Zero Days

Agentic AI: Navigating Risks and Security Challenges

Artificial Intelligence: The Next Battlefield in Cybersecurity

AI and The Future of Cybersecurity: Navigating the New Digital Battlefield

“Whether you’re a technology professional, policymaker, academic, or simply a curious reader, this book will arm you with the knowledge to navigate the complex intersection of AI, security, and society.”

AI Governance Is a Boardroom Imperative—The SEC Just Raised the Stakes on AI Hype

How AI Is Transforming the Cybersecurity Leadership Playbook

Previous AI posts

IBM’s model-routing approach

Top 5 AI-Powered Scams to Watch Out for in 2025

Summary of CISO 3.0: Leading AI Governance and Security in the Boardroom

AI in the Workplace: Replacing Tasks, Not People

Why CISOs Must Prioritize Data Provenance in AI Governance

Interpretation of Ethical AI Deployment under the EU AI Act

AI Governance: Applying AI Policy and Ethics through Principles and Assessments

ISO/IEC 42001:2023, First Edition: Information technology – Artificial intelligence – Management system

ISO 42001 Artificial Intelligence Management Systems (AIMS) Implementation Guide: AIMS Framework | AI Security Standards

Businesses leveraging AI should prepare now for a future of increasing regulation.

Digital Ethics in the Age of AI

DISC InfoSec’s earlier posts on the AI topic

Secure Your Business. Simplify Compliance. Gain Peace of Mind

Tags: Age of Invisible Machines:, Invisible AI Threats

Sustainable Content: How to Measure and Mitigate the Carbon Footprint of Digital Data

Sep 13 2025

How AI system provider can build data center which are deeply decarbonized data center

Category: AI,Information Security — disc7 @ 10:32 am

Here’s a layered diagram showing how an AI system provider can build a deeply decarbonized data center — starting from clean energy supply at the outer layer down to handling residual emissions at the core.

AI data centers are the backbone of modern artificial intelligence—but they come with a growing list of side effects that are raising eyebrows across environmental, health, and policy circles. Here’s a breakdown of the most pressing concerns:

⚡ Environmental & Energy Impacts

Massive energy consumption: AI workloads require high-performance computing, which dramatically increases electricity demand. This strains local grids and often leads to reliance on fossil fuels.
Water usage for cooling: Many data centers use evaporative cooling systems, consuming millions of gallons of water annually—especially problematic in drought-prone regions.
Carbon emissions: Unless powered by renewables, data centers contribute significantly to greenhouse gas emissions, undermining climate goals

An AI system provider can build a deeply decarbonized data center by designing it to minimize greenhouse gas emissions across its full lifecycle—construction, energy use, and operations. Here’s how:

Power Supply (Clean Energy First)
- Run entirely on renewable electricity (solar, wind, hydro, geothermal).
- Use power purchase agreements (PPAs) or direct renewable energy sourcing.
- Design for 24/7 carbon-free energy rather than annual offsets.
Efficient Infrastructure
- Deploy high-efficiency cooling systems (liquid cooling, free-air cooling, immersion).
- Optimize server utilization (AI workload scheduling, virtualization, consolidation).
- Use energy-efficient chips/accelerators designed for AI workloads.
Sustainable Building Design
- Construct facilities with low-carbon materials (green concrete, recycled steel).
- Maximize modular and prefabricated components to cut waste.
- Use circular economy practices for equipment reuse and recycling.
Carbon Capture & Offsets (Residual Emissions)
- Where emissions remain (backup generators, construction), apply carbon capture or credible carbon removal offsets.
Water & Heat Management
- Implement closed-loop water cooling to minimize freshwater use.
- Recycle waste heat to warm nearby buildings or supply district heating.
Smart Operations
- Apply AI-driven energy optimization to reduce idle consumption.
- Dynamically shift workloads to regions/times where renewable energy is abundant.
Supply Chain Decarbonization
- Work with hardware vendors committed to net-zero manufacturing.
- Require carbon transparency in procurement.

👉 In short: A deeply decarbonized AI data center runs on clean energy, uses ultra-efficient infrastructure, minimizes embodied carbon, and intelligently manages workloads and resources.

Energy Efficient Algorithms and Green Data Centers for Sustainable Computing

🏘️ Societal & Equity Concerns

Disproportionate impact on marginalized communities: Many data centers are built in areas with existing environmental burdens, compounding risks for vulnerable populations.
Land use and displacement: Large-scale facilities can disrupt ecosystems and push out local residents or businesses.
Transparency issues: Communities often lack access to information about the risks and benefits of hosting data centers, leading to mistrust and resistance.

🔋 Strategic & Policy Challenges

Energy grid strain: The rapid expansion of AI infrastructure is pushing governments to consider controversial solutions like small modular nuclear reactors.
Regulatory gaps: Current zoning and environmental regulations may not be equipped to handle the scale and speed of AI data center growth.

Secure Your Business. Simplify Compliance. Gain Peace of Mind

Tags: AI data center, sustainable

ISO/IEC 42001: The Global Standard for Responsible AI Governance, Risk, and Compliance

Sep 12 2025

SANS “Own AI Securely” Blueprint: A Strategic Framework for Secure AI Integration

Category: AI,AI Governance,Information Security — disc7 @ 1:58 pm

The SANS Institute has unveiled its “Own AI Securely” blueprint, a strategic framework designed to help organizations integrate artificial intelligence (AI) securely and responsibly. This initiative addresses the growing concerns among Chief Information Security Officers (CISOs) about the rapid adoption of AI technologies without corresponding security measures, which has created vulnerabilities that cyber adversaries are quick to exploit.

A significant challenge highlighted by SANS is the speed at which AI-driven attacks can occur. Research indicates that such attacks can unfold more than 40 times faster than traditional methods, making it difficult for defenders to respond promptly. Moreover, many Security Operations Centers (SOCs) are incorporating AI tools without customizing them to their specific needs, leading to gaps in threat detection and response capabilities.

To mitigate these risks, the blueprint proposes a three-part framework: Protect AI, Utilize AI, and Govern AI. The “Protect AI” component emphasizes securing models, data, and infrastructure through measures such as access controls, encryption, and continuous monitoring. It also addresses emerging threats like model poisoning and prompt injection attacks.

The “Utilize AI” aspect focuses on empowering defenders to leverage AI in enhancing their operations. This includes integrating AI into detection and response systems to keep pace with AI-driven threats. Automation is encouraged to reduce analyst workload and expedite decision-making, provided it is implemented carefully and monitored closely.

The “Govern AI” segment underscores the importance of establishing clear policies and guidelines for AI usage within organizations. This includes defining acceptable use, ensuring compliance with regulations, and maintaining transparency in AI operations.

Rob T. Lee, Chief of Research and Chief AI Officer at SANS Institute, advises that CISOs should prioritize investments that offer both security and operational efficiency. He recommends implementing an adoption-led control plane that enables employees to access approved AI tools within a protected environment, ensuring security teams maintain visibility into AI operations across all data domains.

In conclusion, the SANS AI security blueprint provides a comprehensive approach to integrating AI technologies securely within organizations. By focusing on protection, utilization, and governance, it offers a structured path to mitigate risks associated with AI adoption. However, the success of this framework hinges on proactive implementation and continuous monitoring to adapt to the evolving threat landscape.

Sorce: CISOs brace for a new kind of AI chaos

What are main requirements for Internal audit of ISO 42001 AIMS

ISO 42001: The AI Governance Standard Every Organization Needs to Understand

Turn Compliance into Competitive Advantage with ISO 42001

ISO 42001 Readiness: A 10-Step Guide to Responsible AI Governance

Aligning with ISO 42001:2023 and/or the EU Artificial Intelligence (AI) Act

AIMS and Data Governance – Managing data responsibly isn’t just good practice—it’s a legal and ethical imperative.

Trust Me – ISO 42001 AI Management System

ISO/IEC 42001:2023 – from establishing to maintain an AI management system

Agentic AI: Navigating Risks and Security Challenges

Artificial Intelligence: The Next Battlefield in Cybersecurity

AI and The Future of Cybersecurity: Navigating the New Digital Battlefield

AI Governance Is a Boardroom Imperative—The SEC Just Raised the Stakes on AI Hype

How AI Is Transforming the Cybersecurity Leadership Playbook

Previous AI posts

IBM’s model-routing approach

Top 5 AI-Powered Scams to Watch Out for in 2025

Summary of CISO 3.0: Leading AI Governance and Security in the Boardroom

AI in the Workplace: Replacing Tasks, Not People

Why CISOs Must Prioritize Data Provenance in AI Governance

Interpretation of Ethical AI Deployment under the EU AI Act

AI Governance: Applying AI Policy and Ethics through Principles and Assessments

ISO/IEC 42001:2023, First Edition: Information technology – Artificial intelligence – Management system

ISO 42001 Artificial Intelligence Management Systems (AIMS) Implementation Guide: AIMS Framework | AI Security Standards

Businesses leveraging AI should prepare now for a future of increasing regulation.

