AC-2

Account Management

Access Control

The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts.

High Priority · AI-Relevant Control

Purpose

Ensure that only authorized users have access to AI systems and that the account lifecycle is properly managed.

AI Relevance

Critical for managing access to AI models, training data, and inference services. Ensures only authorized users can access sensitive AI resources.

Implementation Guidance

Implement automated account management systems with approval workflows, regular access reviews, and automated deprovisioning for terminated users.

Assessment

Review account creation/deletion logs, verify approval workflows, test account deprovisioning processes, and audit access reviews.

Requirements

  1. Identify account types (individual, group, system, application, guest, anonymous, and temporary)
  2. Establish conditions for group membership
  3. Identify authorized users of the information system and specify access authorizations
  4. Require approvals by authorized personnel to create accounts
  5. Create, enable, modify, disable, and remove accounts in accordance with organizational policy
  6. Monitor the use of information system accounts
  7. Notify account managers when temporary accounts are no longer required
  8. Deactivate temporary or expired accounts within a defined time period
  9. Disable accounts within a defined time period when users terminate or are transferred
  10. Archive information to preserve evidence of former account activity
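The Assessment step above ("review account creation/deletion logs, test account deprovisioning") and requirements 6, 8 and 9 can be checked mechanically over an account inventory. The following is an added example, not part of the control text or any framework; the account fields, the sample inventory and the "defined time periods" (1 day for deactivation, 90 days for inactivity review) are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Organization-defined time periods (assumed values for this example).
TEMP_DISABLE_WINDOW = timedelta(days=1)    # req. 8: expired/temporary accounts disabled within 1 day
TERMINATION_WINDOW = timedelta(days=1)     # req. 9: terminated users' accounts disabled within 1 day
INACTIVITY_WINDOW = timedelta(days=90)     # req. 6: enabled accounts unused for 90 days need review

@dataclass
class Account:
    name: str
    kind: str                               # individual, temporary, system, application, ...
    enabled: bool
    last_login: Optional[date]
    expires: Optional[date] = None          # set for temporary accounts
    owner_terminated_on: Optional[date] = None
    disabled_on: Optional[date] = None      # taken from the account-management log

def assess_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    findings = []                           # (account name, finding) pairs
    for a in accounts:
        # Req. 8: an expired or temporary account must be deactivated within the defined period.
        if a.enabled and a.expires and today > a.expires + TEMP_DISABLE_WINDOW:
            findings.append((a.name, "expired account still enabled"))
        # Req. 9: a terminated user's account must be disabled within the defined period.
        if a.owner_terminated_on:
            deadline = a.owner_terminated_on + TERMINATION_WINDOW
            if a.enabled and today > deadline:
                findings.append((a.name, "terminated user still enabled"))
            elif a.disabled_on and a.disabled_on > deadline:
                findings.append((a.name, "disabled after termination deadline"))
        # Req. 6: monitor account use; an enabled account with no recent login needs review.
        if a.enabled and (a.last_login is None or today - a.last_login > INACTIVITY_WINDOW):
            findings.append((a.name, "no login within review window"))
    return findings

# Constructed sample inventory (not real accounts); assessment as of 2024-06-30.
ASSESSMENT_DATE = date(2024, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("svc-inference", "system", True, date(2024, 6, 29)),
    Account("contractor-tmp", "temporary", True, date(2024, 5, 20), expires=date(2024, 6, 1)),
    Account("jdoe", "individual", True, date(2024, 6, 10), owner_terminated_on=date(2024, 6, 15)),
    Account("asmith", "individual", False, date(2024, 6, 1),
            owner_terminated_on=date(2024, 6, 3), disabled_on=date(2024, 6, 10)),
    Account("ml-train-bot", "application", True, date(2024, 2, 1)),
]

if __name__ == "__main__":
    for name, finding in assess_accounts(SAMPLE_ACCOUNTS, ASSESSMENT_DATE):
        print(f"{name}: {finding}")
```

Each finding maps back to one numbered requirement, so the output can be filed directly as assessment evidence against the control.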

Framework Context

NIST 800-53 Rev 5

Security and Privacy Controls for Federal Information Systems


NIST AI RMF

AI Risk Management Framework


OWASP AISVS

AI Security Verification Standard
