How to prepare security controls for future AI regulations
With so many competing compliance requirements related to AI, how could any CISO comply with all of them? Learn how to reconcile your AI strategy with the regulatory landscape.
The global AI regulatory landscape is fragmented and volatile. As a result, cybersecurity leaders must reconcile competing compliance requirements and safeguard organizational AI without creating roadblocks to the overall AI strategy's success.
While the EU AI Act imposes a comprehensive, risk-based approach with severe penalties, China has implemented laws to balance AI advancements with control over societal behaviors. