Artificial intelligence (AI) is no longer in its experimental phase — it’s everywhere. From healthcare to finance, AI is continuously transforming industries and reshaping both personal and professional lives. Yet, while adoption and innovation have accelerated at an unprecedented pace, the traditional governance frameworks and security controls needed to manage AI securely and responsibly have not kept up. This imbalance creates a critical gap.
As organizations increasingly develop, deploy and scale AI systems across multiple departments, they often lack a unified approach to assess risk, ensure accountability or maintain transparency.
Recognizing this challenge early, Health Information Trust Alliance (HITRUST) introduced its AI Security Assurance Program — a structured framework designed to close the AI security governance gap.
What Is HITRUST AI?
HITRUST AI refers to HITRUST’s AI Assurance Program, which offers AI security and AI risk management assurance products — HITRUST AI Security Assessment and Certification and HITRUST AI Risk Management Assessment — built on the proven HITRUST Common Security Framework (CSF) model.
HITRUST AI Security vs. HITRUST AI Risk Management
While the risk management assessment offers a detailed report based on 51 relevant and practical AI risk management controls, the security assessment and certification provide AI platform and service providers with measurable, testable, and AI-specific controls and methodologies that address unique security risks.
HITRUST AI Security offers a certifiable pathway to secure AI technologies, enabling organizations to demonstrate, through independent validation, that their AI systems meet rigorous security, privacy and ethical benchmarks.
HITRUST AI Security can certify AI systems across the following broad types of AI: generative, predictive and rule-based. It also considers security issues introduced by popular generative AI development patterns, including the use of:
- Retrieval Augmented Generation
- Agents and Plugins
- Embeddings
- AI Platform-as-a-Service
Why Is HITRUST AI Security Certification Important?
1. Addressing New and Evolving Risks
AI introduces novel opportunities but also several risks — technical, legal, ethical and operational. These include prompt injection, model theft, regulatory noncompliance, bias, misuse of sensitive data and more.
Traditional IT governance frameworks often fall short in addressing these threats, especially as AI systems become more complex and pervasive. Few of the existing responses are measurable or certifiable; HITRUST AI Security takes the high-level ideals found in ethical AI checklists, internal policies and aspirational guidelines and maps them into concrete controls that can be validated even before models are deployed.
Security and compliance teams are often being asked to manage a moving AI target — without the right tools, context or cross-functional alignment. The framework is flexible enough to apply across a range of AI systems, whether generative, predictive or rule-based, and addresses multiple threat areas.
“The next evolution and innovation in AI isn't next year. It isn't six months from now. It's next month,” said HITRUST’s Ryan Patrick, quoting an industry peer.
2. Meeting Regulatory and Market Demands
Regulators around the world are moving from discussion to action: the EU AI Act is advancing toward enforcement, and in the U.S., executive orders, agency guidance and state-level proposals are rapidly gaining momentum.
Some specific examples of public and regulatory pressures include:
- Federal Regulation
  - WH Exec Order 13859 & 14110
  - Bill for AI Consent Act
  - FTC Equity in AI Guidance
  - AI Ethics Framework
- State Regulation
  - California AI Accountability
  - Washington HB 1951
  - Massachusetts SB 31, 2539
  - Tennessee Image & Voice Security
- International Regulation
  - EU AI Liability Directive
  - EU AI Act
  - EU AI Guidelines for Europe
  - UK AI Regulation Bill
Additionally, buyers and partners are increasingly demanding evidence of robust AI governance and risk management as part of procurement and vendor assessments. Boards and executive teams are asking, “What’s our AI risk posture?”, signaling that AI isn’t just living in the hands of technical teams — it’s now a matter of enterprise risk.
HITRUST’s AI Security anticipates these trends by mapping its controls to key regulatory principles such as fairness, transparency and accountability. This means that organizations that achieve HITRUST AI Security certification are not only meeting today’s requirements but are also well-positioned for future regulatory and market developments.
