Essay
Step-one deliverable: the AI Consensus Assessments Initiative Questionnaire (AI-CAIQ), pointed both ways — a Security, Trust, Assurance and Risk (STAR) for AI Level 1 submission for providers, a provider-evaluation pack for AI customers.
3 June 2026 · 5 min read · Binu Chacko
Situation
Self-assessment is where every program starts.
Complication
It is also where trust ends, unless there is a stated path to something a third party can hold.
The question
“What can I hand an external party, and when?”
The answer
The evidence ladder — self-assessed → measured → verified — and the specific artifact each rung produces.
The same questionnaire serves two audiences. If you provide AI services: a completed AI Consensus Assessments Initiative Questionnaire (AI-CAIQ) prepared for a Security, Trust, Assurance and Risk (STAR) for AI Level 1 self-assessment registry submission. If you consume them: a provider-evaluation pack that turns supply-chain due diligence from a vibe into a question set.
The AI Consensus Assessments Initiative Questionnaire walks the same control spine as everything else in this practice — the 247 AI Controls Matrix (AICM) control objectives — as structured assessment questions. Because it shares that spine, your coverage assessment is most of the work: the questionnaire is the outward-facing form of answers you already evidenced inward.
Assurance you can hand to a stranger is worth more than confidence you keep in a drawer — as long as you never label self-assessment as certification.
Pointed the other way, the same questions grade your vendors. For each provider in your chain — the seats mapped in the SSRM ownership map — the pack asks for their answers and their evidence on the controls they own. A provider that cannot answer is itself a finding, and lands on the remediation roadmap as a supply-chain gap.
Re-attest on material change — a new model provider, a new orchestration layer, a scope change — not on the calendar alone. The artefact is a snapshot; the chain it describes is not.
Instruments: Cloud Security Alliance (CSA) AI-CAIQ v1.1.0 and the STAR for AI Level 1 submission process, used with attribution per CSA terms. The AI-CAIQ in this practice is the assessment input; submission to the registry is the provider’s own act.
← Newer essay
The Prioritised Remediation Roadmap
Older essay →
Operating the Platform: A Leverage Guide
Subscribe for the next essay.