DISC InfoSec blogAI Governance Playbook Archives

May 19 2026

50 Companies, 1 AI Model, 271 Firefox Bugs: What Project Glasswing Means for AI Governance

Category: AI Governance,AI Governance Enforcement — disc7 @ 7:39 am

When AI Finds Bugs Humans Missed for 27 Years, Your Governance Playbook Needs to Change

Last month, Anthropic announced Project Glasswing.

Fifty of the most consequential technology and financial institutions on the planet — Apple, Google, Microsoft, AWS, Nvidia, Cisco, Broadcom, Palo Alto Networks, CrowdStrike, JPMorgan Chase, the Linux Foundation, and roughly forty more — are now part of a coordinated effort to use a single AI model, Claude Mythos Preview, to find and fix vulnerabilities in the software the rest of us depend on.

Mozilla has already gone public with results. Firefox 150 shipped with 271 vulnerabilities patched in a single release, surfaced by Mythos in about four weeks of focused work. One of those bugs had quietly survived 27 years inside OpenBSD — an operating system whose entire identity is built around being unbreakable.

Read that again. Twenty-seven years of expert human review missed what an AI surfaced in under a month.

That’s the headline. The headline isn’t the story.

The real story is what this does to governance

For two decades, the answer to “how do I trust this software?” has been a stack of artifacts: SOC 2 reports, penetration tests, vendor questionnaires, patch cadence policies. Those artifacts assume a world where vulnerability discovery is bottlenecked by human expertise.

That assumption just broke.

When one AI can audit every line of code in a major operating system and write working exploit code for the bugs it finds, three things move at the same time:

The bar for “reasonable security” shifts. Insurers, regulators, and enterprise buyers will start asking whether vendors use AI-assisted code review. Vendors who can’t answer cleanly will be a different risk category by 2027.

The window between patch and exploit collapses. Attackers have always reverse-engineered patches. AI compresses that work from days to minutes. If your mean time to patch critical vulnerabilities is north of 30 days, that window is materially more dangerous than it was last year.

Disclosure infrastructure shows its age. CISA’s coordinated disclosure process and the CNA framework were designed for human-paced research. They were not built for a coalition of fifty organizations running a model that finds thousands of zero-days on a quarterly cadence.

Where AI Governance comes in

I’ve spent the last two years implementing ISO/IEC 42001 in production — including taking ShareVault, a virtual data room serving M&A and financial services clients, through a successful Stage 2 audit.

That work taught me one thing clearly: AI governance is not a downstream compliance exercise. It’s the operating layer for trust.

Glasswing is the most visible signal yet that the governance question is moving from “should we use AI in security-critical workflows?” to “what controls govern its use, who has access, and how do we verify the answers?” That’s the question every framework — ISO 42001, NIST AI RMF, the EU AI Act — was built to answer. Most organizations haven’t actually mapped controls to use cases yet. The ones who do this quarter will own the conversation in 2027.

Your next quarterly agenda

Update vendor due diligence. Add one question to every security review: “Do you use AI-assisted code review or vulnerability scanning, and what governance controls sit around it?” You don’t need a perfect answer. You need to know who’s thinking about it.
Validate actual patch performance — not the policy, the numbers. Mean time to patch critical CVEs is now a material disclosure conversation.
Call your cyber insurance broker and ask whether AI-audited code is showing up in renewal questionnaires yet. If not this year, when. Get ahead of the question.
Map this to your AI governance framework. ISO 42001, NIST AI RMF, and the EU AI Act give you the scaffolding. Skip the mapping exercise and you’ll be re-engineering it under audit pressure.
Brief your board. Not on the technology. On the shift in what “reasonable security” now means.

Where this goes next

Glasswing is a coalition of fifty today. Capabilities like Mythos always proliferate — Anthropic itself estimates comparable models will be broadly available within 6 to 18 months. When that happens, defenders lose their head start.

Here’s where I think the next two years go:

AI governance becomes the language of trust. Procurement, insurance, and audit conversations will increasingly turn on whether you can produce evidence — not policy, evidence — that your AI use is governed. ISO 42001 certifications and EU AI Act conformity assessments will start showing up in RFP scoring criteria the way SOC 2 did a decade ago.