Digital Ethics in the Age of AI

DISC InfoSec’s earlier posts on the AI topic

Secure Your Business. Simplify Compliance. Gain Peace of Mind

Tags: SANS AI security blueprint

What are main requirements for Internal audit of ISO 42001 AIMS

Sep 11 2025

ISO/IEC 42001: The Global Standard for Responsible AI Governance, Risk, and Compliance

Category: AI,AI Governance,ISO 42001 — disc7 @ 4:22 pm

Artificial Intelligence (AI) has transitioned from experimental to operational, driving transformations across healthcare, finance, education, transportation, and government. With its rapid adoption, organizations face mounting pressure to ensure AI systems are trustworthy, ethical, and compliant with evolving regulations such as the EU AI Act, Canada’s AI Directive, and emerging U.S. policies. Effective governance and risk management have become critical to mitigating potential harms and reputational damage.

ISO 42001 isn’t just an additional compliance framework—it serves as the integration layer that brings all AI governance, risk, control monitoring and compliance efforts together into a unified system called AIMS.

To address these challenges, a structured governance, risk, and compliance (GRC) framework is essential. ISO/IEC 42001:2023 – the Artificial Intelligence Management System (AIMS) standard – provides organizations with a comprehensive approach to managing AI responsibly, similar to how ISO/IEC 27001 supports information security.

ISO/IEC 42001 is the world’s first international standard specifically for AI management systems. It establishes a management system framework (Clauses 4–10) and detailed AI-specific controls (Annex A). These elements guide organizations in governing AI responsibly, assessing and mitigating risks, and demonstrating compliance to regulators, partners, and customers.

One of the key benefits of ISO/IEC 42001 is stronger AI governance. The standard defines leadership roles, responsibilities, and accountability structures for AI, alongside clear policies and ethical guidelines. By aligning AI initiatives with organizational strategy and stakeholder expectations, organizations build confidence among boards, regulators, and the public that AI is being managed responsibly.

ISO/IEC 42001 also provides a structured approach to risk management. It helps organizations identify, assess, and mitigate risks such as bias, lack of explainability, privacy issues, and safety concerns. Lifecycle controls covering data, models, and outputs integrate AI risk into enterprise-wide risk management, preventing operational, legal, and reputational harm from unintended AI consequences.

Compliance readiness is another critical benefit. ISO/IEC 42001 aligns with global regulations like the EU AI Act and OECD AI Principles, ensuring robust data quality, transparency, human oversight, and post-market monitoring. Internal audits and continuous improvement cycles create an audit-ready environment, demonstrating regulatory compliance and operational accountability.

Finally, ISO/IEC 42001 fosters trust and competitive advantage. Certification signals commitment to responsible AI, strengthening relationships with customers, investors, and regulators. For high-risk sectors such as healthcare, finance, transportation, and government, it provides market differentiation and reinforces brand reputation through proven accountability.

Opinion: ISO/IEC 42001 is rapidly becoming the foundational standard for responsible AI deployment. Organizations adopting it not only safeguard against risks and regulatory penalties but also position themselves as leaders in ethical, trustworthy AI system. For businesses serious about AI’s long-term impact, ethical compliance, transparency, user trust ISO/IEC 42001 is as essential as ISO/IEC 27001 is for information security.

Most importantly, ISO 42001 AIMS is built to integrate seamlessly with ISO 27001 ISMS. It’s highly recommended to first achieve certification or alignment with ISO 27001 before pursuing ISO 42001.

Feel free to reach out if you have any questions.

ISO 42001: The AI Governance Standard Every Organization Needs to Understand

Turn Compliance into Competitive Advantage with ISO 42001

ISO 42001 Readiness: A 10-Step Guide to Responsible AI Governance

Aligning with ISO 42001:2023 and/or the EU Artificial Intelligence (AI) Act

AIMS and Data Governance – Managing data responsibly isn’t just good practice—it’s a legal and ethical imperative.

Trust Me – ISO 42001 AI Management System

ISO/IEC 42001:2023 – from establishing to maintain an AI management system

Agentic AI: Navigating Risks and Security Challenges

Artificial Intelligence: The Next Battlefield in Cybersecurity

AI and The Future of Cybersecurity: Navigating the New Digital Battlefield

AI Governance Is a Boardroom Imperative—The SEC Just Raised the Stakes on AI Hype

How AI Is Transforming the Cybersecurity Leadership Playbook

Previous AI posts

IBM’s model-routing approach

Top 5 AI-Powered Scams to Watch Out for in 2025

Summary of CISO 3.0: Leading AI Governance and Security in the Boardroom

AI in the Workplace: Replacing Tasks, Not People

Why CISOs Must Prioritize Data Provenance in AI Governance

Interpretation of Ethical AI Deployment under the EU AI Act

AI Governance: Applying AI Policy and Ethics through Principles and Assessments

ISO/IEC 42001:2023, First Edition: Information technology – Artificial intelligence – Management system

ISO 42001 Artificial Intelligence Management Systems (AIMS) Implementation Guide: AIMS Framework | AI Security Standards

Businesses leveraging AI should prepare now for a future of increasing regulation.

Digital Ethics in the Age of AI

DISC InfoSec’s earlier posts on the AI topic

Secure Your Business. Simplify Compliance. Gain Peace of Mind

Tags: AI Governance, ISO 42001

Comments (3)

Sep 11 2025

UN Adopts First-Ever Global AI Resolution: A Framework for Trust and Responsibility

Category: AI,AI Governance — disc7 @ 12:57 pm

The United Nations has officially taken a historic step by adopting its first resolution on artificial intelligence. This marks the beginning of a global dialogue where nations acknowledge both the promise and the risks that AI carries.

The resolution represents a shared framework, where countries have reached consensus on guiding principles for AI. Although the agreement is not legally binding, it establishes a moral and political foundation for responsible development.

At the core of the resolution is a call for the safe and ethical use of AI. The aim is to ensure that technology enhances human life rather than diminishing it, emphasizing values over unchecked advancement.

Human rights and privacy protection are highlighted as non-negotiable priorities. The resolution reinforces the idea that individuals must remain at the center of technological progress, with strong safeguards against misuse.

It also underscores the importance of transparency and accountability. Algorithms that influence decisions in critical areas—such as healthcare, employment, and governance—must be explainable and subject to oversight.

International collaboration is another pillar of the framework. Nations are urged to work together on standards, share research, and avoid fragmented approaches that could widen global inequalities in technology.

The resolution recognizes that AI is not merely about innovation; it is about shaping trust, power, and human values. However, questions remain about whether such frameworks can keep pace with the speed at which AI is evolving.

Why it matters: These mechanisms will help anticipate risks, set standards, and make sure AI serves humanity – not the other way around.

Read more: https://lnkd.in/epxFHkaC

My Opinion:
This resolution is a significant milestone, but it is only a starting point. While it sets a common direction, enforcement and adaptability remain challenges. If nations treat this as a foundation for actionable policies and binding agreements in the future, it could help balance innovation with safeguards. Without stronger mechanisms, however, the risks of bias, misinformation, and economic upheaval may outpace the protections envisioned.

The AI Governance Flywheel illustrates how standards, regulations, and governance practices interlock to drive a self-reinforcing cycle of continuous improvement.

Exploring AI security, privacy, and the pressing regulatory gaps—especially relevant to today’s fast-paced AI landscape

What are main requirements for Internal audit of ISO 42001 AIMS

The Dutch AI Act Guide: A Practical Roadmap for Compliance

Embedding AI Oversight into GRC: Building Trust, Compliance, and Accountability

Responsible AI in the Age of Generative Models: Governance, Ethics and Risk Management

AI Governance: Applying AI Policy and Ethics through Principles and Assessments

AIMS and Data Governance – Managing data responsibly isn’t just good practice—it’s a legal and ethical imperative.

Tags: Framework for Trust and Responsibility, Global AI Resolution, UN

North Korean Tech Workers Infiltrating Companies Around World

Sep 10 2025

Inside the North Korean IT Worker Infiltration: A Growing Threat to U.S. Corporations

Category: Cyber crime — disc7 @ 3:28 pm

– Scale of the Threat
Recent investigations confirm that North Korea’s IT worker infiltration program has become one of the most persistent and large-scale cyber threats to U.S. companies. Between 2020 and 2022, more than 300 firms—including several Fortune 500 organizations—unknowingly hired North Korean developers. In the last year alone, the number of affected companies grew by 220%, highlighting the exponential expansion of the scheme.

