DISC InfoSec blogAI Risk Register Archives

Jun 01 2026

Four risks, three frameworks, and what real-world mapping across ISO 27001, ISO 42001, and NIST 800-53 Rev. 5 actually looks like

Category: AI Risk,Information Security,ISO 27k,ISO 42001,NIST CSF — disc7 @ 9:52 am

Your Risk Register Is Probably Built Backwards

Four risks, three frameworks, and what mapping ISO 27001, ISO 42001, and NIST 800-53r5 actually looks like in practice.

Most risk registers are built backwards. Someone exports a control list from a framework, generates a row for each control, and reverse-engineers a “risk” to justify it. The result looks comprehensive and tells you almost nothing useful. Auditors recognize it on sight.

A working risk register starts from the other direction — from the business issue. What could materially hurt the company? What’s the mechanism? What controls actually move the needle? Then the framework mapping comes in, and only as a way to evidence that the controls you already need are also the ones the standards expect.

This post walks through four risks. Four come from a live register at a SaaS platform serving M&A and financial services clients — ISO 42001 & ISO 27001 certified. The fourth is the risk almost every SMB is currently running without measuring, and the one I expect to dominate AI-era incident reports for the next two years.

Risk 1 — Outdated Spring Framework and Spring Security

The business issue. The core application is running on Spring Framework 5.3.39 and Spring Security 5.8.16. Both are end-of-OSS-support. Both are missing fixes for high and critical CVEs that have been public for over a year. The framework underlies every authenticated request the platform serves, so the blast radius of any successful exploit is the entire customer base.

Contributing risk factors. Framework upgrades are the kind of work that gets deferred because nothing visibly breaks when you skip a quarter — until something does. Contributing factors typically include: engineering capacity prioritized toward customer-visible features, breaking-change risk in major Spring upgrades, dependency entanglement with libraries that pin to older Spring versions, and the absence of a configuration-as-code baseline that would make environment-by-environment upgrades safer to attempt.

How it relates across domains.

InfoSec: Direct exposure. Spring4Shell-class vulnerabilities and Spring Security authentication-bypass CVEs are not theoretical — they have working exploits, EDR signatures, and threat-actor playbooks.
Privacy: Indirect but real. An authentication bypass against a platform processing M&A diligence rooms means unauthorized access to highly sensitive personal and corporate data. GDPR Article 32 (security of processing) becomes the relevant hook.
Compliance: Indefensible at audit. “We are running a framework with known unpatched critical CVEs” is not a position you want to be in during a customer security questionnaire or an ISO 27001 surveillance audit.
AI governance: Tangential. But worth noting: if AI features depend on the same framework, the AI system’s confidentiality and integrity properties inherit the framework’s weaknesses. ISO 42001 expects you to know that.

Compensating controls already in place. CrowdStrike EDR, WAF, network segmentation, MFA, session controls. These reduce — but do not eliminate — exposure. They buy time. They are not a substitute for the upgrade.

Risk 2 — Hidden or Backdoor Functionality in Major Vendor Software

The business issue. Major vendor software in the stack (Apache Tomcat as one example, but the category is broader) could contain undocumented functionality — whether maliciously inserted, accidentally shipped, or buried in a dependency three layers deep. Recent industry events have made this category move from “theoretical supply-chain hand-wringing” to “the thing your insurance carrier asks about by name.”

Contributing risk factors. Vendor opacity. Lack of reproducible builds. Incomplete or absent SBOMs for transitive dependencies. The economic reality that even diligent vendor management cannot inspect code you do not have. The increasing sophistication of nation-state actors targeting widely deployed open-source components as a force multiplier.

How it relates across domains.

InfoSec: Detection is the only realistic primary control. You will not prevent this at the source — you will catch it through behavioral monitoring, anomaly detection, and network segmentation that limits what a compromised component can reach.
Privacy: If the compromised component handles personal data, you are looking at notification obligations under GDPR Article 33/34 and U.S. state breach laws. Processor relationships (Article 28) make this messier — you may be on the hook for a sub-processor’s exposure.
Compliance: Supply-chain assurance is one of the fastest-growing audit focus areas across ISO 27001:2022 (A.5.19–A.5.22), SOC 2, and regulator guidance. “We trusted the vendor” is not an acceptable answer anymore.
AI governance: If AI components or models come from third-party vendors — and most do, somewhere in the pipeline — supply-chain integrity extends to model weights, training datasets, and inference infrastructure. ISO 42001 A.10 (third-party and customer relationships) is the natural home for this.

Compensating controls already in place. Vendor management program, SBOM where available, CrowdStrike EDR for behavioral detection, network segmentation, Sumo Logic for anomaly detection, monitoring of third-party security research feeds.

