model ownerModel selection, evaluation, and behavior
SecurityThreats, access, testing, and incident response
Privacy/legal/complianceLegal, contractual, and regulatory analysis
OperationsMonitoring, recovery, and user support

Outputs from Layer 2

AI policy
AI system inventory
Defined owners
Risk-acceptance authority
Approved-use process
Vendor-governance process
Model and system change control
Incident ownership
Training requirements
Retirement process
NIST AI RMF helps organize AI risk. ISO/IEC 42001 helps turn that governance into a formal management system. Neither replaces the controls inside the application.

Layer 3

AI Risk and Impact Assessment

What could this system do to people, the organization, or society if it is wrong, manipulated, misused, or unavailable?

A general-purpose chatbot that drafts marketing copy should not receive the same assessment as an AI system influencing hiring, credit, insurance, medical treatment, or physical safety. Risk assessment determines how much control and assurance the system requires.

ISO/IEC 23894

Provides guidance for managing AI-specific risk. Guidance rather than an independently certifiable standard.

ISO/IEC 42005

Provides guidance for AI system impact assessments — how AI systems may affect individuals, groups, and society.

The AI Blast Radius Model

Six dimensions for prioritizing systems:

Data sensitivity

What can the AI read?

Decision consequence

What decisions can it influence?

Action authority

What can it create, change, send, or delete?

Reach

How many people, records, or systems can one failure affect?

Irreversibility

How difficult is it to undo the damage?

Detection delay

How long could the failure continue unnoticed?

Try the interactive AI Blast Radius Calculator to score your system.

Example

SystemLikely blast radius
Marketing drafting toolLimited
Internal policy RAG assistantGuarded
Employee-ranking systemHigh
Customer refund agentHigh
Clinical treatment assistantCritical

Why "high risk" is not only a legal classification

Some laws use a formal legal definition of high-risk AI. An organization should also perform its own operational risk classification even when no applicable law labels the system "high risk."

Outputs from Layer 3

Intended-use statement
Foreseeable misuse scenarios
Affected-person analysis
AI Blast Radius score
Data and system dependencies
Potential harms
Required human oversight
Control requirements
Residual-risk decision
The sophistication of the model does not determine the risk. The system's access, authority, reach, and consequences do.

Layer 4

Cybersecurity, Privacy, and Data Controls

Are the data, identities, infrastructure, and operating environment around the AI properly protected?

AI security cannot compensate for weak enterprise security. A carefully tested model connected through an administrator account to an unrestricted database remains dangerous.

NIST CSF 2.0

Organizes cybersecurity outcomes: Govern, Identify, Protect, Detect, Respond, Recover.

ISO/IEC 27001

Defines requirements for an Information Security Management System.

ISO/IEC 27002

Implementation guidance and controls for access control, cryptography, secure operations, incident management.

ISO/IEC 27701

Privacy Information Management System for controllers and processors of PII.

Security controls relevant to AI

Authentication
Authorization
Row-level security
Tenant isolation
Least-privileged service accounts
Encryption
Secret management
Secure development
Vulnerability management
Network restrictions
Logging
Backup and recovery
Data retention
Data deletion
Vendor access
Incident response
Business continuity

Scenario: Internal RAG assistant

A company builds a RAG assistant that searches contracts and customer records. The model may be well configured, but exposure remains if:

  • Every document shares one vector index without tenant filtering
  • The retriever uses an administrator credential
  • Cached results are shared across users
  • Deleted documents remain searchable
  • Logs contain complete customer contracts
  • Employees can upload unapproved documents

The security foundation must restrict which information enters the model context.

The model should not decide what the user is allowed to see. The model should receive only information the user is already authorized to access.

Outputs from Layer 4

Identity and access design
Data-classification map
RLS and tenant-isolation design
Retention schedule
Vendor-access controls
Security architecture
Incident-response plan
Privacy impact records
Recovery procedures

For a deep dive, see the Secure Enterprise RAG Architecture Guide.

Layer 5

AI-Specific Application and Model Security

Is the complete AI application resistant to the failures and attacks that are specific to generative and agentic systems?

