< ciso brief />

All news with #ai governance tag

232 articles

AI Becomes SOC Imperative to Counter Emerging Threats

🛡️ Security professionals at DTX argued that integrating AI into SOCs is now essential to counter autonomous attacker tooling and AI-accelerated threats. Panelists stressed sustaining core cyberdefence fundamentals—system hardening, patching, access control and monitoring—before deploying AI, and preserving human oversight to manage model risk. They noted role shifts toward validation, prompt engineering and GRC, and urged rigorous testing and SDLC-like deployment controls.

Detecting and Blocking Unsanctioned AI in the Enterprise

🔍 While many organizations intentionally deploy AI to improve productivity, unsanctioned AI is proliferating faster — employees install tools or vendors embed assistants into existing apps. The article defines four AI categories and maps specific detection techniques to each, covering DNS, web gateways/NGFW, EPP/EDR, application and browser controls, and SSPM/identity governance. It flags OAuth consent as a high-risk channel and summarizes admin steps for Microsoft Entra, Google Admin, Salesforce, and ServiceNow to block or restrict app access.
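As an added illustration of the DNS-based detection channel the article lists (this is not code from the article, and DNS is only one of the telemetry sources it maps), the script below scans resolver query logs for lookups of AI-tool domains and reports any client that resolved a product outside the sanctioned list. The AI-domain catalogue, the sanctioned list and the DNS log lines are all constructed for the example; the log format is assumed, not taken from any particular resolver.

```python
"""Flag DNS lookups for AI tools that are not on the organisation's sanctioned list.

Added illustration for the detection approach summarised above, not code from the
article. The AI-domain catalogue, the sanctioned-product list and the DNS log
lines are all constructed for the example.
"""
import re
from collections import defaultdict

# Constructed catalogue of AI-tool domains -> product. In practice this would be
# fed from a SaaS-catalogue or threat-intel source and refreshed regularly.
AI_DOMAINS = {
    "openai.com": "ChatGPT",
    "claude.ai": "Claude",
    "anthropic.com": "Claude",
    "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Copilot",
}

# Assumption for the example: the organisation has approved ChatGPT only.
SANCTIONED_PRODUCTS = {"ChatGPT"}

# Constructed DNS resolver log lines (format invented for the example).
SAMPLE_DNS_LOG = [
    "2025-06-03T09:14:02Z client=10.20.4.17 query=chat.openai.com type=A",
    "2025-06-03T09:14:05Z client=10.20.4.17 query=api.openai.com type=A",
    "2025-06-03T09:15:11Z client=10.20.4.18 query=claude.ai type=A",
    "2025-06-03T09:15:40Z client=10.20.4.18 query=www.notion.so type=A",
    "2025-06-03T09:16:02Z client=10.20.4.19 query=gemini.google.com. type=A",
    "2025-06-03T09:16:30Z client=10.20.4.19 query=mail.google.com type=A",
    "2025-06-03T09:17:00Z client=10.20.4.20 query=notopenai.com type=A",
    "malformed line that should be skipped",
]

LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")


def match_ai_product(qname, catalogue=AI_DOMAINS):
    """Return the catalogued product for a query name, or None.

    Matching is done on whole label boundaries so that a lookalike such as
    'notopenai.com' does not match 'openai.com'. Case and a trailing dot
    (absolute DNS names) are normalised away.
    """
    name = qname.lower().rstrip(".")
    for domain, product in catalogue.items():
        if name == domain or name.endswith("." + domain):
            return product
    return None


def find_unsanctioned_ai(lines, catalogue=AI_DOMAINS, sanctioned=SANCTIONED_PRODUCTS):
    """Map each client address to the set of unsanctioned AI products it resolved."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that do not parse rather than abort the whole run
        product = match_ai_product(m.group("qname"), catalogue)
        if product and product not in sanctioned:
            hits[m.group("client")].add(product)
    return dict(hits)


if __name__ == "__main__":
    for client, products in sorted(find_unsanctioned_ai(SAMPLE_DNS_LOG).items()):
        print(f"{client}: {', '.join(sorted(products))}")
```

A DNS-only check misses clients that use encrypted DNS, hard-coded IPs or an assistant embedded inside an already-sanctioned SaaS app, which is why the article pairs it with web gateway, EDR and SSPM/identity telemetry rather than relying on any single channel.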

NCSC Guidance: Securing Agentic AI Deployments and Risks

🔒 The UK’s National Cyber Security Centre (NCSC) has published new guidance for organisations considering the adoption of agentic AI, summarising a wider report produced with Five Eyes partners. It flags the heightened risk from agent autonomy and complexity, including excessive access, unpredictable behaviour and actions that can outpace human review. The NCSC advises incremental deployment with tightly bounded pilots, clear ownership, ongoing monitoring and meaningful human oversight, and points organisations to industry best practice such as ETSI EN 304 223.

AI Hallucinations Introduce Critical Security Risks

⚠️ AI hallucinations—confident but incorrect outputs—are increasingly driving risky decisions in critical infrastructure and cybersecurity operations, exploiting human trust in authoritative-sounding responses. A 2025 AA-Omniscience benchmark of 40 models found most systems were more likely to offer a confident wrong answer on difficult questions, underscoring that AI outputs must be treated as potential vulnerabilities until vetted. Effective controls include enforced human review before sensitive actions, treating training data as a security asset, strict least-privilege for AI systems, and prompt-engineering training to reduce ambiguous inputs.

ICO issues five-step guidance on AI-driven cyber risk

🔐 The ICO has published a five-step guide urging organisations to prepare for AI-enhanced cyber threats, including deepfake social engineering, adaptive malware and automated exploitation. It points readers to the NCSC's updated Cyber Assessment Framework and expects baseline adoption of Cyber Essentials and the UK Cyber Governance Code. The guidance emphasises robust patching, MFA, least‑privilege, supply‑chain vetting, DPIAs for high‑risk AI and human oversight of AI-enabled defences.

Updated AWS Guide: GRC for Responsible AI in FSI

🔒 The updated AWS User Guide to Governance, Risk, and Compliance for Responsible AI Adoption provides Financial Services customers practical GRC guidance for deploying AI responsibly. It covers governance, risk management, compliance, data and model management, and AI agent oversight, and maps these considerations to AWS capabilities. The guide highlights services such as Amazon Bedrock AgentCore, Bedrock Guardrails, Bedrock Agents, SageMaker Autopilot, and SageMaker Model Monitor. It complements existing AWS responsible AI and Well-Architected resources and is available on the AWS Whitepaper portal.

Cloud Infrastructure as the Foundation for Digital Health

🏥 The post argues that modern cloud infrastructure is the superior foundation for regulated Software as a Medical Device (SaMD), enabling faster innovation while meeting regulatory obligations. It outlines regulatory shifts in early 2026, including the FDA's QMSR alignment with ISO 13485 and the EU AI Act's applicability for high-risk systems. The author advocates Compliance as Code and describes three architectural planes—data, control, and evidence—on Google Cloud to deliver continuous audit readiness. It also highlights AI-driven monitoring and a shared fate model between cloud providers and manufacturers.

G7 Issues Minimum SBOM Elements for AI Supply Chains

🔍 A G7 Cybersecurity Working Group paper published on 12 May defines minimum elements for software bills of materials (SBOMs) tailored to AI systems, aiming to boost transparency across AI supply chains. It outlines seven clusters — Metadata, System Level Properties, Models, Dataset Properties, Key Performance Indicators, Infrastructure and Security Properties — to guide producers and users. The paper stresses that the clusters are non-mandatory and that SBOMs alone are insufficient, and recommends linking SBOMs to vulnerability, advisory and tooling ecosystems.

CISA's AI SBOM Guidance Expands Supply‑Chain Oversight

🔍 The US Cybersecurity and Infrastructure Security Agency (CISA), working with G7 cyber partners, released supplemental minimum elements for an AI software bill of materials to document models, datasets, software components, providers, licenses, and other dependencies. The guidance extends traditional SBOM concepts into AI and is positioned to support procurement and vendor-risk assessments while remaining non‑exhaustive and non‑mandatory. Security teams should press vendors for model provenance, training and update practices, and runtime controls, but must recognize AI SBOMs provide visibility rather than assurance.

AWS Approach to Enabling AI Sovereignty in Cloud Globally

🔒 AWS outlines its approach to AI sovereignty, emphasizing customer control over data, deployment location, and access across the AI stack. It highlights infrastructure choices—AWS AI Factories, Outposts, Local Zones, Dedicated Local Zones, and the AWS European Sovereign Cloud—to meet regulatory and operational needs. AWS emphasizes technical protections like the AWS Nitro System, identity controls (IAM and Amazon Bedrock AgentCore Identity), and certifications such as ISO/IEC 42001 to reinforce transparency and trust.

Agentic AI: The Next Blindspot for Security Teams and Risk

🔐 Agentic AI is already operating across enterprises, executing tasks and taking actions often without meaningful security involvement. Security teams must develop hands‑on fluency — build and test agents, understand integrations like the Model Context Protocol, and enforce scoped configurations — because policy alone won't close the gap. The piece distinguishes three agent classes (productivity, MCP‑connected vendor agents, and custom user agents) and emphasizes configuration, access scoping, and training such as SANS SEC545 to reduce exposure.

CISOs Step into AI Spotlight: Risk, Governance and Trust

🔒 CISOs are shifting from a primarily technical control function to strategic business partners as AI reshapes risk, operations, and product delivery. Leaders such as Barry Hensley, Shaun Khalfan, and Jeff Trudeau stress publishing AI security frameworks, embedding security early in development, and aligning controls to business outcomes. They warn of AI-enabled threats — including advanced phishing, voice/video impersonation, and automated vulnerability discovery — and call for continuous controls, stronger identity and data governance, and near-real-time patching. Growing board engagement and changing reporting lines reflect the elevated role of security in enterprise strategy.

Architecting Resilient Foundations for the Agentic Era

🔐 At Google Cloud Next, Google outlined a resilient, scalable, and secure foundation to accelerate public sector adoption of the agentic era, highlighting infrastructure, data, and security innovations. Key infrastructure announcements include the AI Hypercomputer with eighth-generation TPUs (TPU 8t for training, TPU 8i for inference) and Virgo Networking, plus Google Distributed Cloud bringing Gemini to where data resides. On data, an AI-native architecture features Knowledge Catalog (FedRAMP High, DoD IL4 & IL5) and a cross-cloud Lakehouse to ground agents in trusted context. Security advances combine Google Threat Intelligence with Wiz, authorize Cloud Armor and Model Armor, and add defensive agents to protect models and sensitive data.

Eight Principles for Reskilling the SOC for Agentic AI

🤖 DXC Technology, Accenture, and other organizations are actively retraining SOC teams to integrate agentic AI by embedding vendor experts and building secure sandboxes. CISOs emphasize top-down leadership, rapid experimentation, and formal learning tracks to shift mindsets and roles. Governance, humans-in-the-loop, and clear escalation and audit paths are required while agents take on L1/L2 tasks.

BASF's AlphaEvolve builds digital twin for supply chain

🔁 BASF created a digital twin of its complex two‑year agricultural supply chain using AlphaEvolve on Google Cloud. The evolutionary AI began from a seeded planning program and ingested three years of historical production, inventory, and demand data to autonomously evolve planning logic. Resulting algorithms closely mirrored historical inventory and production behavior, improving accuracy by over 80% versus the seed and producing human‑readable rules to support planners.

New ISO/IEC 42001:2023 Compliance Guide for AIMS on AWS

🔒 AWS published a practical compliance guide, ISO/IEC 42001:2023 on AWS, to help organizations design and operate an Artificial Intelligence Management System (AIMS) using AWS services. The guide maps ISO 42001 clauses 4–10 and the Annex A controls to AWS services and architectural patterns, and it explains scoping, shared responsibility, and audit readiness. It highlights automation, evidence collection, monitoring, and responsible AI features to reduce effort in preparing for certification.

Five Guides to Production-Ready AI Agents at Scale

🤖 At Google Cloud Next '26, Google introduced the Gemini Enterprise Agent Platform to help teams build, deploy, scale, govern, and optimize autonomous AI agents in production. The series highlights long-running state management in Agent Runtime, a layered Agent Governance Stack, orchestration patterns in the Agent Development Kit (ADK), integration standards, and prebuilt blueprints in Agent Garden.

AI Adoption Outpaces Safety Policies, Raising Systemic Risk

🛡️ New ISACA research finds AI tools are widely used in organizations, but governance is lagging. Ninety percent of digital trust professionals say employees use AI, yet only 38% report a formal, comprehensive AI policy while 25% have none at all. The poll highlights rising Shadow AI risks, with 56% unsure how long it would take to halt an AI system and only 20% having shutdown procedures, increasing exposure to data breaches and privacy failures.

White House Weighs Pre-Release Checks for High-Risk AI

🛡️ The White House is privately discussing whether advanced AI models that could enable cyberattacks should undergo government-led or formal pre-release reviews before public deployment. The talks were prompted by Anthropic’s Mythos, which the company says has identified thousands of high-severity vulnerabilities, and by comparable capabilities from other labs. Officials are weighing options including formal vetting and targeted testing for higher-risk systems. No policy has been finalized and no timeline has been set.

Agencies Set Clear Limits on Agentic AI Deployments

🔒 A joint advisory from CISA and international partners urges organizations to treat agentic AI cautiously, enforcing strong authentication, Secure by Design principles, and staged rollouts. The guidance stresses least privilege, inventories of agent capabilities, and protections against prompt injection and data exposure. It also recommends continuous monitoring with human-in-the-loop controls, DevSecOps practices, and regular incident-response testing to reduce privilege creep, tool misuse, and other emergent risks.