Bacho Foto - stock.adobe.com
Cyber body Crest launches AI security charter
Crest’s industry-backed AI charter commits signatories to supporting responsible AI adoption and aims to foster trust in AI-enabled security services.
Cyber security trade body Crest has launched an artificial intelligence (AI) charter and set of principles, backed by a founding cohort of 60 signatory organisations from all over the world, setting out a set of guidelines and principles for adoption of AI-powered cyber services.
According to Crest, the AI Charter was developed in response to a growing need for confidence – especially among buyers – in emerging AI capabilities. It said that as AI becomes increasingly embedded in security practices, end-user organisations need reassurance that AI is used responsibly, transparently, and with human oversight.
In areas such as penetration testing, for example, data compiled by Crest purport to show that 47% of organisations now use AI for vulnerability reporting and 44% for scanning and enumeration – while three quarters of security services providers have increased their AI use over the past 12 months.
“Since the advent of AI, the cyber security industry has faced a turbulent mix of immediate threats and a rapidly shifting landscape, while bracing for future disruptions to its workforce and stability,” said Crest CEO Nick Benson.
“The support of our founding signatory organisations reflects industry recognition that responsible AI adoption requires more than technology alone. It requires shared expectations, professional standards, and practical approaches to assurance.”
Privilege with responsibility
Crest said that since managed security services providers (MSSPs) and their ilk need highly privileged access to sensitive systems, networks and data, they need to be able to demonstrate that they are using AI responsibly to maintain customer trust, improve accountability, and reduce risk.
As such the AI Charter sets out clear expectations for how the cyber industry should responsibly adopt AI, reflecting the practical experience of Crest’s community members and wider thinking on the issue. It is also underpinned by nine core principles:
- That the scope and purpose of AI-enabled cyber services and how they may affect service delivery, outcomes, data handling and risk, are defined, and that oversight, testing and governance controls proportionate to the nature, scale and risk of AI use are applied;
- That customers are fully informed of AI use in cyber tools, methodologies and automations, including internal and third-party solutions where appropriate, and that the use of AI is explained, covering aspects such as benefits, limitations, and risks;
- That AI use is documented, traceable and reviewable, with relevant records retained for assurance purposes;
- That competent personnel retain oversight of all AI-enabled activity, reviewing outputs, challenging decisions, and taking control if needed, with controls in place to stop rogue usage;
- That customers are informed of how AI may use their data, such as for model training, and whether data may be transferred outside their organisation or jurisdiction, subject to agreed legal, regulatory and contractual safeguards;
- That customer data, prompts, outputs and other AI-generated artefacts are protected;
- That AI cyber tools are developed using secure development, integration and assurance best practices;
- That there is visibility into the AI supply chain, with material third-party AIs or providers known and properly assessed, and appropriate governance and risk management controls applied.
- That material AI dependencies in service delivery are identified and their impacts assessed should systems crash or become otherwise unavailable.
“Artificial intelligence presents significant opportunities for the cyber security profession,” said Crest chief product officer Sebastian Madden.
“It has the potential to improve efficiency, accelerate analysis, strengthen defensive capabilities and help organisations respond more effectively to emerging threats. But at the same time, we must urgently address the practical challenges of governing, securing, and validating these capabilities.”
Further to its charter, Crest is also working on the development of a set of standards to cover AI security and the use of AI in security services through an ongoing research programme and various working groups.
Read more about AI-enabled cyber tools
- Agentic AI is touted as a helpful tool for managing tasks, and cyber criminals are already taking advantage. Should information security teams look to AI agents to keep up?
- At Google Cloud Next, Wiz co-founder Yinon Costica called on security defenders to use AI to steal a march on threat actors, and launched agentic capabilities for cyber teams.
- TXOne Networks CEO Terence Liu says AI is transforming both industrial operations and cyber threats, forcing GCC energy operators to prioritise visibility, operational control and resilience.