Traditional security controls remain necessary, but they do not cover every AI-specific risk.

OWASP GenAI

Addresses prompt injection, sensitive-information disclosure, supply-chain vulnerabilities, data and model poisoning, improper output handling, excessive agency, system-prompt leakage, vector and embedding weaknesses, misinformation, and unbounded consumption.

OWASP also published a Top 10 for Agentic Applications in late 2025.

MITRE ATLAS

A living knowledge base of adversary tactics and techniques against AI-enabled systems. Helps with threat modeling, red teaming, and threat-informed defense.

CSA AI Controls Matrix

Vendor-neutral control framework for cloud-based AI systems. v1.1 contains 247 control objectives across 18 domains with mappings to ISO/IEC 42001 and EU AI Act.

AI-specific risks to test

Prompt injection

Can a user or external document override intended instructions?

RAG poisoning

Can false or malicious content influence retrieval?

Excessive agency

Can the AI execute more powerful actions than required?

Cross-tenant retrieval

Can one user retrieve another customer's information?

Improper output handling

Can AI-generated SQL, code, URLs, or HTML compromise downstream systems?

Tool and MCP abuse

Can a tool call bypass permissions or send data to an unauthorized destination?

Hallucination

Can the system produce unsupported but convincing conclusions?

Unbounded consumption

Can an agent enter a loop or create uncontrolled expense?

Scenario: AI accounts-payable agent

An AI accounts-payable system can read invoices, create vendors, change banking information, approve payments, and send confirmations. A traditional cybersecurity review may confirm the API is encrypted and authenticated. An AI-specific review asks:

  • Can a malicious invoice contain indirect instructions?
  • Can the model change the payment destination?
  • Does it use the employee's permissions or a broad service account?
  • Are new vendors independently verified?
  • Is approval required above a threshold?
  • Can one prompt create several payments?
  • Can the action be reversed?
  • Is every tool call retained?

Outputs from Layer 5

AI threat model
Prompt-injection controls
RAG source-governance process
Agent action matrix
Tool allow-list
MCP server assessment
Model-security controls
Input and output validation
Cost and step limits
Human-approval requirements
Governance without AI-specific technical controls can produce a well-documented but insecure system.

Explore the Agent Read/Write/Action Matrix and Prompt Injection Scenario Library.

Layer 6

Validation and Independent Assurance

Do the controls actually work, and has an appropriate independent party reviewed them?

A control may exist in one of four states: Described, Implemented, Tested, Independently assured. These states should not be confused.

Functional validation

Does the workflow complete its intended task?

Are tool arguments valid?

Do approvals stop unauthorized execution?

Are errors handled?

Can failed work be recovered?

Are duplicate actions prevented?

Model-quality validation

Accuracy

Groundedness

Citation correctness

Hallucination rate

Refusal behavior

Structured-output validity

Retrieval quality

Tool-selection accuracy

Security validation

Direct prompt injection

Indirect prompt injection

RAG poisoning

Cross-tenant access

Service-account abuse

Tool manipulation

MCP server misuse

Improper output handling

Agent loops

Unauthorized external communication

Impact validation

Bias testing

Accessibility testing

Group-level performance analysis

Human-factors testing

Safety evaluation

Clinical or professional validation

Appeal and override testing

What SOC 2 does

SOC 2 is commonly used by service organizations whose customers need information about controls relevant to security, availability, processing integrity, confidentiality, or privacy.
SOC 2 Type I: Evaluates control design as of a specified date.
SOC 2 Type II: Also evaluates operating effectiveness over a defined period.

Does SOC 2 cover AI?

It can cover relevant controls around an AI service — access control, change management, availability, logging, incident response, confidentiality, privacy, vendor management. But SOC 2 does not automatically prove that an AI system is accurate, unbiased, resists prompt injection, prevents RAG poisoning, uses appropriate agent permissions, complies with every AI law, or is safe for every intended use.

An organization may incorporate AI-related controls into a SOC 2 engagement, but this must be deliberately scoped rather than assumed.

