InfoSec Compliance & AI Governance For over 20 years, DISC InfoSec has been a trusted voice for cybersecurity professionals—sharing practical insights, compliance strategies, and AI governance guidance to help you stay informed, connected, and secure in a rapidly evolving landscape.
The New Identity Perimeter: Machines, Agents, and the Trust Problem
Identity security is entering a fundamentally new phase — one where protecting access is no longer just about people, but about the full ecosystem of entities, human and non-human, that touch enterprise data and systems. Delinea CPO Phil Calvin, in conversation with OWASP contributor Chris Hughes, frames this shift as the defining security challenge of the current era: the question is no longer simply “who is this person?” but “what entity is accessing my environment, and should it be trusted?”
For decades, identity and access management was human-centric — authenticate the right person, grant the right role, audit the right session. But machines, APIs, bots, and now AI agents have become digital actors in their own right: they authenticate, access sensitive data, execute workflows, and make decisions, often at speeds and scales that no human workforce can match. The identity model that worked for employee directories was never designed for this. The implicit assumption that identity equals person is now a dangerous architectural debt.
For every human identity in a modern enterprise, there may be dozens of machine identities — automatically created, rarely tracked, and frequently left behind when projects end or architectures change. Cloud-native environments, microservices, and CI/CD pipelines have turned this into an explosion of unmanaged credentials. Attackers have adapted accordingly: compromised machine credentials have become one of the most reliable initial access vectors in major breaches precisely because no one is watching them.
Agentic AI has accelerated this problem dramatically. Unlike prior-generation AI that produced text or recommendations, agentic systems give LLMs the ability to take real actions — logging into systems, calling APIs, executing workflows, and making decisions about data and security operations. Each agent carries credentials, tokens, and entitlements. Each is, in identity security terms, a non-human principal with real privileges. The velocity is what makes this dangerous: a single employee deploying an AI agent could unknowingly multiply their effective access tenfold, spawning a cluster of high-privilege entities operating semi-autonomously under their account.
Visibility remains the hardest unsolved problem. Most enterprises today cannot confidently answer how many non-human identities exist in their environment, what privileges those identities hold, which are tied to AI agents or automation frameworks, or where credentials are embedded in code or stored insecurely. Discovery — continuous, cross-environment inventory of every key, token, secret, and agent — is the mandatory first step before governance is even possible. You cannot right-size what you cannot see.
Governance of machine entitlements is uniquely difficult because, unlike humans, machines don’t push back against excessive access. Engineers over-provision credentials to ensure workflows don’t break, and those permissions persist indefinitely. As AI agents acquire greater autonomy, this over-privilege problem compounds. The corrective posture is least privilege enforced through automation: remove standing credentials, rotate secrets continuously, vault sensitive machine secrets, and integrate policy enforcement directly into deployment pipelines — not as a retrofit, but as a native control.
AI occupies a dual role in this threat landscape. On the offensive side, adversaries are already using AI to automate reconnaissance, craft convincing phishing campaigns, and exploit leaked credentials faster than human security teams can respond. On the defensive side, AI can enhance visibility into identity behavior, detect anomalous privilege patterns, and accelerate response. The practical implication is that defenders must use AI to govern AI — building intelligence into the identity security lifecycle itself, not just deploying it as a perimeter tool.
Calvin’s framing is directionally correct and overdue, but I’d argue it still understates the severity of what’s coming. The identity sprawl problem he describes with service accounts is a known, relatively static challenge. Agentic AI identity sprawl is qualitatively different — it’s dynamic. Agents spin up sub-agents, delegate tasks across tool chains, and accumulate context and credentials across sessions in ways that no PAM (Privileged Access Management) tool designed for human workflows was architected to handle.
The piece’s five-step framework (discover, classify, least privilege, automate, monitor) is sound hygiene, but it treats agentic identity as an extension of the existing machine identity problem. I’d push back on that. An agentic AI system operating inside an enterprise isn’t just another service account — it’s a decision-making principal that may legitimately need broad access to do its job, and the challenge is ensuring that breadth of access is contextually constrained and auditable in real time, not just provisioned conservatively at deployment.
From an AI governance standpoint — which is where ISO 42001 and the NIST AI RMF come in — what’s missing from this conversation is the accountability layer. Least privilege and credential rotation are necessary but not sufficient. Organizations also need to be able to answer: What decision did this agent make? On whose authority? With what information? And can that be audited after the fact? That’s not a PAM problem. That’s an AI governance problem. The two disciplines need to converge, and most enterprises are running them in completely separate silos with no shared control framework.
Architecting Secure Enterprise AI Agents: A Practitioner’s Guide to Building AI That Earns Trust
The enterprise AI landscape has fundamentally shifted. We’ve moved beyond chatbots that answer questions to autonomous agents that perceive context, reason over goals, and take action through real tools and services. But here’s the uncomfortable truth that IBM’s recent guide (verified by Anthropic) makes crystal clear: the way we build these agents cannot be the way we built traditional software. The old playbook doesn’t just need updating—it needs rethinking from the ground up. As someone who works in AI governance daily, I find this distinction isn’t academic; it’s the difference between an agent that creates value and one that creates liability.
