AI security standard at FDIS
- Feb 20
- 1 min read
Updated: 2 days ago

Having now reached Final Draft International Standard stage, ISO/IEC 27090 "Guidance for addressing security threats and compromises to artificial intelligence systems" is on track for publication later this year, hopefully.
This is a timely standard, given the explosion of AI-with-everything at the moment. Hopefully it will prompt smart (and not-so-smart!) organisations to think carefully about the information risks associated with their use of AI, prioritising the most significant risks for urgent action.
By the way, 'their use of AI' means more than just delving into the design and implementation of technological or cybersecurity controls: other factors at least as important include whether to use AI at all, how, under which circumstances, in what manner - in other words there are business and tech strategy, policy, governance, management, conformity, compliance, assurance and accountability aspects to this. Whereas ISO/IEC 27090 mostly concerns cybersecurity (meaning technological controls addressing deliberate attacks), there are numerous (more than 100!) cited references to standards, academic studies and guidance addressing other aspects.
For instance, given the risks, how can inappropriate AI decisions, actions or content be caught in time before serious incidents occur? Since preventive controls cannot be entirely relied upon, what about detection, recovery and resilience controls?
Q: How many teeshirts screenprinted with amusing but inept genAI outputs would we need to sell to offset the damage caused to our brand by AI-related incidents?
A: Raise ten to a large power ...