When SOC 2 is relevant

SOC 2 is most useful when: the company is a service organization, enterprise customers request assurance, the system processes customer data, security questionnaires repeatedly ask for a report, or the company needs to demonstrate control operation over time.

A local business using an internal AI drafting assistant usually does not need SOC 2 merely because it uses AI. An AI SaaS provider selling to large enterprises may find SOC 2 commercially necessary.

What ISO certification does

Certification against ISO/IEC 42001 demonstrates an AI management system within a defined scope. ISO/IEC 27001 demonstrates an information-security management system. ISO/IEC 27701 demonstrates a privacy information management system.

Certification does not guarantee that every AI-generated answer will be correct or that every individual system is immune to attack.

Outputs from Layer 6

Functional test evidence
Model evaluation report
AI red-team results
Impact-assessment tests
Penetration test
Independent technical assessment
SOC 2 report where appropriate
ISO certification where appropriate
Legal review
Residual-risk approval
A framework describes desired outcomes. Testing shows whether the implementation achieves them. Independent assurance increases confidence within a defined scope.

Layer 7

Continuous Evidence, Monitoring, and Improvement

Can the organization prove that the AI remains governed after it enters production?

AI systems can change without a traditional software release. Changes may include: new model versions, prompt revisions, updated documents, new embeddings, new data sources, new tools, new MCP servers, changed permissions, vendor subprocessors, model-provider policies, regulatory updates, user behavior, and model or data drift.

A one-time assessment is not enough for a material AI system.

System evidence

System name

Purpose

Business owner

Technical owner

Model and version

Prompt version

Tools

Data sources

Vendor dependencies

Risk evidence

Blast-radius classification

Impact assessment

Threat model

Applicable-law mapping

Approved limitations

Risk acceptance

Test evidence

Functional tests

Model evaluations

Retrieval evaluations

Prompt-injection tests

Access tests

Bias or impact tests

Recovery tests

Retest results

Operational evidence

User identity

Relevant prompt or request

Retrieved records

Applied access filters

Tool calls

Approvals

Output

Resulting business actions

Errors and exceptions

Incidents and complaints

Retention should be proportionate and should comply with privacy, confidentiality, and records requirements.

Continuous operating cycle

Inventory → Classify → Assess → Implement → Test → Approve → Monitor → Detect change → Reassess

Outputs from Layer 7

Continuous control evidence
Monitoring dashboards
Model and prompt change history
Access reviews
Incident records
Complaint records
Remediation tracking
Updated risk assessments
Vendor-change records
Retirement decisions
Compliance is not proven by what the organization intended to implement. It is supported by evidence of what the organization implemented, tested, monitored, and corrected.

For evidence preservation, see the AI Incident Evidence Checklist. For vendor change monitoring, see the AI Vendor Due Diligence Checklist.

How the Major Frameworks Fit Together

SourcePurposeMandatory?Certification?Does not prove
Applicable AI and sector lawsEstablish obligations, prohibitions, rights, and enforcementYes, when in scopeRegulator or court enforcementComplete technical security
NIST AI RMFOrganize AI risk governance and managementVoluntary unless adopted elsewhereNo NIST certificationLegal compliance or technical effectiveness
ISO/IEC 42001Establish an AI management systemUsually voluntary unless contractually requiredThird-party certification availableAccuracy of every AI output
ISO/IEC 23894Guide AI risk managementVoluntaryNot a management-system certificationOrganization-wide assurance
ISO/IEC 42005Guide AI system impact assessmentsVoluntary unless adopted elsewhereGuidance, not standalone certificationComplete cybersecurity
NIST CSF 2.0Organize cybersecurity outcomesVoluntary unless adopted elsewhereNo NIST certificationAI-specific model behavior
ISO/IEC 27001Establish an information-security management systemUsually voluntaryThird-party certification availableAI accuracy or legal compliance
ISO/IEC 27701Establish a privacy information management systemUsually voluntaryThird-party certification availableEvery privacy-law obligation
SOC 2Independent CPA examination of defined controlsUsually customer or contract drivenIndependent CPA reportComplete AI safety or compliance
OWASP GenAIIdentify AI-application security risks and mitigationsVoluntaryNo certificationComplete governance or legal analysis
MITRE ATLASDescribe adversarial AI tactics and techniquesVoluntaryNo certificationComplete compliance
CSA AI Controls MatrixDetailed controls for cloud-based AI systemsVoluntarySupports CSA assurance approachesAutomatic compliance
Technical testingValidate implementation against defined scenariosDepends on risk and obligationMay be independently performedPermanent security
Continuous evidenceDemonstrate ongoing control operationFrequently required by policy, contract, or lawMay support audits and investigationsElimination of all risk

