// Trust & Security Report
Fortinet, Inc.
FortiAI - AI-driven security platform comprising three main components: FortiAI-Protect (real-time threat detection and AI governance), FortiAI-Assist (generative AI for SOC automation), and FortiAI-Secure (AI infrastructure and LLM data protection)
Certifications held
17
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on fortinet.com“Managed FortiGate Service is certified in both ISO 27001 and SOC2 Type 2. Additionally, as part of SOC 2 Type II audit, Fortinet worked with an independent auditor to achieve an additional level of certification against an expanded control set, including control alignment against the HIPAA Security Rule.”
Verify on fortinet.com“Managed FortiGate Service is certified in both ISO 27001 and SOC2 Type 2. SOCaaS is certified in both ISO27001 and SOC 2.”
Verify on trust.fortinet.com“Listed as a certified standard in Fortinet's Trust Resource Center certifications and compliance standards”
Verify on trust.fortinet.com“Listed as a certified standard in Fortinet's Trust Resource Center certifications and compliance standards”
Verify on fortinet.com“Fortinet supports and complies with GDPR. For certain Fortinet services where Fortinet acts as a processor, a data processing agreement is available upon request.”
Verify on fortinet.com“Fortinet worked with an independent auditor to achieve SOC 2 Type II certification against an expanded control set, including control alignment against the HIPAA Security Rule. FortiCare Support System, FortiEDR System and MDR Services, FortiWeb Cloud, FortiSIEM Cloud, and FortiClient Cloud have SOC 2 Type II reports with HIPAA compliance coverage.”
Verify on trust.fortinet.com“CSA STAR Registry listed among Fortinet's certifications and compliance standards in Trust Resource Center”
Verify on fortinet.com“Common Criteria - An international standard (ISO/IEC 15408) operated by 17 certificate authorizing nations and accepted by 31 nations”
Verify on fortinet.com“FIPS standards - Standards and guidelines for federal computer systems developed by the National Institute of Standards and Technology (NIST)”
Verify on trust.fortinet.com“ISO 9001:2015 listed among Fortinet's certified standards”
Verify on fortinet.com“DoDIN APL listed among Fortinet's government and defense certifications”
Verify on fortinet.com“NSA CSfC listed among Fortinet's government and defense certifications”
Verify on fortinet.com“TAA Compliance listed among Fortinet's government certifications”
Verify on fortinet.com“ISMAP listed among Fortinet's cloud and regional standards certifications”
Verify on fortinet.com“TISAX listed among Fortinet's cloud and regional standards certifications”
Verify on trust.fortinet.com“EU CRA listed among Fortinet's certifications in Trust Resource Center”
Verify on trust.fortinet.com“IEC 62443 listed among Fortinet's certifications”
> Show 1 unconfirmed / not-held certifications
source: fortinet.comFortinet has added a new AI Governance card on their Trust Portal and published 'Fortinet Principles for Responsible Artificial Intelligence Use and Development', indicating alignment with ISO 42001:2023 principles. However, no formal ISO 42001 certification is claimed.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Multi-region support available; customers can specify geographic location for data storage to comply with local data regulations like GDPR
FortiAI explicitly does NOT use customer data to train its AI models. Models are trained on Fortinet's own threat intelligence dataset. Fortinet implements multiple safeguards including: (1) customer data is not exposed or provided access to the GenAI engine, (2) data used in GenAI assistant queries is not permitted to train the LLM, (3) queries are processed locally where possible to prevent data leaving the network, (4) sensitive information is blocked or masked before reaching the language model.
// Security controls
Data isolation
Customer data isolation enforced; customer data not exposed to other customers or to AI training systems
fortinet.comThreat intelligence foundation
AI models trained on Fortinet's global threat intelligence dataset (world's largest and most diverse threat intelligence datasets)
fortinet.comGlobal data centers
Multi-region cloud infrastructure with optional data residency choices
docs.fortinet.com// Products & data scope
data: Network traffic, file behavior, shadow AI detection, prompt monitoring
Real-time threat blocking using deep learning. Detects emerging threats, prioritizes responses with contextual risk assessment, minimizes false positives. Discovers and categorizes AI applications in use and their risk levels. Blocks unauthorized prompts. Does not train on customer data.
data: Security events, incident investigation, threat hunting queries
Guides and optimizes SOC analyst experience using generative AI. Automatically interprets security events, generates summaries, impact assessments, and remediation recommendations. Automates security tasks (policy updates, configuration corrections). Offers choice of OpenAI or Microsoft Azure OpenAI LLMs. Available cloud or on-premises deployment. Keeps customer data private; does not expose data or permit GenAI engine to use customer data for training.
data: AI models, LLM data, AI workloads, cloud AI applications
Secures AI infrastructure from network-based threats. Prevents data leakage from large language models. Monitors cloud AI workloads for unusual behavior. Integrates multiple security components: real-time threat protection, application-layer security, cloud-native workload protection, data loss prevention. Available as part of Fortinet Security Fabric.
// What to watch
- FortiAI products do not have explicit product-level SOC 2 or ISO 27001 certifications listed on product pages. The certifications listed apply to Fortinet as a company and to specific services (Managed FortiGate Service, SOCaaS, FortiEDR, etc.) but not explicitly to FortiAI platform itself. Fortinet relies on company-level certifications but should clarify which FortiAI services inherit or are covered under specific audit reports.
- ISO/IEC 42001 (AI Management System): Fortinet discusses alignment with AI governance principles and published 'Principles for Responsible Artificial Intelligence Use and Development' but does NOT hold a formal ISO 42001 certification. This is correctly marketed as a governance commitment rather than a certification.
- PCI DSS: Fortinet provides tools and solutions to help achieve PCI DSS compliance (FortiDLP policy templates, FortiGate hardening guides) but does not claim FortiAI or other specific products are formally PCI DSS certified.
- HIPAA coverage for FortiAI: The published HIPAA compliance applies to specific Fortinet products (FortiCare, FortiEDR, FortiWeb Cloud, FortiSIEM Cloud, FortiClient Cloud) with BAA available, but no explicit mention of FortiAI products being HIPAA-covered in published documentation.
// At a glance
Pricing model
Not disclosed on product pages; likely subscription-based with per-appliance or per-seat pricing common for Fortinet products
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Fortinet, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.fortinet.com