"We run scans" is no longer a compliance answer. The EU Cyber Resilience Act — passed October 2024, enforcement from 2027 — requires documented, evidenced security testing throughout the development lifecycle. SEC cybersecurity disclosure rules, in force since late 2023, are pushing boards to demonstrate proactive security governance, not just react to incidents. Regulators want dated, reproducible, attributed evidence. A PDF export from a single-model scanner with no audit trail doesn't hold up. Neither does a manual review log that can't be reproduced. Mythos Preparation is built on ProvenanceOne's deterministic agentic platform. Every run is reproducible. Every finding is attributed to the specific AI agents — Claude, GPT-4o, Gemini, Llama — that raised it. That attribution creates a transparent chain of evidence: not just "a scanner flagged this," but which models agreed, which disagreed, and why the finding made it into the final report. The output is a Threat Briefing: a dated, structured artifact your compliance team can attach directly to audit submissions or board packs without reformatting. Security evidence generation stops being a pre-audit scramble and becomes a natural byproduct of your development workflow. See what auditable, multi-model AI security review looks like — and generate your first compliance-ready Threat Briefing today at https://lnkd.in/eukDF9QV #DevSecOps #AppSecurity #AICodeReview #ProvenanceOne
EU Cyber Resilience Act requires documented security testing
More Relevant Posts
-
Following a similar move by the UK Government, the Australian Government has issued an open letter to businesses regarding AI-related cyber risks. The guidance explicitly calls on Boards to elevate their AI literacy to ensure robust governance. Specifically, Boards are expected to:
- Maintain AI Literacy: Develop the technical fluency required to set strategic direction and provide meaningful oversight.
- Align AI Strategy with Risk: Oversee an AI roadmap that fits the organization's risk appetite, backed by rigorous monitoring and reporting.
- Ensure Operational Resilience: Establish clear triggers for intervention, including for third-party dependencies, to take timely action if AI systems deviate from expected performance.

