DISC InfoSec blogAI Archives | Page 6 of 9

DISC InfoSec’s earlier posts on the AI topic

Tags: Agentic AI Security

IBM’s model-routing approach

Jun 09 2025

Securing Enterprise AI Agents: Managing Access, Identity, and Sensitive Data

Category: AI — disc7 @ 11:29 pm

1. Deploying AI agents in enterprise environments comes with a range of security and safety concerns, particularly when the agents are customized for internal use. These concerns must be addressed thoroughly before allowing such agents to operate in production systems.

2. Take the example of an HR agent handling employee requests. If it has broad access to an HR database, it risks exposing sensitive information — not just for the requesting employee but potentially for others as well. This scenario highlights the importance of data isolation and strict access protocols.

3. To prevent such risks, enterprises must implement fine-grained access controls (FGACs) and role-based access controls (RBACs). These mechanisms ensure that agents only access the data necessary for their specific role, in alignment with security best practices like the principle of least privilege.

4. It’s also essential to follow proper protocols for handling personally identifiable information (PII). This includes compliance with PII transfer regulations and adopting an identity fabric to manage digital identities and enforce secure interactions across systems.

5. In environments where multiple agents interact, secure communication protocols become critical. These protocols must prevent data leaks during inter-agent collaboration and ensure encrypted transmission of sensitive data, in accordance with regulatory standards.

6. Feedback:
This passage effectively outlines the critical need for layered security when deploying AI agents in enterprise contexts. However, it could benefit from specific examples of implementation strategies or frameworks already in use (e.g., Zero Trust Architecture or identity and access management platforms). Additionally, highlighting the consequences of failing to address these concerns (e.g., data breaches, compliance violations) would make the risks more tangible for decision-makers.

AI Agents in Action

Top 5 AI-Powered Scams to Watch Out for in 2025

Summary of CISO 3.0: Leading AI Governance and Security in the Boardroom

AI in the Workplace: Replacing Tasks, Not People

Why CISOs Must Prioritize Data Provenance in AI Governance

Interpretation of Ethical AI Deployment under the EU AI Act

AI Governance: Applying AI Policy and Ethics through Principles and Assessments

ISO/IEC 42001:2023, First Edition: Information technology – Artificial intelligence – Management system

ISO 42001 Artificial Intelligence Management Systems (AIMS) Implementation Guide: AIMS Framework | AI Security Standards

Businesses leveraging AI should prepare now for a future of increasing regulation.

DISC InfoSec’s earlier posts on the AI topic

Tags: AI Agents, AI Agents in Action

AI Value Creators: Beyond the Generative AI User Mindset

Jun 03 2025

IBM’s model-routing approach

Category: AI — disc7 @ 4:14 pm

IBM’s model-routing approach—where a model-routing algorithm acts as an orchestrator—is part of a growing trend in AI infrastructure known as multi-model inference orchestration. Let’s break down what this approach involves and why it matters:

🔄 What It Is

Instead of using a single large model (like a general-purpose LLM) for all inference tasks, IBM’s approach involves multiple specialized models—each potentially optimized for different domains, tasks, or modalities (e.g., text, code, image, or legal reasoning).

At the center of this architecture sits a routing algorithm, which functions like a traffic controller. When an inference request (e.g., a user prompt) comes in, the router analyzes it and predicts which model is best suited to handle it based on context, past performance, metadata, or learned patterns.

⚙️ How It Works (Simplified Flow)

Request Input: A user sends a prompt (e.g., a question or task).
Router Evaluation: The orchestrator examines the request’s content—this might involve analyzing intent, complexity, or topic (e.g., legal vs. creative writing).
Model Selection: Based on predefined rules, statistical learning, or even another ML model, the router selects the optimal model from a pool.
Forwarding & Inference: The request is forwarded to the chosen model, which generates the response.
Feedback Loop (optional): Performance outcomes can be fed back to improve future routing decisions.

🧠 Why It’s Powerful

Efficiency: Lighter or more task-specific models can be used instead of always relying on a massive general model—saving compute costs.
Performance: Task-optimized models may outperform general LLMs in niche domains (e.g., finance, medicine, or law).
Scalability: Multiple models can be run in parallel and updated independently.
Modularity: Easier to plug in or retire models without affecting the whole system.

📊 Example Use Case

Suppose a user asks:

“Summarize this legal contract.”
The router detects legal language and routes to a model fine-tuned on legal documents.

If instead the user asks:

“Write a poem about space,”
It could route to a creative-writing-optimized model.

Tags: IBM model-routing

Comments (14)

Jun 03 2025

Top 5 AI-Powered Scams to Watch Out for in 2025

Category: AI,Security Awareness — disc7 @ 8:00 am

1. Deep-fake celebrity impersonations
Scammers now mass-produce AI-generated videos, photos, or voice clips that convincingly mimic well-known figures. The fake “celebrity” pushes a giveaway, investment tip, or app download, lending instant credibility and reach across social platforms and ads. Because the content looks and sounds authentic, victims lower their guard and click through.

2. “Too-good-to-fail” crypto investments
Fraud rings promise eye-watering returns on digital-currency schemes, often reinforced by forged celebrity endorsements or deep-fake interviews. Once funds are transferred to the scammers’ wallets, they vanish—and the cross-border nature of the crime makes recovery almost impossible.

3. Cloned apps and look-alike websites
Attackers spin up near-pixel-perfect copies of banking apps, customer-support portals, or employee login pages. Entering credentials or card details hands them straight to the crooks, who may also drop malware for future access or ransom. Even QR codes and app-store listings are spoofed to lure downloads.

4. Landing-page cloaking
To dodge automated scanners, scammers show Google’s crawlers a harmless page while serving users a malicious one—often phishing forms or scareware purchase screens. The mismatch (“cloaking”) lets the fraudulent ad or search result slip past filters until victims report it.

5. Event-driven hustles
Whenever a big election, disaster, eclipse, or sporting final hits the headlines, fake charities, ticket sellers, or NASA-branded “special glasses” pop up overnight. The timely hook plus fabricated urgency (“donate now or miss out”) drives impulsive clicks and payments before scrutiny kicks in.

6. Quick take
Google’s May-2025 advisory is a solid snapshot of how criminals are weaponizing generative AI and marketing tactics in real time. Its tips (check URLs, doubt promises, use Enhanced Protection, etc.) are sound, but the bigger lesson is behavioral: pause before you pay, download, or share credentials—especially when a message leans on urgency or authority. Technology can flag threats, yet habitual skepticism remains the best last-mile defense.

Protecting Yourself: Stay Away from AI Scams

Tags: AI Fraud, AI scams, AI-Powered Scams

Comments (16)

Jun 02 2025

Summary of CISO 3.0: Leading AI Governance and Security in the Boardroom

Category: AI,CISO,Information Security,vCISO — disc7 @ 5:12 pm

Aaron McCray, Field CISO at CDW, discusses the evolving role of the Chief Information Security Officer (CISO) in the age of artificial intelligence (AI). He emphasizes that CISOs are transitioning from traditional cybersecurity roles to strategic advisors who guide enterprise-wide AI governance and risk management. This shift, termed “CISO 3.0,” involves aligning AI initiatives with business objectives and compliance requirements.
McCray highlights the challenges of integrating AI-driven security tools, particularly regarding visibility, explainability, and false positives. He notes that while AI can enhance security operations, it also introduces complexities, such as the need for transparency in AI decision-making processes and the risk of overwhelming security teams with irrelevant alerts. Ensuring that AI tools integrate seamlessly with existing infrastructure is also a significant concern.
The article underscores the necessity for CISOs and their teams to develop new skill sets, including proficiency in data science and machine learning. McCray points out that understanding how AI models are trained and the data they rely on is crucial for managing associated risks. Adaptive learning platforms that simulate real-world scenarios are mentioned as effective tools for closing the skills gap.
When evaluating third-party AI tools, McCray advises CISOs to prioritize accountability and transparency. He warns against tools that lack clear documentation or fail to provide insights into their decision-making processes. Red flags include opaque algorithms and vendors unwilling to disclose their AI models’ inner workings.
In conclusion, McCray emphasizes that as AI becomes increasingly embedded across business functions, CISOs must lead the charge in establishing robust governance frameworks. This involves not only implementing effective security measures but also fostering a culture of continuous learning and adaptability within their organizations.