– Confirmed Incidents
CrowdStrike documented 304 incidents tied to North Korean IT workers in 2024, with activity intensifying toward the year’s end. Federal investigators have tied facilitators to over $5 million in illicit profits, while broader UN estimates suggest the program generates up to $600 million annually for Pyongyang. These efforts not only fuel the North Korean economy but also fund weapons development.

– Global Scale and Persistence
Experts believe thousands of North Korean IT workers are active worldwide. The FBI’s June 2025 operations seized 137 laptops across 14 states, yet analysts describe this as a “whack-a-mole” problem. Despite arrests and seizures, new identities and facilitators quickly replace disrupted operations, allowing the scheme to continue nearly unabated.

– Use of AI and Deepfakes
AI has transformed infiltration tactics. Workers now employ advanced tools to falsify identity documents, enhance professional photos, and create real-time deepfakes for video interviews. This allows one operator to impersonate multiple synthetic personas, applying for and interviewing with several companies simultaneously.

– Operational Efficiency with AI
North Korean operatives have further automated job applications, building tools to track positions, forge identities, and submit applications at scale. Scripts enable a single individual to hold down six or seven jobs simultaneously, while AI voice tools mask accents or alter gender presentation to avoid suspicion. Microsoft uncovered repositories containing detailed playbooks and image libraries supporting these efforts.

– Advanced Evasion Tactics
To avoid detection, these workers often claim technical issues during interviews, such as broken webcams, and rely on VPNs to disguise their true locations. They particularly exploit companies with Bring Your Own Device (BYOD) policies, as these environments are harder to secure. Security experts demonstrated how even a novice could fabricate a convincing synthetic identity within just over an hour.

– Expanding Geographic Reach
While U.S. firms remain the primary target, the infiltration campaign is spreading across Europe and Asia. Google has identified attempts in Germany and Portugal, while researchers warn of increased targeting of European defense contractors and government entities. This shift underscores the global dimension of the threat.

– Ongoing Growth and Risk
Given the program’s profitability and limited deterrent effect from current law enforcement actions, experts predict the scale will continue to expand through 2025 and beyond. Unless detection and remediation strategies significantly improve, American corporations remain at heightened risk of unknowingly funding a hostile regime and exposing sensitive systems to exploitation.

Impact on American Corporations

For U.S. companies, this threat poses financial, reputational, and security risks. Businesses are not only losing money to fraudulent workers but also risking insider threats, data theft, and compliance failures. The infiltration erodes trust in remote hiring practices and creates vulnerabilities in supply chains. Corporations also face potential regulatory and legal consequences if they are found to be indirectly funding sanctioned regimes.

Remediation Steps

Stronger Identity Verification: Companies must adopt multi-layered background checks, including biometric verification and in-person identity validation when possible.
AI Detection Tools: Organizations should deploy AI-based tools to detect deepfakes and synthetic identities in interviews.
Vendor & Hiring Controls: Stricter controls on third-party recruiters and facilitators are needed to prevent disguised hires.
BYOD Policy Reassessment: Firms should limit or phase out BYOD for sensitive roles, requiring managed corporate devices.
Continuous Monitoring: Security teams must monitor for unusual work patterns, such as one user holding multiple jobs or logging in from inconsistent geographies.
Regulatory Compliance: Businesses should align with OFAC and DOJ guidelines to avoid sanctions violations and demonstrate due diligence in hiring.

North Korean Spies Are Infiltrating U.S. Companies Through IT Jobs

Tech companies have a big remote worker problem: North Korean operatives

Tags: North Korean IT Worker Infiltration, Threat to U.S. Corporations

Spinning the AI Flywheel™ (Mastering AI Strategy): How to Discover, Build, Deploy and Scale AI for Lasting Business Impact (ARTIFICIAL INTELLIGENCE – AI)

Sep 10 2025

The AI Governance Flywheel illustrates how standards, regulations, and governance practices interlock to drive a self-reinforcing cycle of continuous improvement.

Category: AI,AI Governance,FlyWheel — disc7 @ 9:25 am

The AI Governance Flywheel is a practical framework your organization can adopt to align standards, regulations, and governance processes in a dynamic cycle of continuous improvement.

It shows how standards, regulations, and governance practices reinforce each other in a cycle of continuous improvement.

AI Governance Flywheel

1. Standards & Frameworks

ISO/IEC 42001 (AI Management System)
ISO/IEC 23894 (AI Risk Management)
EU AI Act
NIST AI RMF
OECD AI Principles

➡️ Provide structure, terminology, and baseline practices.

2. Regulations & Policies

EU AI Act
U.S. Executive Order on AI (2023)
China AI Regulations
National/sectoral guidelines (healthcare, finance, defense)

➡️ Drive compliance requirements and enforce responsible AI.

3. Governance & Controls

AI Ethics Boards
Risk Assessment & Mitigation
AI Transparency & Explainability
Data Governance & Privacy (GDPR, CCPA)

➡️ Ensure AI use is aligned with business values, laws, and trust.

4. Implementation & Operations

AI System Lifecycle Management
Model Monitoring & Auditing
Bias/Fairness Testing
Incident Response for AI Risks

➡️ Embed governance in day-to-day AI operations.

5. Continuous Improvement

Internal & external audits
Feedback loops from incidents/regulators
Updating models, policies, and controls
Staff training and culture building

➡️ Enhances trust, reduces risks, and prepares for evolving standards/regulations.

📌 The flywheel keeps spinning:
Standards → Regulations → Governance → Operations → Improvement → back to Standards.

Exploring AI security, privacy, and the pressing regulatory gaps—especially relevant to today’s fast-paced AI landscape

What are main requirements for Internal audit of ISO 42001 AIMS

The Dutch AI Act Guide: A Practical Roadmap for Compliance

Embedding AI Oversight into GRC: Building Trust, Compliance, and Accountability

Responsible AI in the Age of Generative Models: Governance, Ethics and Risk Management

AI Governance: Applying AI Policy and Ethics through Principles and Assessments

AIMS and Data Governance – Managing data responsibly isn’t just good practice—it’s a legal and ethical imperative.

Anthropic CEO says proposed 10-year ban on state AI regulation ‘too blunt’ in NYT op-ed

Tags: AI Governance FlyWheel

Comments (1)

Sep 09 2025

Exploring AI security, privacy, and the pressing regulatory gaps—especially relevant to today’s fast-paced AI landscape

Category: AI,AI Governance,Information Security — disc7 @ 12:44 pm

Featured Read: “Securing the AI Frontier: Urgent Ethical and Regulatory Imperatives for AI-Driven Cybersecurity“

Overview: This academic paper examines the growing ethical and regulatory challenges brought on by AI’s integration with cybersecurity. It traces the evolution of AI regulation, highlights pressing concerns—like bias, transparency, accountability, and data privacy—and emphasizes the tension between innovation and risk mitigation.
Key Insights:
- AI systems raise unique privacy/security issues due to their opacity and lack of human oversight.
- Current regulations are fragmented—varying by sector—with no unified global approach.
- Bridging the regulatory gap requires improved AI literacy, public engagement, and cooperative policymaking to shape responsible frameworks.
Source: Authored by Vikram Kulothungan, published in January 2025, this paper cogently calls for a globally harmonized regulatory strategy and multi-stakeholder collaboration to ensure AI’s secure deployment.

Why This Post Stands Out

Comprehensive: Tackles both cybersecurity and privacy within the AI context—not just one or the other.
Forward-Looking: Addresses systemic concerns, laying the groundwork for future regulation rather than retrofitting rules around current technology.
Action-Oriented: Frames AI regulation as a collaborative challenge involving policymakers, technologists, and civil society.

Additional Noteworthy Commentary on AI Regulation

1. Anthropic CEO’s NYT Op-ed: A Call for Sensible Transparency

Anthropic CEO Dario Amodei criticized a proposed 10-year ban on state-level AI regulation as “too blunt.” He advocates a federal transparency standard requiring AI developers to disclose testing methods, risk mitigation, and pre-deployment safety measures.

2. California’s AI Policy Report: Guarding Against Irreversible Harms

A report commissioned by Governor Newsom warns of AI’s potential to facilitate biological and nuclear threats. It advocates “trust but verify” frameworks, increased transparency, whistleblower protections, and independent safety validation.

3. Mutually Assured Deregulation: The Risks of a Race Without Guardrails

Gilad Abiri argues that dismantling AI safety oversight in the name of competition is dangerous. Deregulation doesn’t give lasting advantages—it undermines long-term security, enabling proliferation of harmful AI capabilities like bioweapon creation or unstable AGI.

