INFRASTRUCTURE
Owner: IT Operations / Procurement / Vendor Management / CISO
AI Infrastructure Controls
Ensure the underlying AI assets and vendors are inventoried and managed securely.
Framework Mapping
Controls from each source framework that map to this domain.
| Framework | Mapped Controls |
|---|---|
| ISO 42001 |
A.4 Resources for AI Systems
A.10 Third Party & Customer Relationships
|
| NIST AI RMF |
GV-6 Supply Chain
MP-4 Data Requirements
MG-4 Risk Treatment
|
| OWASP LLM |
LLM05 Supply Chain Vulns
|
| OWASP Agentic |
ASI04 Supply Chain
ASI10 Misplaced Trust
|
Controls
2 controls across Tier 1 (essential) and Tier 2 (advanced).
Audit Checklist
Quick-reference checklist items grouped by control.
- ☐ AI asset inventory exists with all required schema fields and is accessible to the governance team
- ☐ Automated discovery mechanisms are deployed and actively detecting AI tool usage across the network
- ☐ Every inventoried asset has an assigned business owner and a current security review (within 12 months)
- ☐ Quarterly reconciliation between automated discovery and registered inventory is performed with documented results
- ☐ Inventory integrates with at least two downstream governance workflows (policy enforcement, vendor evaluation, incident response, or compliance reporting)
- ☐ An AI-specific vendor security questionnaire exists and covers data training practices, data residency, model provenance, and incident response
- ☐ All AI vendors processing organizational data have a completed evaluation on file within the past 12 months
- ☐ Contracts with Tier 1 and Tier 2 AI vendors include explicit prohibitions on using customer data for model training
- ☐ A vendor risk register is maintained with current evaluation status and next review dates for all AI vendors
- ☐ At least one vendor re-evaluation has been triggered by a material change (model update, acquisition, or policy change) in the past 12 months