Software

AI applications, models, code security, vulnerability detection, and AI-powered SAST/DAST.

📖
Software Domain Handbook (v3.0)
Full v3.0 practitioner reference, Parts I–V, all 12 practices, 108-question assessment workbook with scoring methodology and improvement roadmap
Read the Handbook →

⚖ Governance

Strategy & Metrics (SM)

Stand up an AI/HAI Software Assurance program that discovers, inventories, and strategically governs all AI/HAI software the organization builds, with shadow-AI-in-engineering prevention as the primary L1 outcome and a defensible risk-tier rubric as the primary L2 deliverable.

☑ Questionnaire

Explore →

Policy & Compliance (PC)

Publish the priority policies and compliance map that make the AI/HAI Software Assurance program enforceable, so every AI/HAI artifact the organization builds is governed by a documented set of rules, gated before it reaches production, and defensible to auditors and regulators.

☑ Questionnaire

Explore →

Education & Guidance (EG)

Build the AI-assurance literacy every engineer touching AI/HAI software needs and the practitioner skills the smaller population performing threat modeling, secure code review, security testing, architecture review, and red-teaming of AI systems must have, with shadow AI in engineering awareness as the primary L1 cultural outcome.

☑ Questionnaire

Explore →

⚒ Building

Threat Assessment (TA)

Build and maintain a reusable threat library for AI/HAI software the organization builds, one archetype-level threat model per software artifact type, so every intake into the SM inventory produces a threat snapshot in minutes rather than a blank-page exercise.

☑ Questionnaire

Explore →

Security Requirements (SR)

Translate the threats from TA-Software and the policies from PC-Software into a reusable Requirements Pack for AI/HAI software the organization builds, a base set plus per-archetype deltas, so every artifact entering production carries a testable Requirements-Evidence Map (REM) rather than a blank slate.

☑ Questionnaire

Explore →

Security Architecture (SA)

Publish the reference architectures for safely building each AI/HAI software archetype the organization ships, so teams have a vetted "green path" that already implements SR-Software requirements and contains the threats identified by TA-Software.

☑ Questionnaire

Explore →

✓ Verification

Design Review (DR)

Operate the design checkpoint between intake approval and build-out for every non-trivial AI/HAI software artifact, confirming the proposed design follows the applicable SA reference pattern, covers the SR requirements pack, and documents residual risks before engineering begins.

☑ Questionnaire

Explore →

Implementation Review (IR)

Verify, at go-live and on a recurring cadence, that the actual code and configuration of AI/HAI software the organization builds matches the design approved at DR, and that it stays there as the artifact evolves.

☑ Questionnaire

Explore →

Security Testing (ST)

Prove that every AI/HAI software artifact the organization builds behaves correctly under adversarial conditions, by running a foundational per-archetype test battery in CI, maintaining versioned regression corpora, and escalating to scheduled red-team and continuous adversarial testing at higher maturity levels.

☑ Questionnaire

Explore →

⚙ Operations

Issue Management (IM)

Run the single unified backlog for AI/HAI issues across the Software domain, findings from TA snapshots, SR gaps, DR conditions, IR drifts, ST failures, ML detections, and external advisories, with a tier-calibrated incident playbook containing AI-specific containment plays, and regulatory SLA tracking (GDPR Art. 33, EU AI Act Art. 73, HIPAA, sector-specific).

☑ Questionnaire

Explore →

Environment Hardening (EH)

Harden the compute, build, model-supply-chain, engineering-endpoint, and data-flow envelopes in which AI/HAI software the organization builds is developed, trained, and served, so each artifact runs in a least-privilege, observable perimeter and unsanctioned AI development is detectable before it reaches production.

☑ Questionnaire

Explore →

Monitoring & Logging (ML)

Establish the logging baseline per AI/HAI software archetype, operate a small high-signal detection set targeted at the top threats from TA-Software, and produce the evidence trail that proves EU AI Act deployer duties, GDPR processor obligations, and ISO/IEC 42001 AIMS requirements, on demand, inside a published SLA.

☑ Questionnaire

Explore →