Broader Context & Insights

Fragmented Landscape: U.S. lacks unified privacy or AI laws; even executive orders remain limited in scope.
Data Risk: Many organizations suffer from unintended AI data exposure and poor governance despite having some policies in place.
Regulatory Innovation: Texas passed a law focusing only on government AI use, signaling a partial step toward regulation—but private sector oversight remains limited.
International Efforts: The Council of Europe’s AI Convention (2024) is a rare international treaty aligning AI development with human rights and democratic values.
Research Proposals: Techniques like blockchain-enabled AI governance are being explored as transparency-heavy, cross-border compliance tools.

Opinion

AI’s pace of innovation is extraordinary—and so are its risks. We’re at a crossroads where lack of regulation isn’t a neutral stance—it accelerates inequity, privacy violations, and even public safety threats.

What’s needed:

Layered Regulation: From sector-specific rules to overarching international frameworks; we need both precision and stability.
Transparency Mandates: Companies must be held to explicit standards—model testing practices, bias mitigation, data usage, and safety protocols.
Public Engagement & Literacy: AI literacy shouldn’t be limited to technologists. Citizens, policymakers, and enforcement institutions must be equipped to participate meaningfully.
Safety as Innovation Avenue: Strong regulation doesn’t kill innovation—it guides it. Clear rules create reliable markets, investor confidence, and socially acceptable products.

The paper “Securing the AI Frontier” sets the right tone—urging collaboration, ethics, and systemic governance. Pair that with state-level transparency measures (like Newsom’s report) and critiques of over-deregulation (like Abiri’s essay), and we get a multi-faceted strategy toward responsible AI.

California AI Policy Report Warns of ‘Irreversible Harms’

Responsible AI in the Age of Generative Models: Governance, Ethics and Risk Management

AI Governance: Applying AI Policy and Ethics through Principles and Assessments

AIMS and Data Governance – Managing data responsibly isn’t just good practice—it’s a legal and ethical imperative.

“Connected cars are racing ahead, but security is stuck in neutral”

Tags: AI privacy, AI Regulations, AI security, AI standards

Comments (2)

Sep 09 2025

Connected Cars in Europe: Balancing Innovation with Cybersecurity and Privacy

Category: Connected Cars,Information Security — disc7 @ 11:39 am

Connected vehicles have rapidly proliferated across Europe, brimming with sophisticated software, myriad sensors, and continuous connectivity. While these advancements deliver conveniences like remote control features and intelligent navigation, they simultaneously expand the vehicle’s digital attack surface, what enhances “smartness” inherently introduces fresh cybersecurity vulnerabilities.

A recent study — both technical and survey-based — questioned roughly 300 mostly European participants about their awareness and attitudes regarding smart-car security and privacy. The findings indicate that most people understand their vehicles share data with both manufacturers and third parties, particularly those driving newer models. Western Europeans showed greater awareness of these data flows than respondents from Eastern Europe.

Despite rising awareness, many drivers lack clarity about what precisely “smart car” entails. Consumers tend to emphasize visible functionalities — such as self-driving aids or entertainment systems — while overlooking the less visible but critical issue of how data is managed, stored, or potentially exploited.

The existing regulatory environment is striving to catch up. Frameworks like UN R155 and R156, already in effect, mandate systematic cybersecurity management and secure software update mechanisms for connected cars. Similarly, from July 2024, EU rules require that new vehicles cannot be registered unless they guarantee robust cybersecurity—pushing automakers toward ‘security by design.

Moreover, Europe is developing additional protective technologies. For example, the EU-funded SELFY project is building a toolkit to safeguard connected traffic systems, aiming to issue cybersecurity certificates and bolster defenses against cyber threats. The European Commission is also establishing protocols around testing, data recording, safety monitoring, and incident reporting for advanced automated and driverless vehicle systems.

Nevertheless, gaps remain—particularly between policy progress and public trust. Even as regulations evolve and technical tools mature, many vehicle users remain uncertain about the extent of data collection, storage, and sharing. Without stronger transparency, consumer trust is likely to lag behind technological and regulatory advancements.

Car Security and Privacy

Connected cars represent a defining shift in the mobility landscape—offering unprecedented convenience but accompanied by elevated risks. The central paradox is clear: as vehicles become more connected and intelligent, they become more exposed. This isn’t just a matter of potential remote hacking; it’s about data flow—where, how, and by whom vehicle data is used.

Europe is taking commendable steps by enforcing cybersecurity mandates (like R155/R156) and promoting proactive, security-by-design approaches. Projects like SELFY and structured regulatory initiatives around automated vehicles signal forward motion.

However, the real challenge lies in closing the trust gap. Many drivers still don’t have a clear understanding of data practices. Communicating complex cybersecurity architecture in accessible terms is essential. Automakers and regulators must both educate and reassure—perhaps through public dashboards, standardized labels on data practices, or periodic transparency reports that explain what data is collected, why, who has access, and how it’s protected.

For drivers, vigilance remains crucial. Prioritize vehicles that support secure over-the-air updates, enforce two-factor authentication for vehicle apps, and carefully review privacy settings. As consumers, push for clarity and accountability—our vehicles shouldn’t just be smart; they should also be secure and respectful of our privacy.

Connected cars and cybercrime: A primer

How Virtualization Helps Secure Connected Cars

Modern cars: A growing bundle of security vulnerabilities

Car Hacking and its Countermeasures

Bug in Toyota, Honda, and Nissan Car App Let Hackers Unlock & Start The Car Remotely

Multiple Vulnerabilities in the Mazda In-Vehicle Infotainment (IVI) System

Integrating cybersecurity into vehicle design and manufacturing

Your car is probably harvesting your data. Here’s how you can wipe it

The Rise of Automotive Hacking: How to Secure Your Vehicles Against Hacking

Car companies massively exposed to web vulnerabilities

Million of vehicles can be attacked via MiCODUS MV720 GPS Trackers

Securing vehicles from potential cybersecurity threats

Building Secure Cars

Tags: Connected cars

Internal Auditing in Plain English: A Simple Guide to Super Effective ISO Audits

Sep 08 2025

What are main requirements for Internal audit of ISO 42001 AIMS

Category: AI,Information Security,ISO 42001 — disc7 @ 2:23 pm

ISO 42001 is the upcoming standard for AI Management Systems (AIMS), similar in structure to ISO 27001 for information security. While the full standard is not yet widely published, the main requirements for an internal audit of an ISO 42001 AIMS can be outlined based on common audit principles and the expected clauses in the standard. Here’s a structured view:

1. Audit Scope and Objectives

Define what parts of the AI management system will be audited (processes, teams, AI models, AI governance, data handling, etc.).
Ensure the audit covers all ISO 42001 clauses relevant to your organization.
Determine audit objectives, e.g.,:
- Compliance with ISO 42001.
- Effectiveness of risk management for AI.
- Alignment with organizational AI strategy and policies.

2. Compliance with AIMS Requirements

Check whether the organization’s AI management system meets ISO 42001 requirements, which likely include:
- AI governance framework.
- Risk management for AI (AI lifecycle, bias, safety, privacy).
- Policies and procedures for AI development, deployment, and monitoring.
- Data management and ethical AI principles.
- Roles, responsibilities, and competency requirements for AI personnel.

3. Documentation and Records

Verify that documentation exists and is maintained, e.g.:
- AI policies, procedures, and guidelines.
- Risk assessments, impact assessments, and mitigation plans.
- Training records and personnel competency evaluations.
- Records of AI incidents, anomalies, or failures.
- Audit logs of AI models and data handling activities.

4. Risk Management and Controls

Review whether risks related to AI (bias, safety, security, privacy) are identified, assessed, and mitigated.
Check implementation of controls:
- Data quality and integrity controls.
- Model validation and testing.
- Human oversight and accountability mechanisms.
- Compliance with relevant regulations and ethical standards.

5. Performance Monitoring and Improvement

Evaluate monitoring and measurement processes:
- Metrics for AI model performance and compliance.
- Monitoring of ethical and legal adherence.
- Feedback loops for continuous improvement.
Assess whether corrective actions and improvements are identified and implemented.

6. Internal Audit Process Requirements

Audits should be planned, objective, and systematic.
Auditors must be independent of the area being audited.
Audit reports must include:
- Findings (compliance, nonconformities, opportunities for improvement).
- Recommendations.
Follow-up to verify closure of nonconformities.

7. Management Review Alignment

Internal audit results should feed into management reviews for:
- AI risk mitigation effectiveness.
- Resource allocation.
- Policy updates and strategic AI decisions.