The core problem is what the guide calls the shift “from deterministic to probabilistic.” Traditional software follows predictable paths: the same input produces the same output every time. AI agents don’t work this way. Feed an identical prompt to the same agent twice and you may get two different responses. This single characteristic cascades into everything else. You can’t simply deploy an agent to production after it passes staging tests, because “passing” is no longer a binary state. The guide introduces a powerful reframing here: we’re moving from “code-first to evaluation-first.” A technically perfect implementation can produce terrible agent behavior, while a messy prompt might work beautifully. Success depends not on clean code but on systematic measurement of what the agent actually does.
To address this, the guide proposes the Agent Development Lifecycle (ADLC)—essentially DevSecOps reimagined for the agentic era. It organizes work into six interconnected phases: Plan, Code and Build, Test and Release, Deploy, Operate, and Monitor. What makes it different from traditional DevSecOps are two new “inner loops.” The Experimentation Loop sits between Build and Test, using evaluation frameworks to improve agent behavior during development. The Runtime Optimization Loop runs continuously in production, balancing agent quality against operational cost. These loops exist because agents inject “stochastic control logic” into systems that previously ran on rigid, predictable rules.
So how do you actually build a secure AI agent? Start with the Plan phase by defining a narrow, measurable use case and establishing your KPIs before writing a single line of code—accuracy, latency, trust scores, safety thresholds. Crucially, decide your “acceptable agency”: exactly what the agent can and cannot do autonomously. In the Code and Build phase, implement your prompts, memory strategies, and orchestration logic while treating every integration as a tool exposed through the Model Context Protocol (MCP). Keep these tools least-privilege, versioned, and well-documented. Issue every agent its own identity so that every action is traceable and auditable, and instrument observability hooks from the start to capture reasoning traces, tool calls, and outputs.
Security cannot be an afterthought bolted on at the end—it must be woven into the architecture. The guide emphasizes sandboxing as a foundational control, not an optional feature. Because agents often execute dynamically generated code and interact with diverse tools, an unconstrained agent that gets compromised can reach far beyond its intended scope. Run agents inside lightweight isolation frameworks (Firecracker, gVisor, container security profiles) to enforce hard boundaries and prevent lateral movement. Complement this with an MCP Gateway that acts as a single, policy-enforced entry point: it handles authentication, authorization, rate limiting, and applies policy-as-code rules across all your agents and tools. This layered approach—infrastructure isolation plus gateway governance—creates genuine defense in depth.
The Test phase demands behavioral validation, not just traditional unit tests. Run structured evaluations against benchmarks, measure governance metrics like hallucination rate and bias, and deploy guardrails throughout the lifecycle. Use techniques like “LLM-as-a-Judge” alongside human-in-the-loop review, and perform red teaming to surface vulnerabilities before they reach production. Only after an agent passes these gates should it be certified in a governed catalog. During Deployment, roll out progressively, design for resilience against outages and cyberattacks, and always include a kill-switch to disable the agent in emergencies. Then in Operate and Monitor, track real-time accuracy, latency, and cost while watching for the unique threats agents face: memory poisoning, tool misuse, and “intent breaking” where attackers hijack an agent’s purpose through manipulated prompts.
Governance ties the entire framework together and is where my own field intersects most directly with this work. The guide advocates for a governed catalog that records each agent’s purpose, owners, capabilities, risk posture, and data-handling policies—with immutable audit trails linking evaluation results, red team reports, and approvals. This isn’t bureaucracy for its own sake. As agents proliferate, organizations face “agent sprawl” and “shadow AI,” where ungoverned agents drift from policy undetected. The catalog, combined with rigorous version control and Software Bills of Materials (SBOMs) for tools, prompts, and code, gives enterprises the evidence trail they need to satisfy auditors and regulators. Every release should pass through prerelease checks, promotion gates, and runtime attestations.
The real-world examples in the guide validate the framework’s necessity. A healthcare payer maintaining HIPAA compliance had to synthesize ground-truth data because they couldn’t access historical records, then deploy a fully managed compliant stack rather than standard SaaS. A telecommunications firm struggled to track “tens of agent variants” without proper experiment tracking. A major bank recognized that while traditional security protects source code, AI agents require security across data access, embeddings, prompts, and RAG pipelines—with specialized scanning for prompt injection, jailbreaks, and model poisoning. These aren’t hypothetical risks; they’re the lived experience of enterprises deploying agents at scale in regulated industries today.
My perspective: Having spent considerable time in AI governance and ISO 42001 implementation, I believe this guide captures something the industry has been slow to accept: agentic AI is not a more powerful version of traditional automation—it’s a different category of system that demands a different discipline. What strikes me most is how naturally the ADLC aligns with emerging governance standards like ISO 42001 and the EU AI Act. The emphasis on acceptable agency, human oversight, auditability, and continuous monitoring isn’t just good engineering; it’s the operational backbone of regulatory compliance. My one caution is that frameworks like this can intimidate organizations into either over-engineering or analysis paralysis. The guide’s own advice—find the simplest solution, sometimes don’t build an agent at all, start with single-agent systems—is the wisest counsel in the entire document. The winning formula isn’t maximum autonomy; it’s the right amount of autonomy, tightly governed, continuously evaluated, and always reversible. Build agents that earn trust through transparency and control, and the business value follows. Build them for sophistication alone, and you’re constructing tomorrow’s compliance nightmare.
