STAR AI Controls Auditor

I have just completed the STAR AI Controls Auditor Training. For me, this is another important step in better understanding the Cloud Security Alliance AI Controls Matrix and how assurance can be performed under the STAR for AI scheme.

The course focuses on how auditors should evaluate the 34 AI-specific controls in AICM v1.0.3, including areas such as prompt injection defenses, data poisoning prevention, agent security boundaries, model integrity verification, adversarial attacks, guardrails, input/output monitoring, AI impact assessments and human supervision.

What I like most is that the training does not treat AI assurance as a simple extension of traditional IT audit. AI control testing requires different evidence than traditional IT controls. We are not only looking at policies, configurations, access rights and logs. We also need to understand model cards, AI bills of materials, adversarial testing results, AI impact assessments, guardrail effectiveness, model integrity evidence, data poisoning controls and prompt injection testing.

In my opinion, compliance with ISO42001 alone is not sufficient to confirm that AI used by an organization is implemented at a mature level of security and safety. ISO42001 is useful as a management system standard. It creates structure, governance and accountability. But many of its requirements are relatively high-level.

AICM goes much deeper. The AI Controls Matrix is a vendor-agnostic framework addressing security, safety and privacy risks related to the development, deployment, orchestration and consumption of AI systems. It was created because traditional security controls alone are not enough for AI-specific threats. AICM v1.0 is structured into 18 domains and 243 controls, building on the Cloud Controls Matrix and adding a dedicated Model Security domain. It also maps to standards and frameworks such as ISO/IEC 42001, NISTAI600-1, BSIAIC4 and the AI Act.

One of the strongest elements of AICM is the AI-specific Shared Security Responsibility Model. This matters because AI services are rarely delivered by one actor only. In practice, we often have a cloud provider, foundation model provider, orchestration layer, application provider, customer configuration and additional third-party tools. These roles are functions, not necessarily separate legal entities. One organization may perform several roles at the same time, for example when it self-hosts an open-weight model and also operates the application layer.

I see STAR for AI and AICM as very valuable tools for auditors, consultants, AI service providers and customers who want to assess AI systems in a more structured, practical and risk-based way.

Author: Sebastian Burgemejster