Over 70 Cybersecurity Firms Endorse New AI Security Charter

0
6

Key Takeaways

  • Over 70 cybersecurity organizations have signed CREST’s new AI Charter, committing to responsible AI use in security services.
  • The charter is built around nine core principles covering accountability, transparency, data governance, security, supply‑chain risk, and resilience.
  • Signatories must disclose when AI is used, maintain human oversight, and ensure data handling aligns with legal and contractual obligations.
  • The initiative aims to create a self‑regulating framework that could reduce the need for heavy government regulation while promoting cross‑border interoperability.
  • CREST plans to evolve the principles into independently assessable standards and welcomes regulator support to foster harmonization.

Overview of the CREST AI Charter
On July 9, the cybersecurity industry body CREST launched the AI Charter, a voluntary pledge signed by more than 70 firms worldwide. The charter distills nine principles for AI‑enabled cybersecurity activities that were first unveiled in March. These principles address everything from governance and transparency to the security of AI tooling itself, reflecting CREST’s effort to define what distinguishes AI‑driven cyber services from traditional offerings. By committing to the charter, signatories agree to embed responsible AI practices into their service delivery, risk management, and client communications.


Accountability, Governance, and Transparency
Under the charter’s foundational principles, participating firms must clearly define the scope and purpose of every AI‑enabled activity. They are required to rigorously assess how AI impacts service delivery, client outcomes, data handling, and operational risks, ensuring that governance and testing controls are proportional to the scale of deployment. Moreover, signatories pledge absolute transparency: whenever AI is used in a tool or methodology, they must inform clients and plainly explain the associated benefits, limitations, and potential risks. This openness is intended to build trust and enable clients to make informed decisions about the AI components of their security engagements.


Documentation, Auditability, and Human Oversight
To preserve operational integrity, the charter emphasizes traceable records of AI use, validation processes, and quality‑assurance mechanisms that support compliance audits. Signatories commit to maintaining documentation that is reviewable and auditable, thereby facilitating internal and external scrutiny. While AI tools may operate with varying degrees of autonomy, the charter mandates that qualified personnel retain final oversight, possessing the authority to intervene, review outputs, and challenge decisions. This human‑in‑the‑loop requirement ensures that AI augments rather than replaces expert judgment in critical cybersecurity functions.


Data Handling, Sovereignty, and Client Control
Data governance forms a pivotal pillar of the charter. Firms must disclose whether client data will be used to train models or transferred across jurisdictions, guaranteeing that all data usage aligns precisely with agreed legal, regulatory, and contractual commitments. By enforcing strict data sovereignty controls, the charter seeks to prevent unauthorized data leakage or misuse and to give clients confidence that their information remains under their control throughout the AI lifecycle.


Security, Confidentiality, and Secure Development
The remaining principles focus on protecting the AI technology itself. Signatories are required to safeguard client prompts, outputs, and AI‑generated assets through robust security and confidentiality controls. Throughout the entire lifecycle of their AI tools—from design and development to deployment and retirement—firms must follow secure development and integration practices. This includes applying established secure‑coding standards, conducting regular vulnerability assessments, and employing encryption where appropriate to protect both the AI system and the data it processes.


Supply‑Chain Assurance and Resilience
Recognizing that AI systems often rely on third‑party components, the charter obliges signatories to identify and manage risks associated with any external AI dependencies. This supply‑chain assurance involves vetting vendors, monitoring for vulnerabilities, and establishing clear contractual safeguards. Additionally, to ensure business continuity, firms must proactively plan for potential AI failures, devise practical fallback arrangements, and remain transparent with clients about how system disruptions could affect service levels and recovery expectations. By preparing for contingencies, the charter aims to maintain reliable security services even when AI tools encounter unexpected issues.


Development of the Charter and Signatory Profile
CREST crafted the AI Charter by reviewing existing AI‑in‑cybersecurity frameworks, consulting its members, gathering feedback from industry leaders during CRESTCon Leaders Days, and validating the principles with its technical committee. A decisive factor in shaping the nine principles was defining what sets AI‑driven cyber services apart from traditional ones. Supporting the launch, CREST noted that 69 % of cybersecurity providers now use AI in daily service delivery, with 76 % reporting growth in AI usage over the past year. The 73 founding signatories represent roughly 10 % of CREST’s membership and span Europe, North America, the Middle East, and Asia‑Pacific, covering domains such as penetration testing, vulnerability assessment, incident response, security operations, and threat intelligence.


The Critical Need for AI Cybersecurity Standards
Nick Benson, CEO of CREST, described the AI Charter as “just the start” and anticipates a snowball effect as more organizations, governments, and providers adopt the common principles. He characterized the model as one of self‑regulation aimed at fostering a functional, successful market, hoping that widespread adherence will make formal regulation less necessary and lighten the compliance burden. Nevertheless, Benson stressed that moving rapidly from principles to independently assessable standards is “absolutely critical.” CREST welcomes regulator support and signposting of the principles, arguing that aligning national standards with the CREST framework will promote harmonization, cross‑border interoperability, and reduced frictional costs for both buyers and vendors.


Conclusion
The CREST AI Charter represents a coordinated effort by the cybersecurity community to establish responsible AI practices through a clear set of nine principles. By committing to accountability, transparency, data sovereignty, security, supply‑chain risk management, and resilience, signatory firms aim to build trust with clients and ensure that AI enhances rather than undermines security outcomes. As the charter gains traction, CREST’s vision of evolving these principles into robust, verifiable standards could shape the future of AI‑enabled cybersecurity, balancing innovation with the safeguards essential for protecting digital assets in an increasingly AI‑driven world.

SignUpSignUp form

LEAVE A REPLY

Please enter your comment!
Please enter your name here