AAT

Artificial Intelligence & Autonomous Technologies

156 controls

Ensure trustworthy and resilient Artificial Intelligence (AI) and autonomous technologies to achieve a beneficial impact by informing, advising or simplifying tasks, while minimizing emergent properties or unintended consequences.

SCF # Control Name Weight NIST CSF Frameworks
AAT-01 Artificial Intelligence (AI) & Autonomous Technologies Governance 10 — Critical Govern 10
AAT-01.1 AI & Autonomous Technologies-Related Legal Requirements Definition 8 — High Govern 8
AAT-01.2 Trustworthy AI & Autonomous Technologies 10 — Critical Protect 6
AAT-01.3 AI & Autonomous Technologies Value Sustainment 1 — Low Identify 5
AAT-01.4 AI Model & Agent Inventory & Lifecycle Management 5 — Medium Identify 2
AAT-02 Situational Awareness of AI & Autonomous Technologies 9 — Critical Identify 7
AAT-02.1 AI & Autonomous Technologies Risk Mapping 9 — Critical Identify 6
AAT-02.2 AI & Autonomous Technologies Internal Controls 9 — Critical Identify 5
AAT-02.3 Adequate Protections For AI & Autonomous Technologies 10 — Critical Govern 4
AAT-02.4 AI Threat Modeling & Risk Assessment 5 — Medium Govern 2
AAT-03 AI & Autonomous Technologies Context Definition 8 — High Identify 7
AAT-03.1 AI & Autonomous Technologies Mission and Goals Definition 8 — High Identify 5
AAT-03.2 Model & AI Agent Documentation 5 — Medium Govern 3
AAT-04 AI & Autonomous Technologies Business Case 8 — High Identify 4
AAT-04.1 AI & Autonomous Technologies Potential Benefits Analysis 2 — Low Identify 3
AAT-04.2 AI & Autonomous Technologies Potential Costs Analysis 2 — Low Identify 5
AAT-04.3 AI & Autonomous Technologies Targeted Application Scope 8 — High Identify 3
AAT-04.4 AI & Autonomous Technologies Cost / Benefit Mapping 2 — Low Identify 3
AAT-05 AI & Autonomous Technologies Training 5 — Medium Identify 4
AAT-06 AI & Autonomous Technologies Fairness & Bias 9 — Critical Identify 4
AAT-07 AI & Autonomous Technologies Risk Management Decisions 10 — Critical Identify 6
AAT-07.1 AI & Autonomous Technologies Impact Assessment 8 — High Identify 6
AAT-07.2 AI & Autonomous Technologies Likelihood & Impact Risk Analysis 10 — Critical Identify 6
AAT-07.3 AI & Autonomous Technologies Continuous Improvements 8 — High Identify 5
AAT-08 Assigned Responsibilities for AI & Autonomous Technologies 9 — Critical Identify 6
AAT-09 AI & Autonomous Technologies Risk Profiling 9 — Critical Identify 8
AAT-09.1 AI & Autonomous Technologies High Risk Designations 7 — High Identify 5
AAT-10 Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) 10 — Critical Detect 6
AAT-10.1 AI TEVV Trustworthiness Assessment 10 — Critical Detect 5
AAT-10.2 AI TEVV Tools 7 — High Detect 3
AAT-10.3 AI TEVV Trustworthiness Demonstration 9 — Critical Detect 4
AAT-10.4 AI TEVV Safety Demonstration 10 — Critical Detect 4
AAT-10.5 AI TEVV Security & Resiliency Assessment 6 — Medium Detect 4
AAT-10.6 AI TEVV Transparency & Accountability Assessment 7 — High Detect 3
AAT-10.7 AI TEVV Privacy Assessment 9 — Critical Detect 3
AAT-10.8 AI TEVV Fairness & Bias Assessment 9 — Critical Detect 4
AAT-10.9 AI & Autonomous Technologies Model Validation 5 — Medium Detect 3
AAT-10.10 AI TEVV Results Evaluation 10 — Critical Detect 4
AAT-10.11 AI TEVV Effectiveness 5 — Medium Detect 3
AAT-10.12 AI TEVV Comparable Deployment Settings 5 — Medium Identify 3
AAT-10.13 AI TEVV Post-Deployment Monitoring 9 — Critical Detect 6
AAT-10.14 Updating AI & Autonomous Technologies 9 — Critical Identify 4
AAT-10.15 AI TEVV Reporting 5 — Medium Protect 3
AAT-10.16 AI TEVV Empirically Validated Methods 1 — Low Protect 2
AAT-10.17 AI TEVV Benchmarking Content Provenance 7 — High Protect 2
AAT-10.18 AI TEVV Model Collapse Mitigations 8 — High Protect 2
AAT-10.19 AI TEVV Third-Party Risk Management 5 — Medium Identify 2
AAT-11 Robust Stakeholder Engagement for AI & Autonomous Technologies 9 — Critical Protect 5
