AIRiskAware


Cybersecurity 10 min read 2026

AI and Cyber Risk: The CISO's Governance Framework for AI Security

AI creates new cybersecurity attack surfaces, enables more sophisticated attacks, and introduces AI-specific vulnerabilities such as model poisoning and adversarial inputs. This article sets out an integrated AI security and governance framework for CISOs.


Key Takeaways

  • AI creates three distinct cybersecurity governance challenges: AI as a threat amplifier (AI-enabled attacks), AI as an attack surface (securing AI systems themselves), and AI as a defensive tool (AI-powered security tools and their governance).

  • AI-specific attack vectors that CISOs must assess: prompt injection (manipulating AI outputs through crafted inputs), model poisoning (corrupting AI training data or models), adversarial examples (inputs designed to cause AI misclassification), and data extraction (recovering training data from AI models).

  • CPS 234 (APRA's information security standard), NIST Cybersecurity Framework, and ISO 27001 all apply to AI systems — AI systems are information assets and must be within the scope of the organisation's information security management system.

  • AI supply chain security is a specific CISO concern — AI models and training pipelines inherited from third parties may contain embedded vulnerabilities, backdoors, or malicious functionality that traditional security testing does not detect.

  • GenAI in the security operations centre: AI-powered security tools (SIEM AI, threat intelligence AI, incident response AI) require the same governance as other enterprise AI — their outputs must be supervised, their limitations understood, and their decision-making accountable.

"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for specific guidance."

Why AI changes the CISO's job

For Chief Information Security Officers, AI is simultaneously the largest new threat vector and the largest new defensive capability. The CISO's responsibility has fundamentally expanded — AI systems are now part of the attack surface that must be secured, AI-enabled threats are part of the threat landscape that must be defended against, and AI-driven security tools are part of the defensive toolkit that must be governed. According to the World Economic Forum's Global Cybersecurity Outlook 2025, 72% of organisations reported that cyber risk increased over the past year. Darktrace's 2025 survey found 78% of CISOs report significant impact from AI-powered cyber threats, with 93% expecting daily AI attacks within the next year.

The 2026 reality is that AI has been deployed across the enterprise faster than security governance has been built around it. Saviynt's 2026 survey of over 200 CISOs found that AI systems already have meaningful access — often with privilege levels no one explicitly granted. Someone plugged in a copilot in a SaaS tool, an engineering team tested an agent, a business unit installed an assistant. None felt significant in isolation, but collectively they create systems acting on behalf of people without the governance structures that apply to human access. CISOs must now retrofit governance onto an AI footprint they did not authorise.

The four new threat categories CISOs must address

Threat 1: Prompt injection and jailbreaking. Adversaries craft inputs designed to override AI system instructions and trigger unauthorised actions. The Cloud Security Alliance's 4 April 2026 CISO Daily Briefing confirmed active exploitation: Claude Code exploited via malicious GitHub markdown files; zero-click agentic browser session hijacking documented; "PleaseFix" technique enables covert instruction channels. Prompt injection is no longer theoretical — it is in production environments. Defending requires content filtering, instruction hierarchy enforcement, and runtime monitoring of agent behaviour for off-policy actions.

Threat 2: Data leakage through AI systems. AI systems require broad access to proprietary or sensitive data to function. Without strict access controls, these permissions create searchable exposure of payroll, customer, or intellectual property data. Employees pasting confidential information into consumer-tier AI tools is a leakage path that did not exist three years ago. Enterprise-tier tools with training-data opt-out are baseline controls. Data loss prevention (DLP) tools must be extended to AI endpoints.
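How a DLP control extended to AI endpoints works in practice, as an added example that is not from the article: the gate scans a prompt before it leaves for an external model, flags access keys, Luhn-valid card numbers and data-classification labels, and returns a redacted copy that is safe to forward or log. The detectors and the sample prompt are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed detectors for this example (not from the article): an AWS-style
# access key ID, a data-classification label, and 13-19 digit runs validated
# with the Luhn check so ordinary reference numbers are not flagged as cards.
ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
CLASSIFICATION = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit counting from the right."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class ScanResult:
    findings: list  # (kind, matched_text) pairs
    redacted: str   # prompt with findings replaced; safe to forward or log

    @property
    def blocked(self) -> bool:
        return bool(self.findings)


def scan_prompt(text: str) -> ScanResult:
    """DLP gate for text leaving the organisation towards an AI endpoint."""
    findings = [("access_key", m.group()) for m in ACCESS_KEY.finditer(text)]
    findings += [("card_number", m.group()) for m in CARD_CANDIDATE.finditer(text)
                 if luhn_ok(re.sub(r"\D", "", m.group()))]
    findings += [("classification_label", m.group()) for m in CLASSIFICATION.finditer(text)]
    redacted = text
    for kind, value in findings:
        redacted = redacted.replace(value, f"[REDACTED:{kind}]")
    return ScanResult(findings, redacted)


# Constructed prompt of the kind an employee might paste into a consumer AI tool.
# The 13-digit order reference fails Luhn and is left alone; the card is caught.
SAMPLE_PROMPT = ("Summarise order ref 1234567890123: card 4111 1111 1111 1111 declined. "
                 "Bucket key AKIAIOSFODNN7EXAMPLE. Marked CONFIDENTIAL.")
```

Wired in front of the proxy or browser extension that reaches the AI vendor, the `blocked` flag drives the block-or-redact decision and `findings` feed the SIEM.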

Threat 3: Model poisoning and supply chain compromise. Adversaries can poison training data, contaminate fine-tuning datasets, or distribute compromised pre-trained models. The OpenClaw vulnerabilities (November 2025) demonstrated agentic AI supply chain risk: a critical one-click remote code execution flaw, command injection vulnerabilities, and approximately 12% of skills on the public marketplace containing malware. Cybersecurity firm Censys found over 21,000 OpenClaw instances exposed to the internet leaking unencrypted API keys, login tokens, and credentials.

Threat 4: Identity and access management for non-human actors. Traditional IAM was built for human users. AI agents operating with their own credentials, escalating privileges, and chaining actions across systems do not fit those frameworks. APRA explicitly named this gap in its 30 April 2026 letter to Australian financial services. The strategic answer is Zero Trust extended to non-human identities (NHIs) — every agent operating under strict least-privilege principles, with continuous authorisation rather than session-based trust.
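The runtime control that Threats 1 and 4 both call for, as an added example not taken from the article or any product: every tool call an agent proposes is authorized against a least-privilege policy for that non-human identity (continuous authorization, not session trust), and off-policy attempts are logged as the signal for prompt-injection monitoring. The agent names, tools and policy are constructed for illustration.

```python
import logging
import re

# Constructed least-privilege policy for two hypothetical agent identities
# (not from the article or any product): tool -> regex of permitted resources.
AGENT_POLICY = {
    "invoice-triage-agent": {
        "read_ticket": r"^TICKET-\d+$",
        "read_invoice": r"^INV-\d+$",
    },
    "payroll-report-agent": {"read_payroll_summary": r"^(summary|ytd)$"},
}

logger = logging.getLogger("agent-authz")


def authorize_action(agent_id: str, tool: str, resource: str) -> tuple[bool, str]:
    """Continuous authorization: each action is checked against the agent's
    granted scope, rather than trusting the session once at start."""
    tools = AGENT_POLICY.get(agent_id)
    if tools is None:
        return False, "unknown agent identity"
    pattern = tools.get(tool)
    if pattern is None:
        return False, f"tool {tool!r} not granted to {agent_id}"
    if not re.fullmatch(pattern, resource):
        return False, f"resource {resource!r} outside scope of {tool!r}"
    return True, "in policy"


def run_agent_actions(agent_id: str, actions: list[dict]) -> list[dict]:
    """Gate each proposed tool call and return an audit trail; blocked calls
    are the off-policy behaviour that runtime monitoring should alert on."""
    trail = []
    for act in actions:
        allowed, reason = authorize_action(agent_id, act["tool"], act["resource"])
        record = {"agent": agent_id, **act, "allowed": allowed, "reason": reason}
        if not allowed:
            logger.warning("off-policy action blocked: %s", record)
        trail.append(record)
    return trail


# Constructed sample run: the first two calls are the agent's normal work; the
# last two are out of scope for the triage agent and must be refused.
SAMPLE_ACTIONS = [
    {"tool": "read_ticket", "resource": "TICKET-1042"},
    {"tool": "read_invoice", "resource": "INV-88120"},
    {"tool": "read_payroll_summary", "resource": "ytd"},  # tool never granted
    {"tool": "read_invoice", "resource": "*"},  # wildcard outside granted scope
]


def count_off_policy(agent_id: str = "invoice-triage-agent") -> int:
    """Number of blocked actions in the sample run (2 for the triage agent)."""
    return sum(not r["allowed"] for r in run_agent_actions(agent_id, SAMPLE_ACTIONS))
```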

OWASP Top 10 for LLM Applications — the baseline

The OWASP Top 10 for LLM Applications is the de facto baseline framework CISOs should adopt for AI security. Yet Moody's 2025 Cyber Survey found only 29% of global organisations follow it. The OWASP categories include: prompt injection (LLM01); insecure output handling (LLM02); training data poisoning (LLM03); model denial of service (LLM04); supply chain vulnerabilities (LLM05); sensitive information disclosure (LLM06); insecure plugin design (LLM07); excessive agency (LLM08); overreliance (LLM09); and model theft (LLM10). For agentic AI, OWASP has issued additional guidance addressing tool misuse, memory poisoning, cascading failures, and supply chain attacks specific to autonomous agents.

AI-enabled offensive threats — what CISOs are defending against

AI is changing the offensive landscape. AI now generates 40% of phishing emails targeting businesses according to Cobalt's cybersecurity statistics. Phishing campaigns using AI-generated personalised content achieve materially higher success rates than template-based campaigns. DryRun Security found 87% of AI-generated pull requests introduce vulnerabilities, and GitGuardian identified 28.65 million new hardcoded secrets in public repositories — AI-assisted coding is producing security defects at scale.

Deepfakes and voice cloning are operational threats. CFO fraud attempts using AI-generated voice or video impersonating executives have moved from anecdotal to common. CISOs must update authentication and authorisation procedures for high-value financial transactions and sensitive communications — single-factor voice or video verification is no longer sufficient.

The framework alignment — NIST AI RMF + ISO 42001 + EU AI Act

CISOs do not need to invent a new AI security framework. The NIST AI Risk Management Framework provides the foundation (Govern, Map, Measure, Manage functions), with the December 2025 NIST IR 8596 preliminary draft bridging the AI RMF with the Cybersecurity Framework 2.0. ISO/IEC 42001:2023 provides the certifiable management system. The EU AI Act provides the legal obligation for organisations operating in or supplying EU markets. For CISOs already operating under ISO 27001 information security management, adding ISO 42001 follows the same Plan-Do-Check-Act methodology and integrates with existing governance documentation.

NIST AI 600-1 (Generative AI Profile, July 2024) addresses LLM-specific risks. The April 2026 NIST concept note for an AI RMF Profile on Trustworthy AI in Critical Infrastructure will provide sector-specific guidance for critical infrastructure CISOs.

What CISOs should have in place by end of 2026

By the end of 2026, CISOs should have the following in place:

  • An AI inventory covering every AI system deployed (including embedded vendor AI features and shadow AI procured outside IT governance).

  • AI-specific adversarial testing (prompt injection probing, jailbreak chaining, data exfiltration scenarios, agentic workflow assessment) conducted as an ongoing capability, not an annual exercise.

  • IAM extended to non-human identities under Zero Trust principles by Q2 2026, in line with current industry guidance.

  • DLP and SaaS security posture management (SSPM) tools updated to detect AI endpoint usage and policy violations.

  • Incident response playbooks updated to address AI failure modes specifically (prompt injection compromise, model behaviour drift, agent action breach).

  • Vendor risk management updated for AI vendors, including SBOM disclosure, security testing evidence, and incident notification obligations.

  • Board reporting on AI risk specifically. APRA has confirmed this is required in regulated financial services; it is increasingly expected across regulated sectors.

Related reading

Further reading: ASD ACSC Agentic AI Guidance