About HAIAMM

What is HAIAMM?

The Human Assisted Intelligence Assurance Maturity Model (HAIAMM) provides a comprehensive framework for organizations designing and implementing AI to automate workflows and augment capabilities, what we call Human Assisted Intelligence (HAI).

HAIAMM addresses the governance, building, verification, and operations of HAI systems with foundational practices to ensure trust, safety, and security.

Why HAIAMM?

Traditional security frameworks (ISO 27001, NIST CSF) weren't designed for Human Assisted Intelligence deployments. HAIAMM fills this gap by providing:

Key Features (v3.0)

Version History

VersionDateChanges
v3.0 CURRENT 2026-05-14 Subject reframing, AI/HAI as subject, not tool, The subject of every (domain × practice × level) cell is now the AI/HAI systems, data, infrastructure, workflows, endpoints, and vendor tools the organization builds, consumes, or operates. AI-as-security-tool framing (AI-SOC, AI-DLP, AI vendor scoring) retired
216 canonical cells, 6 domains × 12 practices × 3 levels, each authored to the canonical template (Practice Overview → per-level Objective/Dependencies/Outcomes/Activities/Outcome Metrics/Process Metrics/Effectiveness Metrics/Success Criteria → trailer with Pitfalls and Maturity Questions)
72 one-pagers at full conformance, Vendors, Software, Data, Infrastructure, Processes, Endpoints, all 12 practices each
HAI-specific threat taxonomy, EA (Excessive Agency), AGH (Agent Goal Hijack), TM (Tool Misuse), RA (Rogue Agents) elevated from footnote to first-class category, threaded through TA → SA → ST → ML
Vendors as a first-class domain with shadow AI reduction as the primary L1 outcome, full 12-practice, 3-level treatment for vendor-provided AI and AI-embedded SaaS
MITRE ATLAS canonical, elevated from "one reference" to the canonical adversarial-ML reference; ATLAS tactics TA0001-TA0014 walked per archetype in TA; AML.M00xx mitigations referenced in SA; AWS per-cloud threat-model template authored (Azure/GCP pending)
Outcome metrics by default, every level prescribes outcome metrics with baseline, target, and source. No activity without a metric
Risk-tier-driven calibration, SM L2 produces a risk-tier rubric and tier-treatment matrix in each domain; every other L2 cell inherits
Priority compliance map, EU AI Act (Art. 9/12/14/15/26/50, Annex III), NIST AI RMF + Playbook (GOVERN/MAP/MEASURE/MANAGE), GDPR (Art. 22/28/32/33, 44-49), ISO/IEC 42001, ISO/IEC 27001 (A.5/A.8), SOC 2 CC9.2, plus HIPAA/PCI-DSS/FINRA/SEC/HHS-FDA/NYDFS Part 500/OCC/NYC LL 144/CO SB-21-169/FCRA/EEOC/FERPA/COPPA
72 questionnaires rewritten to v3.0 with outcome-metrics scoring
v3.0 Handbook (PDF), full practitioner reference available for download
v2.0 2025 Assessment methodology, Comprehensive questionnaire-based assessment (OpenSAMM v1.0 methodology), scoring, 5-phase process, industry benchmarks
Threat Intelligence, Elevated to foundational capability across all 6 domains (consumption → analysis → production)
Prompt Injection Security (Arcanum PI Taxonomy by Jason Haddix, CC BY 4.0) integrated across 15 practice one-pagers: 13 attack intents, 18 techniques, 20 evasion methods
Critical HAI Assurance: 4 agentic AI risks (EA/AGH/TM/RA), “Least Agency Principle” governance, 21 new practice-domain combinations, 47 new assessment questions, 95% OWASP alignment (LLM Top 10 2025 & Agentic Top 10 2026)
Note: v2.0 framed AI as a security tool (AI doing SAST/DLP/SOC/vendor scoring). This subject framing is retired in v3.0.
v1.02024Initial framework release, 12 practices, 6 domains, 3 maturity levels, 72 practice-domain combinations

License & Contributing

HAIAMM is open source. Visit the GitHub repository to contribute or submit issues. The complete HAIAMM Handbook v3.0 (PDF), Executive Summary, and Model Master Document are available on the downloads page.

Framework Alignment

ISO 27001

Information security management alignment.

NIST CSF

Cybersecurity Framework risk management.

NIST AI RMF

AI Risk Management Framework governance.

OpenSAMM

Software assurance maturity model methodology.

OWASP LLM Top 10

95% coverage of LLM application risks.

OWASP Agentic Top 10

95% coverage of agentic AI risks.