Feedback

The article effectively captures the transformative impact of AI on the CISO role, highlighting the shift from technical oversight to strategic leadership. This perspective aligns with the broader industry trend of integrating cybersecurity considerations into overall business strategy.
By addressing the practical challenges of AI integration, such as explainability and infrastructure compatibility, the article provides valuable insights for organizations navigating the complexities of modern cybersecurity landscapes. These considerations are critical for maintaining trust in AI systems and ensuring their effective deployment.
The emphasis on developing new skill sets underscores the dynamic nature of cybersecurity roles in the AI era. Encouraging continuous learning and adaptability is essential for organizations to stay ahead of evolving threats and technological advancements.
The cautionary advice regarding third-party AI tools serves as a timely reminder of the importance of due diligence in vendor selection. Transparency and accountability are paramount in building secure and trustworthy AI systems.
The article could further benefit from exploring specific case studies or examples of organizations successfully implementing AI governance frameworks. Such insights would provide practical guidance and illustrate the real-world application of the concepts discussed.
Overall, the article offers a comprehensive overview of the evolving responsibilities of CISOs in the context of AI integration. It serves as a valuable resource for cybersecurity professionals seeking to navigate the challenges and opportunities presented by AI technologies.

For further details, access the article here

AI is rapidly transforming systems, workflows, and even adversary tactics, regardless of whether our frameworks are ready. It isn’t bound by tradition and won’t wait for governance to catch up…When AI evaluates risks, it may enhance the speed and depth of risk management but only when combined with human oversight, governance frameworks, and ethical safeguards.

A new ISO standard, ISO 42005 provides organizations a structured, actionable pathway to assess and document AI risks, benefits, and alignment with global compliance frameworks.

A New Era in Governance

The CISO 3.0: A Guide to Next-Generation Cybersecurity Leadership

Interpretation of Ethical AI Deployment under the EU AI Act

AI in the Workplace: Replacing Tasks, Not People

AIMS and Data Governance

AI Governance: Applying AI Policy and Ethics through Principles and Assessments

ISO/IEC 42001:2023, First Edition: Information technology – Artificial intelligence – Management system

ISO 42001 Artificial Intelligence Management Systems (AIMS) Implementation Guide: AIMS Framework | AI Security Standards

Businesses leveraging AI should prepare now for a future of increasing regulation.

Resolving Routine Business Activities by Harnessing the Power of AI: A Competency-Based Approach that Integrates Learning and Information with … Workbooks for Structured Learning

DISC InfoSec’s earlier posts on the AI topic

Tags: AI Governance, CISO 3.0

Comments (18)

Jun 01 2025

AI in the Workplace: Replacing Tasks, Not People

Category: AI — disc7 @ 3:48 pm

Establishing an AI Strategy and Guardrails:
To effectively integrate AI into an organization, leadership must clearly articulate the company’s AI strategy to all employees. This includes defining acceptable and unacceptable uses of AI, legal boundaries, and potential risks. Setting clear guardrails fosters a culture of responsibility and mitigates misuse or misunderstandings.
Transparency and Job Impact Communication:
Transparency is essential, especially since many employees may worry that AI initiatives threaten their roles. Leaders should communicate that those who adapt to AI will outperform those who resist it. It’s also important to outline how AI will alter jobs by automating routine tasks, thereby allowing employees to focus on higher-value work.
Redefining Roles Through AI Integration:
For instance, HR professionals may shift from administrative tasks—like managing transfers or answering policy questions—to more strategic work such as improving onboarding processes. This demonstrates how AI can enhance job roles rather than eliminate them.
Addressing Employee Sentiments and Fears:
Leaders must pay attention to how employees feel and what they discuss informally. Creating spaces for feedback and development helps surface concerns early. Ignoring this can erode culture, while addressing it fosters trust and connection. Open conversations and vulnerability from leadership are key to dispelling fear.
Using AI to Facilitate Dialogue and Action:
AI tools can aid in gathering and classifying employee feedback, sparking relevant discussions, and supporting ongoing engagement. Digital check-ins powered by AI-generated prompts offer structured ways to begin conversations and address concerns constructively.
Equitable Participation and Support Mechanisms:
Organizations must ensure all employees are given equal opportunity to engage with AI tools and upskilling programs. While individuals will respond differently, support systems like centralized feedback platforms and manager check-ins can help everyone feel included and heard.

Feedback and Organizational Tone Setting:
This approach sets a progressive and empathetic tone for AI adoption. It balances innovation with inclusion by emphasizing transparency, emotional intelligence, and support. Leaders must model curiosity and vulnerability, signaling that learning is a shared journey. Most importantly, the strategy recognizes that successful AI integration is as much about culture and communication as it is about technology. When done well, it transforms AI from a job threat into a tool for empowerment and growth.

p.s. “AGI shouldn’t be confused with GenAI. GenAI is a tool. AGI is a
goal of evolving that tool to the extent that its capabilities match
human cognitive abilities, or even surpasses them, across a wide
range of tasks. We’re not there yet, perhaps never will be, or per
haps it’ll arrive sooner than we expected. But when it comes to
AGI, think about LLMs demonstrating and exceeding humanlike
intelligence”

DATA RESIDENT : AN ADVANCED APPROACH TO DATA QUALITY, PROVENANCE, AND CONTINUITY IN DYNAMIC ENVIRONMENTS

Interpretation of Ethical AI Deployment under the EU AI Act

AI Governance: Applying AI Policy and Ethics through Principles and Assessments

ISO/IEC 42001:2023, First Edition: Information technology – Artificial intelligence – Management system

ISO 42001 Artificial Intelligence Management Systems (AIMS) Implementation Guide: AIMS Framework | AI Security Standards

Businesses leveraging AI should prepare now for a future of increasing regulation.

DATA RESIDENT : AN ADVANCED APPROACH TO DATA QUALITY, PROVENANCE, AND CONTINUITY IN DYNAMIC ENVIRONMENTS

DISC InfoSec’s earlier posts on the AI topic

Tags: AI Governance

Comments (14)

May 29 2025

Why CISOs Must Prioritize Data Provenance in AI Governance

Category: AI,IT Governance — disc7 @ 9:29 am

In the rapidly evolving landscape of artificial intelligence (AI), Chief Information Security Officers (CISOs) are grappling with the challenges of governance and data provenance. As AI tools become increasingly integrated into various business functions, often without centralized oversight, the traditional methods of data governance are proving inadequate. The core concern lies in the assumption that popular or “enterprise-ready” AI models are inherently secure and compliant, leading to a dangerous oversight of data provenance—the ability to trace the origin, transformation, and handling of data.

Data provenance is crucial in AI governance, especially with large language models (LLMs) that process and generate data in ways that are often opaque. Unlike traditional systems where data lineage can be reconstructed, LLMs can introduce complexities where prompts aren’t logged, outputs are copied across systems, and models may retain information without clear consent. This lack of transparency poses significant risks in regulated domains like legal, finance, or privacy, where accountability and traceability are paramount.

The decentralized adoption of AI tools across enterprises exacerbates these challenges. Various departments may independently implement AI solutions, leading to a sprawl of tools powered by different LLMs, each with its own data handling policies and compliance considerations. This fragmentation means that security organizations often lose visibility and control over how sensitive information is processed, increasing the risk of data breaches and compliance violations.

Contrary to the belief that regulations are lagging behind AI advancements, many existing data protection laws like GDPR, CPRA, and others already encompass principles applicable to AI usage. The issue lies in the systems’ inability to respond to these regulations effectively. LLMs blur the lines between data processors and controllers, making it challenging to determine liability and ownership of AI-generated outputs. In audit scenarios, organizations must be able to demonstrate the actions and decisions made by AI tools, a capability many currently lack.

