Drift + accuracy monitoring
Demonstrate that the organization continuously monitors production systems and models for unauthorized or unintended drift from approved baselines, with alerting and remediation processes in place to address detected deviations.
Description
What this control does
Drift and accuracy monitoring detects unintended changes to deployed configurations, code, infrastructure, or AI/ML model behavior over time. This control establishes automated comparison mechanisms that measure deviations from approved baselines—such as configuration files, security policies, model prediction accuracy, or system behavior—and alert when drift exceeds defined thresholds. It is critical for maintaining operational integrity, preventing security regressions, and ensuring that deployed systems continue to perform as validated during testing and approval stages.
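The comparison mechanism described above, as an added illustrative example (not code from the page or from any particular product): a baseline config and a model accuracy floor are held as approved values, the current state is diffed key by key against the baseline, a window of labelled predictions is scored against the floor, and an alert is raised when any high-severity deviation is found. All baseline keys, threshold values and sample data below are constructed for the example; real baselines would come from version control or the approved IaC templates.

```python
"""Baseline drift + model accuracy monitor (constructed example)."""
import hashlib
import json
from dataclasses import dataclass
from typing import Any, Optional, Sequence

# Constructed approved baseline: hypothetical hardened settings, not from a real system.
BASELINE_CONFIG: dict[str, Any] = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "storage.public_access_block": True,
    "tls.min_version": "1.2",
}
ACCURACY_FLOOR = 0.90   # approved model performance threshold (assumed value)
MIN_SAMPLES = 50        # below this many labelled samples accuracy is too noisy to alert on


@dataclass(frozen=True)
class DriftFinding:
    kind: str        # "config" or "model"
    key: str
    expected: Any
    observed: Any
    severity: str    # "high" findings raise an alert; others are recorded only


def config_fingerprint(cfg: dict[str, Any]) -> str:
    """Stable hash of a config snapshot so unchanged states are recognised cheaply."""
    canonical = json.dumps(cfg, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def detect_config_drift(baseline: dict[str, Any], observed: dict[str, Any]) -> list[DriftFinding]:
    """Key-by-key diff of the observed state against the approved baseline.
    A changed or missing approved setting is high severity; a setting that is
    present but was never approved is medium (undocumented change, not necessarily unsafe)."""
    if config_fingerprint(baseline) == config_fingerprint(observed):
        return []
    findings: list[DriftFinding] = []
    for key, expected in baseline.items():
        if key not in observed:
            findings.append(DriftFinding("config", key, expected, None, "high"))
        elif observed[key] != expected:
            findings.append(DriftFinding("config", key, expected, observed[key], "high"))
    for key in sorted(observed.keys() - baseline.keys()):
        findings.append(DriftFinding("config", key, None, observed[key], "medium"))
    return findings


def detect_accuracy_drift(labels: Sequence[Any], predictions: Sequence[Any],
                          floor: float = ACCURACY_FLOOR, min_samples: int = MIN_SAMPLES
                          ) -> tuple[Optional[float], Optional[DriftFinding]]:
    """Score a window of labelled predictions; alert only when the window is large
    enough to be meaningful and accuracy has fallen below the approved floor."""
    if len(labels) != len(predictions):
        raise ValueError("labels and predictions must align")
    n = len(labels)
    if n < min_samples:
        # Not enough data: record it, but do not page anyone on a noisy estimate.
        return None, DriftFinding("model", "accuracy", f">={floor}", f"only {n} samples", "info")
    correct = sum(1 for y, p in zip(labels, predictions) if y == p)
    accuracy = correct / n
    if accuracy < floor:
        return accuracy, DriftFinding("model", "accuracy", floor, round(accuracy, 4), "high")
    return accuracy, None


def evaluate(observed_config: dict[str, Any], labels: Sequence[Any],
             predictions: Sequence[Any]) -> dict[str, Any]:
    """One monitoring cycle: returns findings plus whether any of them warrants an alert."""
    findings = detect_config_drift(BASELINE_CONFIG, observed_config)
    accuracy, model_finding = detect_accuracy_drift(labels, predictions)
    if model_finding is not None:
        findings.append(model_finding)
    return {"accuracy": accuracy, "findings": findings,
            "alert": any(f.severity == "high" for f in findings)}


# Constructed sample input: one approved setting changed, one unapproved setting added,
# and a 100-sample prediction window in which 15 predictions are wrong (accuracy 0.85).
SAMPLE_OBSERVED_CONFIG = dict(BASELINE_CONFIG, **{"ssh.PermitRootLogin": "yes", "debug.enabled": True})
SAMPLE_LABELS = [i % 2 for i in range(100)]
SAMPLE_PREDICTIONS = [1 - y if i < 15 else y for i, y in enumerate(SAMPLE_LABELS)]

if __name__ == "__main__":
    report = evaluate(SAMPLE_OBSERVED_CONFIG, SAMPLE_LABELS, SAMPLE_PREDICTIONS)
    for f in report["findings"]:
        print(f"[{f.severity}] {f.kind} {f.key}: expected={f.expected!r} observed={f.observed!r}")
    print("ALERT" if report["alert"] else "no drift beyond thresholds")
```

The fingerprint short-circuit matters for the scanning frequency an auditor checks: most cycles compare an unchanged snapshot and should cost one hash, not a full diff. The minimum-sample guard is the accuracy-side counterpart; an alert fired on a handful of predictions is the kind of false positive that shows up in the 90-day alert history review.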
Control objective
What auditing this proves
Demonstrate that the organization continuously monitors production systems and models for unauthorized or unintended drift from approved baselines, with alerting and remediation processes in place to address detected deviations.
Associated risks
Risks this control addresses
- Unauthorized configuration changes bypass approval workflows and introduce security vulnerabilities or compliance violations
- Infrastructure as Code (IaC) templates diverge from deployed infrastructure, creating undocumented attack surface and hindering incident response
- Machine learning models degrade in accuracy due to data drift or poisoning, producing incorrect security decisions or business outcomes
- Production application code differs from version control repository due to hotfixes or unauthorized manual changes, preventing reproducible builds and vulnerability tracking
- Security policy enforcement mechanisms silently fail or weaken over time without detection, leaving systems unprotected
- Cloud resource configurations drift from hardened baselines due to manual console changes, exposing sensitive data or creating privilege escalation paths
- Compliance-required settings revert to insecure defaults after system updates or patches without automated verification
Testing procedure
How an auditor verifies this control
- Inventory all systems, environments, and models subject to drift monitoring requirements, including infrastructure, applications, cloud resources, and ML models.
- Obtain and review the documented baseline definitions or golden configurations for each monitored system, including version control references, approved IaC templates, and model performance thresholds.
- Examine drift detection tool configurations to verify scanning frequency, comparison logic, threshold settings, and alert routing for each baseline type.
- Select a sample of production systems and execute drift detection scans or retrieve recent automated scan results comparing current state to approved baselines.
- Review drift detection logs and alert history for the past 90 days to identify detected deviations, false positives, and alert response times.
- Interview DevOps and security personnel to confirm alert triage procedures and validate that detected drift triggers change control review or remediation workflows.
- Test the alerting mechanism by introducing a known configuration change to a non-production system and verifying that drift detection triggers within the defined SLA.
- Examine remediation records for past drift alerts to confirm that unauthorized changes were either corrected or formally approved through change management processes.
Where this control is tested