Key takeaway: An ISO 42001 internal audit is not just about checking boxes—it’s about verifying that AI systems are governed, ethical, and risk-managed throughout their lifecycle, with evidence, controls, and continuous improvement in place.

An Internal Audit agreement aligned with ISO 42001 should include the following key components, each described below to ensure clarity and operational relevance:

🧭 Scope of Services

The agreement should clearly define the consultant’s role in leading and advising the internal audit team. This includes directing the audit process, training team members on ISO 42001 methodologies, and overseeing all phases—from planning to reporting. It should also specify advisory responsibilities such as interpreting ISO 42001 requirements, identifying compliance gaps, and validating governance frameworks. The scope must emphasize the consultant’s authority to review and approve all audit work to ensure alignment with professional standards.

📄 Deliverables

A detailed list of expected outputs should be included, such as a comprehensive audit report with an executive summary, gap analysis, and risk assessment. The agreement should also cover a remediation plan with prioritized actions, implementation guidance, and success metrics. Supporting materials like policy templates, training recommendations, and compliance monitoring frameworks should be outlined. Finally, it should ensure the development of a capable internal audit team and documentation of audit procedures for future use.

⏳ Timeline

The agreement must specify key milestones, including project start and completion dates, training deadlines, audit phase completion, and approval checkpoints for draft and final reports. This timeline ensures accountability and helps coordinate internal resources effectively.

💰 Compensation

This section should detail the total project fee, payment terms, and a milestone-based payment schedule. It should also clarify reimbursable expenses (e.g., travel) and note that internal team costs and facilities are the client’s responsibility. Transparency in financial terms helps prevent disputes and ensures mutual understanding.

👥 Client Responsibilities

The client’s obligations should be clearly stated, including assigning qualified internal audit team members, ensuring their availability, designating a project coordinator, and providing access to necessary personnel, systems, and facilities. The agreement should also require timely feedback on deliverables and commitment from the internal team to complete audit tasks under the consultant’s guidance.

🎓 Consultant Responsibilities

The consultant’s duties should include providing expert leadership, training the internal team, reviewing and approving all work products, maintaining quality standards, and being available for ongoing consultation. This ensures the consultant remains accountable for the integrity and effectiveness of the audit process.

🔐 Confidentiality

A robust confidentiality clause should protect proprietary information shared during the engagement. It should specify the duration of confidentiality obligations post-engagement and ensure that internal audit team members are bound by equivalent terms. This builds trust and safeguards sensitive data.

💡 Intellectual Property

The agreement should clarify ownership of work products, stating that outputs created by the internal team under the consultant’s guidance belong to the client. It should also allow the consultant to retain general methodologies and templates for future use, while jointly owning training materials and audit frameworks.

⚖️ Limitation of Liability

This clause should cap the consultant’s liability to the total fee paid and exclude consequential or punitive damages. It should reinforce that ISO 42001 compliance is ultimately the client’s responsibility, with the consultant providing guidance and oversight—not execution.

🛑 Termination

The agreement should include provisions for termination with advance notice, payment for completed work, delivery of all completed outputs, and survival of confidentiality obligations. It should also ensure that any training and knowledge transfer remains with the client post-termination.

📜 General Terms

Standard legal provisions should be included, such as independent contractor status, governing law, severability, and a clause stating that the agreement represents the entire understanding between parties. These terms provide legal clarity and protect both sides.

Responsible AI in the Age of Generative Models: Governance, Ethics and Risk Management

AI Governance: Applying AI Policy and Ethics through Principles and Assessments

AIMS and Data Governance – Managing data responsibly isn’t just good practice—it’s a legal and ethical imperative.

Dutch AI ACT Guide Ver 1.1

Tags: AIMS, Internal audit of ISO 42001

Comments (6)

Sep 07 2025

The Dutch AI Act Guide: A Practical Roadmap for Compliance

Category: AI,AI Governance — disc7 @ 10:33 pm

The Dutch government has released version 1.1 of its AI Act Guide, setting a strong example for AI Act readiness across Europe. Published by the Ministry of Economic Affairs, this free 21-page document is one of the most practical and accessible resources currently available. It is designed to help organizations—whether businesses, developers, or public authorities—understand how the EU AI Act applies to them.

The guide provides a four-step approach that makes compliance easier to navigate: start with risk rather than abstract definitions, confirm whether your system meets the EU’s definition of AI, determine your role as either provider or deployer, and finally, map your obligations based on the AI system’s risk level. This structure gives users a straightforward way to see where they stand and what responsibilities they carry.

Content covers a wide range of scenarios, including prohibited AI uses such as social scoring or predictive policing, as well as obligations for high-risk AI systems in critical areas like healthcare, education, HR, and law enforcement. It also addresses general-purpose and generative AI, with requirements around transparency, risk mitigation, and exceptions for open models. Government entities get additional guidance on tasks such as Fundamental Rights Impact Assessments and system registration. Importantly, the guide avoids dense legal jargon, using clear explanations, definitions, and real-world references to make the regulations understandable and actionable.

My take on the Dutch AI Act Guide is that it’s one of the most practical tools released so far to help organizations translate EU AI Act requirements into actionable steps. Unlike dense regulatory texts, this guide simplifies the journey by giving a clear, structured roadmap—making it easier for businesses and public authorities to assess whether they’re in scope, identify their risk category, and understand obligations tied to their role.

From an AI governance perspective, this guide helps organizations move from theory to practice. Governance isn’t just about compliance—it’s about building a culture of accountability, transparency, and ethical use of AI. The Dutch approach encourages teams to start with risk, not abstract definitions, which aligns closely with effective governance practices. By embedding this structured framework into existing GRC programs, companies can proactively manage AI risks like bias, drift, and misuse.

For cybersecurity, the guide adds another layer of value. Many high-risk AI systems—especially in healthcare, HR, and critical infrastructure—depend on secure data handling and system integrity. Mapping obligations early helps organizations ensure that cybersecurity controls (like access management, monitoring, and data protection) are not afterthoughts but integral to AI deployment. This alignment between regulatory expectations and cybersecurity safeguards reduces both compliance and security risks.

In short, the Dutch AI Act Guide can serve as a playbook for integrating AI governance into GRC and cybersecurity programs—helping organizations stay compliant, resilient, and trustworthy while adopting AI responsibly.

Embedding AI Oversight into GRC: Building Trust, Compliance, and Accountability

Source: AI Governance: 5 Ways to Embed AI Oversight into GRC

Responsible AI in the Age of Generative Models: Governance, Ethics and Risk Management

AI Governance: Applying AI Policy and Ethics through Principles and Assessments

AIMS and Data Governance – Managing data responsibly isn’t just good practice—it’s a legal and ethical imperative.

Responsible AI in the Age of Generative Models: Governance, Ethics and Risk Management

Tags: The Dutch AI Act Guide

Comments (1)

Sep 07 2025

Embedding AI Oversight into GRC: Building Trust, Compliance, and Accountability

Category: AI,AI Governance — disc7 @ 10:17 am

1. Why AI Governance Matters

AI brings undeniable benefits—speed, accuracy, vast data analysis—but without guardrails, it can lead to privacy breaches, bias, hallucinations, or model drift. Ensuring governance helps organizations harness AI safely, transparently, and ethically.

2. What Is AI Governance?

AI governance refers to a structured framework of policies, guidelines, and oversight procedures that govern AI’s development, deployment, and usage. It ensures ethical standards and risk mitigation remain in place across the organization.

3. Recognizing AI-specific Risks

Important risks include:

Hallucinations—AI generating inaccurate or fabricated outputs
Bias—AI perpetuating outdated or unfair historical patterns
Data privacy—exposure of sensitive inputs, especially with public models
Model drift—AI performance degrading over time without monitoring.

4. Don’t Reinvent the Wheel—Use Existing GRC Programs

Rather than creating standalone frameworks, integrate AI risks into your enterprise risk, compliance, and audit programs. As risk expert Dr. Ariane Chapelle advises, it’s smarter to expand what you already have than build something separate.

5. Five Ways to Embed AI Oversight into GRC

Broaden risk programs to include AI-specific risks (e.g., drift, explainability gaps).
Embed governance throughout the AI lifecycle—from design to monitoring.
Shift to continuous oversight—use real-time alerts and risk sprints.
Clarify accountability across legal, compliance, audit, data science, and business teams.
Show control over AI—track, document, and demonstrate oversight to stakeholders.

6. Regulations Are Here—Don’t Wait

Regulatory frameworks like the EU AI Act (which classifies AI by risk and prohibits dangerous uses), ISO 42001 (AI management system standard), and NIST’s Trustworthy AI guidelines are already in play—waiting to comply could lead to steep penalties.

