At this level, AI systems implement essential security protocols to ensure basic protection, including encryption, secure coding practices, and adherence to privacy regulations. Supply chain aspects include basic tracking of third-party components and dependencies used in the AI system to ensure that external software libraries meet minimal security and privacy standards. These foundational measures are suited for non-critical use cases, where security risks are lower but must still be managed to prevent vulnerabilities.
This grade focuses on implementing more advanced security and privacy practices for AI systems. In addition to basic encryption, these systems are designed to secure sensitive data through rigorous data handling procedures and proactive vulnerability management. The standards emphasize alignment with well-established security frameworks (e.g., ISO/IEC 27001 or NIST) and are intended for AI systems handling sensitive data.
From a software supply chain perspective, AIGP-2 grade systems must also ensure the generation of Software Bill of Materials (SBOMs) and AI Bill of Materials (AIBOMs). At a minimum, these BOMs should include the essential elements necessary for transparency and traceability. This ensures that all third-party components, training data, and other dependencies are properly tracked and validated for security, minimizing the risk of vulnerabilities within the supply chain.
This advanced grade focuses on ensuring full transparency and robust security across the entire lifecycle of an AI system, from third-party model acquisition, development, and training to deployment and ongoing operations, in alignment with regulatory requirements.
Central to this grade is the generation and operationalization of an AI Bill of Materials (AIBOM), which documents all components involved in building and maintaining the AI system, including training data sources, third-party libraries, models, and dependencies. The AIBOM must be seamlessly integrated into the MLOps (AI/ML development and operations) lifecycle, ensuring end-to-end visibility and traceability, from model acquisition and development to continuous deployment and monitoring.
AI systems at this stage adhere to stringent supply chain security protocols, conducting thorough assessments of the origins and security of all software, models, and data inputs. These practices are critical for AI systems deployed in highly sensitive or regulated environments, such as healthcare, critical infrastructure, or financial services, where complete visibility into the AI supply chain is essential for mitigating risks. This level also incorporates continuous monitoring and proactive vulnerability management, ensuring that AI systems evolve securely over time.
By embedding AIBOM into the MLOps pipeline, organizations can ensure ongoing compliance, seamless updates, and robust risk management throughout the AI system's lifecycle.
The CIAS framework introduces sector-specific enhancements for AI systems operating in critical infrastructure, while recognizing overlapping security needs across multiple sectors. To achieve a CIAS-specific grade, which certifies AI systems for safe use in critical infrastructure sectors, AI systems must first meet the minimum security requirements of AIGP-2. This ensures that foundational security practices—such as enhanced data protection, supply chain transparency, and proactive vulnerability management—are already in place before adding the additional layers required for critical infrastructure.
The CIAS standards then build on this foundation, introducing sector-specific safety, compliance, and resilience requirements essential for highly regulated environments such as healthcare, energy, and transportation. This approach ensures that AI systems are both secure and adaptable to the stringent demands of critical infrastructure, providing confidence in their operational safety and regulatory alignment while leveraging shared security practices across sectors.
CIAS-1: Baseline for critical infrastructure that interacts with less sensitive environments but still requires safety and regulatory alignment.
CIAS-2: Enhanced level for AI systems directly impacting human safety, essential services, or large-scale critical infrastructure (e.g., energy grids, transportation control systems).
CIAS-3: Highest level of certification for AI systems used in high-risk environments, such as nuclear power plants, defense, or systems with life-or-death implications (e.g., healthcare AI systems).
Energy (AIGP-2-CIAS-2):
For the energy sector, AI systems must prioritize grid stability, secure communication with control systems, and compliance with energy-specific regulations like NERC CIP. A minimum AIGP-2-CIAS-2 grade ensures that the AI systems are equipped with enhanced security and supply chain transparency, along with the specific safety requirements needed to operate in the energy sector.
Example: An AI system used to manage real-time energy distribution must have the AIGP-2-CIAS-2 grade to ensure its secure and reliable operation across the grid, preventing disruptions or vulnerabilities in the energy supply chain.
Healthcare (AIGP-2-CIAS-2 and AIGP-2-CIAS-3):
In healthcare, the focus is on patient data protection, HIPAA compliance, and ensuring that AI-driven diagnostic or treatment systems do not introduce risks that could endanger patients. Systems handling more sensitive or critical operations, such as AI-powered diagnostic tools or AI-powered robotics, may require the higher AIGP-2-CIAS-3 grade for the strictest levels of security, operational safety, and regulatory compliance.
Example: An AI system that powers a surgical robot would require a minimum AIGP-2-CIAS-3 grade to ensure secure data handling, patient safety, and compliance with healthcare regulations like HIPAA and FDA standards during high-risk surgeries.
Transportation (AIGP-2-CIAS-2):
In the transportation sector, AI systems must comply with safety standards for autonomous vehicles, air traffic control, and logistics. This includes securing communication channels and ensuring operational reliability to prevent accidents or system failures. An AIGP-2-CIAS-2 grade would be the minimum requirement to certify that these systems are secure and suitable for such critical applications.
Example: An autonomous vehicle fleet management AI system would need to implement AIGP-2-CIAS-2 grade to ensure its algorithms are safe for public road usage and that its communication systems are secure from potential cybersecurity threats.
