MITRE AI Assurance, NIST AI RMF and CSA AICM: what matters most?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Enterprises evaluating trustworthy AI now face three complementary frameworks, with MITRE AI Assurance focused on technical assurance, NIST AI RMF on enterprise risk governance, and CSA AICM on control implementation, according to Cyera. The practical issue is not choosing one framework, but sequencing them so governance, controls, and testing reinforce each other.

NHIMG editorial — based on content published by Cyera: Building Trustworthy AI, comparing the MITRE AI Assurance Guide, NIST AI RMF, and CSA AICM

Questions worth separating out

Q: How should organisations structure AI governance across risk, controls, and testing?

A: Use a layered model. Start with an enterprise risk framework to define accountability and acceptable harm, translate those requirements into technical and procedural controls, then challenge the system with adversarial testing to see whether the controls hold under realistic conditions.

Q: Why do AI systems need data security in addition to model security?

A: Because most AI failures begin in the data path.

Q: How do security teams know whether AI assurance is actually working?

A: Look for evidence that controls are mapped to real data flows, that ownership exists for each control, and that red-team or testing results can prove resilience under manipulation.

Practitioner guidance

  • Sequence AI governance by layer: Start with an enterprise risk model, translate it into enforceable controls, then validate those controls with adversarial testing.
  • Map controls to the AI data path: Inventory where AI systems ingest, transform, store, and expose data, then attach owners and audit evidence to each stage.
  • Test for input manipulation and provenance failure: Red team the prompts, datasets, connectors, and training inputs that can alter AI behaviour.

What's in the full article

Cyera's full blog post covers the framework-level detail this post intentionally leaves for the source:

  • A framework-by-framework comparison of MITRE AI Assurance, NIST AI RMF, and CSA AICM for implementation planning.
  • Specific control domains such as data classification, discovery, lineage, access controls, and integrity validation.
  • The article's own view of how these frameworks fit together in an enterprise AI governance programme.
  • Context on why data security is treated as foundational to trustworthy AI across the full stack.

👉 Read Cyera's comparison of MITRE AI Assurance, NIST AI RMF and CSA AICM →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

These frameworks are complementary, not competing. AI governance breaks down when teams treat strategic risk management, technical assurance, and operational controls as substitutes. NIST AI RMF, CSA AICM, and MITRE AI Assurance each answer a different question about the same system. The practitioner conclusion is to sequence them as governance, controls, then testing.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to GitGuardian and CyberArk.

A question worth separating out:

Q: What is the difference between AI governance and AI assurance?

A: AI governance defines who is responsible, what risk is acceptable, and how oversight works. AI assurance proves whether the system actually behaves within those boundaries through testing, validation, and operational evidence.

👉 Read our full editorial: Comparing MITRE, NIST and CSA for trustworthy AI security



   