To address these challenges, modern AI governance must prioritize infrastructure over policy. This includes implementing continuous, automated data mapping to track data flows across various interfaces and systems. Records of Processing Activities (RoPA) should be updated to include model logic, AI tool behavior, and jurisdictional exposure. Additionally, organizations need to establish clear guidelines for AI usage, ensuring that data handling practices are transparent, compliant, and secure.

Moreover, fostering a culture of accountability and awareness around AI usage is essential. This involves training employees on the implications of using AI tools, encouraging responsible behavior, and establishing protocols for monitoring and auditing AI interactions. By doing so, organizations can mitigate risks associated with AI adoption and ensure that data governance keeps pace with technological advancements.

CISOs play a pivotal role in steering their organizations toward robust AI governance. They must advocate for infrastructure that supports data provenance, collaborate with various departments to ensure cohesive AI strategies, and stay informed about evolving regulations. By taking a proactive approach, CISOs can help their organizations harness the benefits of AI while safeguarding against potential pitfalls.

In conclusion, as AI continues to permeate various aspects of business operations, the importance of data provenance in AI governance cannot be overstated. Organizations must move beyond assumptions of safety and implement comprehensive strategies that prioritize transparency, accountability, and compliance. By doing so, they can navigate the complexities of AI adoption and build a foundation of trust and security in the digital age.

For further details, access the article here on Data provenance

Interpretation of Ethical AI Deployment under the EU AI Act

AI Governance: Applying AI Policy and Ethics through Principles and Assessments

ISO/IEC 42001:2023, First Edition: Information technology – Artificial intelligence – Management system

ISO 42001 Artificial Intelligence Management Systems (AIMS) Implementation Guide: AIMS Framework | AI Security Standards

Businesses leveraging AI should prepare now for a future of increasing regulation.

AI Governance: Applying AI Policy and Ethics through Principles and Assessments

DISC InfoSec’s earlier posts on the AI topic

Tags: data provenance

Comments (16)

May 23 2025

Interpretation of Ethical AI Deployment under the EU AI Act

Category: AI — disc7 @ 5:39 am

Scenario: A healthcare startup in the EU develops an AI system to assist doctors in diagnosing skin cancer from images. The system uses machine learning to classify lesions as benign or malignant.

1. Risk-Based Classification

EU AI Act Requirement: Classify the AI system into one of four risk categories: unacceptable, high-risk, limited-risk, minimal-risk.
Interpretation in Scenario:
The diagnostic system qualifies as a high-risk AI because it affects people’s health decisions, thus requiring strict compliance with specific obligations.

2. Data Governance & Quality

EU AI Act Requirement: High-risk AI systems must use high-quality datasets to avoid bias and ensure accuracy.
Interpretation in Scenario:
The startup must ensure that training data are representative of all demographic groups (skin tones, age ranges, etc.) to reduce bias and avoid misdiagnosis.

3. Transparency & Human Oversight

EU AI Act Requirement: Users should be aware they are interacting with an AI system; meaningful human oversight is required.
Interpretation in Scenario:
Doctors must be clearly informed that the diagnosis is AI-assisted and retain final decision-making authority. The system should offer explainability features (e.g., heatmaps on images to show reasoning).

4. Robustness, Accuracy, and Cybersecurity

EU AI Act Requirement: High-risk AI systems must be technically robust and secure.
Interpretation in Scenario:
The AI tool must maintain high accuracy under diverse conditions and protect patient data from breaches. It should include fallback mechanisms if anomalies are detected.

5. Accountability and Documentation

EU AI Act Requirement: Maintain detailed technical documentation and logs to demonstrate compliance.
Interpretation in Scenario:
The startup must document model architecture, training methodology, test results, and monitoring processes, and be ready to submit these to regulators if required.

6. Registration and CE Marking

EU AI Act Requirement: High-risk systems must be registered in an EU database and undergo conformity assessments.
Interpretation in Scenario:
The startup must submit their system to a notified body, demonstrate compliance, and obtain CE marking before deployment.

ISO/IEC 42001:2023, First Edition: Information technology – Artificial intelligence – Management system

ISO 42001 Artificial Intelligence Management Systems (AIMS) Implementation Guide: AIMS Framework | AI Security Standards

Businesses leveraging AI should prepare now for a future of increasing regulation.

DISC InfoSec’s earlier posts on the AI topic

Tags: Digital Ethics, EU AI Act, ISO 42001

Comments (17)

May 22 2025

AI Data Security Report

Category: AI,data security — disc7 @ 1:41 pm

Summary of the AI Data Security Report

The AI Data Security report, jointly authored by the NSA, CISA, FBI, and cybersecurity agencies from Australia, New Zealand, and the UK, provides comprehensive guidance on securing data throughout the AI system lifecycle. It emphasizes the critical importance of data integrity and confidentiality in ensuring the reliability of AI outcomes. The report outlines best practices such as implementing data encryption, digital signatures, provenance tracking, secure storage solutions, and establishing a robust trust infrastructure. These measures aim to protect sensitive, proprietary, or mission-critical data used in AI systems.

Key Risk Areas and Mitigation Strategies

The report identifies three primary data security risks in AI systems:

Data Supply Chain Vulnerabilities: Risks associated with sourcing data from external providers, which may introduce compromised or malicious datasets.
Poisoned Data: The intentional insertion of malicious data into training datasets to manipulate AI behavior.
Data Drift: The gradual evolution of data over time, which can degrade AI model performance if not properly managed.

To mitigate these risks, the report recommends rigorous validation of data sources, continuous monitoring for anomalies, and regular updates to AI models to accommodate changes in data patterns.

Feedback and Observations

The report offers a timely and thorough framework for organizations to enhance the security of their AI systems. By addressing the entire data lifecycle, it underscores the necessity of integrating security measures from the initial stages of AI development through deployment and maintenance. However, the implementation of these best practices may pose challenges, particularly for organizations with limited resources or expertise in AI and cybersecurity. Therefore, additional support in the form of training, standardized tools, and collaborative initiatives could be beneficial in facilitating widespread adoption of these security measures.

For further details, access the report: AI Data Security Report

Tags: AI Data Security

Artificial Intelligence: Legal Issues, Policy, and Practical Strategies

May 22 2025

AI in the Legislature: Promise, Pitfalls, and the Future of Lawmaking

Category: AI,Security and privacy Law — disc7 @ 9:00 am

Bruce Schneier’s essay, “AI-Generated Law,” delves into the emerging role of artificial intelligence in legislative processes, highlighting both its potential benefits and inherent risks. He examines global developments, such as the United Arab Emirates’ initiative to employ AI for drafting and updating laws, aiming to accelerate legislative procedures by up to 70%. This move is part of a broader strategy to transform the UAE into an “AI-native” government by 2027, with a substantial investment exceeding $3 billion. While this approach has garnered attention, it’s not entirely unprecedented. In 2023, Porto Alegre, Brazil, enacted a local ordinance on water meter replacement, drafted with the assistance of ChatGPT—a fact that was not disclosed to the council members at the time. Such instances underscore the growing trend of integrating AI into legislative functions worldwide.

Schneier emphasizes that the integration of AI into lawmaking doesn’t necessitate formal procedural changes. Legislators can independently utilize AI tools to draft bills, much like they rely on staffers or lobbyists. This democratization of legislative drafting tools means that AI can be employed at various governmental levels without institutional mandates. For example, since 2020, Ohio has leveraged AI to streamline its administrative code, eliminating approximately 2.2 million words of redundant regulations. Such applications demonstrate AI’s capacity to enhance efficiency in legislative processes.

