HAIAMM vs Other AI Security Frameworks
A comparative analysis of HAIAMM v3.0 against the Cloud Security Alliance AI security framework family — plus the other major frameworks and maturity models for AI security and governance (NIST AI RMF, ISO/IEC 42001, Google SAIF, OWASP LLM Top 10, MITRE ATLAS, Gartner AI TRiSM, Databricks DASF) — with a practice-to-control alignment map.
Published: 2026-05-28 · Source basis: HAIAMM v3.0 framing doc; CSA AICM v1.0.3 (Oct 2025); CSA AISMM (May 19, 2026).
Orientation
CSA doesn't publish a single AI maturity model. It publishes a three-artifact family:
- AICM (AI Controls Matrix, v1.0.3, July 2025): 243 controls in 18 domains. Flat catalog, no maturity levels.
- AISMM (AI Security Maturity Model, May 19, 2026): 12 categories in 3 domains, 5 CMM-aligned levels (L1-L5). Qualitative self-assessment.
- STAR for AI: external certification/assurance program built on AICM and ISO 42001.
HAIAMM is a single integrated framework: 12 practices × 6 domains × 3 maturity levels = 216 cells, organized into 4 business functions (Governance, Building, Verification, Operations).
Side-by-side
| Dimension |
CSA (AICM + AISMM) |
HAIAMM v3.0 |
| Shape |
Two separate artifacts (controls vs. maturity) |
Single integrated model |
| Functional grouping |
AISMM: 3 domains (Foundational, Structural, Procedural) |
4 business functions (OpenSAMM/BSIMM lineage) |
| Practices / Categories |
AISMM: 12 categories (names not public) |
12 practices, fully public |
| Domains |
AICM: 18 (17 inherited from Cloud Controls Matrix, 1 AI-native: MDS) |
6, all AI-native |
| Atomic units |
AICM: 243 un-tiered controls |
216 maturity-typed cells |
| Maturity levels |
AISMM: L1-L5, qualitative |
L1 Foundational, L2 Comprehensive, L3 Industry-Leading, with per-cell metrics and success criteria |
| Scoring |
Qualitative, no number |
Quantitative, 108-question per-domain workbook |
| Lineage |
Cloud Controls Matrix |
OpenSAMM v1.0 / BSIMM |
| Last release |
AISMM 2026-05-19 |
v3.0 2026-05-14 |
HAIAMM strengths
- One coherent model. CSA splits "what to control" (AICM), "how mature you are" (AISMM), and "how to assure" (STAR). HAIAMM puts the control, the maturity tier, and the success criteria in the same 216-cell grid.
- AI-native domain taxonomy. AICM's 18 domains are 17 inherited cloud-security categories (HRS, DCS, etc.) plus one AI-only domain (MDS). HAIAMM's 6 domains were designed for AI lifecycle reality: Software, Data, Infrastructure, Vendors, Processes, Endpoints.
- Shadow AI as a first-class L1 outcome. Third-party AICM analysis flags shadow AI as absent. HAIAMM makes "shadow AI reduction" the primary L1 outcome of the Vendors domain and threads it through all other domains.
- GPU / model registry / vector-store / AI CI/CD coverage. Not present in AICM. HAIAMM's Infrastructure domain has dedicated archetypes for each, with SLSA provenance, GPU residual-state clearing, and orchestrator least-privilege as explicit concerns.
- EU AI Act is structural, not annexed. CSA's EU AI Act work lives in a separate Catastrophic Risk Annex (April 2026, rolling out through Dec 2027). HAIAMM bakes Art. 14 (human oversight), Art. 22 GDPR, Art. 50 transparency, and the Annex III FRIA gate into the Processes domain handbook directly.
- Endpoint AI is its own domain. Browser-extension AI governance, MDM allowlists for AI assistants, mobile/edge AI integrity, SaaS-AI silent-enablement detection, and Art. 50 disclosure UX have no dedicated home in AICM.
- Quantitative assessment. AISMM is explicitly qualitative with no numerical score. HAIAMM ships a 108-question per-domain workbook with scoring methodology that produces a concrete number per practice-domain cell.
- Public, granular content. Every HAIAMM practice, domain, and per-level cell template is public markdown. AISMM's 12 category names are not publicly enumerated.
- HAI-specific TTP framework (EA / AGH / TM / RA). Threaded through every domain's Threat Assessment practice. CSA's 9 threat categories are framework-level only.
- Per-cell maturity, not program-level CMM. You can be at L3 in Vendors and L1 in Infrastructure simultaneously. AISMM's CMM is one program-wide rating.
Complementary CSA strengths
A serious comparison names where the other framework is stronger. CSA's family has clear advantages worth borrowing or pairing with HAIAMM:
- Catalog breadth. 243 AICM controls vs. HAIAMM's 216 cells. AICM goes deeper on traditional cloud-security areas (encryption, IAM, data center security).
