AIMA
G-PC-A: Stream A
G-PC-A-1: Is there an awareness or initial informal policy for AI usage within the organization?
Minimal AI-Specific Policies: AI risks are loosely covered by general IT/security policies, if at all.
Reactive Updates: Policies change only after incidents or regulatory pressure.
Limited Guidance: Teams lack clear instructions for secure or responsible AI development.
G-PC-A-2: Is there basic awareness of compliance needs relevant to AI (e.g., GDPR, ethical guidelines)?
Documented AI Policies and Standards: Formal requirements cover data use, model validation, bias testing, explainability, etc.
Periodic Reviews: Policies are reviewed on a defined schedule or when major changes occur.
Consistent Application: Projects follow the standards; exceptions require documented approval.
G-PC-A-3: Has a formal AI policy been established and clearly communicated to all relevant stakeholders?
Integrated Policy Framework: AI policies are embedded in enterprise governance, risk, and ethics programs.
Proactive Evolution: Updates anticipate emerging threats and regulations, guided by continuous risk scanning and industry input.
Automated Enforcement: CI/CD gates, data-use controls, and policy-as-code tooling flag or block non-compliant artifacts automatically.