The essay also addresses the potential pitfalls of AI-generated legislation. One concern is the phenomenon of “confabulation,” where AI systems might produce plausible-sounding but incorrect or nonsensical information. However, Schneier argues that human legislators are equally prone to errors, citing the Affordable Care Act’s near downfall due to a typographical mistake. Moreover, he points out that in non-democratic regimes, laws are often arbitrary and inhumane, regardless of whether they are drafted by humans or machines. Thus, the medium of law creation—human or AI—doesn’t inherently guarantee justice or fairness.

A significant concern highlighted is the potential for AI to exacerbate existing power imbalances. Given AI’s capabilities, there’s a risk that those in power might use it to further entrench their positions, crafting laws that serve specific interests under the guise of objectivity. This could lead to a veneer of neutrality while masking underlying biases or agendas. Schneier warns that without transparency and oversight, AI could become a tool for manipulation rather than a means to enhance democratic processes.

Despite these challenges, Schneier acknowledges the potential benefits of AI in legislative contexts. AI can assist in drafting clearer, more consistent laws, identifying inconsistencies, and ensuring grammatical precision. It can also aid in summarizing complex bills, simulating potential outcomes of proposed legislation, and providing legislators with rapid analyses of policy impacts. These capabilities can enhance the legislative process, making it more efficient and informed.

The essay underscores the inevitability of AI’s integration into lawmaking, driven by the increasing complexity of modern governance and the demand for efficiency. As AI tools become more accessible, their adoption in legislative contexts is likely to grow, regardless of formal endorsements or procedural changes. This organic integration poses questions about accountability, transparency, and the future role of human judgment in crafting laws.

In reflecting on Schneier’s insights, it’s evident that while AI offers promising tools to enhance legislative efficiency and precision, it also brings forth challenges that necessitate careful consideration. Ensuring transparency in AI-assisted lawmaking processes is paramount to maintain public trust. Moreover, establishing oversight mechanisms can help mitigate risks associated with bias or misuse. As we navigate this evolving landscape, a balanced approach that leverages AI’s strengths while safeguarding democratic principles will be crucial.

For further details, access the article here

AIMS and Data Governance

Tags: #Lawmaking, AI, AI Laws, AI legislature

AI Governance: Applying AI Policy and Ethics through Principles and Assessments

May 20 2025

Balancing Innovation and Risk: Navigating the Enterprise Impact of AI Agent Adoption

Category: AI — disc7 @ 3:29 pm

The rapid integration of AI agents into enterprise operations is reshaping business landscapes, offering both significant opportunities and introducing new challenges. These autonomous systems are enhancing productivity by automating complex tasks, leading to increased efficiency and innovation across various sectors. However, their deployment necessitates a reevaluation of traditional risk management approaches to address emerging vulnerabilities.

A notable surge in enterprise AI adoption has been observed, with reports indicating a 3,000% increase in AI/ML tool usage. This growth underscores the transformative potential of AI agents in streamlining operations and driving business value. Industries such as finance, manufacturing, and healthcare are at the forefront, leveraging AI for tasks ranging from fraud detection to customer service automation.

Despite the benefits, the proliferation of AI agents has led to heightened cybersecurity concerns. The same technologies that enhance efficiency are also being exploited by malicious actors to scale attacks, as seen with AI-enhanced phishing and data leakage incidents. This duality emphasizes the need for robust security measures and continuous monitoring to safeguard enterprise systems.

The integration of AI agents also brings forth challenges related to data governance and compliance. Ensuring that AI systems adhere to regulatory standards and ethical guidelines is paramount. Organizations must establish clear policies and frameworks to manage data privacy, transparency, and accountability in AI-driven processes.

Furthermore, the rapid development and deployment of AI agents can outpace an organization’s ability to implement adequate security protocols. The use of low-code tools for AI development, while accelerating innovation, may lead to insufficient testing and validation, increasing the risk of deploying agents that do not comply with security policies or regulatory requirements.

To mitigate these risks, enterprises should adopt a comprehensive approach to AI governance. This includes implementing AI Security Posture Management (AISPM) programs that ensure ethical and trusted lifecycles for AI agents. Such programs should encompass data transparency, rigorous testing, and validation processes, as well as clear guidelines for the responsible use of AI technologies.

In conclusion, while AI agents present a significant opportunity for business transformation, they also introduce complex challenges that require careful navigation. Organizations must balance the pursuit of innovation with the imperative of maintaining robust security and compliance frameworks to fully realize the benefits of AI integration.

AI agent adoption is driving increases in opportunities, threats, and IT budgets

While 79% of security leaders believe that AI agents will introduce new security and compliance challenges, 80% say AI agents will introduce new security opportunities.

AI Agents in Action

ISO/IEC 42001:2023, First Edition: Information technology – Artificial intelligence – Management system

ISO 42001 Artificial Intelligence Management Systems (AIMS) Implementation Guide: AIMS Framework | AI Security Standards

Businesses leveraging AI should prepare now for a future of increasing regulation.

DISC InfoSec’s earlier posts on the AI topic

Tags: AI Agent, AI Agents in Action

Why legal must lead on AI governance before it’s too late

May 20 2025

Why Legal Teams Should Lead AI Governance: Ivanti’s Cross-Functional Approach

Category: AI — disc7 @ 8:25 am

In a recent interview with Help Net Security, Brooke Johnson, Chief Legal Counsel and SVP of HR and Security at Ivanti, emphasized the critical role of legal departments in leading AI governance within organizations. She highlighted that unmanaged use of generative AI (GenAI) tools can introduce significant risks, including data privacy violations, algorithmic bias, and ethical concerns, particularly in sensitive areas like recruitment where flawed training data can lead to discriminatory outcomes.

Johnson advocates for a cross-functional approach to AI governance, involving collaboration among legal, HR, IT, and security teams. This strategy aims to create clear, enforceable policies that enable responsible innovation without stifling progress. At Ivanti, such collaboration has led to the establishment of an AI Governance Council (AIGC), which oversees the safe and ethical use of AI tools by reviewing applications and providing guidance on acceptable use cases.

Recognizing that a significant number of employees use GenAI tools without informing management, Johnson suggests that organizations should proactively assume AI is already in use. Legal teams should lead in defining safe usage parameters and provide practical training to employees, explaining the security implications and reasons behind certain restrictions.

To ensure AI policies are effectively operationalized, Johnson recommends conducting assessments to identify current AI tool usage, developing clear and pragmatic policies, and offering vetted, secure platforms to reduce reliance on unsanctioned alternatives. She stresses that AI governance should be treated as a dynamic process, with policies evolving alongside technological advancements and emerging threats, maintained through ongoing cross-functional collaboration across departments and geographies.

AI Governance: Applying AI Policy and Ethics through Principles and Assessments

ISO/IEC 42001:2023, First Edition: Information technology – Artificial intelligence – Management system

ISO 42001 Artificial Intelligence Management Systems (AIMS) Implementation Guide: AIMS Framework | AI Security Standards

Businesses leveraging AI should prepare now for a future of increasing regulation.

DISC InfoSec’s earlier posts on the AI topic

Tags: AI Governance, Ivanti

Why GenAI SaaS is insecure and how to secure it

May 19 2025

AI Hallucinations Are Real—And They’re a Threat to Cybersecurity

Category: AI,Cyber Threats,Threat detection — disc7 @ 1:29 pm

AI hallucinations—instances where AI systems generate incorrect or misleading outputs—pose significant risks to cybersecurity operations. These errors can lead to the identification of non-existent vulnerabilities or misinterpretation of threat intelligence, resulting in unnecessary alerts and overlooked genuine threats. Such misdirections can divert resources from actual issues, creating new vulnerabilities and straining already limited Security Operations Center (SecOps) resources.

A particularly concerning manifestation is “package hallucinations,” where AI models suggest non-existent software packages. Attackers can exploit this by creating malicious packages with these suggested names, a tactic known as “slopsquatting.” Developers, especially those less experienced, might inadvertently incorporate these harmful packages into their systems, introducing significant security risks.

The over-reliance on AI-generated code without thorough verification exacerbates these risks. While senior developers might detect errors promptly, junior developers may lack the necessary skills to audit code effectively, increasing the likelihood of integrating flawed or malicious code into production environments. This dependency on AI outputs without proper validation can compromise system integrity.