- External assurance program. STAR for AI is a public certification registry; STAR Level 2 requires ISO 42001 certification plus a "Valid-AI-ted" scored assessment. HAIAMM has no equivalent third-party attestation.
- Release velocity. CSA shipped AICM v1.0 → v1.0.3, plus CBRA, STAR for AI, AISMM, and the Agentic Trust Framework in ~10 months.
- Recognition. AICM won the 2026 CSO Awards. CSA became a CVE Numbering Authority (CNA) in 2026.
- Shared-responsibility tagging. Each AICM control is tagged to one of five provider roles (Model Provider, Orchestrated Service, Application Provider, AI Customer, Cloud Service Provider). HAIAMM's domain split implies but does not formally tag this.
- Standards mapping density. AICM ships with explicit ISO 42001 / ISO 27001 / NIST AI RMF / BSI AI C4 / EU AI Act crosswalks. HAIAMM has NIST AI RMF Playbook mapping; the others are partial.
How HAIAMM compares to other AI security & governance frameworks
CSA is the closest peer (it's the only other group shipping an AI maturity model), so it gets the deep treatment above. But teams rarely choose in a vacuum. Here are the most important comparisons against the other frameworks and maturity models tailored for AI security and governance. The recurring pattern: most are either risk/governance frameworks or flat control catalogs — HAIAMM is the one that fuses concrete controls, AI-native domains, and per-cell maturity tiers with a quantitative score.
vs. NIST AI RMF (+ Generative AI Profile)
- Risk framework, not a maturity model. NIST AI RMF organizes work into four functions (Govern, Map, Measure, Manage) but ships no maturity levels and no score — you cannot say "we're at Level 2." HAIAMM gives you a measurable tier per practice-domain cell.
- Trustworthiness-wide, not security-deep. AI RMF spans the full trustworthiness set (validity, safety, fairness, explainability, privacy, security). Security is one slice. HAIAMM is security-first and goes far deeper on adversarial threat, hardening, and monitoring.
- HAIAMM maps to it. HAIAMM already crosswalks to the NIST AI RMF Playbook, so adopting HAIAMM operationalizes AI RMF rather than competing with it. Pair them: AI RMF for board-level risk language, HAIAMM for the engineering maturity roadmap.
vs. ISO/IEC 42001 (AI Management System)
- Management system, not technical controls. ISO 42001 certifies that you have an AI management system (policies, roles, PDCA improvement loop) — it is governance- and process-oriented and deliberately light on prescriptive technical control text. HAIAMM supplies the concrete, AI-native control depth a 42001 program needs as evidence.
- Certifiable vs. free & public. ISO 42001 is a paid, externally-certifiable standard. HAIAMM is fully public markdown with no license cost and no certification body (CSA's STAR-for-AI is the certification path that pairs with ISO 42001).
- No maturity gradient. 42001 is conformant / non-conformant; it has no L1→L3 progression. HAIAMM's per-cell tiers give you an improvement runway, not a pass/fail gate. Pair them: 42001 for the auditable governance shell, HAIAMM for what actually goes inside each control.
vs. Google SAIF + OWASP LLM Top 10 + MITRE ATLAS
- These are threat/control inputs, not maturity scaffolds. Google SAIF is a set of security-engineering principles/risk map; OWASP LLM Top 10 is a vulnerability list; MITRE ATLAS is an adversary TTP knowledge base. None of the three is a maturity model or gives you a program score.
- HAIAMM consumes them. HAIAMM threads MITRE ATLAS plus its own HAI-specific TTPs (EA / AGH / TM / RA) through every domain's Threat Assessment practice, and the OWASP LLM risks land naturally in the Software and Endpoints domains. They are the "what to test for"; HAIAMM is the "how mature is our program at handling them."
- Coverage breadth. OWASP/ATLAS/SAIF center on the model and application layers. HAIAMM extends the same rigor to Vendors, Infrastructure, Processes, and Endpoints — the parts those lists barely touch.
vs. Gartner AI TRiSM + Databricks DASF
- Analyst category vs. operational framework. Gartner AI TRiSM is a conceptual market category (governance, runtime enforcement, information governance, infosec pillars) behind a paywall — strong for strategy slides, but not a free, hands-on assessable model. HAIAMM is open and directly assessable.
- DASF is a control catalog, not a maturity model. The Databricks AI Security Framework maps ~60 risks to ~50 controls across AI system components — excellent breadth, but flat (no tiers, no score), much like CSA's AICM. HAIAMM adds the maturity gradient and quantitative workbook on top of comparable control coverage.
- Vendor-neutral. DASF is anchored to the Databricks/lakehouse architecture; AI TRiSM tooling is Gartner's vendor lens. HAIAMM is platform-agnostic across clouds, model providers, and deployment patterns.