DISC InfoSec is an active ISO 42001 implementer and PECB Authorized Training Partner specializing in AI governance for B2B SaaS and financial services organizations.
The Delay Trap: Why the EU AI Act Postponement Is the Most Dangerous Gift Your Compliance Program Ever Received
Brussels just handed enterprises sixteen extra months. Most of them are about to spend it accumulating governance debt.
On May 7, 2026, EU legislators reached a provisional agreement on the Digital Omnibus on AI — the first substantive amendment to the AI Act since its adoption. The headline: obligations for standalone high-risk AI systems under Annex III, originally biting on August 2, 2026, are deferred to December 2, 2027. High-risk AI embedded in regulated products under Annex I slips further, to August 2, 2028.
Across boardrooms, you could hear the exhale. Budget lines earmarked for AI Act readiness are already being quietly reallocated. Steering committees that met biweekly are moving to quarterly. “We have until the end of 2027” is becoming the most repeated sentence in European compliance.
It’s also the most dangerous one.
The deadline moved. Nothing else did.
Here’s what the delay did not change: your AI footprint. The recruitment screening model your HR team piloted last quarter. The credit decisioning logic your fintech partner embedded in your onboarding flow. The agentic workflows your engineering org is wiring into production right now, this week, without waiting for Brussels to finish its paperwork.
The AI Act’s timeline was political. Your risk accumulation is operational. Those two clocks were never synchronized, and the Omnibus just desynchronized them further. Every month between now and December 2027, your organization will deploy more AI, embed it deeper into consequential decisions, and entangle it with more vendors — while the regulatory pressure that was forcing executive attention quietly deflates.
I’ve spent two decades watching organizations respond to compliance deadlines, from SOX to GDPR to ISO certification cycles. The pattern is depressingly consistent: a moved deadline doesn’t extend the runway. It deletes the urgency, the program decays, and eighteen months later the organization restarts from a worse position than where it paused — because the environment kept getting more complex while the program stood still.
That’s governance debt with a compounding interest rate. And the AI version compounds faster than anything we’ve seen, because AI adoption doesn’t pause when your governance program does.
Three reasons “we’ll restart in 2027” is a fiction
First, the delay isn’t even law yet. The May 7 agreement is provisional. Formal adoption and publication in the Official Journal are still pending. The April trilogue round collapsed before this one succeeded, which tells you how fragile the politics are. Until the amendment is in the Official Journal, August 2, 2026 remains the legally operative date — and several obligations, including transparency requirements and enforcement structures, were never part of the deferral conversation at all. Organizations planning against a deadline that hasn’t been enacted are practicing compliance by press release.
Second, the EU was never your only regulator. Colorado’s AI Act, the expanding patchwork of US state AI legislation, sector regulators sharpening their AI expectations, and — most immediately — your customers’ procurement teams. Enterprise buyers are not waiting for December 2027 to ask how you govern AI. They’re asking now, in security questionnaires, in vendor risk assessments, in contract language. I watched this dynamic play out firsthand taking a client through ISO 42001 certification: the commercial pressure to demonstrate AI governance arrived well ahead of any regulatory enforcement date. The market is enforcing faster than the regulators.
Third, the legislators themselves told you why they delayed. The deferral exists because harmonised standards, notified bodies, and compliance tooling weren’t ready — not because the obligations got lighter. The requirements in Articles 9 through 17 are coming intact: risk management systems, data governance, technical documentation, logging, human oversight, accuracy and robustness. Sixteen months is not generous for building those capabilities from a standing start. It’s barely adequate for organizations that keep moving. For organizations that pause and restart in mid-2027? It’s a guaranteed fire drill, executed against finalized standards, with every consultancy and notified body in Europe simultaneously overbooked.
What the sixteen months are actually for
The organizations that will look smart in December 2027 are treating this window as exactly what the legislators intended: time to build properly instead of compliance theater under deadline pressure.
That means doing the unglamorous foundational work now. Inventory your AI systems — including the shadow AI your business units deployed without telling anyone, and the AI capabilities your vendors switched on inside products you already license. Classify against Annex III honestly, not optimistically. Stand up the risk management and data governance machinery that Article 9 and Article 10 will demand, because those capabilities take quarters to mature, not weeks.
And anchor it in a management system, not a project plan. This is where ISO 42001 earns its relevance. A certifiable AI management system gives you a regulation-agnostic backbone: the same governance infrastructure satisfies EU AI Act obligations, Colorado’s requirements, NIST AI RMF alignment, and the procurement questionnaires landing in your inbox this quarter. Projects end when deadlines move. Management systems persist because they’re wired into how the organization operates. That structural difference is precisely what separates the companies that will coast through December 2027 from the ones that will panic through it.
The Digital Omnibus came with an explicit expectation attached: implementation efforts should already be underway. That wasn’t diplomatic filler. It was the legislators telling you how they’ll view organizations that show up in late 2027 with nothing built.