AAT-11.1 AI & Autonomous Technologies Stakeholder Feedback Integration 9 — Critical Protect 4
AAT-11.2 AI & Autonomous Technologies Ongoing Assessments 9 — Critical Protect 5
AAT-11.3 AI & Autonomous Technologies End User Feedback 7 — High Protect 4
AAT-11.4 AI & Autonomous Technologies Incident & Error Reporting 9 — Critical Protect 5
AAT-12 AI & Autonomous Technologies Intellectual Property Infringement Protections 10 — Critical Protect 5
AAT-12.1 Data Source Identification 10 — Critical Govern 5
AAT-12.2 Data Source Integrity 10 — Critical Protect 4
AAT-12.3 Data Source Lineage & Origin Disclosure 9 — Critical Protect 3
AAT-12.4 Digital Content Modification Logging 9 — Critical Protect 2
AAT-13 AI & Autonomous Technologies Stakeholder Diversity 8 — High Identify 4
AAT-13.1 AI & Autonomous Technologies Stakeholder Competencies 9 — Critical Govern 7
AAT-14 AI & Autonomous Technologies Requirements Definitions 8 — High Govern 4
AAT-14.1 AI & Autonomous Technologies Implementation Tasks Definition 8 — High Govern 4
AAT-14.2 AI & Autonomous Technologies Knowledge Limits 10 — Critical Identify 4
AAT-15 AI & Autonomous Technologies Viability Decisions 10 — Critical Protect 5
AAT-15.1 AI & Autonomous Technologies Negative Residual Risks 9 — Critical Protect 6
AAT-15.2 Responsibility To Supersede, Deactivate and/or Disengage AI & Autonomous Technologies 10 — Critical Protect 6
AAT-16 AI & Autonomous Technologies Production Monitoring 9 — Critical Detect 7
AAT-16.1 AI & Autonomous Technologies Measurement Approaches 8 — High Detect 2
AAT-16.2 Measuring AI & Autonomous Technologies Effectiveness 5 — Medium Detect 3
AAT-16.3 Unmeasurable AI & Autonomous Technologies Risks 7 — High Detect 5
AAT-16.4 Efficacy of AI & Autonomous Technologies Measurement 5 — Medium Govern 3
AAT-16.5 AI & Autonomous Technologies Domain Expert Reviews 8 — High Govern 4
AAT-16.6 AI & Autonomous Technologies Performance Changes 10 — Critical Govern 3
AAT-16.7 Pre-Trained AI & Autonomous Technologies Models 8 — High Protect 3
AAT-16.8 AI & Autonomous Technologies Event Logging 7 — High Protect 3
AAT-16.9 Serious Incident Reporting For AI & Autonomous Technologies 5 — Medium Protect 4
AAT-16.10 Serious Incident Root Cause Analysis (RCA) For AI & Autonomous Technologies 8 — High Protect 3
AAT-16.11 Anomaly Detection & Human Oversight 5 — Medium Protect 3
AAT-16.12 Human-in-the-Loop & Escalation 5 — Medium Protect 3
AAT-16.13 Emergent Behavior & Collusion Protections 5 — Medium Protect 3
AAT-16.14 Multi-Agent Trust & Communication Validation 5 — Medium Protect 3
AAT-17 AI & Autonomous Technologies Harm Prevention 10 — Critical Protect 6
AAT-17.1 AI & Autonomous Technologies Human Subject Protections 10 — Critical Protect 4
AAT-17.2 AI & Autonomous Technologies Environmental Impact & Sustainability 9 — Critical Govern 4
AAT-17.3 Previously Unknown AI & Autonomous Technologies Threats & Risks 9 — Critical Govern 5
AAT-17.4 Novel Risk Assessment Methods & Technologies 7 — High Protect 2
AAT-17.5 Fine Tuning Risk Mitigation 9 — Critical Protect 2
AAT-18 AI & Autonomous Technologies Risk Tracking Approaches 9 — Critical Govern 5
AAT-18.1 AI & Autonomous Technologies Risk Response 10 — Critical Govern 6
AAT-19 AI & Autonomous Technologies Conformity 9 — Critical Protect 5
AAT-19.1 Manipulative or Deceptive Techniques 9 — Critical Protect 3
AAT-19.2 Materially Distorting Behaviors 9 — Critical Protect 3
AAT-19.3 Social Scoring 9 — Critical Protect 3
AAT-19.4 Detrimental or Unfavorable Treatment 9 — Critical Protect 3
AAT-19.5 Risk and Criminal Profiling 4 — Medium Protect 3
AAT-19.6 Populating Facial Recognition Databases 9 — Critical Protect 3
AAT-19.7 Emotion Inference 5 — Medium Protect 3
AAT-19.8 Biometric Categorization 5 — Medium Protect 4
AAT-20 AI & Autonomous Technologies Development Practices 10 — Critical Protect 3