Risk 3 — AI Feature Produces Misleading or Biased Output in Customer Use

The business issue. AI features in production — for example, financial, healthcare, or M&A document summarization and redaction recommendations — could produce outputs that are misleading, biased, or wrong in ways customers cannot easily detect. In a high-stakes diligence context, a confidently incorrect summary or a missed redaction is not a minor UX (User Experience) issue. It is a trust event, potentially a liability event, and depending on jurisdiction a regulatory event.

Contributing risk factors. Model limitations (every model has them; vendors do not always disclose them in operational terms). Training data quality and representativeness. Insufficient human-in-the-loop review for high-stakes outputs. Lack of structured output validation. The general gap between how AI systems are marketed and how they behave under tail-case inputs.

How it relates across domains.

InfoSec: Indirect. The risk is not confidentiality or integrity of the system — it is integrity of the output. This is the category where pure infosec frameworks run out of language and AI-specific governance has to take over.
Privacy: Direct under GDPR. Article 22 (automated decision-making), Articles 13–14 (transparency obligations), Article 5 (accuracy and fairness principles), and Article 35 (DPIA threshold) all engage when AI output materially affects an individual or a transaction.
Compliance: ISO 42001 is the primary frame. The 27001 hooks are thin and forcing them dilutes the analysis — bias and misleading output is genuinely a 42001-domain risk and should be scored there.
AI governance: This is the canonical ISO 42001 risk. Clause 8.3 (AI system impact assessment), Annex A.6.2.4 (system validation), A.7.4 (data quality), A.9.2 (operation), A.6.2.6 (system monitoring) — the entire 42001 spine engages here.

Compensating controls already in place. ISO 42001 AI management system controls, AI feature review and approval process, human-in-the-loop for high-stakes outputs, customer disclosure of AI use, model performance monitoring, output validation in QA, AI impact assessment process where threshold is met.

Risk 4 — Uncontrolled Data Exposure Through Shadow AI and Connected AI Tools

This is the most prolific AI security risk facing SMBs today, and it is almost universally underweighted on the registers I see. Most SMBs are running it actively, right now, without measuring it.

The business issue. Employees use consumer AI tools — ChatGPT free tier, Gemini, personal Claude accounts, AI meeting note-takers, AI browser extensions, AI plug-ins inside Slack and Notion and Chrome — to do real work. They paste customer data, source code, draft contracts, financial records, internal communications, and partner data into systems the company has no contractual relationship with, no DPA from, no visibility into, and often no acceptable use policy covering.

The connected AI tools half of this risk is the more dangerous one. A sanctioned AI meeting notetaker plugged into the corporate calendar. An AI sales assistant connected to the CRM. An AI coding agent with repository access. An AI feature that a SaaS vendor turned on in their latest release without prompting a fresh security review. Each of these has authenticated access to substantial corporate data. Each was typically procured department-by-department without going through vendor risk review, security review, or a DPIA. The aggregate data exposure is much larger than any individual decision-maker realized when they clicked “enable.”

Contributing risk factors. No AI acceptable use policy, or one that exists but is not enforced. No technical controls — no CASB, no DLP that recognizes AI endpoints, no browser-level AI gating. Consumer AI free tiers without enterprise-grade data protections (training opt-out, retention controls, audit logs). Procurement workflows that do not catch “this SaaS tool also has AI features now,” which by 2026 describes nearly every SaaS tool in the stack. BYOD environments where the company has no visibility into what is running. The general pace at which vendors are shipping AI features faster than security teams can review them.

How it relates across domains.

InfoSec: This is data exfiltration through user behavior rather than through exploit. The “attacker” is well-intentioned employees getting work done. That makes it the hardest category for traditional security tooling — there is no malware signature, no anomalous network destination if the AI tool runs in a sanctioned browser, no exfil pattern that EDR catches. Detection has to come from policy, awareness, DLP that understands AI endpoints, and vendor management.
Privacy: This is the heaviest privacy exposure on the register. Sending PII or customer data to an AI tool the company has no DPA with is a probable subprocessor violation under GDPR Article 28 and a likely CCPA issue. Purpose limitation (Article 5(1)(b)) and accuracy (Article 5(1)(d)) both engage. If the AI tool retains data for training, you have lost control of customer information you contractually promised to protect — and you may not be able to get it back.
Compliance: B2B SaaS customer contracts increasingly carry explicit subprocessor lists, data residency clauses, and prohibitions on sending customer data to AI training. Shadow AI usage breaks every one of those simultaneously. SOC 2 CC9.2 (vendor management) and ISO 27001 A.5.19–A.5.22 are the audit hooks. For regulated customers (financial services, healthcare), this can be a contract termination event.
AI governance: ISO 42001 covers this even when the AI is being used informally rather than deployed as a product. A.9.3 (responsible use) and A.5.2–A.5.5 (AI policy framework) apply to ad-hoc internal usage. This is exactly the gap that catches SMBs without an AI management system in place.

