
All news with #ai risk management tag

42 articles

GitHub reduces low-impact bounties as AI submissions surge

🔒 GitHub is shifting low-impact bug bounty payouts from cash to swag and asking researchers to stop submitting low-quality or out-of-scope reports. The company says a sharp rise in submissions—exacerbated by generative AI tools—has produced many reports that don’t show meaningful security impact. GitHub welcomes AI-assisted research but requires human validation of AI-generated findings and will exclude certain report types from rewards. The change aims to speed triage and prioritize substantive vulnerabilities.

UK Regulators Warn Financial Firms on Frontier AI Risks

⚠️ On May 15 the UK government, the Financial Conduct Authority and the Bank of England issued a joint warning about cybersecurity threats from frontier AI. They noted models can outperform skilled practitioners at greater speed, scale and lower cost, amplifying risks to firms, customers and financial stability. The statement urges firms to strengthen governance, vulnerability management, third-party controls, protection and response capabilities and points to NCSC resources and prior resilience guidance.

CISOs Step into AI Spotlight: Risk, Governance and Trust

🔒 CISOs are shifting from a primarily technical control function to strategic business partners as AI reshapes risk, operations, and product delivery. Leaders such as Barry Hensley, Shaun Khalfan, and Jeff Trudeau stress publishing AI security frameworks, embedding security early in development, and aligning controls to business outcomes. They warn of AI-enabled threats — including advanced phishing, voice/video impersonation, and automated vulnerability discovery — and call for continuous controls, stronger identity and data governance, and near-real-time patching. Growing board engagement and changing reporting lines reflect the elevated role of security in enterprise strategy.

Guidance for Careful Adoption of Agentic AI Services

🛡️ CISA, in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and other partners, released guidance to help organizations adopt agentic AI systems safely. The guide identifies key security challenges and risks and offers actionable steps for designing, deploying, and operating these systems. It emphasizes risk management, alignment with existing cybersecurity frameworks, and strengthened oversight to help security teams, developers, and decision-makers implement practical governance and controls.

Why AI Projects Stall After the Demo: Operational Gaps

🔍 Demos often hide the operational friction that causes many AI initiatives to stall once they move into production. What succeeds in a controlled presentation—clean data, crafted prompts, and fast isolated responses—rarely maps to fragmented security and IT environments with noisy inputs, latency constraints, and numerous edge cases. Teams that validate tools against real workflows, measure accuracy and latency under load, prioritize deep integration, clarify cost models, and embed governance early are far more likely to turn a promising demo into sustained production value.

Deterministic vs Agentic AI in Security Validation

🔒 AI adoption is now a boardroom expectation, and Pentera’s AI Security and Exposure Report 2026 reports that every CISO surveyed already uses AI across their organizations. The piece argues that fully agentic systems, while powerful and adaptive, introduce probabilistic variability that undermines repeatable, measurable security validation. A hybrid approach—deterministic orchestration for consistent attack chains combined with AI for adaptive payloads and environmental interpretation—provides guardrails while preserving realism. This anchoring enables reliable retesting and continuous exposure validation without sacrificing contextual intelligence.

Nine Practical Steps for CISOs to Prevent AI Hallucinations

🔍 CISOs should treat AI outputs as drafts, keep humans in the loop for high‑stakes decisions, and demand traceability from vendors before accepting compliance or control assessments. The story cites practitioners who stress-test models for consistency, measure hallucination and drift rates over time, and validate AI findings against scanners and penetration testing. It warns against automated regulatory mapping without technical verification and emphasizes audit trails, human signoff, and vendor proof as essential controls.

Autonomous AI Adoption Is Rising — Benefits and Risks

🤖 Early this year, enterprises began experimenting with autonomous, agentic tools such as Anthropic’s Claude Cowork and the open-source OpenClaw, which can access apps, files and the web to execute multi-step workflows on users’ behalf. Proponents highlight large efficiency gains and the ability to offload routine IT tasks to non-technical staff, while security researchers warn of misalignment, prompt‑injection flaws and unintended destructive actions. IT leaders are advised to permit controlled experimentation, enforce strict permissions and monitoring, and invest in clean operational context to reduce amplified mistakes and limit shadow‑AI risk.

Majority of Cyber Staff Uncertain How to Shut Down AI

🚨 New ISACA research finds that 56% of IT and cybersecurity professionals cannot say how quickly they could shut down AI systems after a cyber-attack or security incident. The global survey of over 3,400 security and digital professionals found just 32% believe they could halt compromised AI within an hour, and 7% expect it would take longer. Respondents reported confusion over AI ownership, with many unsure who is accountable, limited human oversight of AI actions, and mixed confidence in their organisation's ability to investigate and explain serious AI incidents.

AI Prompts Changes in Cyber Insurance Pricing and Coverage

🤖 Insurers are reshaping cyber policies as AI proliferates in business operations. Many carriers are tightening language, adding exclusions, and requiring evidence of active controls rather than relying on checkbox attestations. At the same time, firms that deploy AI-driven defenses and continuous monitoring can receive premium discounts. Brokers and policyholders must clarify AI usage and coverage before renewals to avoid gaps.

