The CISO's AI Governance Brief: Cybersecurity Obligations, AI Attack Surfaces, and NIS 2

AI expands the attack surface, creates new cybersecurity obligations under NIS 2 and sector-specific regulation, and introduces adversarial AI risks most security programs have not addressed. The CISO's practical briefing.

Key Takeaways

AI systems create three new attack surfaces that traditional security programs typically do not cover: the training data pipeline, the model itself, and the AI inference infrastructure.
NIS 2 Directive (EU) and equivalent critical infrastructure cybersecurity rules explicitly apply to AI systems used in essential services — supply chain security obligations now extend to AI vendors.
Adversarial AI — attacks designed to manipulate AI outputs rather than compromise systems — is an active threat in financial services, fraud detection, and content moderation. Traditional security controls do not detect it.
The EU AI Act requires providers and deployers of high-risk AI to implement cybersecurity measures proportionate to the risk — this creates a new cybersecurity compliance obligation beyond sector-specific rules.
Three immediate actions: add AI systems to your asset inventory and threat model, review AI vendor contracts for security obligations, and assess your incident response plan for AI-specific failure scenarios.

"Nur zu Informationszwecken. Dieser Artikel stellt keine rechtliche, regulatorische, finanzielle oder professionelle Beratung dar. Konsultieren Sie einen qualifizierten Spezialisten für spezifische Beratung."

CISO AI governance — where cybersecurity meets AI risk

For CISOs in 2026, AI creates a dual challenge: AI systems are both a new attack surface to defend and a new category of asset to govern. The WEF's Global Cybersecurity Outlook 2025 reported that 72% of organisations say cyber risk has increased. Darktrace's 2025 survey found 78% of CISOs report significant AI threat impact, with 93% expecting daily AI-enabled attacks within a year. AI has moved from a technology concern to a board-level security and governance issue.

The four AI threat categories CISOs must address

Prompt injection and adversarial attacks. The Cloud Security Alliance's April 2026 report confirmed remote code execution through prompt injection in production AI systems. Attack vectors include direct prompt injection, indirect prompt injection through data sources, zero-click agentic browser hijacking, and tool-use manipulation. OWASP's Top 10 for LLM Applications is the baseline reference, though only 29% of organisations follow it (Moody's 2025).

Data leakage through AI. Employees inputting confidential data into consumer AI tools, AI processing personal data beyond authorised scope, training data extraction from models. Saviynt's 2026 survey of 200+ CISOs found that "AI has access no one granted" — AI agents operating with permissions that were never formally authorised through IAM processes.

Model poisoning and supply chain. Compromised training data, malicious fine-tuning, supply chain attacks through AI model repositories. The OpenClaw vulnerability disclosure (November 2025) identified 21,000+ exposed instances with 12% of repository content containing malware.

AI-enabled threats. AI-generated phishing (40% of phishing now AI-generated per Cobalt), AI-assisted code vulnerabilities (87% of AI-generated pull requests contain security flaws per DryRun), deepfakes for social engineering, and automated vulnerability discovery.

APRA's specific CISO-relevant expectations

APRA's 30 April 2026 industry letter named identity and access management for non-human actors (AI agents) as a specific gap. This is directly in CISO territory: AI agents require IAM controls, authentication, authorisation, and audit logging equivalent to human users. CPS 234 (information security) applies to AI systems processing information assets. Adversarial testing — prompt injection, jailbreak, data exfiltration — is expected for material AI systems.

Framework alignment for CISOs

The operational framework stack for CISO AI governance: NIST AI RMF (AI-specific risk management) + NIST Cybersecurity Framework 2.0 (cyber risk management) + NIST IR 8596 (December 2025 preliminary draft bridging both). ISO/IEC 42001 for AI management system + ISO 27001 for information security. OWASP Top 10 LLM for application security. EU AI Act cybersecurity requirements for in-scope AI. CPS 234 for Australian financial services information security.

What CISOs should build

AI-specific security controls. Prompt injection testing, output filtering, input validation for AI systems. Rate limiting and anomaly detection for AI API access. Data loss prevention rules covering AI tool inputs. Network segmentation for AI training and inference infrastructure.

IAM for non-human actors. AI agents, automated workflows, and AI-driven processes need identity management: unique identities, least-privilege access, authentication, audit logging, and access review. This is the gap APRA specifically named.

AI vendor security assessment. Standard third-party risk assessment extended with AI-specific questions: model security testing, training data security, adversarial robustness, incident response for AI-specific failures.

Incident response for AI. AI incidents (model behaviour anomalies, adversarial attacks, data leakage through AI, AI-generated content incidents) need defined response procedures, escalation paths, and reporting obligations.