A note on the SMB profile specifically. Enterprises have legal, procurement, and security teams that can absorb some of this risk through process. SMBs typically do not. The 30-person SaaS company where everyone has admin on their own laptop and procures their own SaaS tools is the canonical Shadow AI environment. Most don’t know what data is being sent where, and most have no realistic path to find out without first putting policy and tooling in place. The good news: this is the risk where the early-stage investments — an AI AUP, vendor inventory, awareness training, browser-level controls — produce disproportionate residual-risk reduction.

Compensating controls in a mature program. AI acceptable use policy, AI vendor inventory, AI-aware DLP, browser-level controls or CASB enforcement on AI endpoints, awareness training that names specific tools and specific behaviors, procurement gates that flag AI features in new and renewing contracts, periodic spot-checks of connected AI integrations across the SaaS estate.

The Control Matrix

The table below maps each risk to the controls that actually do the work — not every control that could conceivably touch the risk, just the ones that move residual exposure. The NIST column is split: 800-53r5 for the technical and operational risks where it has strong native coverage, NIST AI RMF for the AI-specific risks where 800-53 underperforms.

Risk	ISO 27001:2022	ISO 42001	NIST 800-53r5 / AI RMF
Outdated Spring Framework / Spring Security	A.8.8 (vulnerability management), A.8.25 (secure dev lifecycle), A.8.27 (secure system architecture), A.8.28 (secure coding), A.8.31 (dev/test/prod separation), A.5.17 (authentication information), A.8.5 (secure authentication)	A.6.2.5 (AI system requirements and specification — where Spring underpins AI features)	800-53r5: RA-5 (vulnerability scanning), SI-2 (flaw remediation), SA-3 (system development lifecycle), SA-8 (security and privacy engineering principles), SA-11 (developer testing and evaluation), SA-15 (development process, standards, tools), IA-2 (identification and authentication), IA-5 (authenticator management), CM-7 (least functionality), CM-8 (system component inventory)
Hidden / backdoor functionality in vendor software	A.5.19 (information security in supplier relationships), A.5.20 (addressing security in supplier agreements), A.5.21 (managing ICT supply chain), A.5.22 (monitoring supplier services), A.5.23 (information security for cloud services), A.8.8 (vulnerability management), A.8.16 (monitoring activities), A.8.28 (secure coding)	A.10.2 (allocation of responsibilities), A.10.3 (suppliers) — plus B.8 processor controls where Organization’s acts as processor	800-53r5: SR-3 (supply chain controls and processes), SR-6 (supplier assessments and reviews), SR-11 (component authenticity), RA-5 (vulnerability scanning), SI-2 (flaw remediation), SI-4 (system monitoring), AU-6 (audit record review, analysis, and reporting)
AI feature produces misleading or biased output	A.5.34 (privacy and PII protection) — and intentionally light here; this is a 42001 risk	A.6.2.4 (system validation), A.6.2.5 (system requirements), A.6.2.6 (system monitoring), A.6.2.8 (system documentation), A.7.2 (data for AI systems), A.7.4 (data quality), A.7.5 (data provenance), A.8.2 (responsible AI), A.8.3 (AI system impact assessment), A.9.2 (responsible use), A.5.2–A.5.5 (AI policy and governance)	NIST AI RMF: GOVERN-3.2 (AI risk roles and responsibilities), MAP-2.3 (system capabilities and limitations characterized), MEASURE-2.11 (fairness and bias evaluation), MANAGE-4.1 (post-deployment monitoring) — paired with 800-53r5 SA-11, RA-3, PM-31 as proxy controls
Shadow AI / connected AI tool data exposure	A.5.10 (acceptable use of information), A.5.14 (information transfer), A.5.19–A.5.22 (supplier relationships, applied to AI vendors), A.6.3 (information security awareness, education, and training), A.8.3 (information access restriction), A.8.12 (data leakage prevention — legitimate use here), A.8.16 (monitoring activities), A.5.34 (privacy and PII protection)	A.5.2–A.5.5 (AI policy framework), A.6.1.2 (AI objectives — including unsanctioned use boundaries), A.9.2 (responsible use), A.9.3 (use of AI systems), A.10.4 (customers — for downstream data flow impact)	800-53r5: AC-20 (use of external information systems), AC-21 (information sharing), AT-2 (literacy training and awareness), PL-4 (rules of behavior), SC-7 (boundary protection), SI-4 (system monitoring), CA-9 (internal system connections). NIST AI RMF: GOVERN-3.2 (roles and responsibilities), MAP-4.1 (third-party AI considerations), MANAGE-3.1 (AI risks and benefits documented)

A few things worth noticing about this matrix.