The question for your next leadership meeting
Don’t ask “when is the deadline now?” Ask: “What did we deploy this quarter that we couldn’t explain to a regulator, a customer, or a courtroom?”
If the honest answer is “we’re not sure,” the EU just gave you sixteen months to find out. Spend them like the gift they are — or discover in 2027 that the delay trap was never about the deadline at all.
DISC InfoSec helps organizations build AI governance programs that survive deadline changes — ISO 42001 implementation, EU AI Act readiness, and NIST AI RMF alignment from a practitioner who has taken a client through certification, not just talked about it. Start with our free EU AI Act gap assessment at deurainfosec.com.
DISC InfoSec is an active ISO 42001 implementer and PECB Authorized Training Partner specializing in AI governance for B2B SaaS and financial services organizations.
Corporate visibility has become a business requirement rather than a marketing choice. Organizations publish employee profiles, leadership pages, technical blogs, social links, and recruiting content to build trust, attract talent, and improve customer confidence. However, every piece of public information expands the organization’s attack surface and creates intelligence opportunities for adversaries. The challenge is no longer whether to be visible, but how to operate securely while visible.
Security risks from corporate visibility are primarily reconnaissance-driven. Public information allows threat actors to identify key employees, map reporting structures, discover technology stacks, and understand operational processes before ever touching the network perimeter. Modern attacks increasingly target people and workflows rather than infrastructure vulnerabilities, making visibility management a core risk management function rather than just a branding consideration.
Corporate websites typically expose much more than organizations realize. Common examples include employee names, job titles, leadership bios, headshots, email address patterns, social media links, customer references, technology disclosures in job postings, project announcements, and partner ecosystems. Even seemingly harmless details such as organizational charts or department structures help attackers prioritize targets and craft convincing attack paths. Exposure becomes particularly problematic when public data can be correlated with breached credential repositories or social media activity.
This information becomes weaponized through open-source intelligence (OSINT) aggregation. Attackers combine public corporate data with social media, breach datasets, and AI-assisted analysis to create personalized phishing campaigns, helpdesk impersonation attempts, credential attacks, and business email compromise scenarios. The effectiveness comes from context: an email referencing a real manager, recent project, conference appearance, or customer relationship appears legitimate because the attacker already understands the organization. Personalized phishing and social engineering campaigns consistently outperform generic attacks because they exploit trust rather than technical weaknesses.
The rise of generative AI significantly accelerates this process. What previously required days or weeks of manual reconnaissance can now be automated in hours. AI systems can scrape websites, correlate identities, summarize relationships, generate targeted phishing content, and even imitate communication styles. This lowers attacker costs while increasing scale, meaning organizations should assume adversaries can rapidly build highly accurate organizational profiles from publicly available information.
The 2023 attack against MGM Resorts International demonstrates how corporate visibility intersects with operational failure. Threat actors associated with Scattered Spider reportedly used publicly available employee information and social engineering techniques to impersonate staff members during helpdesk interactions. By manipulating identity verification processes, attackers gained elevated access that eventually disrupted casino operations, digital services, and hotel operations, creating an estimated $100 million business impact. The attack highlighted that the primary weakness was not public information itself, but weak verification controls around sensitive processes.
The lesson from MGM is that identity assurance matters more than secrecy. Many security practitioners and incident observers noted that helpdesk workflows, MFA recovery procedures, and privileged account processes became the real attack surface. Attackers exploited human workflows because those controls failed under realistic social engineering pressure. Organizations often invest heavily in technology stacks while underinvesting in identity proofing, helpdesk security, and process resilience.
Operating securely when visibility is unavoidable requires layered controls. Organizations should assume attackers already possess employee names, reporting structures, and technology information. Recommended controls include phishing-resistant MFA, stronger helpdesk identity verification, out-of-band approval processes, role-based exposure reviews, periodic OSINT assessments, monitoring for credential exposure, and security awareness programs focused specifically on personalized social engineering. Security programs should shift from “prevent exposure” to “operate securely despite exposure.”
My perspective as a security risk professional is that corporate risk in the AI era is shifting from perimeter defense toward identity, trust, and context protection. AI amplifies attacker capabilities by making reconnaissance, impersonation, and influence operations faster and cheaper. Organizations that still treat public visibility as a branding problem rather than a risk management problem are underestimating how quickly AI-enabled adversaries can build organizational intelligence. The future control objective is not reducing visibility to zero; it is building security architectures, governance processes, and human workflows that remain resilient when attackers already know who your people are, what technologies you use, and how your business operates.
DISC InfoSec is an active ISO 42001 implementer and PECB Authorized Training Partner specializing in AI governance for B2B SaaS and financial services organizations.
Four risks, three frameworks, and what mapping ISO 27001, ISO 42001, and NIST 800-53r5 actually looks like in practice.
Most risk registers are built backwards. Someone exports a control list from a framework, generates a row for each control, and reverse-engineers a “risk” to justify it. The result looks comprehensive and tells you almost nothing useful. Auditors recognize it on sight.
A working risk register starts from the other direction — from the business issue. What could materially hurt the company? What’s the mechanism? What controls actually move the needle? Then the framework mapping comes in, and only as a way to evidence that the controls you already need are also the ones the standards expect.