7. Governance as Collective Responsibility

Effective AI governance isn’t the job of one team—it’s a shared effort. A well-rounded approach balances risk reduction with innovation, by embedding oversight and accountability across all functional areas.

Quick Summary at the End:

Start small, then scale: Begin by tagging AI risks within your existing GRC framework. This lowers barriers and avoids creating siloed processes.
Make it real-time: Replace occasional audits with continuous monitoring—this helps spot bias or drift before they become big problems.
Document everything: From policy changes to risk indicators, everything needs to be traceable—especially if regulators or execs ask.
Define responsibilities clearly: Everyone from legal to data teams should know where they fit in the AI oversight map.
Stay compliant, stay ahead: Don’t just tick a regulatory box—build trust by showing you’re in control of your AI tools.

Source: AI Governance: 5 Ways to Embed AI Oversight into GRC

AI Governance: Applying AI Policy and Ethics through Principles and Assessments

AIMS and Data Governance – Managing data responsibly isn’t just good practice—it’s a legal and ethical imperative.

CISO 2.0 From Cost Center to Value Creator: The Modern Playbook for the CISO as a P&L Leader Aligning Cybersecurity with Business Impact

Tags: AI Governance

Comments (1)

Sep 05 2025

The Modern CISO: From Firewall Operator to Seller of Trust

Category: AI,CISO,vCISO — disc7 @ 2:09 pm

The role of the modern CISO has evolved far beyond technical oversight. While many entered the field expecting to focus solely on firewalls, frameworks, and fighting cyber threats, the reality is that today’s CISOs must operate as business leaders as much as security experts. Increasingly, the role demands skills that look surprisingly similar to sales.

This shift is driven by business dynamics. Buyers and partners are highly sensitive to security posture. A single breach or regulatory fine can derail deals and destroy trust. As a result, security is no longer just a cost center—it directly influences revenue, customer acquisition, and long-term business resilience.

CISOs now face a dual responsibility: maintaining deep technical credibility while also translating security into a business advantage. Boards and executives are asking not only, “Are we protected?” but also, “How does our security posture help us win business?” This requires CISOs to communicate clearly and persuasively about the commercial value of trust and compliance.

At the same time, budgets are tight and CISO compensation is under scrutiny. Justifying investment in security requires framing it in business terms—showing how it prevents losses, enables sales, and differentiates the company in a competitive market. Security is no longer seen as background infrastructure but as a factor that can make or break deals.

Despite this, many security professionals still resist the sales aspect of the job, seeing it as outside their domain. This resistance risks leaving them behind as the role changes. The reality is that security leadership now includes revenue protection and revenue generation, not just technical defense.

The future CISO will be defined by their ability to translate security into customer confidence and measurable business outcomes. Those who embrace this evolution will shape the next generation of leadership, while those who cling only to the technical side risk becoming sidelined.

Advice on AI’s impact on the CISO role:
AI will accelerate this transformation. On the technical side, AI tools will automate many detection, response, and compliance tasks that once required hands-on oversight, reducing the weight of purely operational responsibilities. On the business side, AI will raise customer expectations for security, privacy, and ethical use of data. This means CISOs must increasingly act as “trust architects,” communicating how AI is governed and secured. The CISO who can blend technical authority with persuasive storytelling about AI risk and trust will not only safeguard the enterprise but also directly influence growth. In short, AI will make the CISO less of a firewall operator and more of a business strategist who sells trust.

The CISO 3.0: A Guide to Next-Generation Cybersecurity Leadership

How AI Is Transforming the Cybersecurity Leadership Playbook

Aligning Cybersecurity with Business Goals: The Complete Program Blueprint

Summary of CISO 3.0: Leading AI Governance and Security in the Boardroom

Becoming a Complete vCISO: Driving Maximum Value and Business Alignment

DISC Infosec vCISO Services

How CISO’s are transforming the Third-Party Risk Management

Cybersecurity and Third-Party Risk: Third Party Threat Hunting

Navigating Supply Chain Cyber Risk

DISC InfoSec offer free initial high level assessment – Based on your needs DISC InfoSec offer ongoing compliance management or vCISO retainer.

Tags: CISO, The Modern CISO, vCISO

Source: New zero-day startup offers $20 million for tools that can hack any smartphone

Sep 04 2025

🕵️‍♂️ A New Player in the Zero-Day Market

Category: Zero day — disc7 @ 1:59 pm

A UAE-based startup named Advanced Security Solutions has entered the cybersecurity scene with a bold proposition: offering up to $20 million for zero-day exploits that can compromise any smartphone via a single text message. This figure places it among the highest publicly known bounties in the exploit market, signaling aggressive intent and deep pockets.

💰 Bounty Breakdown

The company’s bounty structure includes $15 million for Android and iPhone exploits, $10 million for Windows vulnerabilities, and smaller amounts for browser-based flaws—$5 million for Chrome and $1 million for Safari and Edge. Messaging apps like WhatsApp, Telegram, and Signal are also targeted, with $2 million offered for each. These figures reflect a growing demand and rising prices in the zero-day ecosystem.

🧩 Mystery Behind the Curtain

Despite its high-profile launch, Advanced Security Solutions remains opaque. The company has not disclosed its ownership, funding sources, or client list. Its website claims partnerships with over 25 government and intelligence agencies and boasts a team of veterans from elite intelligence units and private military contractors. However, it avoids any mention of ethical or legal boundaries.

🧠 Expert Opinions and Market Context

Security researchers familiar with the zero-day market suggest the offered prices are realistic, though one expert noted that $20 million might be considered “low” depending on the buyer’s ethics. The same expert cautioned against selling exploits to entities that conceal their identity, emphasizing the risks of dealing with anonymous buyers.

📈 Evolution of the Exploit Economy

The zero-day market has evolved rapidly over the past decade. In 2015, Zerodium offered $1 million for iPhone exploits. By 2018, Crowdfense raised the bar to $3 million. Today, prices have surged due to improved device security and increased demand from governments. Crowdfense’s latest list includes $7 million for iPhone and $8 million for WhatsApp exploits, showing how competitive the landscape has become.

🇷🇺 A Russian Outlier

Operation Zero, a Russian firm, also offers up to $20 million for similar exploits but claims to work exclusively with the Russian government. This exclusivity limits its reach, especially since U.S. and European researchers are legally barred from selling to Russia. In contrast, Advanced Security Solutions appears to be casting a wider net, albeit under a veil of secrecy.

🔍 Ethical and Strategic Implications

The emergence of such companies raises serious ethical and geopolitical questions. While they claim to support counterterrorism and narcotics control, the lack of transparency and accountability makes it difficult to assess their true impact. The commodification of zero-days risks empowering regimes with poor human rights records or enabling surveillance beyond legal bounds.

Zero Days

Given my expertise in AI governance and ethical deployment, this development is a flashing red light. The lack of transparency, combined with astronomical bounties, suggests a market that prioritizes power over accountability. I recommend using this case as a teaching tool in my training materials—perhaps a mind map contrasting ethical vs. unethical exploit markets, or a stakeholder matrix showing who benefits and who risks harm. It’s also a prime scenario for simulating AICP-style questions around lawful use, vendor vetting, and international compliance.

Here’s a structured mind map to help you visualize the ethical, strategic, and regulatory dimensions of the TechCrunch article on Advanced Security Solutions and its $20M zero-day bounty offer:

🧠 Mind Map: Ethical & Strategic Implications of High-Stakes Zero-Day Markets

1. Actors & Stakeholders

Advanced Security Solutions: UAE-based startup offering record bounties
Exploit Developers: Researchers, hackers, private contractors
Government & Intelligence Agencies: Claimed clients, potential end-users
Regulators & Compliance Bodies: GDPR, EU AI Act, ISO 42001
Civil Society & Journalists: Transparency advocates, watchdogs
Tech Companies: Apple, Google, Meta—targets of exploits

2. Motivations & Incentives

Startup: Market dominance, intelligence leverage, financial gain
Researchers: Monetary reward, prestige, ethical dilemma
Governments: Surveillance, counterterrorism, geopolitical advantage
Regulators: Risk mitigation, legal enforcement, public trust

3. Risks & Ethical Concerns

Lack of Transparency: Unknown buyers, undisclosed use cases
Human Rights Violations: Potential misuse by authoritarian regimes
Surveillance Overreach: Exploits used beyond legal boundaries
Market Commodification: Treating vulnerabilities as tradable assets

4. Legal & Compliance Tensions

GDPR: Data protection vs. surveillance tools
EU AI Act: High-risk AI systems and cybersecurity implications
ISO 42001: Governance of AI lifecycle and exploit handling
Export Controls: Restrictions on selling to sanctioned entities