AI can also produce fabricated threat intelligence reports. If these are accepted without cross-verification, they can misguide security teams, causing them to focus on non-existent threats while real vulnerabilities remain unaddressed. This misallocation of attention can have severe consequences for organizational security.

To mitigate these risks, experts recommend implementing structured trust frameworks around AI systems. This includes using middleware to vet AI inputs and outputs through deterministic checks and domain-specific filters, ensuring AI models operate within defined boundaries aligned with enterprise security needs.

Traceability is another critical component. All AI-generated responses should include metadata detailing source context, model version, prompt structure, and timestamps. This information facilitates faster audits and root cause analyses when inaccuracies occur, enhancing accountability and control over AI outputs.

Furthermore, employing Retrieval-Augmented Generation (RAG) can ground AI outputs in verified data sources, reducing the likelihood of hallucinations. Incorporating hallucination detection tools during testing phases and defining acceptable risk thresholds before deployment are also essential strategies. By embedding trust, traceability, and control into AI deployment, organizations can balance innovation with accountability, minimizing the operational impact of AI hallucinations.

Source: AI hallucinations and their risk to cybersecurity operations

Suggestions to counter AI hallucinations in cybersecurity operations:

Human-in-the-loop (HITL): Always involve expert review for AI-generated outputs.
Use Retrieval-Augmented Generation (RAG): Ground AI responses in verified, real-time data.
Implement Guardrails: Apply domain-specific filters and deterministic rules to constrain outputs.
Traceability: Log model version, prompts, and context for every AI response to aid audits.
Test for Hallucinations: Include hallucination detection in model testing and validation pipelines.
Set Risk Thresholds: Define acceptable error boundaries before deployment.
Educate Users: Train users—especially junior staff—on verifying and validating AI outputs.
Code Scanning Tools: Integrate static and dynamic code analysis tools to catch issues early.

These steps can reduce reliance on AI alone and embed trust, verification, and control into its use.

AI HALLUCINATION DEFENSE : Building Robust and Reliable Artificial Intelligence Systems

Generative AI Security: Theories and Practices

Step-by-Step: Build an Agent on AWS Bedrock

From Oversight to Override: Enforcing AI Safety Through Infrastructure

The Strategic Synergy: ISO 27001 and ISO 42001 – A New Era in Governance

ISO/IEC 42001:2023, First Edition: Information technology – Artificial intelligence – Management system

ISO 42001 Artificial Intelligence Management Systems (AIMS) Implementation Guide: AIMS Framework | AI Security Standards

Businesses leveraging AI should prepare now for a future of increasing regulation.

DISC InfoSec’s earlier posts on the AI topic

Tags: AI HALLUCINATION DEFENSE, AI Hallucinations

Generative AI Security: Theories and Practices

May 18 2025

Why GenAI SaaS is insecure and how to secure it

Category: AI,Cloud computing — disc7 @ 8:54 am

Many believe that Generative AI Software-as-a-Service (SaaS) tools, such as ChatGPT, are insecure because they train on user inputs and can retain data indefinitely. While these concerns are valid, there are ways to mitigate the risks, such as opting out, using enterprise versions, or implementing zero data retention (ZDR) policies. Self-hosting models also has its own challenges, such as cloud misconfigurations that can lead to data breaches.

The key to addressing AI security concerns is to adopt a balanced, risk-based approach that considers security, compliance, privacy, and business needs. It is crucial to avoid overcompensating for SaaS risks by inadvertently turning your organization into a data center company.

Another common myth is that organizations should start their AI program with security tools. While tools can be helpful, they should be implemented after establishing a solid foundation, such as maintaining an asset inventory, classifying data, and managing vendors.

Some organizations believe that once they have an AI governance committee, their work is done. However, this is a misconception. Committees can be helpful if structured correctly, with clear decision authority, an established risk appetite, and hard limits on response times.

If an AI governance committee turns into a debating club and cannot make decisions, it can hinder innovation. To avoid this, consider assigning AI risk management (but not ownership) to a single business unit before establishing a committee.

It is essential to re-evaluate your beliefs about AI governance if they are not serving your organization effectively. Common mistakes companies make in this area will be discussed further in the future.

GenAI is insecure because it trains on user inputs and can retain data indefinitely, posing risks to data privacy and security. To secure GenAI, organizations should adopt a balanced, risk-based approach that incorporates security, compliance, privacy, and business needs (AIMS). This can be achieved through measures such as opting out of data retention, using enterprise versions with enhanced security features, implementing zero data retention policies, or self-hosting models with proper cloud security configurations.

Step-by-Step: Build an Agent on AWS Bedrock

From Oversight to Override: Enforcing AI Safety Through Infrastructure

The Strategic Synergy: ISO 27001 and ISO 42001 – A New Era in Governance

ISO/IEC 42001:2023, First Edition: Information technology – Artificial intelligence – Management system

ISO 42001 Artificial Intelligence Management Systems (AIMS) Implementation Guide: AIMS Framework | AI Security Standards

Businesses leveraging AI should prepare now for a future of increasing regulation.

DISC InfoSec’s earlier posts on the AI topic

Tags: GenAI, Generative AI Security, InsecureGenAI, saas

Comments (1)

May 17 2025

🔧 Step-by-Step: Build an Agent on AWS Bedrock

Category: AI,Information Security — disc7 @ 10:28 pm

AWS diagram depicts a high-level architecture of this solution.

1. Prerequisites

AWS account with access to Amazon Bedrock
IAM permissions to use Bedrock, Lambda (if using function calls), and optionally Amazon S3, DynamoDB, etc.
A foundation model enabled in your region (e.g., Claude, Titan, Mistral, etc.)

2. Create a Bedrock Agent

Go to the Amazon Bedrock Console > Agents.

Create Agent
- Name your agent.
- Choose a foundation model (e.g., Claude 3 or Amazon Titan).
- Add a brief description or instructions (this becomes part of the system prompt).
Add Knowledge Bases (Optional)
- Create or attach a knowledge base if you want RAG (retrieval augmented generation).
- Can point to documents in S3 or other sources.
Add Action Groups (for calling APIs)
- Define an action group (e.g., “Check Order Status”).
- Choose Lambda function or provide OpenAPI spec for the backend service.
- Bedrock will automatically generate function-calling logic.
- Test with sample input/output.
Configure Agent Behavior
- Define how the agent should respond, fallback handling, and if it can make external calls.

3. Test the Agent

Use the Test Chat interface in the console.
Check:
- Is the agent following instructions?
- Are API calls being made when expected?
- Is RAG retrieval working?

4. Deploy the Agent

Create an alias (like a version)
Use the InvokeAgent API or integrate with your app via:
- SDK (Boto3, JavaScript, etc.)
- API Gateway + Lambda combo
- Amazon Lex (for voice/chat interfaces)

5. Monitor and Improve

Review logs in CloudWatch.
Fine-tune prompts or API integration as needed.
You can version prompts and knowledge base settings.

🛡️ Use Case: AI Compliance Assistant for GRC Teams

Goal

Automate compliance queries, risk assessments, and control mapping using a Bedrock agent with knowledge base and API access.

🔍 Scenario

An enterprise GRC team wants an internal agent to:

Answer policy & framework questions (e.g., ISO 27001, NIST, SOC 2).
Map controls to compliance frameworks.
Summarize audit reports or findings.
Automate evidence collection from ticketing tools (e.g., JIRA, ServiceNow).
Respond to internal team queries (e.g., “What’s the risk rating for asset X?”).

🔧 How to Build

1. Foundation Model

Use Anthropic Claude 3 (strong for reasoning and document analysis).

2. Knowledge Base

Load:

Security policies and procedures (PDFs, Word, CSV in S3).
Framework documentation mappings (ISO 27001 controls vs NIST CSF).
Audit logs, historical risk registers, previous assessments.