Which Framework Should a Business Use?

Small business using an AI receptionist

May need:

  • AI inventory
  • Basic applicable-law review
  • NIST AI RMF-inspired ownership
  • Data and access controls
  • Prompt and tool testing
  • Human escalation
  • Incident handling

Probably does not need ISO/IEC 42001 certification or SOC 2 solely because it uses an AI receptionist.

Internal enterprise RAG assistant

May need:

  • NIST AI RMF profile
  • AI impact assessment
  • ISO/IEC 27001-aligned security
  • Privacy controls
  • Row-level security
  • Approved RAG sources
  • Retrieval evaluation
  • Prompt-injection testing
  • Continuous access review

External certification may not be necessary if the application is internal.

AI SaaS provider selling to enterprise customers

May need:

  • Multi-jurisdiction legal analysis
  • Formal AI governance
  • NIST AI RMF alignment
  • ISO/IEC 42001 management system
  • ISO/IEC 27001 security foundation
  • SOC 2 report
  • OWASP and MITRE-based testing
  • Vendor supply-chain controls
  • Continuous customer evidence
  • Incident and model-change notices

No single item replaces the others.

Healthcare AI assistant

May need:

  • Healthcare and AI-law analysis
  • Formal AI impact assessment
  • Security and privacy management
  • Clinical validation
  • Licensed practitioner review
  • Patient disclosure
  • Bias and accessibility evaluation
  • Strong change management
  • Independent technical assurance
  • Detailed incident evidence

Assurance depth should reflect the potential clinical consequence, not merely the size of the organization.

The correct level of governance should be proportionate to data handled, advice provided, actions taken, customer impact, and regulatory context.

Which AI Framework Do I Need?

Answer four questions to get a tailored recommendation of which AI governance frameworks, certifications, and testing apply to your situation.

The AI Assurance Maturity Ladder

Not every organization or AI system needs the highest assurance level.

1

Level 1: Documented

The organization knows what the system is, what it does, who owns it, what data it uses, and which vendors support it.

AI inventoryOwnerPurposeData mapBasic legal screening
2

Level 2: Controlled

The organization has implemented policies, access restrictions, vendor review, human oversight, change controls, and incident ownership.

Approved policiesAccess designTool permissionsVendor assessmentApproval matrix
3

Level 3: Tested

The organization verifies model quality, retrieval quality, access controls, prompt-injection resistance, tool restrictions, recovery, and applicable impact considerations.

Test casesResultsFindingsRemediationRetesting
4

Level 4: Independently assessed

An independent party reviews security, AI risk, legal applicability, control design, and technical operation.

Independent security assessmentAI red-team reportLegal memorandumExternal gap assessment
5

Level 5: Formally assured

The organization maintains applicable formal assurance such as SOC 2, ISO/IEC 42001, ISO/IEC 27001, ISO/IEC 27701, or sector-specific assurance.

SOC 2 reportISO/IEC 42001 certificationISO/IEC 27001 certificationISO/IEC 27701 certificationSector-specific assurance

Important limitation

A Level 5 organization can still operate a poorly controlled individual AI system. Formal assurance must be connected to the correct organizational scope, the actual AI product, current controls, current vendors, and current deployment configuration.

What Claims Can a Business Truthfully Make?

