Building Trust in AI: What to Know About the HITRUST AI Security Certification

Artificial intelligence is reshaping how organizations operate, innovate, and deliver value. As the adoption of AI grows, new security, compliance, and trust challenges arise.

Enterprises, regulators, and customers alike are asking:  

How do we know if an AI platform or product is secure and responsibly managed? 

To address this, HITRUST, long recognized for its leading cybersecurity and risk management certifications, has launched the HITRUST AI Security Assessment and Certification. This new program brings prescriptive, relevant security requirements specifically for AI platforms and AI-enabled products. 

In this post, we’ll explore what the certification is, who it’s designed for, how it works, and why it matters in today’s rapidly evolving AI landscape. 

What is the HITRUST AI Security Certification?

The HITRUST AI Security Certification enables organizations to prove they have implemented proper controls to secure their AI models, platforms, and supporting infrastructure. It focuses specifically on cybersecurity risks to AI systems, such as data poisoning, model manipulation, and prompt injection attacks. 

This certification is not designed to address broader Responsible AI topics like ethics, fairness, or transparency; rather, it ensures that the AI system itself is technically secure.

Why a HITRUST AI Security Certification Matters 

AI security risks are different from traditional IT risks. Data poisoning, model manipulation, adversarial prompts, and ethical misuse are just a few of the challenges organizations now face. The HITRUST AI Security Certification helps close those gaps by providing: 

  • Prescriptive and relevant AI security controls – Curated requirements that focus on the unique risks of AI systems. 
  • A means to assess and validate those controls – Independent evaluation aligned with HITRUST’s proven certification model. 
  • Inheritance of security controls – The ability to leverage validated controls from AI solution providers, reducing redundancy and audit fatigue. 
  • Reliable reporting – Assessor-verified reports that can be shared with executives, regulators, customers, and partners. 
  • A market differentiator – A clear signal that your AI product or platform has been tested against high standards. 

The Takeaway: It’s about building trust and demonstrating security maturity in an AI-driven world. 

Who Can Get Certified? 

The HITRUST AI Security Certification is designed specifically for providers of AI technologies, not consumers. Eligible organizations include: 

  • AI Platform Providers – Companies that build and deliver platforms enabling others to create or host AI-enabled products. 
  • AI Product Providers – Organizations offering AI-enabled solutions directly to end-users or customers. 

To qualify, the platform or product must leverage an AI model in scope. 

While this certification is not currently intended for organizations that only use AI tools internally or build workflows on third-party AI models, HITRUST has confirmed that future updates to the HITRUST CSF (targeted for 2026) will expand coverage to address AI usage risks across all implementation types, including internal use and workflow integrations. 

How HITRUST AI Certification Works 

Unlike some frameworks, the HITRUST AI Security Assessment is not a stand-alone certification. Instead, it must be paired with a concurrent or existing HITRUST assessment to provide a complete picture of organizational and AI-specific security. 

The two options are:  

  • ai1 – Adds AI-specific requirements to an e1 or i1 certification. 
  • ai2 – Adds AI-specific requirements to a more rigorous r2 certification. 

Both pathways ensure that AI security is assessed in the context of your broader cybersecurity and compliance posture. The certification’s validity period aligns with that of the underlying assessment: one year for e1 and i1, and two years for r2. This makes it straightforward to manage as part of existing compliance efforts.

The AI Control Framework 

The HITRUST AI Security Assessment introduces up to 44 AI-specific requirements, mapped to trusted frameworks such as NIST SP 800-53, the NIST AI Risk Management Framework (AI RMF), ISO/IEC 27001, ISO/IEC 23894:2023, ISO/IEC 42001:2023 and OWASP. These mappings build on the foundation of the HITRUST CSF®, which harmonizes controls from more than 40 global standards to create a unified, certifiable framework. 

These AI-focused controls are: 

  • Prescriptive – Clear, actionable requirements aligned to the NIST AI RMF’s core functions (Govern, Map, Measure, and Manage), ensuring organizations address AI risks throughout the model lifecycle. 
  • Threat-adaptive – Regularly updated to reflect emerging guidance from NIST and evolving threat intelligence from the HITRUST Alliance. 
  • Tailored – HITRUST adjusts the AI control set based on your platform’s size, complexity, and deployment model, leveraging the flexibility of the HITRUST CSF® domains. 
  • Efficient – Organizations can inherit validated controls from AI service providers that already meet HITRUST CSF® or NIST 800-53 aligned requirements, reducing redundancy and assessment effort. 

By building on both NIST and HITRUST standards, this layered approach ensures organizations aren’t just compliant on paper, but resilient, auditable, and trustworthy in practice.

Scoring & Certification Requirements 

The HITRUST AI Security Certification uses different scoring models depending on the assessment type: 

  • ai1 (with e1 or i1) – Requires an average score of at least 83% across the selected AI requirements. 
  • ai2 (with r2) – Evaluates five maturity dimensions (Policy, Procedure, Implementation, Measured, Managed) and requires an average score of at least 62% across the selected AI requirements.

Importantly, an organization must successfully complete the underlying HITRUST assessment (e1, i1, or r2) before achieving AI certification. 

What Does the HITRUST AI Security Certification Help Solve? 

AI adoption introduces risks that traditional security certifications don’t fully address. Organizations struggle with how to validate controls around model training data, algorithmic integrity, bias prevention, and responsible deployment. Without clear guardrails, it becomes difficult to prove to regulators, partners, and customers that AI solutions are safe, ethical, and secure. 

The HITRUST AI Security Certification helps solve this by: 

  • Closing assurance gaps – Adding AI-specific controls on top of existing cybersecurity frameworks. 
  • Bringing clarity – Offering prescriptive, testable requirements instead of broad, interpretive guidelines. 
  • Reducing complexity – Allowing inheritance of controls from AI solution providers to streamline audits. 
  • Enabling trust – Delivering assessor-validated reports that demonstrate accountability and transparency. 

The Takeaway: The certification bridges the gap between fast-moving AI innovation and the equally fast-growing demand for accountability, regulation, and trustworthiness. 

Why Pursue HITRUST AI Security Certification? 

Organizations that achieve the HITRUST AI Security Certification gain: 

  • Independent validation – Assurance from a globally recognized certification authority. 
  • Trust and transparency – Reliable, shareable reporting for regulators, partners, and customers. 
  • Efficiency – Builds on existing HITRUST certifications, avoiding duplicative work. 
  • Market differentiation – Stand out in a crowded AI market by proving your commitment to secure, responsible AI. 
  • Future readiness – Stay ahead of AI regulations and evolving industry expectations. 

Final Thoughts 

AI is transforming industries, but without trust, adoption stalls. The HITRUST AI Security Certification helps AI platform and product providers demonstrate that they are proactively addressing AI-specific risks, backed by one of the most established names in cybersecurity certification. 

The HITRUST AI Security Certification bridges the gap between innovation and assurance. It gives AI system providers a framework to validate their controls, safeguard against emerging threats, and build confidence with customers.  

For organizations that design or host AI systems, achieving this certification signals to customers and partners that security and reliability are top priorities. 

Your Trusted Partner 

The Tevora Healthcare team is here to support your organization in achieving HITRUST certification. As an approved external assessor, we serve as the liaison between HITRUST and your organization, providing comprehensive HITRUST certification services and guiding you through every stage of your HITRUST CSF journey. Reach out to us directly at [email protected] or (833) 292-1609. 