3. Action Group (Optional)

Integrate with:

JIRA API – pull compliance ticket status.
ServiceNow – fetch incident/evidence records.
Custom Lambda – query internal risk register or control catalog.

4. System Prompt Example

You are a compliance assistant for the InfoSec GRC team. 
You help answer questions about controls, risks, frameworks, and policy alignment. 
Always cite your source if available. If unsure, respond with "I need more context."

💡 Sample User Prompts

“Map access control policies to NIST CSF.”
“What evidence do we have for control A.12.1.2?”
“List open compliance tasks from JIRA.”
“Summarize findings from the last SOC 2 audit.”

🧩 What It Does

The Bedrock Agent helps GRC teams and auditors by:

Answering ISO 27001 control questions
- “What’s required for A.12.4.1 – Event logging?”
- “Do we need an anti-malware policy for A.12.2.1?”
Mapping controls to internal policies or procedures
- “Map A.13.2.1 to our remote access policy.”
Fetching evidence from internal systems
- Via Lambda/API to JIRA, Confluence, or SharePoint.
Generating readiness assessments
- Agent uses a questionnaire format to determine compliance status by engaging the user.
Creating audit-ready reports
- Summarizes what controls are implemented, partially implemented, or missing.

🔗 Agent Architecture

Components:

Foundation Model: Claude 3 on Bedrock (contextual QA and reasoning)
Knowledge Base:
- ISO 27001 control descriptions
- Your org’s InfoSec policies (in S3)
- Control mappings (CSV or JSON in S3)
Action Group / Lambda:
- Integrate with ticketing (JIRA)
- Evidence retrieval
- Risk register querying

🗂️ Example Interaction

User:
“What controls address vendor management in ISO 27001?”

Agent:
“Clause A.15 covers supplier relationships. Specifically:

A.15.1.1 requires information security policy for supplier relationships.
A.15.2.2 requires monitoring and review of supplier services.

Our ‘Third-Party Risk Management Policy’ maps to these controls. Would you like to see the last vendor assessment from JIRA?”

🧠 Bonus: Prompt for the Agent

You are an ISO 27001 compliance analyst. Your task is to help the GRC team interpret ISO controls, map them to our internal documents, and assist with evidence collection for audits. Be accurate and concise. If a control is not implemented, offer suggestions.

What are the benefits of using AI agent in GRC field

The use of AI agents in the Governance, Risk, and Compliance (GRC) field can provide several benefits, including:

Automated Monitoring and Reporting: AI agents can continuously monitor various data sources, such as financial records, operational logs, and regulatory updates, to identify potential risks and compliance issues. This automated monitoring can help organizations stay up-to-date with changing regulations and promptly address any non-compliance or risk areas.
Risk Analysis and Prediction: AI algorithms can analyze vast amounts of data and identify patterns that may indicate potential risks. By leveraging machine learning techniques, AI agents can predict future risks based on historical data and current trends, enabling organizations to take proactive measures to mitigate or prevent those risks.
Compliance Management: AI agents can assist in interpreting and understanding complex regulatory requirements, ensuring that organizations remain compliant with relevant laws, regulations, and industry standards. They can also automate compliance processes, such as policy management, control testing, and reporting, reducing the risk of human error and increasing efficiency.
Fraud Detection: AI algorithms can analyze transaction data, user behavior, and other relevant information to identify anomalies or patterns that may indicate fraudulent activities. This can help organizations detect and respond to fraud more quickly, minimizing financial losses and reputational damage.
Continuous Improvement: AI agents can learn from the data they analyze and the actions taken by human experts, enabling them to continuously refine their models and improve their decision-making capabilities over time. This allows organizations to benefit from a constantly evolving and adapting GRC framework.
Scalability and Efficiency: AI agents can process and analyze large volumes of data much faster and more efficiently than humans, enabling organizations to scale their GRC efforts without significantly increasing costs or resources.
Centralized GRC Management: AI agents can provide a centralized platform for managing and integrating various GRC processes, enabling better collaboration, data sharing, and decision-making across different departments and functions within an organization.

While AI agents can provide significant benefits in the GRC field, it is important to note that they should be used in combination with human expertise and oversight. AI should not be viewed as a complete replacement for human decision-making but rather as a powerful tool to augment and enhance GRC processes.

What are the benefits of using AI agent in document management field

The use of AI agents in the document management field can provide several benefits, including:

Automated document classification and categorization: AI agents can analyze the content of documents and automatically classify them based on predefined rules or machine learning models, making it easier to organize and retrieve relevant information.
Intelligent search and retrieval: AI agents can improve search capabilities by understanding the context and semantics of documents, enabling more accurate and relevant search results.
Extraction of key information: AI agents can be trained to extract specific types of information from documents, such as dates, names, addresses, or key phrases, which can be useful for various business processes or analytics.
Data entry automation: AI agents can be employed to automatically extract data from documents and populate fields in databases or other systems, reducing the need for manual data entry and minimizing errors.
Intelligent document routing and workflow management: AI agents can analyze the content of documents and automatically route them to the appropriate individuals or departments based on predefined rules or workflows, streamlining business processes.
Compliance and risk management: AI agents can be trained to identify sensitive or confidential information in documents and apply appropriate access controls or redaction measures, helping organizations comply with regulations and mitigate risks.
Intelligent document summarization: AI agents can automatically generate summaries or abstracts of lengthy documents, saving time and effort for users who need to quickly understand the key points.
Automatic language translation: AI agents can translate documents from one language to another, facilitating cross-language communication and collaboration.
Improved user experience: AI agents can provide intelligent suggestions, contextual guidance, or virtual assistance to users, enhancing their experience with document management systems.

Overall, the integration of AI agents in document management can lead to increased efficiency, improved accuracy, better organization, enhanced security, and more effective utilization of information resources within an organization.

What are the benefits of using AI agent in merger and acquisition field

The use of AI agents in the merger and acquisition (M&A) field can provide several benefits, including:

Due diligence acceleration: AI agents can help streamline the due diligence process by rapidly analyzing large volumes of data, such as financial statements, contracts, and legal documents. This can help identify potential risks or opportunities more efficiently, saving time and resources.
Target identification: AI algorithms can be trained to identify potential acquisition targets based on specific criteria, such as financial performance, market positioning, and strategic fit. This can help companies identify attractive targets more effectively and make informed decisions.
Valuation analysis: AI agents can assist in valuing target companies by analyzing various financial and operational data points, as well as market trends and industry benchmarks. This can help companies make more accurate valuations and negotiate better deals.
Integration planning: AI can be used to analyze the compatibility of systems, processes, and cultures between the acquiring and target companies. This can help identify potential integration challenges and develop strategies to address them, facilitating a smoother transition after the merger or acquisition.
Synergy identification: AI algorithms can help identify potential synergies and cost-saving opportunities by analyzing data from both companies and identifying areas of overlap or complementarity. This can help maximize the value creation potential of the deal.
Regulatory compliance: AI agents can assist in ensuring compliance with relevant regulations and laws during the M&A process by analyzing legal documents, contracts, and other relevant data.
Predictive modeling: AI can be used to develop predictive models that estimate the potential outcomes and risks associated with a particular M&A transaction. This can help companies make more informed decisions and better manage risks.

It’s important to note that while AI agents can provide valuable insights and support, human expertise and decision-making remain crucial in the M&A process. AI should be used as a complementary tool to augment and enhance the capabilities of M&A professionals, rather than as a complete replacement.

Generative AI with Amazon Bedrock: Build, scale, and secure generative AI applications using Amazon Bedrock

Build a foundation model (FM) powered customer service bot with Amazon Bedrock agents

Tags: Agent, AWS Bedrock, GenAI

Comments (2)

May 15 2025

From Oversight to Override: Enforcing AI Safety Through Infrastructure

Category: AI,Information Security — disc7 @ 9:57 am

You can’t have AI without an IA

As AI systems become increasingly integrated into critical sectors such as finance, healthcare, and defense, their unpredictable and opaque behavior introduces significant risks to society. Traditional safety protocols may not be sufficient to manage the potential threats posed by highly advanced AI, especially those capable of causing existential harm. To address this, researchers propose Guillotine, a hypervisor-based architecture designed to securely sandbox powerful AI models.