HITRUST AI Security Comparison to Other Frameworks
The deployment of AI poses novel security threats while exacerbating others, requiring additional security measures that are not comprehensively addressed by current risk frameworks and approaches (including the HITRUST CSF to date).
| Feature | HITRUST CSF + AI | ISO 42001 | NIST AI RMF | EU AI Act |
|---|---|---|---|---|
| Certifiable | Yes | Yes | No | No (instead, a CE mark is awarded) |
| AI-specific | Deep | Partial | Partial | High-risk only |
| Mapped to Other Frameworks | All major regulations | Partial | Conceptual | Regulation only |
| Control Depth | High | Process-focused | Risk-focused | Regulatory |
| Adoption in Healthcare | Extensive | Low | Growing | Limited |
3. Differentiation and Confidence
Having HITRUST AI Security certification is a powerful market differentiator because it provides credible, third-party validation that your organization governs AI responsibly and effectively. Trust is fragile, and reputational risk can escalate quickly, so this kind of assurance sets organizations apart, especially in competitive or highly regulated industries like healthcare.
Externally, HITRUST AI Security certification builds customer and market trust by demonstrating that your AI systems are not only innovative but also secure and compliant. Internally, it strengthens executive and board confidence, showing that your organization has taken the time and done the hard work of assessing models, testing controls and documenting safeguards.
Ultimately, certification turns AI trust into a provable advantage, sending a clear message: “We don’t just use AI, we govern it responsibly and can prove it.” This distinction can be the deciding factor for customers and partners when choosing with whom to do business in an AI-driven world.
4. Unified, Scalable Governance
HITRUST AI Security certification is designed to be an extension of an organization’s existing HITRUST certifications (e1, i1 or r2). Rather than requiring a separate, siloed assessment, HITRUST allows organizations to layer AI-specific controls on top of their foundational security and privacy framework. This unified approach means that both traditional information systems and emerging AI-driven processes are governed under a single, consistent set of standards.
The benefits of this unified, scalable governance are significant. It creates consistency and alignment across security, compliance, and AI governance efforts, reducing redundancy and audit fatigue.
Internal teams across legal, security, compliance, and data science can work from a shared framework, using a common language and expectations. This not only streamlines risk management and makes oversight more structured and repeatable, but also builds confidence with internal stakeholders and external partners that AI governance is grounded in real, effective controls — not just good intentions.
Ultimately, HITRUST’s approach enables organizations to scale their AI initiatives responsibly, ensuring that as their AI use grows, their governance and assurance practices grow with it.
Benefits of HITRUST AI Security Certification by Organization
The following table outlines the benefits of HITRUST AI Security Certification for organizations that design and deploy AI models, including AI solution providers, cloud/AI platform providers and enterprises building their own AI systems. Unlike frameworks aimed at AI consumers, HITRUST AI Security is specifically tailored for those responsible for implementing and managing security controls within and around AI models.

The Importance of Using a Reputable Assessor Firm
The journey to HITRUST AI Security certification is a strategic commitment, and it is best navigated with a reputable assessor firm. Certification requires cross-functional alignment, careful scoping of AI systems, and the development of robust policies, procedures and controls. Most importantly, an approved HITRUST assessor firm offers expert guidance, readiness assessment support, and efficiency and confidence.
Expert Guidance
A reputable assessor helps organizations identify which AI systems and processes to include, guides governance documentation, and ensures all requirements are mapped correctly to the HITRUST framework. Their expertise is essential for navigating the unique complexities of HITRUST AI certification, which differs significantly from standards like NIST and ISO.
Readiness Assessment
Assessors conduct readiness reviews before formal testing, validating that policies, procedures and controls are in place. This step streamlines the process, reduces delays and ensures organizations are truly prepared for certification and ongoing AI governance.
Efficiency and Confidence
Experienced assessors make the certification journey smoother and more credible, helping organizations avoid common pitfalls. Working with a trusted HITRUST-approved firm builds clarity, confidence and trust — transforming certification into a strategic advantage for long-term success.
How Cherry Bekaert Can Help
AI is advancing rapidly, and the risks of inaction are significant. As a recognized HITRUST assessor firm with deep knowledge of the subject, Cherry Bekaert is equipped to guide organizations through the HITRUST AI Security assessment and certification process from initial readiness to successful validation. Our cybersecurity professionals stand ready to help your organization not only achieve HITRUST AI certification but also lead with AI that is responsible and trustworthy.