CISO-Board Meetings Are Brief and Lack Strategic Depth

📊 Boards receive regular CISO briefings—typically quarterly—but those interactions are often short and surface-level. A recent IANS/Artico Search/The CAP Group study of more than 650 CISOs found most updates are time-boxed to ~30 minutes, and only 30% of boards describe relationships as strong and collaborative. Directors want more forward-looking, operational insight on threats—especially those driven by AI—and fewer passive status reports. CISOs with extended airtime report deeper, strategy-focused engagement.

MSP Guide: Scaling Cybersecurity with AI Risk Management

🛡️ This contributed piece from The Hacker News (Mar 06, 2026) outlines how MSPs and MSSPs can adopt AI-powered risk management to scale cybersecurity services. It argues a risk-first model shifts providers from one-off, technical fixes to continuous, business-focused protection that drives recurring revenue. The article highlights six common barriers—manual assessments, missing remediation roadmaps, compliance complexity, lack of business context, talent shortages, and unmanaged third-party risk—and recommends sourcing platforms that deliver automated assessments, dynamic risk registers, and actionable remediation plans to accelerate onboarding, improve compliance mapping, and create upsell opportunities.

Making LLMs a Defensive Advantage Without Added Risk

🔐 Large language models (LLMs) are reshaping security operations as productivity tools, embedded components and attacker targets. The article argues organizations should treat LLMs as high-impact systems: define outcomes, model threats and assume models can be wrong or manipulated. Early deployments should focus on narrow, advisory workflows (for example, alert triage, investigation copilots and detection engineering) and always treat model output as untrusted. Practical controls include retrieval-augmented generation, scoped credentials and human-gated actions to limit the model's blast radius.

Shannon AI, VoidLink Threats, and Weekly Talos Brief

🔐 Shannon — a fully autonomous AI penetration testing tool from Keygraph — has raised warnings because it requires access to source code, repository layout, and AI API keys, creating substantial exposure risks. Organizations should evaluate scoping, data retention, and whether findings will be used to improve secure development practices or treated as a quick fix. Vendor responses vary, illustrated by recent detection-focused updates from Anthropic, underscoring the need for careful risk assessment before adopting agentic pentesting tools.

Governing Agentic AI: Managing Risks Without Losing Control

⚠️ Agentic AI is shifting from assistance to autonomous action, creating new risk vectors that can exponentially multiply the impact of errors or breaches. Organizations must adopt governance by design—defining approved use cases, data access, mandatory controls, and clear accountability—so agents operate within known limits. IT teams should lead deployment, policy, and third‑party oversight, while investing in targeted training and resilience planning to protect both systems and staff.

Top Agentic AI Risks 2026: Governance and Defenses

⚠️ Agentic AI systems introduce acute governance and security challenges because autonomous agents can plan, execute tools, and process sensitive data without human oversight. The OWASP Foundation's Top 10 catalog identifies threats such as goal hijack, tool misuse, privilege abuse, supply chain compromise, RCE, memory poisoning, insecure inter-agent communication, cascading failures, human-trust exploitation, and rogue agents, each with examples and mitigations. Kaspersky condenses those findings and emphasizes a layered, near-Zero Trust defense: least autonomy and privilege, short-lived credentials, human-in-the-loop for critical actions, execution isolation, intent gates, continuous logging, behavioral monitoring, supply chain controls, and targeted training.

Cybercrime Inc. 2026: Industrialized Threats for CISOs

🔒 Cybercriminals now operate like businesses—highly specialized, service-oriented, and ROI-driven—using models such as RaaS and initial access brokers to scale attacks. This industrialization, amplified by AI and automation, forces a shift from reactive detection to proactive prevention and identity-first controls. CISOs must prioritize governance, supply-chain resilience, defensive automation, and strategic partnerships to manage risk amid talent and budget shortfalls.

Ransomware gangs extort victims with compliance threats

🛡️ Ransomware groups are increasingly threatening victims with regulatory complaints in addition to data leaks, citing alleged violations of rules such as GDPR. Security vendors including Akamai report the tactic has grown over the past two years and is used by gangs like Anubis and Ransomhub to pressure high-compliance sectors such as healthcare. Experts warn AI accelerates the process by quickly identifying 'material' issues and producing legally framed complaints, tightening deadlines and raising stakes for victims.

Scammers Use AI to Forge Art Documentation and Certificates

🖼️ Fraudsters are using AI and large language models to create highly convincing fake invoices, appraisal certificates and certificates of authenticity for artworks, making forgeries harder to detect. Brokers and appraisers, including Marsh, report that chatbots can invent plausible experts and documentation or hallucinate false references that owners accept as real. Insurers and valuation firms are now deploying AI-based metadata analysis and anomaly detection to flag manipulated provenance and guide human review.

Demystifying Risk: Managing AI in Enterprise Security

🔐 This article examines the security and governance challenges of generative AI and outlines practical steps organizations can take to reduce risk. It highlights model limitations such as hallucinations and underscores the continued need for human oversight for high‑stakes decisions. The author reviews prominent standards including NIST AI RMF, AICM and CSA Model Risk Management, and stresses cloud shared‑responsibility, cross‑team governance, and targeted workforce training as core mitigations.