This post walks through four risks. Four come from a live register at a SaaS platform serving M&A and financial services clients — ISO 42001 & ISO 27001 certified. The fourth is the risk almost every SMB is currently running without measuring, and the one I expect to dominate AI-era incident reports for the next two years.
Risk 1 — Outdated Spring Framework and Spring Security
The business issue. The core application is running on Spring Framework 5.3.39 and Spring Security 5.8.16. Both are end-of-OSS-support. Both are missing fixes for high and critical CVEs that have been public for over a year. The framework underlies every authenticated request the platform serves, so the blast radius of any successful exploit is the entire customer base.
Contributing risk factors. Framework upgrades are the kind of work that gets deferred because nothing visibly breaks when you skip a quarter — until something does. Contributing factors typically include: engineering capacity prioritized toward customer-visible features, breaking-change risk in major Spring upgrades, dependency entanglement with libraries that pin to older Spring versions, and the absence of a configuration-as-code baseline that would make environment-by-environment upgrades safer to attempt.
How it relates across domains.
InfoSec: Direct exposure. Spring4Shell-class vulnerabilities and Spring Security authentication-bypass CVEs are not theoretical — they have working exploits, EDR signatures, and threat-actor playbooks.
Privacy: Indirect but real. An authentication bypass against a platform processing M&A diligence rooms means unauthorized access to highly sensitive personal and corporate data. GDPR Article 32 (security of processing) becomes the relevant hook.
Compliance: Indefensible at audit. “We are running a framework with known unpatched critical CVEs” is not a position you want to be in during a customer security questionnaire or an ISO 27001 surveillance audit.
AI governance: Tangential. But worth noting: if AI features depend on the same framework, the AI system’s confidentiality and integrity properties inherit the framework’s weaknesses. ISO 42001 expects you to know that.
Compensating controls already in place. CrowdStrike EDR, WAF, network segmentation, MFA, session controls. These reduce — but do not eliminate — exposure. They buy time. They are not a substitute for the upgrade.
Risk 2 — Hidden or Backdoor Functionality in Major Vendor Software
The business issue. Major vendor software in the stack (Apache Tomcat as one example, but the category is broader) could contain undocumented functionality — whether maliciously inserted, accidentally shipped, or buried in a dependency three layers deep. Recent industry events have made this category move from “theoretical supply-chain hand-wringing” to “the thing your insurance carrier asks about by name.”
Contributing risk factors. Vendor opacity. Lack of reproducible builds. Incomplete or absent SBOMs for transitive dependencies. The economic reality that even diligent vendor management cannot inspect code you do not have. The increasing sophistication of nation-state actors targeting widely deployed open-source components as a force multiplier.
How it relates across domains.
InfoSec: Detection is the only realistic primary control. You will not prevent this at the source — you will catch it through behavioral monitoring, anomaly detection, and network segmentation that limits what a compromised component can reach.
Privacy: If the compromised component handles personal data, you are looking at notification obligations under GDPR Article 33/34 and U.S. state breach laws. Processor relationships (Article 28) make this messier — you may be on the hook for a sub-processor’s exposure.
Compliance: Supply-chain assurance is one of the fastest-growing audit focus areas across ISO 27001:2022 (A.5.19–A.5.22), SOC 2, and regulator guidance. “We trusted the vendor” is not an acceptable answer anymore.
AI governance: If AI components or models come from third-party vendors — and most do, somewhere in the pipeline — supply-chain integrity extends to model weights, training datasets, and inference infrastructure. ISO 42001 A.10 (third-party and customer relationships) is the natural home for this.
Compensating controls already in place. Vendor management program, SBOM where available, CrowdStrike EDR for behavioral detection, network segmentation, Sumo Logic for anomaly detection, monitoring of third-party security research feeds.
Risk 3 — AI Feature Produces Misleading or Biased Output in Customer Use
The business issue. AI features in production — for example, financial, healthcare, or M&A document summarization and redaction recommendations — could produce outputs that are misleading, biased, or wrong in ways customers cannot easily detect. In a high-stakes diligence context, a confidently incorrect summary or a missed redaction is not a minor UX (User Experience) issue. It is a trust event, potentially a liability event, and depending on jurisdiction a regulatory event.
Contributing risk factors. Model limitations (every model has them; vendors do not always disclose them in operational terms). Training data quality and representativeness. Insufficient human-in-the-loop review for high-stakes outputs. Lack of structured output validation. The general gap between how AI systems are marketed and how they behave under tail-case inputs.
How it relates across domains.
InfoSec: Indirect. The risk is not confidentiality or integrity of the system — it is integrity of the output. This is the category where pure infosec frameworks run out of language and AI-specific governance has to take over.
Privacy: Direct under GDPR. Article 22 (automated decision-making), Articles 13–14 (transparency obligations), Article 5 (accuracy and fairness principles), and Article 35 (DPIA threshold) all engage when AI output materially affects an individual or a transaction.
Compliance: ISO 42001 is the primary frame. The 27001 hooks are thin and forcing them dilutes the analysis — bias and misleading output is genuinely a 42001-domain risk and should be scored there.