Guillotine leverages established virtualization techniques but also introduces fundamentally new isolation strategies tailored for AI with existential-risk potential. Unlike typical software, such AI may attempt to analyze and subvert the very systems meant to contain them. This requires a deep co-design of hypervisor software with the underlying hardware—CPU, memory, network interfaces, and storage—to prevent side-channel leaks and eliminate avenues for reflective exploitation.

Beyond technical isolation, Guillotine incorporates physical fail-safes inspired by systems in nuclear power plants and aviation. These include hardware-level disconnection mechanisms and even radical approaches like data center flooding to forcibly shut down or destroy rogue AI. These physical controls offer a final layer of defense should digital barriers fail.

The underlying concern is that many current AI safety frameworks rely on policy rather than technical enforcement. As AI becomes more capable, it may learn to bypass or manipulate these soft controls. Guillotine directly confronts this problem by embedding enforcement into the architecture itself—creating systems that can’t be talked out of enforcing the rules.

In essence, Guillotine represents a shift from trust-based AI safety toward hardened, tamper-resistant infrastructure. It acknowledges that if AI is to be trusted with mission-critical roles—or if it poses existential threats—we must engineer control systems with the same rigor and physical safeguards used in other high-risk industries.

Guillotine: Hypervisors for Isolating Malicious AIs.

Google‘s AI-Powered Countermeasures Against Cyber Scams

The Strategic Synergy: ISO 27001 and ISO 42001 – A New Era in Governance

The Role of AI in Modern Hacking: Both an Asset and a Risk

Businesses leveraging AI should prepare now for a future of increasing regulation.

NIST: AI/ML Security Still Falls Short

DISC InfoSec’s earlier post on the AI topic

Adversarial AI Attacks, Mitigations, and Defense Strategies: A cybersecurity professional’s guide to AI attacks, threat modeling, and securing AI with MLSecOps

What You Are Not Told About ChatGPT: Key Insights into the Inner Workings of ChatGPT & How to Get the Most Out of It

Digital Ethics in the Age of AI – Navigating the ethical frontier today and beyond

Artificial intelligence – Ethical, social, and security impacts for the present and the future

Tags: AIMS, AISafety, artificial intelligence, Enforcing AI Safety, GuillotineAI, information architecture, ISO 42001

Comments (1)

May 11 2025

Google‘s AI-Powered Countermeasures Against Cyber Scams

Category: AI,Cyber Attack,Cyber crime,Cyber Espionage,Cyber Threats — disc7 @ 10:50 am

Google recently announced a significant advancement in its fight against online scams, leveraging the power of artificial intelligence. This initiative involves deploying AI-driven countermeasures across its major platforms: Chrome, Search, and Android. The aim is to proactively identify and neutralize scam attempts before they reach users.

Key Features of Google‘s AI-Powered Defense:

Enhanced Scam Detection: The AI algorithms analyze various data points, including website content, email headers, and user behavior patterns, to identify potential scams with greater accuracy. This goes beyond simple keyword matching, delving into the nuances of deceptive tactics.
Proactive Warnings: Users are alerted to potentially harmful websites or emails before they interact with them. These warnings are context-aware, providing clear and concise explanations of why a particular site or message is flagged as suspicious.
Improved Phishing Protection: AI helps refine phishing detection by identifying subtle patterns and linguistic cues often used by scammers to trick users into revealing sensitive information.
Cross-Platform Integration: The AI-powered security measures are seamlessly integrated across Google‘s ecosystem, providing a unified defense against scams regardless of the platform being used.

Significance of this Development:

This initiative signifies a crucial step in the ongoing battle against cybercrime. AI-powered scams are becoming increasingly sophisticated, making traditional methods of detection less effective. Google‘s proactive approach using AI is a promising development that could significantly reduce the success rate of these attacks and protect users from financial and personal harm. The cross-platform integration ensures a holistic approach, maximizing the effectiveness of the countermeasures.

Looking Ahead:

While Google‘s initiative is a significant step forward, the fight against AI-powered scams is an ongoing arms race. Cybercriminals constantly adapt their techniques, requiring continuous innovation and improvement in security measures. The future likely involves further refinements of AI algorithms and potentially the integration of other advanced technologies to stay ahead of evolving threats.

This news highlights the evolving landscape of cybersecurity and the crucial role of AI in both perpetrating and preventing cyber threats.

ISO/IEC 42001:2023, First Edition: Information technology – Artificial intelligence – Management system

ISO 42001 Artificial Intelligence Management Systems (AIMS) Implementation Guide: AIMS Framework | AI Security Standards

Businesses leveraging AI should prepare now for a future of increasing regulation.

DISC InfoSec’s earlier posts on the AI topic

NIST: AI/ML Security Still Falls Short

AI Management System Certification According to the ISO/IEC 42001 Standard

Adversarial AI Attacks, Mitigations, and Defense Strategies: A cybersecurity professional’s guide to AI attacks, threat modeling, and securing AI with MLSecOps

What You Are Not Told About ChatGPT: Key Insights into the Inner Workings of ChatGPT & How to Get the Most Out of It

Digital Ethics in the Age of AI – Navigating the ethical frontier today and beyond

Artificial intelligence – Ethical, social, and security impacts for the present and the future

“AI Regulation: Global Challenges and Opportunities”

Tags: Cyber Scams

ISO/IEC 42001:2023, First Edition: Information technology – Artificial intelligence – Management system

May 05 2025

The Strategic Synergy: ISO 27001 and ISO 42001 – A New Era in Governance

Category: AI,ISO 27k — disc7 @ 9:01 am

The Strategic Synergy: ISO 27001 and ISO 42001 – A New Era in Governance

After years of working closely with global management standards, it’s deeply inspiring to witness organizations adopting what I believe to be one of the most transformative alliances in modern governance: ISO 27001 and the newly introduced ISO 42001.

ISO 42001, developed for AI Management Systems, was intentionally designed to align with the well-established information security framework of ISO 27001. This alignment wasn’t incidental—it was a deliberate acknowledgment that responsible AI governance cannot exist without a strong foundation of information security.

Together, these two standards create a governance model that is not only comprehensive but essential for the future:

ISO 27001 fortifies the integrity, confidentiality, and availability of data—ensuring that information is secure and trusted.
ISO 42001 builds on that by governing how AI systems use this data—ensuring those systems operate in a transparent, ethical, and accountable manner.

This integration empowers organizations to:

Extend trust from data protection to decision-making processes.
Safeguard digital assets while promoting responsible AI outcomes.
Bridge security, compliance, and ethical innovation under one cohesive framework.

In a world increasingly shaped by AI, the combined application of ISO 27001 and ISO 42001 is not just a best practice—it’s a strategic imperative.

High-level summary of the ISO/IEC 42001 Readiness Checklist

1. Understand the Standard

Purchase and study ISO/IEC 42001 and related annexes.
Familiarize yourself with AI-specific risks, controls, and life cycle processes.
Review complementary ISO standards (e.g., ISO 22989, 31000, 38507).

2. Define AI Governance

Create and align AI policies with organizational goals.
Assign roles, responsibilities, and allocate resources for AI systems.
Establish procedures to assess AI impacts and manage their life cycles.
Ensure transparency and communication with stakeholders.

3. Conduct Risk Assessment

Identify potential risks: data, security, privacy, ethics, compliance, and reputation.
Use Annex C for AI-specific risk scenarios.

4. Develop Documentation and Policies

Ensure AI policies are relevant, aligned with broader org policies, and kept up to date.
Maintain accessible, centralized documentation.

5. Plan and Implement AIMS (AI Management System)

Conduct a gap analysis with input from all departments.
Create a step-by-step implementation plan.
Deliver training and build monitoring systems.

