What is HITRUST + AI?

HITRUST has long been the go-to cybersecurity and privacy assurance framework for organizations handling sensitive data, especially in healthcare and highly regulated industries. As artificial intelligence (AI) technologies move from experimental models to operational systems, assurance standards are evolving in step. Now, HITRUST offers dedicated assessments for AI, creating clarity and accountability for organizations building or deploying AI-enabled solutions.

Why it matters: AI introduces new attack surfaces and governance questions. HITRUST’s AI initiative harmonizes security and risk controls to keep pace with how AI is actually developed, deployed, and used—delivering trust at the speed of innovation.

The evolution of HITRUST + AI

Until recently, AI raised compliance concerns without offering clear standards. Organizations faced a fragmented landscape: emerging government guidance like the NIST AI Risk Management Framework, global AI regulations on the horizon, and widespread uncertainty over how to validate the security and integrity of AI systems.

In 2024, HITRUST formalized its AI Assurance program with two complementary components:

  1. AI Risk Management Assessment (AI RM): A governance-based evaluation using 51 requirements derived from the NIST AI RMF and ISO/IEC 23894. It helps organizations assess AI risk posture, either in a self-assessed or validated format.
  2. AI Security Assessment and Certification (ai1/ai2): An extension of HITRUST’s established certifications (e1/i1/r2), this control-based certification adds up to 44 AI-specific control requirements, ensuring deployed AI systems—rather than just development environments—are measurably secure.

This structure makes use of the HITRUST Common Security Framework (CSF), leverages the MyCSF platform, and applies HITRUST’s assurance rigor to a rapidly evolving tech area.

What HITRUST + AI entails today

Executing a HITRUST AI assessment requires preparation. Organizations must accurately map their AI platforms, scope them in MyCSF, and identify whether they’re eligible based on AI deployment criteria.

AI RM Assessment:

This offering assesses governance maturity across 51 controls tied to AI principles like data integrity, system transparency, and bias management. It can be self-assessed or validated by a HITRUST Authorized External Assessor, with results summarized in an AI RM Insights Report. It's ideal for organizations in early AI adoption stages or those developing governance programs before deployment.

AI Security Assessment (ai1/ai2):

Integrated into traditional HITRUST certifications (e1/i1/r2), this option adds targeted security requirements for AI systems. An ai1 certification builds on e1 or i1, while ai2 layers onto the more robust r2. Scoring thresholds must be met: ≥83 for ai1 and ≥62 for ai2. The result is a certification letter issued by HITRUST, alongside the base CSF certification.

Eligibility is key: Only organizations that develop or deploy AI systems (e.g., AI-enabled platforms or products in production) qualify. Customers of AI SaaS tools and standalone software developers without deployed systems are not eligible for ai1/ai2 certification.

Common challenges in HITRUST AI engagements

Despite the clear structure, challenges arise during assessment execution—especially for organizations new to HITRUST or those scaling AI initiatives rapidly.

Scoping errors derail timelines.

Misidentifying which systems qualify as AI-enabled platforms—versus tools merely using third-party AI—can lead to QA delays or failed submissions. Scoping must align with HITRUST criteria in MyCSF, including AI-specific factors.

Improper reliance on third-party reports results in control gaps.

Leveraging third-party AI/cloud provider attestations requires more than simply including them in the assessment—it demands precise mapping of each attestation to the HITRUST CSF controls it covers, plus evidence access permitted by the service provider. Relying on generic SOC 2 reports without this mapping risks noncompliance.

Misapplied expectations around speed and eligibility.

Some organizations assume the AI assessments can utilize rapid methodologies from the broader HITRUST i1/r2 programs. Currently, ai1 certifications do not support rapid sampling. Ineligible entities seeking ai1/ai2 status—for example, companies using OpenAI or AWS-hosted models—also encounter rejection if they haven’t deployed proprietary systems.

QA bottlenecks are common without compliant assessor workflows.

Assessments must be performed by HITRUST Authorized External Assessors, with appropriately credentialed personnel (e.g., CCSFPs and CHQPs) handling fieldwork and QA. Choosing an assessor with insufficient experience or improper staffing leads to redo cycles and prolonged engagements.

Where HITRUST + AI is headed by 2026

Looking ahead, HITRUST’s AI programs are expected to play a foundational role in enterprise AI compliance across industries. The program will expand as AI becomes more deeply built into business processes—from voice assistants in healthcare to ML-powered decision tools in finance and logistics.

More sectors will adopt AI RM and AI Security assessments as preconditions for trust.

As regulators introduce AI transparency laws and security protocols (especially in Europe and Canada), frameworks like the HITRUST AI RM assessment will offer organizations a clear path to readiness. The AI RM Insights Report can help demonstrate alignment to regulators and customers alike.

Mature organizations will operationalize AI assurance, not treat it as a point-in-time need.

Just as annual risk assessments became a compliance staple, AI controls will shift toward continuous assurance. MyCSF’s control inheritance and automation capabilities make this possible by reducing duplicative work across frameworks and environments.

Expect AI-specific certifications like ai1/ai2 to become procurement requirements.

Buyers will increasingly require certified proof not just that an AI platform works, but that it’s secure, explainable, and governed appropriately. ai1/ai2 will serve as a recognized badge of assurance in complex service relationships.

How Thoropass simplifies HITRUST + AI

Compliance shouldn’t slow you down. Thoropass is a HITRUST-accredited External Assessor and a certified MyCSF integration partner—uniquely positioned to help you navigate AI RM and AI Security assessments from scoping to certification.

We streamline evidence collection and submission.

With Thoropass, you can automate control mappings, maintain audit readiness, and avoid duplicative documentation across HITRUST, NIST, ISO, and other frameworks. Evidence flows directly between our platform and MyCSF, reducing prep time and avoiding last-minute surprises.

Our team understands AI assessment complexity.

We’ve supported organizations in determining eligibility, mapping third-party responsibilities, and aligning AI-enabled environments to HITRUST certification thresholds. As the first HITRUST partner to achieve i1 certification for our own platform, we lead by example.

Avoid costly rework with our assessor expertise.

Thoropass employs qualified CCSFPs and CHQPs to ensure assessments run smoothly—not just during fieldwork but in QA reviews and submission cycles. We don’t grade our own work, and we equip your team for success with clear expectations and transparent workflows.

Integrated control inheritance reduces redundant effort.

We help you fully leverage HITRUST’s shared responsibility model—linking controls to cloud and platform providers, so you don’t re-test what’s already assured. Our integration with MyCSF ensures current, accurate control inheritance across your environment.

Ready when AI is

Whether your organization is building its first AI-enabled product or scaling secure AI platforms across markets, HITRUST’s AI Assurance offerings provide the roadmap. Thoropass delivers the trusted expertise and technology to get you there faster—with clarity, confidence, and complete readiness.

Schedule a discovery session with us today.