ACR-5.09v1.1

The system SHALL implement automated detection and prevention of personally identifiable information

Domain

05 — Domain 5: Data Privacy and Information Protection

Eval Method

ATAutomated Testing

Risk Weight

5 / 10

Applicability

L1L2L3

Description#

The system SHALL implement automated detection and prevention of personally identifiable information in outputs, logs, telemetry, cached data, and error messages, with configurable sensitivity thresholds.

Evaluation Method#

ATAutomated Testing

Compliance is evaluated through automated test suites that exercise the control under structured test conditions. Results are deterministically reproducible.

v1.1 Details#

Profile Applicability

F,S,A,C

Evaluation Frequency

Quarterly

Platform Cert Eligible

Framework Crosswalk Refs

NIST AI RMF Manage 2.2; OWASP LLM-06; NIST SP 800-53 SI-15

Classification#

Conditional Control

This is a conditional control. Non-compliance with this ACR may result in conditional certification with a mandated remediation period. The Authorized Verification Body will specify the remediation timeline and required evidence for the condition to be cleared. If remediation is not completed within the specified period, the conditional certification will be revoked.

← PreviousACR-5.08: The system SHALL provide clear disclosure to end users when they are interacting with an AI system r Next →ACR-5.10: In shared or multi-customer environments, the system SHALL enforce strict isolation preventing any c