The “vCAIO” role becomes real. Most mid-market companies will not hire a full-time Chief AI Officer in 2026 or 2027. They will retain fractional governance leadership the same way they did with vCISOs after 2015. The work is similar: control mapping, risk register, board reporting, audit readiness.

Tools without process will look like theater. The organizations that come out ahead won’t be the ones that panic-buy an AI security platform. They’ll be the ones that built the governance muscle — control mappings, role definitions, audit evidence, escalation paths — before the capability was everywhere.

Financial data rooms are the hard mode of compliance. If governance works there, it works anywhere. That’s the bar I’ve been holding myself to, and it’s the bar I’d encourage you to hold your vendors to.

One question for you: Do you actually know whether the vendors in your stack use AI in their code review process? If you don’t — that’s the conversation to start this week.

If you’re working through what Glasswing-class capabilities mean for your AI governance program, I’m happy to think it through with you. DM me below.

Disc | Principal Consultant, DISC InfoSec ISO 42001 & ISO 27001 Lead Implementer | CISSP, CISM | PECB Authorized Training Partner Lead implementer for ShareVault’s ISO/IEC 42001 certification — passed Stage 2 audit

The AI Governance Quick-Start: Defensible in 10 Days, Not 4 Quarters

DISC InfoSec is an active ISO 42001 implementer and PECB Authorized Training Partner specializing in AI governance for B2B SaaS and financial services organizations.

AI Attack Surface ScoreCard

AI Vulnerability Scorecard: Discover Your AI Attack Surface Before Attackers Do

Your Shadow AI Problem Has a Name-And Now It Has a Score

Most AI Security Tools Won’t Pass an Audit. Here’s a 15-Minute Way to Find Out.

AIMS and Data Governance – Managing data responsibly isn’t just good practice—it’s a legal and ethical imperative

Schedule a consultation or drop a note below: info@deurainfosec.com

Tags: AI Governance Playbook

Comments (0)

Mar 31 2026

Which AI Governance Framework Should You Adopt First? A Practical Guide for U.S., EU, and Global Organizations

Category: AI Governance,ISO 42001 — disc7 @ 9:28 am

ISO/IEC 42001, the EU AI Act, and the NIST AI Risk Management Framework (AI RMF) represent three distinct but complementary approaches to governing artificial intelligence. ISO 42001 is a formal management system standard designed to institutionalize AI governance within organizations. Its core concept is continuous improvement through structured controls, with a primary focus on embedding AI risk management into business processes. It applies broadly across industries and is certifiable, making it attractive for organizations seeking formal assurance. Its scope covers governance, lifecycle management, and accountability, using a risk-based, auditable approach. Globally, it is emerging as the backbone for standardized AI governance, especially for enterprises seeking international credibility.

The EU AI Act is fundamentally different, operating as a regulatory framework rather than a voluntary standard. Its core concept is risk classification of AI systems (e.g., unacceptable, high-risk), with a primary focus on protecting individuals’ rights and safety. It applies to any organization that develops, deploys, or offers AI systems within the European Union, regardless of where the company is based. Compliance is mandatory, not certifiable, and enforced through legal mechanisms. Its scope is extensive, covering use cases, data governance, transparency, and human oversight. The risk approach is prescriptive and tiered, and its global impact is significant, as it effectively sets a de facto regulatory benchmark for companies operating internationally.

The NIST AI RMF takes a more flexible, guidance-driven approach. Its core concept is trustworthy AI built on principles like fairness, accountability, and transparency. The primary focus is helping organizations identify, assess, and manage AI risks without imposing strict requirements. It is applicable to organizations of all sizes, particularly in the U.S., but is not certifiable or legally binding. Its scope spans the AI lifecycle, emphasizing governance, mapping, measurement, and management functions. The risk approach is adaptive and contextual rather than prescriptive. Globally, it serves as a practical playbook and is widely referenced as a baseline for AI risk discussions.

When compared, ISO 42001 provides structure and certifiability, the EU AI Act enforces legal accountability, and NIST AI RMF offers operational flexibility. ISO is ideal for organizations wanting to operationalize governance programs with measurable controls. The EU AI Act is unavoidable for companies interacting with EU markets, demanding strict adherence to compliance requirements. NIST AI RMF, meanwhile, is best suited for organizations seeking to mature their AI risk posture without the overhead of certification or regulatory burden.