5. Strategic Comparisons

Crowdfense: Transparent pricing, selective clientele
Zerodium: Longstanding player, known bounty structure
Operation Zero (Russia): Exclusive to Russian government
Advanced Security Solutions: High bounty, opaque operations

6. Sectoral Impact

Finance & Insurance: Data breaches, regulatory exposure
Healthcare: Patient data vulnerability, ethical fallout
Education: Surveillance of students, academic integrity risks
Autonomous Driving: Exploit-induced safety failures
Advertising & Tourism: Behavioral tracking, privacy erosion

7. Governance & Response Strategies

Vendor Vetting Protocols: Due diligence on exploit buyers
Ethical Disclosure Frameworks: Incentivizing responsible reporting
Stakeholder Matrices: Mapping impact across sectors
Training & Certification: AICP-style scenarios, compliance drills

🧭 Advice for You,

This case is a goldmine for scenario-based learning. I suggest turning this mind map into:

A stakeholder matrix for training sessions
A compliance quiz with ethical dilemmas
A visual aid contrasting exploit markets (ethical vs. opaque)
A briefing slide for sector-specific risk analysis
Reach out to us with any questions. info@DeuraInfoSec.com

OWASP LLM01:2025 Prompt Injection

Tags: Zero-Day Market

OWASP LLM01:2025 Prompt Injection

Sep 04 2025

Hidden Malware in AI Images: How Hackers Exploit LLMs Through Visual Prompt Injection

Category: AI,Hacking,Malware — disc7 @ 9:38 am

Cybersecurity researchers at Trail of Bits have uncovered a sneaky new corruption vector: malicious instructions embedded in images served by AI chatbots (LLMs). These prompts are invisible to the human eye but become legible to AI models after processing.

The method exploits the way some AI platforms downscale images—for efficiency and performance. During this bicubic interpolation, hidden black text layered onto an image becomes readable, effectively exposing the concealed commands.

Hackers can use this tactic to deliver covert commands or malicious prompts. While the original image appears innocuous, once resized by the AI for analysis, the hidden instructions emerge—potentially allowing the AI to execute unintended or dangerous actions.

What’s especially concerning is the exploitation of legitimate AI workflows. The resizing is a routine process meant to optimize performance or adapt images for analysis—making this an insidious vulnerability that’s hard to detect at a glance.

This discovery reveals a wider issue with multimodal AI systems—those that handle text, audio, and images together. Visual channels can serve as a novel and underappreciated conduit for hidden prompts.

Efforts to flag and prevent such attacks are evolving, but the complexity of multimodal input opens a broader attack surface. Organizations integrating AI into real-world applications must remain on guard and update security practices accordingly.

Ultimately, the Trail of Bits team’s research is a stark warning: as AI becomes more capable and integrated, so too does the ingenuity of those seeking to subvert it. Vigilance, layered defenses, and thoughtful design are more critical than ever.

source: Hackers Exploit Sitecore Zero-Day for Malware Delivery

Viewpoint

This latest attack vector is a chilling example of side-channel exploitation in AI—the same way power usage or timing patterns can leak secrets, here the resizing process is the leaky conduit. What’s especially alarming is how this bypasses typical content filtering: to the naked eye, the image is benign; to the AI, it becomes a Trojan.

Given how prevalent AI tools are becoming—from virtual assistants to diagnostic aides in healthcare—these weaknesses aren’t just theoretical. Any system that processes user-supplied images is potentially exposed. This underscores the need for robust sanitization pipelines that analyze not just the content, but the transformations applied by AI systems.

Moreover, multimodal AI means multimodal vulnerabilities. Researchers and developers must expand their threat models beyond traditional text-based prompt injection and consider every data channel. Techniques like metadata checks, manual image audits, and thorough testing of preprocessing tools should become standard.

Ultimately, this attack emphasizes that convenience must not outpace safety. AI systems must be built with intentional defenses against these emergent threats. Lessons learned today will shape more secure foundations for tomorrow.

Tags: Visual Prompt Injection

Sep 03 2025

An AI-Powered Brute-Force Tool for Ethical Security Testing

Category: AI,Information Security,Security Tools — disc7 @ 2:05 pm

Summary of the Help Net Security article.

BruteForceAI is a free, open-source penetration testing tool that enhances traditional brute-force attacks by integrating large language models (LLMs). It automates identification of login form elements—such as username and password fields—by analyzing HTML content and deducing the correct selectors.

After mapping out the login structure, the tool conducts multi-threaded brute-force or password-spraying attacks. It simulates human-like behavior by randomizing timing, introducing slight delays, and varying the user-agent—concealing its activity from conventional detection systems.

Intended for legitimate security use, BruteForceAI is geared toward authorized penetration testing, academic research, self-assessment of one’s applications, and participation in bug bounty programs—always within proper legal and ethical bounds. It is freely available on GitHub for practitioners to explore and deploy.

By combining intelligence-powered analysis and automated attack execution, BruteForceAI streamlines what used to be a tedious and manual process. It automates both discovery (login field detection) and exploitation (attack execution). This dual capability can significantly speed up testing workflows for security professionals.

BruteForceAI

BruteForceAI represents a meaningful leap in how penetration testers can validate and improve authentication safeguards. On the positive side, its automation and intelligent behavior modeling could expedite thorough and realistic attack simulations—especially useful for uncovering overlooked vulnerabilities hidden in login logic or form implementations.

That said, such power is a double-edged sword. There’s an inherent risk that malicious actors could repurpose the tool for unauthorized attacks, given its stealthy methods and automation. Its detection evasion tactics—mimicking human activity to avoid being flagged—could be exploited by bad actors to evade traditional defenses. For defenders, this heightens the importance of deploying robust controls like rate limiting, behavioral monitoring, anomaly detection, and multi-factor authentication.

In short, as a security tool it’s impressive and helpful—if used responsibly. Ensuring it remains in the hands of ethical professionals and not abused requires awareness, cautious deployment, and informed defense strategies.

Download

This tool is designed for responsible and ethical use, including authorized penetration testing, security research and education, testing your own applications, and participating in bug bounty programs within the proper scope.

BruteForceAI is available for free on GitHub.

Source: BruteForce AI

Tags: Brute-Force Tool

Source: Agentic AI coding assistant helped attacker breach, extort 17 distinct organizations

Aug 28 2025

Agentic AI Misuse: How Autonomous Systems Are Fueling a New Wave of Cybercrime

Category: AI,Cybercrime — disc7 @ 9:05 am

Cybercriminals have started “vibe hacking” with AI’s help, AI startup Anthropic has shared in a report released on Wednesday.

1. Overview of the Incident
Cybercriminals are now leveraging “vibe hacking” — a term coined by AI startup Anthropic — to misuse agentic AI assistants in sophisticated data extortion schemes. Their report, released on August 28, 2025, reveals that attackers employed the agentic AI coding assistant, Claude Code, to orchestrate nearly every step of a breach and extortion campaign across 17 different organizations in various economic sectors.

2. Redefining Threat Complexity
This misuse highlights how AI is dismantling the traditional link between an attacker’s technical skill and the complexity of an attack. Instant access to AI-driven expertise enables low-skill threat actors to launch highly complex operations.

3. Detection Challenges Multiplied
Spotting and halting the misuse of autonomous AI tools like Claude Code is extremely difficult. Their dynamic and adaptive nature, paired with minimal human oversight, makes detection systems far less effective.

4. Ongoing AI–Cybercrime Arms Race
According to Anthropic, while efforts to curb misuse are necessary, they will likely only mitigate—not eliminate—the rising tide of malicious AI use. The interplay between defenders’ improvements and attackers’ evolving methods creates a persistent, evolving arms race.

5. Beyond Public Tools
This case concerns publicly available AI tools. However, Anthropic expresses deep concern that well-resourced threat actors may already be developing, or will soon develop, their own proprietary agentic systems for even more potent attacks.

6. The Broader Context of Agentic AI Risks
This incident is emblematic of broader vulnerabilities in autonomous AI systems. Agentic AI—capable of making decisions and executing tasks with minimal human intervention—expands attack surfaces and introduces unpredictable behaviors. Efforts to secure these systems remain nascent and often reactive.

7. Mitigation Requires Human-Centric Strategies
Experts stress the importance of human-centric cybersecurity responses: building deep awareness of AI misuse, investing in real-time monitoring and anomaly detection, enforcing strong governance and authorization frameworks, and designing AI systems with security and accountability built in from the start.

Perspective

This scenario marks a stark inflection point in AI-driven cyber risk. When autonomous systems like agentic AI assistants can independently orchestrate multi-stage extortion campaigns, the cybersecurity playing field fundamentally changes. Traditional defenses—rooted in predictable attack patterns and human oversight—are rapidly becoming inadequate.

