ai · security · skills

Case study · research artifact

Governance was already present.Comprehension was missing.

On the left, the published Cloud Security Alliance (CSA) clause as written. On the right, the explainer’s plain-language answer for an employee’s question about the same clause, citing framework, version, and clause id, with every condition preserved. No blending across versions or frameworks. If the corpus does not carry the answer, the explainer abstains and routes to the policy owner.

One clause, eight languagesEnglish
AICM DSP-15 · v1.1.0AÑÃÉ

Asked in English

Can I use real customer data to test our new AI feature?

Same answer, same clause: AICM DSP-15Limitation of Production Data Use, cited every time.

Situation

Your governance library is complete — the clauses exist for nearly every AI question an employee has.

Complication

Nobody can find or parse them at the moment of need, so people guess. Governance present, comprehension missing.

The question

Can employees get a trustworthy answer from OUR policy, at the moment they need it, without calling us?

The answer

Retrieval over the real corpus: answers composed only from the governing clause, cited every time, abstaining when the corpus is silent — in eight languages.

Honesty. The paraphrases on this page are Modeled Real fixed-corpus result, not independently reviewed.They were authored to mirror the explainer’s contract (normative force preserved, conditions named, clause cited) so the page reads cold even without a large language model (LLM) call. Want to ask your own question? Try the live explainer →

Employee asks

How often do we have to update our audit policies?

Before — the published clause

Verbatim CSA clause text is owner-only at this tier.

AICM 1.1.0 · A&A-01 · Audit and Assurance Policy and Procedures

After — the explainer answer

Your AI audit and assurance policies must be reviewed and updated at least once a year, plus any time something significant changes. They have to be written down, signed off, shared, applied, and re-evaluated as a steady practice — not a one-off.

Conditions

  • At least annually, even if nothing has changed.
  • Any significant change to the AI program or its environment triggers an update outside the annual cycle.
AICM 1.1.0 · A&A-01

The published clause is CSA copyright; owner viewers see it verbatim. The explainer’s paraphrase is constructed to preserve normative force and every condition.

Employee asks

Where does the rule about data classification live, and what do we have to do?

Before — the published clause

Verbatim CSA clause text is owner-only at this tier.

AICM 1.1.0 · DSP-01 · Security and Privacy Policy and Procedures

After — the explainer answer

You need written policies and procedures that classify, protect, prepare, and handle data across its whole lifecycle. They have to line up with applicable laws and regulations, with relevant standards, and with the risk level of the data. Review and update them at least once a year.

Conditions

  • Cover the full data lifecycle, not just the active-use stage.
  • Must align with applicable laws, regulations, and standards.
  • Risk level of the data sets how much protection the policy demands.
  • Annual review minimum.
AICM 1.1.0 · DSP-01

The published clause is CSA copyright; owner viewers see it verbatim. The explainer’s paraphrase is constructed to preserve normative force and every condition.

Employee asks

When do we have to refresh our identity and access management policies?

Before — the published clause

Verbatim CSA clause text is owner-only at this tier.

AICM 1.1.0 · IAM-01 · Identity and Access Management Policy and Procedures

After — the explainer answer

IAM policies and procedures must be written down, approved, shared, and applied, and then reviewed and updated at least every year. Any significant change also triggers a refresh ahead of the annual cycle.

Conditions

  • Reviewed at least annually.
  • Reviewed sooner if anything significant changes (e.g. new system, vendor swap, role redesign).
AICM 1.1.0 · IAM-01

The published clause is CSA copyright; owner viewers see it verbatim. The explainer’s paraphrase is constructed to preserve normative force and every condition.

Employee asks

What does CCM say about its security training requirement, and how does AICM relate?

Before — the published clause

Verbatim CSA clause text is owner-only at this tier.

CCM 4.0.13 · HRS-11 · Security Awareness Training

After — the explainer answer

CCM v4.0.13 HRS-11 sets the foundational expectation: ongoing security awareness training for all personnel. AICM v1.1.0 keeps the same control id and adds AI-specific obligations — they are sibling controls, not the same control. Treat your existing CCM HRS-11 program as the baseline; layer the AICM additions for AI literacy on top. The two MUST NOT be blended into one answer.

Conditions

  • Foundational training requirement comes from CCM v4.0.13.
  • AI-specific layer comes from AICM v1.1.0 (same id, different scope).
  • Read each version on its own; do not paraphrase across them.
CCM 4.0.13 · HRS-11

The published clause is CSA copyright; owner viewers see it verbatim. The explainer’s paraphrase is constructed to preserve normative force and every condition.

Employee asks

At AISMM Level 3 (Defined), what does the Governance category actually require?

Before — the published clause

Verbatim CSA clause text is owner-only at this tier.

AISMM v3.7 · GOV-03.2 · Governance L3 · Authoritative AI deployment and application registry

After — the explainer answer

At AISMM Level 3 (Defined), Governance requires that the AI Council maintain an authoritative registry of AI deployments and applications. Each entry must link back to its approved use case and provider. This is the Level 3 bar — earlier levels do NOT clear it, and Level 4 / Level 5 add more on top.

Conditions

  • Specific to AISMM Level 3 (Defined) — do not claim it at L1 or L2.
  • Registry must be authoritative, not a sample or an inventory snapshot.
  • Each entry traces to an approved use case and an approved provider.
AISMM v3.7 · GOV-03.2

The published clause is CSA copyright; owner viewers see it verbatim. The explainer’s paraphrase is constructed to preserve normative force and every condition.

Why this matters. The published policy is the system of record. The explainer points to it; it never replaces it. The reader leaves with the rule and its source, never a basis to claim compliance.