The Cloud Security Alliance (CSA) Swiss Chapter represents the CSA global organisation. The CSA is spearheading several global research initiatives to improve and fortify information security and data protection in cloud-based services and in the underlying platforms and infrastructure. With a strong focus on Artificial Intelligence (AI) and supply chain security, the CSA is driving innovation and setting new standards in these critical areas. The key CSA activities are outlined below:
CSA Artificial Intelligence (AI) Safety Initiative
The AI Safety Initiative is the premier coalition of trusted experts developing and delivering essential AI guidance and tools that empower organizations of all sizes to deploy AI solutions that are safe, responsible, and compliant. With vendor-neutral research, training and certificates, and a global footprint of industry experts, chapters, webinars and conferences, the CSA is uniquely positioned to offer authoritative AI best practices and tools:
The CSA AI Control Matrix (AICM)
AICM is a vendor-agnostic framework for cloud-based AI systems. Organizations can use AICM to develop, implement, and operate AI technologies in a secure and responsible manner. Developed by industry experts, AICM builds on CSA’s Cloud Controls Matrix and incorporates the latest AI security best practices.
AICM contains 243 control objectives distributed across 18 security domains and analyzed along five critical pillars: Control Type, Control Applicability and Ownership, Architectural Relevance, LLM Lifecycle Relevance, and Threat Category. It maps to leading standards, including ISO 42001, ISO 27001, NIST AI RMF 1.0, and BSI AIC4.
The CSA STAR for AI Program
STAR for AI provides a security controls framework, AI safety pledge, and certification program tailored for AI systems. It delivers a transparent, expert-driven, and consensus-based mechanism for organizations to assess, demonstrate, and ensure AI trustworthiness.
Building on the world’s most complete cloud assurance program with over 3,400 assessments globally, CSA’s STAR Registry is expanding to include AI services. STAR for AI draws from the Cloud Controls Matrix to offer an authoritative foundation for measuring and communicating AI assurance.
Whether you’re an AI model, platform, orchestrator or application provider—or a cloud or SaaS provider—STAR for AI equips you with what you need to showcase alignment with recognized AI controls, build credible and transparent AI security programs, and validate the AI services you use or provide.
Trusted AI Safety Expert (TAISE) Certificate
As AI transforms every industry, professionals need to be trained in governance, risk management, and AI security. The CSA and Northeastern University have partnered to build the Trusted AI Safety Expert (TAISE) certificate, equipping professionals with the skills to develop, deploy, and govern AI responsibly, setting a new standard for AI leadership.
Supply Chain Risk Management
Supply chain data protection and information security are another core focus of the CSA. Effective risk and compliance management for processing sensitive data across the supply chain is crucial. The CSA addresses several common misconceptions, or «hypes», in this area:
Hype 1: Artificial Intelligence Does Compliance: While AI can validate the completeness and consistency of responses and evidence, it is essential to manually audit compliance with core regulatory and jurisdictional requirements.
Hype 2: ISO Certificates or SOC Attestations Offer Full Cloud Security Compliance: The scope of these certifications is configurable, and they may not address specific cloud-native challenges or some regulatory requirements. CSA STAR Level 2 provides a more robust solution.
Hype 3: Periodic Assessments Are Sufficient: Continuous monitoring with real-time transparency and assigned accountabilities across the entire supply chain are necessary to ensure resilience.
Hype 4: I Can Buy Continuous Monitoring: Full integration of incident reporting, real-time log accessibility, and visibility across the service provider and its supply chain are essential. Join the Cloud Security Alliance CAR Initiative: «Compliance Automation Revolution».
Hype 5: My Service Providers Know and Control Their Supply Chain Risk: The depth of the supply chain entails resilience, concentration and data controllership issues. Attacks target the weakest link in the supply chain: the lower the awareness and the barriers to entry, the wider the blast radius. Contracts must reflect risk control and compliance requirements, including a legally enforceable Right to Audit clause. Join the CSA Cyber Threat Psychology research project.
The EATO Framework: Attestation of XaaS information security compliance for processing of highly regulated data
XaaS providers may be certified according to ISO 27001 or may hold a SOC 2 Type 2 attestation. Neither of these reflects the tight regulatory requirements that apply when processing sensitive data. The CSA STAR Level 2 program is a further step up in strengthening control over information security; the EATO extension to CSA STAR Level 2 tightens compliance further to meet the requirements of stringent global regulatory standards for data at the highest protection levels:
- EATO targets Anything-as-a-Service (XaaS) providers together with their entire supply chain processing highly regulated data.
- It has grown from practice in multiple global institutions, amalgamating their assessment, remediation, consultancy and attestation frameworks.
- It is based on the CSA Cloud Controls Matrix, with augmented controls and auditing guidance covering tight regulatory requirements.
- It plugs into the CSA STAR framework as a Level 2 «extended» attestation.
- Findings must be remediated and re-audited before attestation is granted.
- It applies a subscription-based model with shared funding, saving cost.
The CSA Compliance Automation Revolution (CAR)
CAR’s mission is to modernize the entire compliance ecosystem through automation, integration, and data-driven assurance, introducing continuous, automated, and scalable assurance, by embracing «as code» practices, and enabling real-time, evidence-based trust:
Automate Compliance (Automated Evidence Collection and Sharing): Develop methods and tools to automatically gather compliance evidence and share it in a standardized, machine-readable format, specifically the Open Security Controls Assessment Language (OSCAL). Evidence should be collected continuously from systems (logs, configurations, runtime metrics), aggregated in real time, translated into OSCAL, and shared.
Automation will drastically reduce manual audits and improve accuracy: evidence is captured at the source, leaving less room for error or omission, and the compliance posture can be proven at any time with minimal effort.
Shift Compliance Left (Compliance by Design): Embed compliance checks early in development—as part of system design and CI/CD pipelines, rather than a painful afterthought.
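The two goals above (evidence captured at the source and translated into OSCAL, checks run inside the CI/CD pipeline) fit in one small script. The following is an added example, not CAR or CSA project code: it evaluates a constructed control catalogue against constructed configuration evidence, renders the verdicts in the shape of an OSCAL assessment-results document, and exposes a gate function a pipeline can fail on. The control IDs (EX-…), the FRAMEWORK-A/FRAMEWORK-B mapping references and the evidence values are all invented for the example, and the JSON field names follow the public OSCAL assessment-results model as the example's author understands it, without schema validation.

```python
"""Compliance-as-code: evidence -> control verdicts -> OSCAL-style results -> CI gate.

Added example (not CSA/CAR code). Control IDs, framework references and the
sample evidence are constructed; the JSON shape approximates the OSCAL
assessment-results model and is not validated against the official schema.
"""
import json
import uuid
from datetime import datetime, timezone

# Constructed evidence, as a collector would capture it at the source.
# In a real pipeline these attributes come from cloud APIs, IaC state or
# runtime telemetry; they are embedded here so the example runs offline.
SAMPLE_EVIDENCE = {
    "storage/prod-bucket": {"encryption_at_rest": True, "public_access": False},
    "storage/staging-bucket": {"encryption_at_rest": False, "public_access": False},
    "iam/account-policy": {"mfa_required": True, "password_min_length": 12},
    "logging/audit-trail": {"enabled": True, "retention_days": 90},
}

# Constructed control catalogue. "scope" selects evidence by key prefix,
# "predicate" is the test, and "satisfies" lists the (placeholder) framework
# references one test covers: the "write once, comply with many" idea.
CONTROLS = [
    {"id": "EX-ENC-01", "title": "Storage is encrypted at rest", "scope": "storage/",
     "predicate": lambda a: a.get("encryption_at_rest") is True,
     "satisfies": ["FRAMEWORK-A:CTRL-7", "FRAMEWORK-B:CTRL-12"]},
    {"id": "EX-PUB-02", "title": "No public storage access", "scope": "storage/",
     "predicate": lambda a: a.get("public_access") is False,
     "satisfies": ["FRAMEWORK-A:CTRL-9"]},
    {"id": "EX-IAM-03", "title": "MFA enforced for accounts", "scope": "iam/",
     "predicate": lambda a: a.get("mfa_required") is True,
     "satisfies": ["FRAMEWORK-A:CTRL-21", "FRAMEWORK-B:CTRL-3"]},
    {"id": "EX-LOG-04", "title": "Audit log enabled, retained >= 90 days", "scope": "logging/",
     "predicate": lambda a: a.get("enabled") is True and a.get("retention_days", 0) >= 90,
     "satisfies": ["FRAMEWORK-B:CTRL-30"]},
]


def evaluate_controls(evidence, controls):
    """Return one finding per control, with per-resource observations.

    A control is satisfied only if at least one in-scope resource exists and
    every in-scope resource passes the predicate; keeping the observations
    lets an auditor trace each verdict back to the evidence that produced it.
    """
    findings = []
    for ctrl in controls:
        observations = []
        for resource, attrs in sorted(evidence.items(), key=lambda kv: kv[0]):
            if not resource.startswith(ctrl["scope"]):
                continue
            observations.append({"resource": resource, "attributes": attrs,
                                 "passed": bool(ctrl["predicate"](attrs))})
        satisfied = bool(observations) and all(o["passed"] for o in observations)
        findings.append({"control_id": ctrl["id"], "title": ctrl["title"],
                         "satisfied": satisfied, "observations": observations,
                         "satisfies": ctrl["satisfies"]})
    return findings


def to_oscal_assessment_results(findings, title="Constructed CI assessment"):
    """Render findings as an OSCAL-style assessment-results document (dict)."""
    now = datetime.now(timezone.utc).isoformat()
    oscal_findings, oscal_observations = [], []
    for f in findings:
        related = []
        for o in f["observations"]:
            obs_uuid = str(uuid.uuid4())
            related.append({"observation-uuid": obs_uuid})
            oscal_observations.append({
                "uuid": obs_uuid, "methods": ["TEST"],
                "description": f"{f['control_id']} on {o['resource']}: "
                               f"{'pass' if o['passed'] else 'FAIL'}",
                # Raw attributes travel with the observation as the evidence record.
                "relevant-evidence": [{"description": json.dumps(o["attributes"], sort_keys=True)}],
            })
        oscal_findings.append({
            "uuid": str(uuid.uuid4()), "title": f["title"],
            "description": f"Automated test of {f['control_id']}",
            # Framework mapping is carried as props (an example design choice).
            "props": [{"name": "satisfies", "value": ref} for ref in f["satisfies"]],
            "target": {"type": "objective-id", "target-id": f["control_id"],
                       "status": {"state": "satisfied" if f["satisfied"] else "not-satisfied"}},
            "related-observations": related,
        })
    return {"assessment-results": {
        "uuid": str(uuid.uuid4()),
        "metadata": {"title": title, "last-modified": now, "version": "1.0", "oscal-version": "1.1.2"},
        "import-ap": {"href": "#assessment-plan-placeholder"},  # placeholder, no real plan exists
        "results": [{"uuid": str(uuid.uuid4()), "title": title, "start": now,
                     "description": "Generated by the CI evidence collector",
                     "observations": oscal_observations, "findings": oscal_findings}],
    }}


def failing_controls(findings):
    """CI gate: IDs of unsatisfied controls; an empty list means the gate passes."""
    return [f["control_id"] for f in findings if not f["satisfied"]]


if __name__ == "__main__":
    results = evaluate_controls(SAMPLE_EVIDENCE, CONTROLS)
    print(json.dumps(to_oscal_assessment_results(results), indent=2))
    # Non-zero exit blocks the pipeline while any control is unsatisfied.
    raise SystemExit(1 if failing_controls(results) else 0)
```

Run as a pipeline step, the script writes the OSCAL-style document to stdout (where a later step can publish it to a registry) and exits non-zero on the constructed evidence, because the staging bucket fails EX-ENC-01; that is the "compliance by design" gate in its simplest form.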
Harmonize Regulatory Frameworks: CAR will work to standardize controls, evidence and mappings across redundant and conflicting regulations (leveraging CSA’s Cloud Controls Matrix) so that companies can comply with many requirements at once rather than piecemeal, enabling «write once, comply with many.»
Harmonization means a control tested for one framework can satisfy others, eliminating duplicate work. Regulators can gain mutual recognition of equivalent standards. By reducing fragmentation, we make compliance efforts more efficient for service providers and more transparent for customers and regulators.
Drive Risk Quantification: The CAR initiative will prioritize the development of standardized metrics for control effectiveness and assurance levels, and of models that quantify security and compliance risk in objective terms. This enables true risk management and ensures that compliance efforts are proportionate to the actual risks, offering the right level of assurance for the criticality of a service. It also allows business and technical leaders to make data-driven decisions on where to invest in security improvements, linking those investments directly to risk reduction outcomes.
These core goals define the scope of CAR’s effort. Achieving them will involve developing open standards, reference architectures, and best practices. For example, CAR will explore common control libraries and machine-readable regulations to support automation, as well as continuous audit processes that regulators can eventually embrace. Underlying is the principle of continuous assurance – enabling a shift from point-in-time certifications to ongoing, real-time confidence in security. By automating controls and evidence and aligning them with risk, we can provide assurance that keeps up with the speed of cloud innovation.
The Cyber Threat Psychology Research Project
Cybersecurity is not just a technical challenge – it is a psychological battleground. Understanding the psychology behind hacking is crucial, not only to anticipate the motivations and behaviors of attackers but also to recognize how human biases and cognitive vulnerabilities are exploited. Hackers undermine and deceive, poison trust, and bypass technical safeguards by targeting the human element. From social engineering scams to large-scale disinformation campaigns, the most effective cyberattacks do not just break code – they break people’s perception of reality.
In an era where digital trust is constantly under siege, recognizing the psychological dimensions of hacking is key to prevention. Effective prevention requires a combination of awareness, psychological resilience, and strategic defense. This means equipping individuals to detect manipulation tactics, fostering critical thinking in online interactions, and developing environments where security-conscious behavior is the norm rather than the exception.
Our project aims at education and awareness at multiple levels:
- Empowering individuals to cultivate curiosity and social/emotional awareness, fostering mischievous vigilance that helps them recognize and resist hacking attempts.
- Raising public awareness to identify individuals in their personal environment who may be susceptible to hacking tendencies, to help them shift perspectives before crossing ethical lines.
- Advising organizational leadership on how to foster a security-conscious culture to mitigate psychological and social attack vectors.
We aim to strengthen the human firewall by communicating to build awareness, mischievous vigilance, pattern recognition and social awareness.
The CSA Swiss Chapter also organizes round tables in Switzerland to meet onsite and discuss with the community.