< ciso
brief />
Tag Banner

All news with #ai governance tag

298 articles · page 4 of 15

AI agent governance: observability is essential

🛡️ CIOs rushing to deploy AI agents without visibility risk major failures; experts warn that observability and governance are required. Many organizations treat agents like RPA and set-and-forget systems, but agents operate in model runtimes and need end-to-end tracing, least-privilege permissions, and human-in-the-loop checks. Vendors and cloud providers offer tools, yet governance can become a bottleneck if it’s not scalable and actionable.
read more →

GCHQ warns businesses: urgent cyber action on AI

⚠️ Anne Keast-Butler, director of GCHQ, urged UK businesses to treat cybersecurity as national defence during the agency's first annual lecture at Bletchley Park on May 27. She warned that rapid AI development narrows the window to stay ahead of threats and called on boardrooms to act now. GCHQ plans a machine-speed national cyber defence using agentic AI within five years while urging adoption of basic controls and quantum-resistant cryptography.
read more →

AI-Enabled Sanctions Evasion Raises Governance Risks

🛡️ New RUSI research warns that adversaries, notably North Korea and Iran, are moving from AI-assisted to AI-enabled sanctions evasion and proliferation financing. The report highlights AI’s ability to mass-produce fraudulent documents, automate shell-company administration, and analyze blockchain flows to evade detection. Experts urge enterprises to adopt behavior-based analytics, defensive AI, stronger identity verification and updated training to counter these evolving threats.
read more →

UK firms boost cyber budgets amid rising AI risks

🔒 More than two-thirds of UK businesses plan to increase cybersecurity spending over the next 12 months as AI adoption and geopolitical uncertainty reshape budgets. The Q1 2026 Barclays Business Prosperity Index found 68% of leaders expect higher cyber investment and 46% say new technologies raise their exposure. Large firms have led the increase, with average cyber spend hitting £505,000 so far in 2026, and cloud, cyber and AI account for 44% of planned tech budgets.
read more →

CERT‑In issues 12‑hour patch expectation for AI era

🛡️ New guidance from India's CERT-In urges organizations to remediate actively exploited internet-facing vulnerabilities within 12 hours, citing AI-driven acceleration of reconnaissance and exploitation. The document, published on May 25, maps how generative AI, LLMs and autonomous agents speed up vulnerability discovery, phishing and malware creation. It sets tiered timelines for remediation, recommends using the KEV catalog and EPSS for prioritization, and advises interim mitigations when patches are unavailable.
read more →

Embed AI Governance into Release Infrastructure

🚦The author argues that traditional post-hoc compliance reviews fail for AI because AI systems change continuously. Drawing on research into Chinese and EU approaches, the piece recommends embedding governance into CI/CD pipelines so model cards, data lineage and risk evaluations are generated and enforced as deployment gates. It also urges treating agent identity as first-class security control and positioning compliance as operational release infrastructure rather than a review layer.
read more →

AI Becomes SOC Imperative to Counter Emerging Threats

🛡️ Security professionals at DTX argued that integrating AI into SOCs is now essential to counter autonomous attacker tooling and AI-accelerated threats. Panelists stressed sustaining core cyberdefence fundamentals—system hardening, patching, access control and monitoring—before deploying AI, and preserving human oversight to manage model risk. They noted role shifts toward validation, prompt engineering and GRC, and urged rigorous testing and SDLC-like deployment controls.
read more →

Detecting and Blocking Unsanctioned AI in the Enterprise

🔍 While many organizations intentionally deploy AI to improve productivity, unsanctioned AI is proliferating faster — employees install tools or vendors embed assistants into existing apps. The article defines four AI categories and maps specific detection techniques to each, covering DNS, web gateways/NGFW, EPP/EDR, application and browser controls, and SSPM/identity governance. It flags OAuth consent as a high-risk channel and summarizes admin steps for Microsoft Entra, Google Admin, Salesforce, and ServiceNow to block or restrict app access.
read more →

NCSC Guidance: Securing Agentic AI Deployments and Risks

🔒 The UK’s National Cyber Security Centre (NCSC) has published new guidance for organisations considering the adoption of agentic AI, summarising a wider report produced with Five Eyes partners. It flags the heightened risk from agent autonomy and complexity, including excessive access, unpredictable behaviour and actions that can outpace human review. The NCSC advises incremental deployment with tightly bounded pilots, clear ownership, ongoing monitoring and meaningful human oversight, and points organisations to industry best practice such as ETSI EN 304 223.
read more →

AI Hallucinations Introduce Critical Security Risks

⚠️ AI hallucinations—confident but incorrect outputs—are increasingly driving risky decisions in critical infrastructure and cybersecurity operations, exploiting human trust in authoritative-sounding responses. A 2025 AA-Omniscience benchmark of 40 models found most systems were more likely to offer a confident wrong answer on difficult questions, underscoring that AI outputs must be treated as potential vulnerabilities until vetted. Effective controls include enforced human review before sensitive actions, treating training data as a security asset, strict least-privilege for AI systems, and prompt-engineering training to reduce ambiguous inputs.
read more →

ICO issues five-step guidance on AI-driven cyber risk

🔐 The ICO has published a five-step guide urging organisations to prepare for AI-enhanced cyber threats, including deepfake social engineering, adaptive malware and automated exploitation. It points readers to the NCSC's updated Cyber Assessment Framework and expects baseline adoption of Cyber Essentials and the UK Cyber Governance Code. The guidance emphasises robust patching, MFA, least‑privilege, supply‑chain vetting, DPIAs for high‑risk AI and human oversight of AI-enabled defences.
read more →

