AI applications, models, code security, vulnerability detection, and AI-powered SAST/DAST.
Stand up an AI/HAI Software Assurance program that discovers, inventories, and strategically governs all AI/HAI software the organization builds, with shadow-AI-in-engineering prevention as the primary L1 outcome and a defensible risk-tier rubric as the primary L2 deliverable.
Explore →Publish the priority policies and compliance map that make the AI/HAI Software Assurance program enforceable, so every AI/HAI artifact the organization builds is governed by a documented set of rules, gated before it reaches production, and defensible to auditors and regulators.
Explore →Build the AI-assurance literacy every engineer touching AI/HAI software needs and the practitioner skills the smaller population performing threat modeling, secure code review, security testing, architecture review, and red-teaming of AI systems must have, with shadow AI in engineering awareness as the primary L1 cultural outcome.
Explore →Build and maintain a reusable threat library for AI/HAI software the organization builds, one archetype-level threat model per software artifact type, so every intake into the SM inventory produces a threat snapshot in minutes rather than a blank-page exercise.
Explore →Translate the threats from TA-Software and the policies from PC-Software into a reusable Requirements Pack for AI/HAI software the organization builds, a base set plus per-archetype deltas, so every artifact entering production carries a testable Requirements-Evidence Map (REM) rather than a blank slate.
Explore →Publish the reference architectures for safely building each AI/HAI software archetype the organization ships, so teams have a vetted "green path" that already implements SR-Software requirements and contains the threats identified by TA-Software.
Explore →Operate the design checkpoint between intake approval and build-out for every non-trivial AI/HAI software artifact, confirming the proposed design follows the applicable SA reference pattern, covers the SR requirements pack, and documents residual risks before engineering begins.
Explore →Verify, at go-live and on a recurring cadence, that the actual code and configuration of AI/HAI software the organization builds matches the design approved at DR, and that it stays there as the artifact evolves.
Explore →Prove that every AI/HAI software artifact the organization builds behaves correctly under adversarial conditions, by running a foundational per-archetype test battery in CI, maintaining versioned regression corpora, and escalating to scheduled red-team and continuous adversarial testing at higher maturity levels.
Explore →Run the single unified backlog for AI/HAI issues across the Software domain, findings from TA snapshots, SR gaps, DR conditions, IR drifts, ST failures, ML detections, and external advisories, with a tier-calibrated incident playbook containing AI-specific containment plays, and regulatory SLA tracking (GDPR Art. 33, EU AI Act Art. 73, HIPAA, sector-specific).
Explore →Harden the compute, build, model-supply-chain, engineering-endpoint, and data-flow envelopes in which AI/HAI software the organization builds is developed, trained, and served, so each artifact runs in a least-privilege, observable perimeter and unsanctioned AI development is detectable before it reaches production.
Explore →Establish the logging baseline per AI/HAI software archetype, operate a small high-signal detection set targeted at the top threats from TA-Software, and produce the evidence trail that proves EU AI Act deployer duties, GDPR processor obligations, and ISO/IEC 42001 AIMS requirements, on demand, inside a published SLA.
Explore →