Assess cloud vs on-prem processing

Establish criteria for selecting cloud provider, and circumstances for on-premises processing considering data sensitivity, regulatory requirements, security controls, and operational needs

Keywords

Deployment

Cloud Security

On-Premise Security

Data Residency

Application

Mandatory

Frequency

Every 12 months

Type

Preventative

Crosswalks

AML-M0017: AI Model Distribution Methods

MAP 4.2: Internal risk controls

LLM03:25 - Supply Chain

Control activities

Conducting deployment risk assessments. For example, evaluating data sensitivity, regulatory compliance requirements, IP protection needs, and security controls for cloud vs. on-premises AI processing.

Documenting decision criteria and rationale. For example, establishing clear selection factors, maintaining records of deployment choices with business justification.

Implementing deployment-appropriate security controls. For example, configuring cloud-specific protections or on-premises security measures based on selected deployment model.

Implementing hybrid deployment strategies. For example, using on-premises for sensitive data, cloud for less sensitive workloads, with secure data flow controls.

Establishing cloud vendor management procedures. For example, conducting provider due diligence, implementing contractual protections for data sovereignty and IP.

Reviewing deployment decisions when requirements change. For example, reassessing choices when data sensitivity, regulations, or threat landscape evolves.

Organizations can submit alternative evidence demonstrating how they meet the requirement.

AIUC-1 is built with industry leaders

"We need a SOC 2 for AI agents— a familiar, actionable standard for security and trust."

Phil Venables

Former CISO of Google Cloud

"Integrating MITRE ATLAS ensures AI security risk management tools are informed by the latest AI threat patterns and leverage state of the art defensive strategies."