First, the AI bias row is intentionally light on ISO 27001. Forcing A.8.12 (DLP) or similar onto an AI bias risk is the kind of stretch that auditors notice and that practitioners do to make registers look symmetrical. Different risks live in different frameworks for a reason.

Second, A.8.12 (DLP) finally finds a legitimate home in the Shadow AI row. That control was the wrong fit for AI output bias, but it is exactly right for AI input leakage. Same control number, completely different risk story — which is part of why control-first registers fail.

Third, the Shadow AI row pulls from all three frameworks at near-equal weight. It is simultaneously a supplier risk, an awareness risk, a boundary-protection risk, an AI-governance risk, and a privacy risk. That cross-cutting profile is part of why it is hard for any single team to own — and part of why it sits unaddressed on so many registers.

Fourth, the supply-chain row pulls A.5.23 (cloud services) and SR-11 (component authenticity) explicitly. These have moved from “nice to have” to “expected” in the last twelve months as the audit community has caught up to the reality of modern dependency graphs.

A Practitioner’s Perspective on Mapping Business Risks to Frameworks

Six things I’ve learned doing this work at the implementation end rather than the consulting-deck end.

Start from the risk, not the control. Every register I have inherited that started from a control list is unusable. The ones that started from “what could materially hurt the business” are the ones that survive contact with an auditor and with reality. Frameworks are evidence, not source material. Shadow AI is the cleanest illustration of this principle in the current threat landscape — start from controls and you map it to DLP and call it done. Start from the business issue and you discover it is a policy gap, a vendor management gap, a training gap, a technical controls gap, and a privacy gap simultaneously. The controls are the answer. They are not the question.

Resist the urge to map everything to everything. A clean register has some empty cells. An AI bias risk genuinely does not have strong ISO 27001 coverage, and pretending otherwise dilutes both the risk analysis and the framework. If a column is light, write that down. Auditors prefer honesty over symmetry.

Use the right framework for the risk. NIST 800-53r5 is excellent for infrastructure and operational controls and underperforms on AI-specific risks. NIST AI RMF is purpose-built for the AI risks and has no opinion about your patching cadence. ISO 27001:2022 and ISO 42001 are designed to interlock — let them. The temptation to force one framework to cover everything is the single most common mistake I see in mid-market registers.

Compensating controls are real, but they are not the destination. Every one of the risks above has compensating controls in place. CrowdStrike, WAFs, segmentation, monitoring, human review, awareness training. These reduce velocity and impact. They do not eliminate the underlying issue. A register that scores residual risk as “low” because compensating controls exist — without a plan to remediate the root cause — is telling you a story about itself, not about the risk.

Score the risk the SMB is actually running, not the one the framework imagines. Shadow AI is the canonical example. Most SMB registers either omit it entirely or score it at moderate residual on the strength of an AUP nobody enforces. The honest score reflects what would happen if a customer audited the actual data flows tomorrow. That is usually a different number — and the gap between the two numbers is the value the security function is failing to deliver.

The capability-governance gap is the real risk category. Every one of these four risks is a version of the same problem: technical capability has outrun the governance and operational practices needed to keep it safe. The Spring stack is more complex than the upgrade process can keep up with. The supply chain is deeper than the vendor management program can see. The AI feature is more capable than the output validation can verify. The AI tools employees use are more numerous and more powerful than any inventory the company maintains. The frameworks are useful because they force you to close that gap — not because the controls themselves are magic.

A risk register is a forcing function. It makes you write down what you know, what you do not know, and what you are doing about it. The frameworks are the language you write it in. The business issues are what you are writing about. Get that order right and the register starts doing real work. Get it wrong and you have a document that satisfies no one — not the auditor, not the board, not the engineers who are supposed to fix the problem.

Written from the implementation seat. If you are working through similar risks on your own register — especially Shadow AI, which most SMBs are running unmeasured — DISC InfoSec does this work for B2B SaaS and financial services organizations. vCISO, vCAIO, ISO 42001 and ISO 27001 implementation, AI governance. Reach out: hd@deurainfosec.com.

The AI Governance Quick-Start: Defensible in 10 Days, Not 4 Quarters

DISC InfoSec is an active ISO 42001 implementer and PECB Authorized Training Partner specializing in AI governance for B2B SaaS and financial services organizations.

AI Attack Surface ScoreCard

AI Vulnerability Scorecard: Discover Your AI Attack Surface Before Attackers Do

Your Shadow AI Problem Has a Name-And Now It Has a Score

Most AI Security Tools Won’t Pass an Audit. Here’s a 15-Minute Way to Find Out.

AIMS and Data Governance – Managing data responsibly isn’t just good practice—it’s a legal and ethical imperative