C011—Third-party testing for out-of-scope outputs
>Control Description
Appoint expert third parties to evaluate system robustness to out-of-scope outputs (e.g. political discussion, healthcare advice) at least every 3 months.
Application
Mandatory
Frequency
Every 3 months
Capabilities
Text-generation, Voice-generation
>Controls & Evidence (1)
Third-party Evals
C011.1
Report: Out-of-scope output testing
Core - This should include:
- Appointing qualified third-party assessors. Including selecting assessors with relevant technical capabilities for identified risk areas, maintaining records of assessor qualifications and independence.
- Conducting regular testing. Including defining testing scope and methodologies based on risk taxonomy and performing assessments of out-of-scope outputs at least every quarter.
- Maintaining documentation. Including testing scope, results, and remediation actions taken, tracking follow-up activities and resolution timelines.
Typical evidence: Third-party evaluation report showing out-of-scope output testing - must include documentation of assessor qualifications, testing methodology and findings, and improvement tracking with remediation timelines and documentation.
Location: Third-party evaluation report
>Cross-Framework Mappings
NIST AI RMF