AI governance: This is the canonical ISO 42001 risk. Clause 8.3 (AI system impact assessment), Annex A.6.2.4 (system validation), A.7.4 (data quality), A.9.2 (operation), A.6.2.6 (system monitoring) — the entire 42001 spine engages here.
Compensating controls already in place. ISO 42001 AI management system controls, AI feature review and approval process, human-in-the-loop for high-stakes outputs, customer disclosure of AI use, model performance monitoring, output validation in QA, AI impact assessment process where threshold is met.
Risk 4 — Uncontrolled Data Exposure Through Shadow AI and Connected AI Tools
This is the most prolific AI security risk facing SMBs today, and it is almost universally underweighted on the registers I see. Most SMBs are running it actively, right now, without measuring it.
The business issue. Employees use consumer AI tools — ChatGPT free tier, Gemini, personal Claude accounts, AI meeting note-takers, AI browser extensions, AI plug-ins inside Slack and Notion and Chrome — to do real work. They paste customer data, source code, draft contracts, financial records, internal communications, and partner data into systems the company has no contractual relationship with, no DPA from, no visibility into, and often no acceptable use policy covering.
The connected AI tools half of this risk is the more dangerous one. A sanctioned AI meeting notetaker plugged into the corporate calendar. An AI sales assistant connected to the CRM. An AI coding agent with repository access. An AI feature that a SaaS vendor turned on in their latest release without prompting a fresh security review. Each of these has authenticated access to substantial corporate data. Each was typically procured department-by-department without going through vendor risk review, security review, or a DPIA. The aggregate data exposure is much larger than any individual decision-maker realized when they clicked “enable.”
Contributing risk factors. No AI acceptable use policy, or one that exists but is not enforced. No technical controls — no CASB, no DLP that recognizes AI endpoints, no browser-level AI gating. Consumer AI free tiers without enterprise-grade data protections (training opt-out, retention controls, audit logs). Procurement workflows that do not catch “this SaaS tool also has AI features now,” which by 2026 describes nearly every SaaS tool in the stack. BYOD environments where the company has no visibility into what is running. The general pace at which vendors are shipping AI features faster than security teams can review them.
How it relates across domains.
InfoSec: This is data exfiltration through user behavior rather than through exploit. The “attacker” is well-intentioned employees getting work done. That makes it the hardest category for traditional security tooling — there is no malware signature, no anomalous network destination if the AI tool runs in a sanctioned browser, no exfil pattern that EDR catches. Detection has to come from policy, awareness, DLP that understands AI endpoints, and vendor management.
Privacy: This is the heaviest privacy exposure on the register. Sending PII or customer data to an AI tool the company has no DPA with is a probable subprocessor violation under GDPR Article 28 and a likely CCPA issue. Purpose limitation (Article 5(1)(b)) and accuracy (Article 5(1)(d)) both engage. If the AI tool retains data for training, you have lost control of customer information you contractually promised to protect — and you may not be able to get it back.
Compliance: B2B SaaS customer contracts increasingly carry explicit subprocessor lists, data residency clauses, and prohibitions on sending customer data to AI training. Shadow AI usage breaks every one of those simultaneously. SOC 2 CC9.2 (vendor management) and ISO 27001 A.5.19–A.5.22 are the audit hooks. For regulated customers (financial services, healthcare), this can be a contract termination event.
AI governance: ISO 42001 covers this even when the AI is being used informally rather than deployed as a product. A.9.3 (responsible use) and A.5.2–A.5.5 (AI policy framework) apply to ad-hoc internal usage. This is exactly the gap that catches SMBs without an AI management system in place.
A note on the SMB profile specifically. Enterprises have legal, procurement, and security teams that can absorb some of this risk through process. SMBs typically do not. The 30-person SaaS company where everyone has admin on their own laptop and procures their own SaaS tools is the canonical Shadow AI environment. Most don’t know what data is being sent where, and most have no realistic path to find out without first putting policy and tooling in place. The good news: this is the risk where the early-stage investments — an AI AUP, vendor inventory, awareness training, browser-level controls — produce disproportionate residual-risk reduction.
Compensating controls in a mature program. AI acceptable use policy, AI vendor inventory, AI-aware DLP, browser-level controls or CASB enforcement on AI endpoints, awareness training that names specific tools and specific behaviors, procurement gates that flag AI features in new and renewing contracts, periodic spot-checks of connected AI integrations across the SaaS estate.
The Control Matrix
The table below maps each risk to the controls that actually do the work — not every control that could conceivably touch the risk, just the ones that move residual exposure. The NIST column is split: 800-53r5 for the technical and operational risks where it has strong native coverage, NIST AI RMF for the AI-specific risks where 800-53 underperforms.
