AI security standard at FDIS
- Feb 20

Having now reached Final Draft International Standard stage, ISO/IEC 27090 "Guidance for addressing security threats and compromises to artificial intelligence systems" is on track for publication later this year, hopefully.
This is a timely standard, given the explosion of AI-with-everything at the moment. Hopefully it will prompt smart (and not-so-smart) organisations to think carefully about the information risks associated with their use of AI, prioritising the significant ones for urgent action.
By the way, 'their use of AI' means more than just delving into the design and implementation of technological or cybersecurity controls: other factors at least as important include whether to use AI at all, how, under which circumstances and in what manner. In other words, there are business and tech strategy, policy, governance, management, conformity, compliance, assurance and accountability aspects to this.
For instance, given the risks, how can inappropriate AI decisions, actions or content be caught in time before serious incidents occur? Since preventive controls cannot be entirely relied upon, what about detection, recovery and resilience controls?
Q: How many T-shirts screenprinted with inept genAI outputs would we need to sell to offset the damage caused to our brand?
A: Raise ten to a large power ...