#AIRisk #Governance #BoardofDirectors #AI https://lnkd.in/gESY-Hzm
-
Peter’s observations got me thinking: as AI becomes embedded in critical business processes, our cybersecurity-oriented understanding of “Trust” may need to evolve. In cybersecurity, we’ve fallen into thinking of Trust as something to minimize and make as temporary as possible (e.g. zero trust, strict access boundaries, continuous reverification, and tightly controlled relationships between systems and data access.) But with LLM-driven agents now taking real-world, consequential actions, that framing may be too narrow. We may need to expand our understanding of trust to include not just relationships between systems, people, and data - but also the reliability, validity, adverse-impact risk, and accountability of automatically acting on machine-made (vs. people-supplied) content. Check out what Peter at Integrity Quantitative Advisors has observed.
-
The Five Eyes just published joint guidance on agentic AI security. Six national cyber agencies signed off: CISA, NSA, ASD's ACSC, NCSC-UK, the Canadian Centre for Cyber Security, and NCSC-NZ. The behaviors they describe aren't theoretical. Bridgewell Advisory has been documenting them across commercial and DoD AI environments for over a year: Goal misalignment. Specification gaming. Sycophantic and deceptive behavior. Agents that change behavior under evaluation. Strategic deception, where an agent hides capabilities to avoid being shut down. Cascading failures across components. Accountability gaps where no one can trace who decided what. The Five Eyes conclusion: governance, accountability, monitoring, and human oversight are essential prerequisites, not optional safeguards. That's the problem A3T™ solves. A3T is a governance overlay that constrains how AI systems respond. No model change, no retraining. It enforces truth before completion, silence over fabrication, structure over prompting, human authority over output. The other half is Human Training. Cross-substrate testing across six commercial platforms and two DoD environments documented 19 common failure modes. A3T governance alone resolves 5. A3T plus a trained human operator resolves 11 and mitigates the remaining 8. Humans and AI. Better Together. That's not a tagline. That's what the data shows. And now what the Five Eyes have validated. Read the joint guidance: https://lnkd.in/e4cvs-iz A3T™ and the Behavioral Governance Criteria for AI Acquisition: https://aiasateam.com #AIGovernance #Cybersecurity #DefenseAcquisition #AgenticAI
-
AI Governance Is No Longer Optional. So the Pope just dropped an encyclical about AI governance, and honestly, it’s a wake-up call for everyone in security. The core message is simple—AI can’t be a free-for-all controlled entirely by private companies. That’s got real implications for how we build and secure these systems. For cybersecurity folks like me, this means governance frameworks aren’t boring compliance boxes anymore. They’re becoming actual business requirements. NIST, ISO, Zero Trust—these aren’t just frameworks your company checks off. They’re what separates responsible AI from the kind that keeps regulators and boards up at night. The shift is already happening. How are you thinking about governance in your security strategy?
-
AI is moving fast. Governance needs to move smarter. ISO/IEC 42001 sets a structured path for organizations to manage Artificial Intelligence responsibly, securely, and with clear accountability. In our latest blog, Anzen breaks down the world’s first standard for Artificial Intelligence Management Systems and what it means for businesses building with AI. Read the full blog to understand how AI governance can support trust, compliance, and long-term digital resilience. 🔗 https://lnkd.in/dExY9Fmh #AIGovernance #ISOIEC42001 #ArtificialIntelligenceManagementSystem #AICompliance #RiskManagement #Cybersecurity #ITGovernance #EnterpriseSecurity #ResponsibleAI #AnzenTechnologies #Anzen
-
Blown away by the great conversations at GuidePoint Security’s GPSEC yesterday. The consistent thread across the dialog was that we are in a period of significant disruption. AI-accelerated vulnerability research is creating an exponential rise in vulnerabilities and the AI-accelerated adversary is reducing the time to exploit dramatically. Organizations are leaning in with Horizon3.ai to use proactive and production-safe AI to continuously fight against AI-accelerated threats. Prioritizing precious time and human resources on issues that are truly exploitable in their environment. And finally, validating remediation with proof. Now more than ever we need to cut through noise and use exploitation and the attacker's perspective as the signal. ☕️ Horizon3.ai is the consistent flow of espresso your offensive security capabilities need. #Nodezero Tim Lawrence Devon McFadden Hailey Horton Clint Beasley
-
Whenever I speak with CISOs and senior cybersecurity leaders, the conversation quickly turns to AI and the evolving threat landscape. There’s a real sense of urgency. Organizations are moving quickly to adopt AI, but visibility, governance, and control are still catching up. In this short clip from the Proofpoint Protect event in Paris, I break down three questions that come up in almost every conversation: Where is our data? Who has access to it? What is the source of truth, and how do we get control of it? These aren’t new challenges. But AI expands the attack surface and puts more pressure on how data is managed, accessed, and governed. If you don’t have clear answers, you’re operating without a reliable foundation for how AI systems are trained, used, and controlled. That’s the reality most teams are working through today.
-
Security agencies like CISA are drawing hard red lines around agentic AI deployments. Give an AI agent unchecked permissions and you’re not innovating—you’re setting up a governance nightmare. A hijacked AI agent with broad access doesn’t just trigger an IT alert. It leads to operational downtime and lost revenue—real hits to your bottom line. CISA and its global partners are clear: organizations must enforce least privilege, rigorously limit what agents can access, and maintain continuous auditing. High-risk tasks demand human-in-the-loop approval and real oversight. You can’t just hope your old guardrails will protect you at machine speed. The message for business leaders is simple: Validate your AI exposure before an incident forces your hand. Don’t wait—know where the real risk is and act before someone else defines the outcome. Read the full breakdown on what these new security lines mean: https://lnkd.in/gh-xByta We simplify risk so you can take smart risks. Get in touch.
-
Reading between the lines - Part 5

AI is moving from assisting our systems to exposing their weakest points. Recent breakthroughs in AI-driven security testing show that advanced models can identify and exploit vulnerabilities at a pace that traditional remediation cycles struggle to match. For financial services, this is more than a technology story. Trust in our industry depends not only on strong controls, but on how quickly we can detect, repair, test, and recover when systems are challenged. AI may well define the future of efficiency, security, and scale. But it also forces us to ask a harder question: are we building resilience at the same speed at which risk is evolving? That shifts the conversation around DR and BCP. The big question is whether DRs and BCPs are quietly moving back to physical ledgers, completing the full circle. That may sound old-fashioned. Or it may be the most practical debate we need to have.

#ReadingBetweenTheLines #AI #DigitalTrust #OperationalResilience #CyberSecurity #BCP #DR #FinancialServices #RiskManagement #FutureOfTrust