A.10.2 (allocation of responsibilities), A.10.3 (suppliers) — plus B.8 processor controls where Organization’s acts as processor
800-53r5: SR-3 (supply chain controls and processes), SR-6 (supplier assessments and reviews), SR-11 (component authenticity), RA-5 (vulnerability scanning), SI-2 (flaw remediation), SI-4 (system monitoring), AU-6 (audit record review, analysis, and reporting)
AI feature produces misleading or biased output
A.5.34 (privacy and PII protection) — and intentionally light here; this is a 42001 risk
A.6.2.4 (system validation), A.6.2.5 (system requirements), A.6.2.6 (system monitoring), A.6.2.8 (system documentation), A.7.2 (data for AI systems), A.7.4 (data quality), A.7.5 (data provenance), A.8.2 (responsible AI), A.8.3 (AI system impact assessment), A.9.2 (responsible use), A.5.2–A.5.5 (AI policy and governance)
NIST AI RMF: GOVERN-3.2 (AI risk roles and responsibilities), MAP-2.3 (system capabilities and limitations characterized), MEASURE-2.11 (fairness and bias evaluation), MANAGE-4.1 (post-deployment monitoring) — paired with 800-53r5 SA-11, RA-3, PM-31 as proxy controls
Shadow AI / connected AI tool data exposure
A.5.10 (acceptable use of information), A.5.14 (information transfer), A.5.19–A.5.22 (supplier relationships, applied to AI vendors), A.6.3 (information security awareness, education, and training), A.8.3 (information access restriction), A.8.12 (data leakage prevention — legitimate use here), A.8.16 (monitoring activities), A.5.34 (privacy and PII protection)
A.5.2–A.5.5 (AI policy framework), A.6.1.2 (AI objectives — including unsanctioned use boundaries), A.9.2 (responsible use), A.9.3 (use of AI systems), A.10.4 (customers — for downstream data flow impact)
800-53r5: AC-20 (use of external information systems), AC-21 (information sharing), AT-2 (literacy training and awareness), PL-4 (rules of behavior), SC-7 (boundary protection), SI-4 (system monitoring), CA-9 (internal system connections). NIST AI RMF: GOVERN-3.2 (roles and responsibilities), MAP-4.1 (third-party AI considerations), MANAGE-3.1 (AI risks and benefits documented)
A few things worth noticing about this matrix.
First, the AI bias row is intentionally light on ISO 27001. Forcing A.8.12 (DLP) or similar onto an AI bias risk is the kind of stretch that auditors notice and that practitioners do to make registers look symmetrical. Different risks live in different frameworks for a reason.
Second, A.8.12 (DLP) finally finds a legitimate home in the Shadow AI row. That control was the wrong fit for AI output bias, but it is exactly right for AI input leakage. Same control number, completely different risk story — which is part of why control-first registers fail.
Third, the Shadow AI row pulls from all three frameworks at near-equal weight. It is simultaneously a supplier risk, an awareness risk, a boundary-protection risk, an AI-governance risk, and a privacy risk. That cross-cutting profile is part of why it is hard for any single team to own — and part of why it sits unaddressed on so many registers.
Fourth, the supply-chain row pulls A.5.23 (cloud services) and SR-11 (component authenticity) explicitly. These have moved from “nice to have” to “expected” in the last twelve months as the audit community has caught up to the reality of modern dependency graphs.
A Practitioner’s Perspective on Mapping Business Risks to Frameworks
Six things I’ve learned doing this work at the implementation end rather than the consulting-deck end.
Start from the risk, not the control. Every register I have inherited that started from a control list is unusable. The ones that started from “what could materially hurt the business” are the ones that survive contact with an auditor and with reality. Frameworks are evidence, not source material. Shadow AI is the cleanest illustration of this principle in the current threat landscape — start from controls and you map it to DLP and call it done. Start from the business issue and you discover it is a policy gap, a vendor management gap, a training gap, a technical controls gap, and a privacy gap simultaneously. The controls are the answer. They are not the question.
Resist the urge to map everything to everything. A clean register has some empty cells. An AI bias risk genuinely does not have strong ISO 27001 coverage, and pretending otherwise dilutes both the risk analysis and the framework. If a column is light, write that down. Auditors prefer honesty over symmetry.
Use the right framework for the risk. NIST 800-53r5 is excellent for infrastructure and operational controls and underperforms on AI-specific risks. NIST AI RMF is purpose-built for the AI risks and has no opinion about your patching cadence. ISO 27001:2022 and ISO 42001 are designed to interlock — let them. The temptation to force one framework to cover everything is the single most common mistake I see in mid-market registers.
Compensating controls are real, but they are not the destination. Every one of the risks above has compensating controls in place. CrowdStrike, WAFs, segmentation, monitoring, human review, awareness training. These reduce velocity and impact. They do not eliminate the underlying issue. A register that scores residual risk as “low” because compensating controls exist — without a plan to remediate the root cause — is telling you a story about itself, not about the risk.
Score the risk the SMB is actually running, not the one the framework imagines. Shadow AI is the canonical example. Most SMB registers either omit it entirely or score it at moderate residual on the strength of an AUP nobody enforces. The honest score reflects what would happen if a customer audited the actual data flows tomorrow. That is usually a different number — and the gap between the two numbers is the value the security function is failing to deliver.
The capability-governance gap is the real risk category. Every one of these four risks is a version of the same problem: technical capability has outrun the governance and operational practices needed to keep it safe. The Spring stack is more complex than the upgrade process can keep up with. The supply chain is deeper than the vendor management program can see. The AI feature is more capable than the output validation can verify. The AI tools employees use are more numerous and more powerful than any inventory the company maintains. The frameworks are useful because they force you to close that gap — not because the controls themselves are magic.