ClaimAppropriate use
"Mapped to NIST AI RMF"Controls and evidence have been mapped to relevant AI RMF outcomes
"Aligned with NIST AI RMF"A documented, risk-based subset has been implemented
"NIST AI certified"Avoid; AI RMF is not a NIST certification program
"Certified to ISO/IEC 42001"An external certification body has certified the defined AIMS scope
"ISO certified our company"Avoid; ISO does not perform certification
"SOC 2 Type II report available"An independent CPA has issued a report covering a defined period
"SOC 2 certified"Avoid; SOC 2 is an examination and report, not certification
"Tested against OWASP GenAI risks"Defined tests were performed and documented
"Compliant with Texas TRAIGA"A scoped legal and control assessment supports the statement
"AI secure"Avoid as an absolute claim
"Fully AI compliant"Avoid unless the claim identifies exact laws, systems, scope, and date
"No AI risk"Avoid; risk can be reduced and managed, not eliminated

A Practical Implementation Roadmap

1Phase 1: Discover and scope

Understand the systems, business context, and obligations.

Tasks:

  • Inventory AI systems
  • Identify developers, deployers, and vendors
  • Assign business and technical owners
  • Map data, models, retrieval, tools, and integrations
  • Identify jurisdictions and affected users
  • Calculate the AI Blast Radius
  • Determine initial assurance requirements

Deliverables:

AI inventoryStakeholder mapSystem and data-flow diagramsApplicable-law registerInitial risk registerBlast-radius heat map

2Phase 2: Design governance and controls

Define how the organization will manage and control AI.

Tasks:

  • Select relevant NIST and ISO outcomes
  • Define policies and accountability
  • Establish approval and risk-acceptance processes
  • Define human-oversight requirements
  • Design access, RLS, and tenant isolation
  • Establish vendor controls
  • Define evidence and retention requirements
  • Build the test strategy

Deliverables:

AI governance policyControl matrixApproval matrixSecurity architectureImpact-assessment templateTesting planEvidence plan

3Phase 3: Implement

Put the controls into the application and operating environment.

Tasks:

  • Implement authentication and authorization
  • Restrict tools and agent actions
  • Add RAG-source governance
  • Implement input and output validation
  • Add monitoring, logging, and cost limits
  • Add human confirmation and escalation
  • Configure incident response
  • Train affected users

Deliverables:

Implemented technical controlsTool registryMonitoring configurationIncident processTraining recordsUpdated architecture

4Phase 4: Validate

Verify that the implemented system and controls work.

Tasks:

  • Conduct functional testing
  • Evaluate model and retrieval quality
  • Test direct and indirect prompt injection
  • Test RAG poisoning
  • Test unauthorized and cross-tenant access
  • Test tool and MCP permissions
  • Test bias, accessibility, or safety where relevant
  • Test failure, recovery, and rollback
  • Remediate and retest findings

Deliverables:

Validation reportFindings registerRemediation evidenceRetest resultsResidual-risk assessment

5Phase 5: Assure and approve

Obtain the appropriate level of independent confidence.

Tasks:

  • Obtain independent security testing
  • Complete legal review
  • Pursue SOC 2 where customers require it
  • Pursue applicable ISO certification when justified
  • Complete executive risk acceptance
  • Document deployment approval

Deliverables:

Independent reportsCertification or SOC evidenceLegal assessmentExecutive approvalProduction readiness package

6Phase 6: Operate and improve

Keep the system controlled as it changes.

Tasks:

  • Monitor quality, access, incidents, and cost
  • Review model and prompt changes
  • Monitor vendors and subprocessors
  • Repeat evaluations after material changes
  • Review user feedback and complaints
  • Conduct periodic access reviews
  • Update the legal map
  • Retire obsolete systems

Deliverables:

Operational scorecardChange historyContinuous evidencePeriodic risk reviewIncident reportsImprovement backlogRetirement records

Where CSM6 Fits

CSM6 can serve as the execution bridge between the assurance stack and project delivery.