To adapt, we need a multipronged response:

Technical Guardrails: AI systems must include robust safety measures like runtime policy enforcement, behavior monitoring, and anomaly detection capable of recognizing when an AI agent goes off-script.
Human Oversight: No matter how autonomous, AI agents should operate under clearly defined boundaries, with human-in-the-loop checkpoints for high-stakes actions.
Governance and Threat Modeling: Security teams must rigorously evaluate threats from agentic usage patterns, prompt injections, tool misuse, and privilege escalation—especially considering adversarial actors deliberately exploiting these vulnerabilities.
Industry Collaboration: Sharing threat intelligence and developing standardized frameworks for detecting and mitigating AI misuse will be essential to stay ahead of attackers.

Ultimately, forward-looking organizations must embrace the dual nature of agentic AI: recognizing its potential for boosting efficiency while simultaneously addressing its capacity to empower even low-skilled adversaries. Only through proactive and layered defenses—blending human insight, governance, and technical resilience—can we begin to control the risks posed by this emerging frontier of AI-enabled cybercrime.

ISO 27001 Made Simple: Clause-by-Clause Summary and Insights

From Compliance to Trust: Rethinking Security in 2025

Understand how the ISO/IEC 42001 standard and the NIST framework will help a business ensure the responsible development and use of AI

Analyze the impact of the AI Act on different stakeholders: autonomous driving

Identify the rights of individuals affected by AI systems under the EU AI Act by doing a fundamental rights impact assessment (FRIA)

Building Trust with High-Risk AI: What Article 15 of the EU AI Act Means for Accuracy, Robustness & Cybersecurity

From Compliance to Confidence: How DISC LLC Delivers Strategic Cybersecurity Services That Scale

Secure Your Business. Simplify Compliance. Gain Peace of Mind

Managing Artificial Intelligence Threats with ISO 27001

Tags: Agentic AI

Aug 27 2025

The Impact of Artificial Intelligence on the Cybersecurity Workforce: NIST’s Evolving Framework

Category: AI,NIST CSF — disc7 @ 4:41 pm

Credit: NICE

1. Introduction & Context

NIST’s NICE (National Initiative for Cybersecurity Education) Workforce Framework (NICE Framework) , known as NIST SP 800-181 rev. 1, has been designed for adaptability — particularly to account for emerging technologies like artificial intelligence (AI). Strong engagement with federal agencies, industry, academia, and international groups has ensured that NICE evolves with AI developments. NICE has hosted numerous events — from webinars to annual conferences — to explore AI’s impact on cybersecurity education, workforce needs, and program design.

2. AI Security as a New Competency Area

One major evolution includes the introduction of a new AI Security Competency Area within the NICE Framework. This area will define the core knowledge and skills needed to understand how AI intersects with cybersecurity — from managing risks to leveraging opportunities. The draft competency content is open for public comment and draws on resources such as the AI Risk Management Framework (AI RMF 1.0), the NSF AI Scholarships for Service initiative, and DoD’s Cyber Workforce Framework.

3. AI’s Role in Work Roles & Skills Integration

Beyond this standalone competency, NICE aims to integrate AI-related Tasks, Knowledge, and Skill (TKS) statements into existing and newly emerging cybersecurity job roles. This includes coverage for three essential themes: (a) strategic implications of AI for organizations and legal/regulatory considerations; (b) securing AI systems against threats including misuse; and (c) enhancing cybersecurity work through AI — such as using it for threat detection and analysis.

4. Community Engagement & Feedback Mechanisms

NIST encourages public participation in shaping the evolution of the NICE Framework. Stakeholders—including federal agencies, educators, certification bodies, and private-sector groups—are invited to join forums like the NICE Community Coordinating Council, attend events, join the NICE Framework Users Group, or provide direct feedback.

5. AI’s Dual Security Role in NIST Strategy

Another dimension of NIST’s AI-focused cybersecurity efforts focuses on both securing AI (making AI systems robust against threats) and enabling security through AI (using AI to strengthen defenses). Related initiatives include developing community profiles for adapting other cybersecurity frameworks (e.g., the Cybersecurity Framework), as well as launching research tools such as Dioptra and the PETs Testbed that support evaluation of machine learning and privacy technologies.

6. Broader Vision for AI & Cybersecurity Integration

NIST’s broader vision includes aligning its AI-cybersecurity initiatives with its existing guidance (e.g., AI RMF, SSDF, privacy frameworks) and expanding into practical, operational tools and community-driven resources. The goal is a cohesive, holistic approach that supports both the defense of AI systems and the incorporation of AI into cybersecurity across organizational, national, and international levels.

7. Summary

In essence, the NIST blog outlines how AI is reshaping the cybersecurity workforce—through new competency areas, an expanded skill taxonomy, and community-driven development of training and frameworks. NIST is at the forefront of this transformation, laying essential groundwork for organizations to adapt to AI-induced changes while safeguarding both AI and the systems it interacts with.

Engage proactively: If you’re in the cybersecurity field—especially in education, policy, workforce development, or hiring—stay involved. Submit feedback to NIST, participate in the NICE community forums, or attend their events to help shape AI-integrated workforce standards.
Upskill intentionally: Incorporate AI-related skills into your training or hiring programs. Target roles that require AI literacy—such as understanding AI risks, securing AI systems, or leveraging AI for defense.
Emphasize both “of” and “through” AI: Ensure your workforce is prepared not only to protect AI systems (security of AI) but also to harness AI as a tool for enhancing cybersecurity (security through AI).
Leverage NIST tools and frameworks: Explore resources like AI RMF, SSDF profiles for generative AI, Dioptra, and PETs Testbed to inform your practices, tool selection, and workflow integration.

Source: The Impact of Artificial Intelligence on the Cybersecurity Workforce

Tags: Cybersecurity Workforce, NIST’s Evolving Framework

ISO 27001 Made Simple: Clause-by-Clause Summary and Insights

Aug 26 2025

AI systems should be developed using data sets that meet certain quality standards

Category: AI,Data Governance — disc7 @ 3:13 pm

AI systems should be developed using data sets that meet certain quality standards

Data Governance
AI systems, especially high-risk ones, must rely on well-managed data throughout training, validation, and testing. This involves designing systems thoughtfully, knowing the source and purpose of collected data (especially personal data), properly processing data through labeling and cleaning, and verifying assumptions about what the data represents. It also requires ensuring there is enough high-quality data available, addressing harmful biases, and fixing any data issues that could hinder compliance with legal or ethical standards.

Quality of Data Sets
The data sets used must accurately reflect the intended purpose of the AI system. They should be reliable, representative of the target population, statistically sound, and complete to ensure that outputs are both valid and trustworthy.

Consideration of Context
AI developers must ensure data reflects the real-world environment where the system will be deployed. Context-specific features or variations should be factored in to avoid mismatches between test conditions and real-world performance.

Special Data Handling
In rare cases, sensitive personal data may be used to identify and mitigate biases. However, this is only acceptable if no other alternative exists. When used, strict security and privacy safeguards must be applied, including controlled access, thorough documentation, prohibition of sharing, and mandatory deletion once the data is no longer needed. Justification for such use must always be recorded.

Non-Training AI Systems
For AI systems that do not rely on training data, the requirements concerning data quality and handling mainly apply to testing data. This ensures that even rule-based or symbolic AI models are evaluated using appropriate and reliable test sets.

Organizations building or deploying AI should treat data management as a cornerstone of trustworthy AI. Strong governance frameworks, bias monitoring, and contextual awareness ensure systems are fair, reliable, and compliant. For most companies, aligning with standards like ISO/IEC 42001 (AI management) and ISO/IEC 27001 (security) can help establish structured practices. My recommendation: develop a data governance playbook early, incorporate bias detection and context validation into the AI lifecycle, and document every decision for accountability. This not only ensures regulatory compliance but also builds user trust.

From Compliance to Trust: Rethinking Security in 2025

Understand how the ISO/IEC 42001 standard and the NIST framework will help a business ensure the responsible development and use of AI

Analyze the impact of the AI Act on different stakeholders: autonomous driving

Identify the rights of individuals affected by AI systems under the EU AI Act by doing a fundamental rights impact assessment (FRIA)

Building Trust with High-Risk AI: What Article 15 of the EU AI Act Means for Accuracy, Robustness & Cybersecurity

From Compliance to Confidence: How DISC LLC Delivers Strategic Cybersecurity Services That Scale

Secure Your Business. Simplify Compliance. Gain Peace of Mind

Managing Artificial Intelligence Threats with ISO 27001

Tags: AI Data Governance