Together, these frameworks form a layered model of AI governance: NIST AI RMF as the foundation for understanding and managing risk, ISO 42001 as the system for institutionalizing and auditing those practices, and the EU AI Act as the regulatory overlay enforcing accountability. Organizations that align across all three are better positioned to move from reactive compliance to proactive, continuous AI risk management—something that is quickly becoming a competitive differentiator in the global market.

If you’re deciding which framework to adopt first, the answer isn’t “one-size-fits-all”—it depends heavily on where you operate, your regulatory exposure, and how mature your AI usage is. But there is a practical sequencing that works in most real-world scenarios.

🇺🇸 U.S.-based organizations (like you in California)

Start with NIST AI Risk Management Framework.

The reason is simple: it’s flexible, fast to adopt, and aligns well with how U.S. companies already think about risk (similar to NIST CSF). It gives you an immediate way to structure AI governance without slowing innovation.

From a vCISO or GRC standpoint, this is your “operational foundation”—you can quickly map risks, define controls, and start producing defensible outputs for clients or regulators.

👉 My take: If you skip this step and jump straight into compliance-heavy frameworks, you’ll create “paper governance” without real risk visibility.

🇪🇺 If you touch EU markets (customers, users, or data)

Prioritize the EU AI Act immediately—even before anything else if exposure is high.

This is not optional. If your AI system falls into “high-risk,” you’re dealing with legal obligations, audits, and potential penalties.

👉 My take: This is the “hard boundary” framework. It defines what you must do, not what you should do.

Even U.S. companies often underestimate this—if your product scales, EU rules will reach you faster than expected.

🌍 When you want credibility, scale, or enterprise trust

Adopt ISO/IEC 42001 after you’ve operationalized risk (typically after NIST AI RMF).

ISO 42001 is where governance becomes institutionalized and auditable. It’s especially valuable if you:

Sell to enterprises
Need third-party assurance
Want to productize your AI governance (e.g., your DISC InfoSec offering)

👉 My take: This is your “trust multiplier.” It turns internal practices into something marketable and defensible.

🔑 Practical adoption sequence (what I recommend)

For most organizations (especially in the U.S.):

Start with NIST AI RMF → build real risk visibility
Overlay EU AI Act (if applicable) → ensure regulatory compliance
Formalize with ISO 42001 → scale, certify, and monetize trust

💡 My blunt perspective

If you start with ISO 42001 → you risk over-engineering too early
If you ignore EU AI Act → you risk legal exposure
If you skip NIST AI RMF → you risk fake governance (compliance theater)

Comparing of ISO 27001 with ISO 42001

ISO/IEC 42001 builds directly on the structure of ISO/IEC 27001, so at first glance the two frameworks look similar in clauses, risk assessment approach, and use of Annex A controls. However, their intent and scope diverge significantly. ISO 27001 is inward-focused, centered on protecting an organization’s information assets and managing risks that could impact the business. In contrast, ISO/IEC 42001 is outward-looking and expands accountability beyond the organization to include impacts—both negative and positive—on society, individuals, and other stakeholders arising from AI use. It also shifts emphasis from purely information protection to governance of AI-driven products and services, making it closer to a quality management system in practice. Key differences include the introduction of AI system impact assessments (evaluating societal harms and benefits), distinct and more AI-specific Annex A controls, and additional guidance annexes. While many governance elements (e.g., audits, nonconformities) remain structurally similar, ISO 42001 requires deeper scrutiny of ethical, societal, and product-level risks, making it broader, more externally accountable, and more aligned with AI lifecycle management than ISO 27001.

At DISC InfoSec:
👉 “We move you from AI chaos → risk visibility → compliance → certification”

AI Governance Playbook: How to Secure, Control, and Optimize Artificial Intelligence Initiatives

At DISC InfoSec, we help organizations navigate this landscape by aligning AI risk management, governance, security, and compliance into a single, practical roadmap. Whether you are experimenting with AI or deploying it at scale, we help you choose and operationalize the right frameworks to reduce risk and build trust. Learn more at DISC InfoSec.

Tags: AI Governance Playbook, EU AI Act, ISO 42001, NIST AI RMF

Comments (2)

DISC InfoSec blog