6. Internal Audit and Management Review

Conduct internal audits to evaluate readiness.
Use management reviews and feedback to drive improvements.
Track and resolve non-conformities.

7. Prepare for and Undergo External Audit

Select a certified and reputable audit partner.
Hold pre-audit meetings and simulations.
Designate a central point of contact for auditors.
Address audit findings with action plans.

8. Focus on Continuous Improvement

Establish a team to monitor post-certification compliance.
Regularly review and enhance the AIMS.
Avoid major system changes during initial implementation.

ISO 42001 Artificial Intelligence Management Systems (AIMS) Implementation Guide: AIMS Framework | AI Security Standards

Businesses leveraging AI should prepare now for a future of increasing regulation.

DISC InfoSec’s earlier post on the AI topic

NIST: AI/ML Security Still Falls Short

AI Management System Certification According to the ISO/IEC 42001 Standard

Adversarial AI Attacks, Mitigations, and Defense Strategies: A cybersecurity professional’s guide to AI attacks, threat modeling, and securing AI with MLSecOps

What You Are Not Told About ChatGPT: Key Insights into the Inner Workings of ChatGPT & How to Get the Most Out of It

Digital Ethics in the Age of AI – Navigating the ethical frontier today and beyond

Artificial intelligence – Ethical, social, and security impacts for the present and the future

“AI Regulation: Global Challenges and Opportunities”

DISC-InfoSec-Group-InfoSec-and-compliance-one-pager-2 Download

Tags: AIMS, isms, iso 27001, ISO 42001

Comments (13)

Apr 30 2025

The Role of AI in Modern Hacking: Both an Asset and a Risk

Category: AI,Cyber Threats,Hacking — disc7 @ 1:39 pm

AI’s role in modern hacking is indeed a double-edged sword, offering both powerful defensive tools and sophisticated offensive capabilities. While AI can be used to detect and prevent cyberattacks, it also provides attackers with new ways to launch more targeted and effective attacks. This makes AI a crucial element in modern cybersecurity, requiring a balanced approach to mitigate risks and leverage its benefits.

AI in Modern Hacking: A Double-Edged Sword

AI as a Shield: Enhancing Cybersecurity Defenses

Threat Detection and Prevention: AI can analyze vast amounts of data to identify anomalies and patterns indicative of cyberattacks, even those that are not yet known to traditional security systems.
Automated Incident Response: AI can automate many aspects of the incident response process, enabling faster and more effective remediation of security breaches.
Enhanced Threat Intelligence: AI can process information from multiple sources to gain a deeper understanding of potential threats and predict future attack vectors.
Vulnerability Management: AI can automate vulnerability assessments and patch management, helping organizations to proactively identify and address weaknesses in their systems.

AI as a Weapon: Amplifying Attack Capabilities

Sophisticated Phishing Attacks: AI can be used to generate highly personalized and convincing phishing emails and messages, making it more difficult for users to distinguish them from legitimate communication.
Automated Vulnerability Exploitation: AI can automate the process of identifying and exploiting vulnerabilities in software and systems, making it easier for attackers to gain access to sensitive data.
Deepfakes and Social Engineering: AI can be used to create realistic deepfakes and engage in other forms of social engineering, such as pretexting and scareware, to deceive victims and gain their trust.
Password Cracking and Data Poisoning: AI can be used to crack passwords more efficiently and manipulate data used to train AI models, potentially leading to inaccurate results and compromising security.

The Need for a Balanced Approach

Multi-Layered Security:Organizations need to adopt a multi-layered security approach that combines AI-powered tools with traditional security measures, including human expertise.
Skills Gap:The increasing reliance on AI in cybersecurity requires a skilled workforce, and organizations need to invest in training and development to address the skills gap.
Continuous Monitoring and Adaptation:The threat landscape is constantly evolving, so organizations need to continuously monitor their security posture and adapt their strategies to stay ahead of attackers.
Ethical Hacking and Red Teaming:Organizations can leverage AI for ethical hacking and red teaming exercises to test the effectiveness of their security defenses.

Countering AI-powered hacking requires a multi-layered defense strategy that blends traditional cybersecurity with AI-specific safeguards. Here are key countermeasures:

Deploy Defensive AI: Use AI/ML for threat detection, behavior analytics, and anomaly spotting to identify attacks faster than traditional tools.
Adversarial Robustness Testing: Regularly test AI systems for vulnerabilities to adversarial inputs (e.g., manipulated data that tricks models).
Zero Trust Architecture: Assume no device or user is trusted by default; verify everything continuously using identity, behavior, and device trust levels.
Model Explainability Tools: Employ tools like LIME or SHAP to understand AI decision-making and detect abnormal behavior influenced by attacks.
Secure the Supply Chain: Monitor and secure datasets, pre-trained models, and third-party AI services from tampering or poisoning.
Continuous Model Monitoring: Monitor for data drift and performance anomalies that could indicate model exploitation or evasion techniques.
AI Governance and Compliance: Enforce strict access controls, versioning, auditing, and policy adherence for all AI assets.
Human-in-the-Loop: Combine AI detection with human oversight for critical decision points, especially in security operations centers (SOCs).

In conclusion, AI has revolutionized cybersecurity, but it also presents new challenges. By understanding both the benefits and risks of AI, organizations can develop a more robust and resilient security posture.

Redefining Hacking: A Comprehensive Guide to Red Teaming and Bug Bounty Hunting in an AI-driven World

Combatting Cyber Terrorism – A guide to understanding the cyber threat landscape and incident response planning

Tags: AI hacking

Comments (1)

Apr 10 2025

Businesses leveraging AI should prepare now for a future of increasing regulation.

Category: AI — disc7 @ 9:15 am

In early 2025, the Trump administration initiated significant shifts in artificial intelligence (AI) policy by rescinding several Biden-era executive orders aimed at regulating AI development and use. President Trump emphasized reducing regulatory constraints to foster innovation and maintain the United States’ competitive edge in AI technology. This approach aligns with the administration’s broader goal of minimizing federal oversight in favor of industry-led advancements.

Vice President J.D. Vance articulated the administration’s AI policy priorities at the 2025 AI Action Summit in Paris, highlighting four key objectives: ensuring American AI technology remains the global standard, promoting pro-growth policies over excessive regulation, preventing ideological bias in AI applications, and leveraging AI for job creation within the United States. Vance criticized the European Union’s cautious regulatory stance, advocating instead for frameworks that encourage technological development.

In line with this deregulatory agenda, the White House directed federal agencies to appoint chief AI officers and develop strategies for expanding AI utilization. This directive rescinded previous orders that mandated safeguards and transparency in AI applications, reflecting the administration’s intent to remove what it perceives as bureaucratic obstacles to innovation. Agencies are now encouraged to prioritize American-made AI, focus on interoperability, and protect privacy while streamlining acquisition processes.

The administration’s stance has significant implications for state-level AI regulations. With limited prospects for comprehensive federal AI legislation, states are expected to take the lead in addressing emerging AI-related issues. In 2024, at least 45 states introduced AI-related bills, with some enacting comprehensive legislation to address concerns such as algorithmic discrimination. This trend is likely to continue, resulting in a fragmented regulatory landscape across the country.

Data privacy remains a contentious issue amid these policy shifts. The proposed American Privacy Rights Act of 2024 aims to establish a comprehensive federal privacy framework, potentially preempting state laws and allowing individuals to sue over alleged violations. However, in the absence of federal action, states have continued to enact their own privacy laws, leading to a complex and varied regulatory environment for businesses and consumers alike.

Critics of the administration’s approach express concerns that the emphasis on deregulation may compromise necessary safeguards, particularly regarding the use of AI in sensitive areas such as political campaigns and privacy protection. The balance between fostering innovation and ensuring ethical AI deployment remains a central debate as the U.S. navigates its leadership role in the global AI landscape.

For further details, access the article here

DISC InfoSec’s earlier post on the AI topic

NIST: AI/ML Security Still Falls Short