A risk register is a forcing function. It makes you write down what you know, what you do not know, and what you are doing about it. The frameworks are the language you write it in. The business issues are what you are writing about. Get that order right and the register starts doing real work. Get it wrong and you have a document that satisfies no one — not the auditor, not the board, not the engineers who are supposed to fix the problem.
Written from the implementation seat. If you are working through similar risks on your own register — especially Shadow AI, which most SMBs are running unmeasured — DISC InfoSec does this work for B2B SaaS and financial services organizations. vCISO, vCAIO, ISO 42001 and ISO 27001 implementation, AI governance. Reach out: hd@deurainfosec.com.
DISC InfoSec is an active ISO 42001 implementer and PECB Authorized Training Partner specializing in AI governance for B2B SaaS and financial services organizations.
Managing AI Risk: A Practical Approach to Secure, Responsible, and Effective AI Adoption
Artificial Intelligence is transforming how organizations operate, compete, and innovate. From automating business workflows to enhancing cybersecurity detection and accelerating decision-making, AI offers enormous opportunities. Yet alongside these benefits comes a rapidly expanding landscape of risks that organizations can no longer ignore.
Books like Managing AI Risk help leaders understand that AI implementation is not simply a technology project — it is a governance, security, compliance, and business resilience challenge.
Organizations are rushing to deploy generative AI, large language models (LLMs), autonomous agents, and AI-powered analytics. Unfortunately, many businesses are adopting AI faster than they can govern it.
Today’s AI risks include:
Data leakage through public AI tools
Hallucinations and inaccurate outputs
Prompt injection attacks
AI model manipulation and poisoning
Bias and discrimination in automated decisions
Intellectual property and copyright exposure
Regulatory non-compliance
Shadow AI usage by employees
Lack of transparency and explainability
Overreliance on AI-generated decisions
Cybersecurity teams are now facing a new reality where attackers also use AI to automate phishing, malware development, social engineering, and vulnerability discovery. AI has become both a defensive tool and an offensive weapon.
This creates a critical challenge for leadership: how can organizations embrace AI innovation while still maintaining trust, security, compliance, and operational control?
A Practical and Sensible Approach to AI Implementation
Successful AI adoption requires more than experimentation. Organizations need a structured and practical framework that balances innovation with governance.
A sensible AI strategy should include:
1. AI Governance First
Before deploying AI systems, organizations must establish governance policies defining:
Acceptable AI usage
Risk ownership
Data handling requirements
Human oversight responsibilities
Vendor assessment criteria
Ethical AI principles
Without governance, AI deployments quickly become fragmented and difficult to control.
2. Risk-Based AI Deployment
Not all AI systems carry the same level of risk. Organizations should classify AI use cases based on:
Business impact
Sensitivity of data
Regulatory exposure
Customer impact
Automation level
High-risk AI systems require stronger validation, monitoring, and approval processes.
3. Continuous Security and Monitoring
AI systems are not “set and forget” technologies. Organizations must continuously monitor:
Model drift
Data quality
Security vulnerabilities
User misuse
Adversarial attacks
Compliance violations
AI security must become part of enterprise cybersecurity and GRC programs.
Why an Artificial Intelligence Management System (AIMS) Matters
One of the most important emerging concepts in AI governance is the Artificial Intelligence Management System (AIMS).
An AIMS provides organizations with a formal structure for managing AI responsibly across the enterprise. Similar to how ISO 27001 supports information security management, AI governance frameworks such as International Organization for Standardization ISO/IEC 42001 are helping organizations operationalize AI governance and risk management.
An effective AIMS helps organizations:
Establish AI accountability
Standardize AI governance processes
Improve regulatory readiness
Reduce operational risk
Build stakeholder trust
Align AI initiatives with business objectives
As regulators worldwide continue introducing AI laws and compliance requirements, organizations without structured AI governance will face increasing operational and legal challenges.
The Future of AI and Risk Management
The future of AI risk management will revolve around resilience, transparency, and adaptive governance.
In the coming years, organizations will move beyond basic AI experimentation into enterprise-scale AI ecosystems involving autonomous agents, decision automation, AI copilots, and machine-driven business operations. This evolution will dramatically increase both efficiency and risk exposure.
My perspective is that future AI governance will become deeply integrated with cybersecurity, privacy, enterprise risk management, and compliance functions. AI risk management will no longer be optional — it will become a core business discipline.
We will also see:
Increased global AI regulations
AI security becoming a dedicated cybersecurity domain
Greater emphasis on explainable and auditable AI
Mandatory AI risk assessments
Expansion of third-party AI assurance programs
AI governance becoming part of board-level oversight
Organizations that succeed will not necessarily be the ones adopting AI the fastest, but the ones implementing AI responsibly, securely, and strategically.
At DISC InfoSec, we believe organizations must approach AI with both innovation and discipline. Effective AI governance is not about slowing down adoption — it is about enabling sustainable, trustworthy, and resilient AI transformation.
DISC InfoSec is an active ISO 42001 implementer and PECB Authorized Training Partner specializing in AI governance for B2B SaaS and financial services organizations.