CSM6 elementAI Secure & Govern application
ScopeIntended use, affected users, jurisdictions, laws, and risk tolerance
SystemModels, data, RAG, agents, tools, MCP servers, vendors, and dependencies
SignalQuality, drift, attacks, access failures, incidents, complaints, and costs
StructureLifecycle gates, ownership, testing, approvals, change control, and retirement
StrategyControl depth, assurance investment, adoption plan, and risk acceptance
ComplianceLegal mapping, framework alignment, testing evidence, and independent assurance

CSM6 is not another certification standard. It is the practical operating framework that helps an organization move from requirement to ownership to implementation to validation to evidence to operation.

How HAIEC Fits Into the Stack

HAIEC is positioned as an integration, assessment, and evidence layer — not as a replacement for the laws, standards, auditors, or certification bodies.

The HAIEC AI Secure & Govern Assessment can help an organization:

Inventory AI systems

Calculate the AI Blast Radius

Identify relevant legal requirements

Map controls to NIST AI RMF

Assess ISO/IEC 42001 readiness

Map relevant SOC 2 control areas

Evaluate privacy and security gaps

Test prompt injection and RAG poisoning

Review agent, tool, and MCP permissions

Identify evidence gaps

Prioritize remediation

Prepare an executive assurance roadmap

HAIEC does not:

  • Provide legal advice
  • Issue ISO certification
  • Issue a SOC 2 report
  • Guarantee that an AI system is safe
  • Eliminate the need for independent technical testing
HAIEC connects legal applicability, AI governance, security controls, technical validation, and evidence into one scoped readiness program.

Or more simply: Secure the system. Govern the use case. Validate the controls. Prove the evidence.

Learn more about the HAIEC AI Compliance & Governance platform or the HAIEC AI Exposure Assessment.

Frequently Asked Questions

How do I secure an AI system?

Secure the full application, not only the model. Protect identities, data, infrastructure, retrieval, tools, APIs, outputs, vendors, and logs. Then test for AI-specific risks such as prompt injection, RAG poisoning, sensitive-data disclosure, excessive agency, and unauthorized actions.

How do I make sure my AI is compliant?

Identify the laws and contracts that apply to the specific use case, implement the required controls, test those controls, retain evidence, and reassess when its model, data, purpose, tools, users, or jurisdiction changes.

Is there one AI compliance certification?

No single certification establishes compliance with every AI, privacy, employment, healthcare, biometric, or consumer-protection law. ISO/IEC 42001 certification can provide assurance over an AI management system within a defined scope. SOC 2 can provide assurance over defined service-organization controls. Neither establishes universal legal compliance.

Is NIST AI RMF mandatory?

NIST AI RMF is voluntary unless incorporated into a contract, organizational policy, regulatory expectation, or another binding requirement.

Can a company become NIST AI certified?

NIST AI RMF is not a NIST certification program. Organizations may state that their controls are mapped or aligned to the framework when supported by evidence.

What is ISO/IEC 42001?

ISO/IEC 42001 is an international management-system standard specifying requirements for establishing, implementing, maintaining, and continually improving an AI management system.

Is ISO/IEC 42001 certification mandatory?

Generally voluntary unless required by a customer, contract, regulator, procurement process, or organizational policy.

What is the difference between NIST AI RMF and ISO/IEC 42001?

NIST AI RMF is a voluntary, flexible risk-management framework. ISO/IEC 42001 is a formal AI management-system requirements standard that supports third-party certification.

Can an organization use NIST AI RMF and ISO/IEC 42001 together?

Yes. NIST AI RMF can inform practical risk-management activities, while ISO/IEC 42001 can formalize those activities within an auditable management system.

Does ISO/IEC 42001 replace ISO/IEC 27001?

No. ISO/IEC 42001 addresses AI management. ISO/IEC 27001 addresses information-security management. An AI organization may benefit from both.

What is ISO/IEC 23894?

ISO/IEC 23894 provides guidance for managing AI-specific risk and integrating it into organizational risk-management activities. It is not a standalone certification standard.

What is ISO/IEC 42005?

ISO/IEC 42005 provides guidance for assessing how an AI system and its foreseeable uses may affect individuals, groups, or society throughout its lifecycle.

What is SOC 2?

SOC 2 is an independent CPA examination and report concerning controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.

Is SOC 2 an AI certification?

