Glossary

CIA+EFT Framework

An integrated AI security model that extends the traditional CIA triad with three AI-specific dimensions (Explainability, Fairness and Traceability), giving organisations one coherent vocabulary for assessing risk across both classical security and AI-specific failure modes.

Term: CIA+EFT Framework

The CIA+EFT framework is an integrated AI security model that extends the traditional CIA triad (Confidentiality, Integrity, Availability) with three AI-specific dimensions, Explainability, Fairness and Traceability, giving organisations one coherent vocabulary for assessing risk across both classical security and AI-specific failure modes.

Why it matters

UK boards are being asked to sign off AI deployments without a shared language for the risks involved. Technical teams report on classical security controls; governance teams write AI policy against ISO 42001 or the EU AI Act; and the seam between them rarely has a named owner. CIA+EFT closes that seam by treating model behaviour as a security concern alongside data and infrastructure.

It matters because AI systems fail in ways traditional security cannot detect. A model can be perfectly confidential, have intact training data and 99.9% availability, yet still produce biased outputs, unexplained decisions or silent drift that breaches regulatory obligations. Without an integrated framework, those failures sit outside the CISO’s remit and outside the DPO’s remit, so no one owns them until a regulator or customer asks.

For regulated UK sectors (NHS trusts, local authorities, professional services firms), the framework also gives boards a defensible position. Each CIA+EFT dimension maps onto specific ISO 42001 controls and EU AI Act obligations, so assurance work done against the framework produces evidence usable in audit, procurement and regulatory response.

How it works in practice

The six dimensions are assessed together against each AI system in scope. Confidentiality, Integrity and Availability address data and infrastructure: who can access the model and its training data, whether inputs and weights have been tampered with, and whether the service stays up. Explainability asks whether the organisation can justify a given output to a customer, regulator or affected individual. Fairness asks whether outcomes are equitable across protected groups and use cases. Traceability asks whether the organisation can reconstruct what the model did, with what inputs, under which version, at a specific point in time.

In a typical assessment we work through each production or near-production AI system and score the six dimensions against named controls. A procurement chatbot might score well on Confidentiality and Availability but fail Explainability because no one can articulate why it declined a supplier. A clinical triage tool might pass Integrity checks but fail Fairness because outcome rates differ by demographic. A Copilot deployment might pass five dimensions but fail Traceability because prompt and response logs are not retained.

The output is a gap register tied to owners, controls and evidence. That register is what boards use to prioritise remediation and what auditors use to verify AI governance maturity.
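The assessment described above, scoring each system's six dimensions against named controls and emitting a gap register tied to owners, can be expressed as a small program. The following is an added example, not tooling from this glossary or its authors: the six dimension names come from the entry, while the control names, owners, evidence strings and the three sample systems (procurement chatbot, clinical triage tool, Copilot deployment) are constructed here to mirror the cases in the text. A dimension passes only when at least one control is named for it and every named control has evidence; a dimension nobody assessed is treated as a gap with an unassigned owner, so it cannot silently fall outside everyone's remit.

```python
"""Gap-register builder for a CIA+EFT assessment (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# The six dimensions, in the order the glossary entry lists them.
DIMENSIONS = (
    "Confidentiality", "Integrity", "Availability",
    "Explainability", "Fairness", "Traceability",
)


@dataclass
class Control:
    """One named control under a dimension, with the evidence that backs it."""
    name: str
    owner: str
    evidence: Optional[str] = None  # None means no evidence was produced


@dataclass
class AISystem:
    name: str
    # dimension -> list of controls assessed under that dimension
    controls: dict = field(default_factory=dict)


def score_dimension(system: AISystem, dimension: str) -> bool:
    """Pass only if the dimension has controls and every control has evidence.
    An unassessed dimension fails: the absence of a control is itself a gap."""
    controls = system.controls.get(dimension, [])
    return bool(controls) and all(c.evidence for c in controls)


def gap_register(systems: list) -> list:
    """One row per failing (system, dimension, control), tied to an owner."""
    rows = []
    for system in systems:
        for dimension in DIMENSIONS:
            if score_dimension(system, dimension):
                continue
            controls = system.controls.get(dimension) or [
                Control("(no control assessed)", "UNASSIGNED")
            ]
            for control in controls:
                if control.evidence:
                    continue  # this control is fine; a sibling caused the fail
                rows.append({
                    "system": system.name,
                    "dimension": dimension,
                    "control": control.name,
                    "owner": control.owner,
                    "status": "gap",
                })
    return rows


def gaps_by_owner(register: list) -> dict:
    """Count open gaps per owner, the view a board uses to prioritise remediation."""
    counts: dict = {}
    for row in register:
        counts[row["owner"]] = counts.get(row["owner"], 0) + 1
    return counts


def evidenced(owner: str) -> dict:
    """Constructed baseline: one evidenced control per dimension (placeholder refs)."""
    return {
        d: [Control(f"{d} control", owner, evidence="CONSTRUCTED-AUDIT-REF")]
        for d in DIMENSIONS
    }


def sample_systems() -> list:
    """Constructed systems mirroring the three cases in the entry."""
    chatbot = AISystem("Procurement chatbot", evidenced("Procurement lead"))
    chatbot.controls["Explainability"] = [
        Control("Decision rationale recorded for each declined supplier",
                "Procurement lead")]  # no evidence: nobody can say why it declined
    triage = AISystem("Clinical triage tool", evidenced("Clinical safety officer"))
    triage.controls["Fairness"] = [
        Control("Outcome rates compared across demographic groups",
                "Clinical safety officer")]  # no evidence: rates differ, unreviewed
    copilot = AISystem("Copilot deployment", evidenced("IT service owner"))
    copilot.controls["Traceability"] = [
        Control("Prompt and response logs retained", "IT service owner")]  # not retained
    return [chatbot, triage, copilot]


if __name__ == "__main__":
    register = gap_register(sample_systems())
    for row in register:
        print(f'{row["system"]:22} {row["dimension"]:14} {row["owner"]:24} {row["control"]}')
    print(gaps_by_owner(register))
```

Running the module prints three rows, one per sample system, each naming the failed dimension, the missing control and its owner; the owner tally is what a board would use to see where remediation effort concentrates. Real assessments would replace the constructed evidence strings with references to actual artefacts (audit reports, log-retention configuration, fairness test results).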

Related terms: CIA Triad, AI Explainability, AI Fairness, AI Traceability, AI Governance.