Updated AWS Guide: GRC for Responsible AI in FSI Updates

🔒 The updated AWS User Guide to Governance, Risk, and Compliance for Responsible AI Adoption provides Financial Services customers practical GRC guidance for deploying AI responsibly. It covers governance, risk management, compliance, data and model management, and AI agent oversight, and maps these considerations to AWS capabilities. The guide highlights services such as Amazon Bedrock AgentCore, Bedrock Guardrails, Bedrock Agents, SageMaker Autopilot, and SageMaker Model Monitor. It complements existing AWS responsible AI and Well-Architected resources and is available on the AWS Whitepaper portal.
read more →

Cloud Infrastructure as the Foundation for Digital Health

🏥 The post argues that modern cloud infrastructure is the superior foundation for regulated Software as a Medical Device (SaMD), enabling faster innovation while meeting regulatory obligations. It outlines regulatory shifts in early 2026, including the FDA's QMSR alignment with ISO 13485 and the EU AI Act's applicability for high-risk systems. The author advocates Compliance as Code and describes three architectural planes—data, control, and evidence—on Google Cloud to deliver continuous audit readiness. It also highlights AI-driven monitoring and a shared fate model between cloud providers and manufacturers.
read more →

G7 Issues Minimum SBOM Elements for AI Supply Chains

🔍 A G7 Cybersecurity Working Group paper published on 12 May defines minimum elements for software bills of materials (SBOMs) tailored to AI systems, aiming to boost transparency across AI supply chains. It outlines seven clusters — Metadata, System Level Properties, Models, Dataset Properties, Key Performance Indicators, Infrastructure and Security Properties — to guide producers and users. The guidance stresses clusters are non-mandatory, that SBOMs alone are insufficient, and recommends linking SBOMs to vulnerability, advisory and tooling ecosystems.
read more →

CISA's AI SBOM Guidance Expands Supply‑Chain Oversight

🔍 The US Cybersecurity and Infrastructure Security Agency (CISA), working with G7 cyber partners, released supplemental minimum elements for an AI software bill of materials to document models, datasets, software components, providers, licenses, and other dependencies. The guidance extends traditional SBOM concepts into AI and is positioned to support procurement and vendor-risk assessments while remaining non‑exhaustive and non‑mandatory. Security teams should press vendors for model provenance, training and update practices, and runtime controls, but must recognize AI SBOMs provide visibility rather than assurance.
read more →

AWS Approach to Enabling AI Sovereignty in Cloud Globally

🔒 AWS outlines its approach to AI sovereignty, emphasizing customer control over data, deployment location, and access across the AI stack. It highlights infrastructure choices—AWS AI Factories, Outposts, Local Zones, Dedicated Local Zones, and the AWS European Sovereign Cloud—to meet regulatory and operational needs. AWS emphasizes technical protections like the AWS Nitro System, identity controls (IAM and Amazon Bedrock AgentCore Identity), and certifications such as ISO/IEC 42001 to reinforce transparency and trust.
read more →

Agentic AI: The Next Blindspot for Security Teams and Risk

🔐 Agentic AI is already operating across enterprises, executing tasks and taking actions often without meaningful security involvement. Security teams must develop hands‑on fluency — build and test agents, understand integrations like the Model Context Protocol, and enforce scoped configurations — because policy alone won't close the gap. The piece distinguishes three agent classes (productivity, MCP‑connected vendor agents, and custom user agents) and emphasizes configuration, access scoping, and training such as SANS SEC545 to reduce exposure.
read more →

CISOs Step into AI Spotlight: Risk, Governance and Trust

🔒 CISOs are shifting from a primarily technical control function to strategic business partners as AI reshapes risk, operations, and product delivery. Leaders such as Barry Hensley, Shaun Khalfan, and Jeff Trudeau stress publishing AI security frameworks, embedding security early in development, and aligning controls to business outcomes. They warn of AI-enabled threats — including advanced phishing, voice/video impersonation, and automated vulnerability discovery — and call for continuous controls, stronger identity and data governance, and near-real-time patching. Growing board engagement and changing reporting lines reflect the elevated role of security in enterprise strategy.
read more →

Architecting Resilient Foundations for the Agentic Era

🔐 At Google Cloud Next, Google outlined a resilient, scalable, and secure foundation to accelerate public sector adoption of the agentic era, highlighting infrastructure, data, and security innovations. Key infrastructure announcements include the AI Hypercomputer with eighth-generation TPUs (TPU 8t for training, TPU 8i for inference) and Virgo Networking, plus Google Distributed Cloud bringing Gemini to where data resides. On data, an AI-native architecture features Knowledge Catalog (FedRAMP High, DoD IL4 & IL5) and a cross-cloud Lakehouse to ground agents in trusted context. Security advances combine Google Threat Intelligence with Wiz, authorize Cloud Armor and Model Armor, and add defensive agents to protect models and sensitive data.
read more →

Eight Principles for Reskilling the SOC for Agentic AI

🤖 DXC Technology, Accenture, and other organizations are actively retraining SOC teams to integrate agentic AI by embedding vendor experts and building secure sandboxes. CISOs emphasize top-down leadership, rapid experimentation, and formal learning tracks to shift mindsets and roles. Governance, humans-in-the-loop, and clear escalation and audit paths are required while agents take on L1/L2 tasks.
read more →