No. SOC 2 is a control examination and report. It can include controls relevant to an AI service, but does not automatically certify the AI as accurate, unbiased, safe, or legally compliant.

Does every company using AI need SOC 2?

No. SOC 2 is most relevant to service organizations whose customers require independent control assurance. A company using an internal AI tool may not need SOC 2 solely because it uses AI.

What is the difference between SOC 2 Type I and Type II?

Type I evaluates control design as of a specified date. Type II also evaluates operating effectiveness over a defined period.

Does ISO certification prove that an AI system is safe?

No. Certification demonstrates that a defined management system meets a standard’s requirements. Individual AI systems still require use-case-specific evaluation and technical testing.

What is AI assurance?

AI assurance is the process of building confidence that an AI system is governed, controlled, tested, monitored, and supported by sufficient evidence for its intended use.

What is the difference between AI governance and AI security?

AI governance establishes ownership, policies, risk decisions, oversight, and lifecycle processes. AI security protects the model, application, data, tools, identities, infrastructure, and integrations from unauthorized access, misuse, attack, and disruption.

What is an AI impact assessment?

An AI impact assessment examines how an AI system may affect individuals, groups, the organization, and society. It may consider rights, safety, privacy, discrimination, accessibility, economic effects, and foreseeable misuse.

What is AI red teaming?

AI red teaming uses adversarial scenarios to test how a system behaves when users, documents, tools, or integrations attempt to manipulate it or cause harmful outcomes.

Is a penetration test enough for an AI system?

Usually not. A traditional penetration test may evaluate infrastructure, APIs, and application vulnerabilities. AI-specific testing should also evaluate prompt injection, retrieval poisoning, hallucination, agent authority, tool calls, model outputs, and human oversight.

Do small businesses need AI governance?

Yes, but proportionate. A small business may begin with an AI inventory, named owner, approved-use policy, data restrictions, vendor review, basic testing, and incident process rather than pursuing formal certification immediately.

What evidence should an organization retain?

Relevant evidence may include AI inventory, purpose and ownership, model and prompt versions, data sources, access controls, risk and impact assessments, tests and results, tool calls, human approvals, incidents, complaints, remediation, vendor changes, and risk acceptance.

How often should AI compliance be reviewed?

Review whenever the system’s model, prompt, data, purpose, users, permissions, tools, vendors, or applicable laws change. Higher-impact systems should also undergo regular scheduled reassessment.

Can an AI system ever be fully risk-free?

No. AI risk can be identified, reduced, monitored, transferred, accepted, or avoided. It cannot be permanently eliminated.

Who should own AI governance?

The business owner should own the outcome and accept residual business risk. Technical, data, security, legal, privacy, compliance, and operations teams should own the controls within their areas.

Final Perspective

The question is not: "Should we use NIST, ISO, or SOC 2?"

What kind of assurance does this AI system require, and which combination of law, governance, controls, testing, and independent evidence will provide it?
  • AI laws establish obligations.
  • NIST AI RMF helps organize risk.
  • ISO/IEC 42001 formalizes AI management.
  • ISO/IEC 27001 and 27701 strengthen security and privacy management.
  • SOC 2 can provide customer-facing assurance over defined controls.
  • OWASP, MITRE ATLAS, and technical testing help expose application-level weaknesses.
  • Continuous evidence shows whether the controls remain effective after the system changes.

The result is not a single certificate. It is a defensible chain:

Applicable requirement → accountable owner → implemented control → test evidence → independent assurance → continuous monitoring

That is how organizations move from saying their AI is secure and governed to demonstrating what they have actually done.

AI Secure & Govern Framework Checklist

Get a practical checklist covering AI inventory, legal applicability, governance, risk assessment, AI-specific security controls, validation, and continuous evidence — aligned with NIST AI RMF, ISO/IEC 42001, SOC 2, OWASP GenAI, and MITRE ATLAS.

No spam. Unsubscribe anytime.

Ready to secure and govern your AI?

The HAIEC AI Secure & Govern Assessment connects legal applicability, AI governance, security controls, technical validation, and evidence into one scoped readiness program.

Let's Talk →