The one-line summary
| Framework |
What it is |
What HAIAMM adds |
| NIST AI RMF |
Risk-management functions, all trustworthiness |
Security depth + measurable maturity tiers |
| ISO/IEC 42001 |
Certifiable AI management system |
Concrete AI-native technical controls + L1→L3 runway |
| Google SAIF / OWASP LLM Top 10 / MITRE ATLAS |
Threat & vulnerability inputs |
A maturity program that operationalizes them |
| Gartner AI TRiSM / Databricks DASF |
Analyst category / vendor control catalog |
Open, vendor-neutral, scored maturity model |
| CSA AICM + AISMM |
Split controls + maturity artifacts |
One integrated 216-cell model with per-cell scoring |
Alignment map
HAIAMM practices ↔ AICM control domains
| HAIAMM practice |
Primary AICM domain(s) |
Notes |
| SM Strategy & Metrics |
GRC, A&A |
HAIAMM adds outcome-metric set; AICM is audit-evidence oriented |
| PC Policy & Compliance |
GRC, IPY |
HAIAMM's priority compliance map ties regulations to single policies; AICM ships standards mappings |
| EG Education & Guidance |
HRS |
HAIAMM separates workforce literacy from practitioner skills; AICM treats HR as one bucket |
| TA Threat Assessment |
TVM, MDS |
HAIAMM threads HAI TTPs (EA/AGH/TM/RA) plus MITRE ATLAS; AICM has 9 framework-level threat categories |
| SR Security Requirements |
AIS, MDS |
HAIAMM requires a Requirements-Evidence Map per artifact; AICM treats requirements as control narrative |
| SA Secure Architecture |
AIS, I&S, MDS |
HAIAMM publishes reference architectures and anti-pattern catalogs; AICM is principle-level |
| DR Design Review |
AIS, CCC |
HAIAMM is a per-intake gate; AICM is change-management oriented |
| IR Implementation Review |
AIS, TVM, MDS |
HAIAMM expects code/config review; AICM treats this as part of secure development |
| ST Security Testing |
TVM, AIS, MDS |
HAIAMM expects red-team and adversarial harnesses; AICM controls are testing-aware but not prescriptive |
| IM Issue Management |
TVM, SEF |
Direct equivalence; both cover vuln management and remediation |
| EH Environment Hardening |
I&S, IAM, CEK, DCS |
AICM is broader/deeper here; HAIAMM is AI-deployment-focused |
| ML Monitoring & Logging |
LOG, SEF, BCR |
Direct equivalence on observability; HAIAMM adds AI-specific signals |
HAIAMM business functions ↔ AISMM domains
| HAIAMM business function |
AISMM domain(s) |
| Governance (SM, PC, EG) |
Foundational + Procedural |
| Building (TA, SR, SA) |
Structural |
| Verification (DR, IR, ST) |
Structural + Procedural |
| Operations (EH, IM, ML) |
Procedural + Foundational |
Maturity-level alignment
HAIAMM is intentionally three-tiered (L1/L2/L3) and per-cell. AISMM is five-tiered (L1-L5) and program-wide. The closest practical mapping:
| AISMM level |
AISMM intent |
Closest HAIAMM tier |
| L1 Initial |
No AI-specific capabilities; baseline only |
Pre-HAIAMM (no AI security in place) |
| L2 Repeatable |
Manual reconciliation, ad-hoc processes |
HAIAMM L1 Foundational (establish) |
| L3 Defined |
Coordinated, documented enterprise processes |
HAIAMM L2 Comprehensive (calibrate & scale) |
| L4 Capable |
Automated and scalable AI security capabilities |
HAIAMM L3 Industry-Leading (automate & contribute) |
| L5 Efficient |
Fully automated and self-improving program |
Beyond HAIAMM L3 (no equivalent tier; HAIAMM L3 includes contribute-back-to-community as the ceiling) |
Translation rule of thumb: AISMM-L2 ≈ HAIAMM-L1; AISMM-L3 ≈ HAIAMM-L2; AISMM-L4 ≈ HAIAMM-L3.
When to use which
- Pair them. Use HAIAMM as the primary maturity-and-practice scaffold, with the per-cell scoring workbook driving roadmaps. Use AICM as a deeper controls catalog when an HAIAMM practice cell needs more concrete control text (especially in IAM, CEK, DCS). Use STAR for AI when you need an externally-attested public posture.
- Use HAIAMM alone when AI-native domain coverage matters (shadow AI, endpoints, AI infrastructure, vendor AI) or when a quantitative maturity number per practice-domain cell is required.
- Use CSA alone when external certification and broad cloud-security control depth dominate, and when AISMM's program-level CMM rating is acceptable.
One-line positioning
HAIAMM's "domains" are the AI things you defend (Vendors, Endpoints, Infrastructure, ...). CSA's "domains" are the security disciplines you do (IAM, BCR, HRS, ...). That structural divergence drives every other difference.