AAT-20.1 AI & Autonomous Technologies Transparency 9 — Critical Protect 4
AAT-20.2 AI & Autonomous Technologies Implementation Documentation 9 — Critical Protect 4
AAT-20.3 AI & Autonomous Technologies Human Domain Knowledge Reliance 5 — Medium Protect 2
AAT-21 AI & Autonomous Technologies Registration 4 — Medium Protect 3
AAT-22 AI & Autonomous Technologies Deployment 8 — High Protect 4
AAT-22.1 AI & Autonomous Technologies Human Oversight 9 — Critical Protect 4
AAT-22.2 AI & Autonomous Technologies Oversight Measures 9 — Critical Protect 4
AAT-22.3 AI & Autonomous Technologies Separate Verification 9 — Critical Protect 2
AAT-22.4 AI & Autonomous Technologies Oversight Functions Competency 9 — Critical Protect 2
AAT-22.5 AI & Autonomous Technologies Data Relevance 5 — Medium Protect 2
AAT-22.6 AI & Autonomous Technologies Irregularity Reporting 8 — High Protect 2
AAT-22.7 AI & Autonomous Technologies Use Notification To Employees 5 — Medium Protect 3
AAT-22.8 AI & Autonomous Technologies Use Notification To Users 5 — Medium Protect 3
AAT-23 AI & Autonomous Technologies Output Marking 5 — Medium Protect 3
AAT-24 Real World Testing of AI & Autonomous Technologies 5 — Medium Protect 3
AAT-25 AI & Autonomous Technologies System Value Chain 3 — Low Protect 3
AAT-25.1 AI & Autonomous Technologies System Value Chain Fallbacks 5 — Medium Protect 2
AAT-26 AI & Autonomous Technologies Testing Techniques 8 — High Protect 2
AAT-26.1 Generative Artificial Intelligence (GAI) Identification 5 — Medium Protect 2
AAT-26.2 AI & Autonomous Technologies Capabilities Testing 2 — Low Protect 2
AAT-26.3 Real-World Testing 7 — High Protect 2
AAT-26.4 Documenting Testing Guidance 5 — Medium Protect 2
AAT-27 AI & Autonomous Technologies Output Filtering 5 — Medium Protect 2
AAT-27.1 Human Moderation 2 — Low Protect 2
AAT-28 AI Model Resilience 5 — Medium Protect 2
AAT-28.1 Model Pollution 5 — Medium Protect 2
AAT-28.2 Cascading Hallucination Defense 5 — Medium Protect 2
AAT-28.3 Resource Exhaustion & DoS Resilience 5 — Medium Protect 2
AAT-29 AI Agent Governance 5 — Medium Protect 3
AAT-29.1 Infrastructure Hardening & Isolation 5 — Medium Protect 3
AAT-29.2 AI Agent Limitations 5 — Medium Protect 3
AAT-29.3 Tool & API Invocation Controls 5 — Medium Protect 3
AAT-29.4 Orchestration Protocol Safeguards 5 — Medium Protect 3
AAT-29.5 Data Pipeline & Input Integrity 5 — Medium Protect 3
AAT-29.6 Privileged Role & Delegation Boundaries 5 — Medium Protect 3
AAT-29.7 AI Agent Data Access Restrictions 5 — Medium Protect 3
AAT-29.8 Data Extraction 5 — Medium Protect 3
AAT-29.9 AI Agent Identity & Impersonation Defense 5 — Medium Protect 3
AAT-29.10 AI Agent Logic Integrity 5 — Medium Protect 3
AAT-29.11 Sandboxing AI Agents 5 — Medium Protect 3
AAT-29.12 Prompt Injection Defense 5 — Medium Protect 3
AAT-29.13 Agent Kill Switch / User Control 4 — Medium Protect 3
AAT-29.14 Adversarial & Red Team Testing 3 — Low Protect 3
AAT-29.15 Self-Modification Controls 5 — Medium Protect 3
AAT-29.16 Purging AI Agent Data 5 — Medium Protect 3
AAT-29.17 Delegation and Chaining Control 5 — Medium Protect 3
AAT-29.18 Behavioral Drift Detection 5 — Medium Protect 3
AAT-29.19 AI Agent Action Authentication & Authorization 5 — Medium Protect 3
AAT-29.20 Transparency & Audit 5 — Medium Protect 3
AAT-29.21 Explainability 5 — Medium Protect 3
AAT-29.22 Ethics, Fairness & Bias Detection 5 — Medium Protect 3
AAT-29.23 Agent Output Integrity & Verification 5 — Medium Protect 3
AAT-30 Agentic Output Traceability & Repudiation 5 — Medium Protect 3
AAT-30.1 AI Agent Logging 5 — Medium Protect 3
AAT-30.2 Session Management 5 — Medium Protect 3
AAT-31 Human-in-the-Loop Workload & Manipulation 5 — Medium Protect 3
AAT-32 Robotic Process Automation (RPA) 5 — Medium Protect 2
AAT-32.1 Business Process Task Enumeration 5 — Medium Protect 2

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.
