Key Takeaways
- Crest has released an AI Charter and nine guiding principles for the responsible use of AI in cyber‑security services.
- The charter is backed by 60 founding signatory organisations worldwide, reflecting broad industry consensus.
- It addresses buyers’ need for confidence that AI is deployed transparently, with oversight and accountability.
- Current data show 47 % of organisations use AI for vulnerability reporting and 44 % for scanning; three‑quarters of security providers have increased AI use in the past year.
- The charter emphasises that privileged access held by MSSPs demands demonstrable responsible AI practices to maintain trust.
- Nine core principles cover scope definition, customer notification, documentation, human oversight, data handling, secure development, supply‑chain visibility, and dependency risk management.
- Crest is developing complementary standards through ongoing research programmes and working groups to operationalise the charter’s guidance.
Introduction to Crest’s AI Charter
Crest, the cyber‑security trade body, has launched an Artificial Intelligence (AI) Charter accompanied by a set of principles designed to guide the adoption of AI‑powered cyber services. The initiative emerged from a collaborative effort involving sixty founding signatory organisations spanning multiple continents, signalling a unified industry stance on the need for responsible AI integration. By publishing the charter, Crest aims to provide a clear reference point for vendors, managed security service providers (MSSPs), and end‑user organisations seeking to harness AI while mitigating associated risks. The document articulates expectations that go beyond mere technical implementation, focusing on governance, transparency, and accountability as essential components of trustworthy AI deployment in security contexts.
Motivation Behind the Charter
According to Crest, the charter was developed in response to a growing demand for confidence—particularly among buyers—regarding emerging AI capabilities. As AI becomes increasingly embedded in security practices, organisations require assurance that these technologies are used responsibly, transparently, and under appropriate human oversight. The charter seeks to address concerns about opaque AI decision‑making, potential bias, and the inadvertent introduction of new vulnerabilities. By establishing a shared set of expectations, Crest hopes to reduce uncertainty for customers evaluating AI‑enhanced services and to foster a market environment where responsible innovation is rewarded and recognised.
Current AI Adoption Trends in Cybersecurity
Data compiled by Crest illustrate the rapid uptake of AI within the sector: approximately 47 % of organisations now employ AI for vulnerability reporting, and 44 % utilise it for scanning and enumeration activities. Moreover, three‑quarters of security‑service providers have reported increasing their AI usage over the preceding twelve months. These statistics underscore both the momentum behind AI adoption and the urgency of establishing guidelines that keep pace with technological change. The charter’s principles are therefore intended to be applicable across a broad spectrum of AI applications, from automated threat intelligence to predictive analytics, ensuring consistency regardless of the specific use case.
Leadership Statements on Responsible AI
Crest CEO Nick Benson remarked that the advent of AI has introduced a turbulent mix of immediate threats and a rapidly shifting landscape, while the industry braces for future disruptions to its workforce and overall stability. He emphasised that the support of the founding signatory organisations reflects a recognition that responsible AI adoption requires more than just technology—it necessitates shared expectations, professional standards, and practical approaches to assurance. Similarly, Crest Chief Product Officer Sebastian Madden highlighted AI’s potential to improve efficiency, accelerate analysis, strengthen defensive capabilities, and enhance threat response, while urging the sector to urgently address the challenges of governing, securing, and validating these capabilities.
Privilege and Responsibility: MSSPs and Trust
The charter devotes particular attention to managed security service providers (MSSPs) and analogous entities that require highly privileged access to customer systems, networks, and data. Because such access amplifies the potential impact of any misuse or failure, MSSPs must be able to demonstrate that they are employing AI responsibly to preserve customer trust, improve accountability, and mitigate risk. The charter outlines that responsible AI use in these privileged contexts involves clear governance, rigorous testing, and mechanisms for human intervention, thereby ensuring that elevated access does not translate into uncontrolled or opaque AI behaviour.
Core Principles of the AI Charter
The charter is underpinned by nine core principles that collectively define responsible AI adoption in cyber‑security services:
- Scope and Purpose Definition – Clearly delineate the scope, purpose, and potential impact of AI‑enabled services on delivery, outcomes, data handling, and risk, applying oversight, testing, and governance controls proportionate to the nature, scale, and risk of AI use.
- Customer Notification and Explanation – Fully inform customers about AI use in tools, methodologies, and automations—including internal and third‑party solutions—explaining benefits, limitations, and associated risks.
- Documentation and Traceability – Document AI usage comprehensively, ensure traceability and reviewability, and retain relevant records for assurance purposes.
- Human Oversight and Control – Maintain competent personnel oversight of all AI‑enabled activity, with processes for reviewing outputs, challenging decisions, and assuming control when needed, alongside safeguards against rogue usage.
- Data Use Transparency – Disclose how AI may utilise customer data (e.g., for model training) and whether data could be transferred outside the organisation or jurisdiction, subject to agreed legal, regulatory, and contractual safeguards.
- Protection of AI Artefacts – Safeguard customer data, prompts, outputs, and other AI‑generated artefacts against unauthorised access or manipulation.
- Secure Development Practices – Develop AI cyber tools using recognised secure development, integration, and assurance best practices.
- Supply‑Chain Visibility – Maintain visibility into the AI supply chain, ensuring that material third‑party AIs or providers are known, properly assessed, and governed with appropriate risk‑management controls.
- Dependency Impact Assessment – Identify material AI dependencies in service delivery and assess their potential impacts should systems crash or become unavailable.
These principles are designed to be practical and adaptable, allowing organisations of varying sizes and specialisations to implement them according to their specific risk profiles and operational contexts.
Implementation and Assurance Mechanisms
To translate the principles into actionable practice, the charter encourages organisations to establish internal AI governance frameworks, conduct regular audits, and employ independent assurance where appropriate. It recommends the adoption of standardised documentation templates, version‑controlled model repositories, and clear incident‑response procedures that address AI‑specific failures. Additionally, Crest highlights the value of third‑party certifications or attestations that validate adherence to the charter’s expectations, thereby providing an extra layer of confidence for customers seeking assurance about their service providers’ AI practices.
Future Work: Standards Development and Research Programme
Beyond the charter itself, Crest is actively engaged in developing a complementary set of standards focused on AI security and the use of AI within security services. This effort is being pursued through an ongoing research programme and various working groups that bring together experts from academia, industry, and regulatory bodies. The goal is to translate the high‑level principles into concrete technical specifications, testing methodologies, and compliance frameworks that can be widely adopted. By iterating on the charter with concrete standards, Crest aims to bridge the gap between aspirational guidance and enforceable, measurable controls that enhance the overall resilience of AI‑driven cyber‑security offerings.
Conclusion and Industry Impact
The launch of Crest’s AI Charter represents a significant step toward maturing the conversation around AI in cyber‑security. By consolidating industry consensus into a clear set of principles and providing a roadmap for responsible implementation, the charter addresses both the enthusiasm for AI’s capabilities and the legitimate concerns surrounding its deployment. As more organisations align with these guidelines, the sector can expect improved transparency, stronger accountability, and heightened trust—essential ingredients for sustaining innovation while safeguarding the critical assets and systems that underpin modern digital society.

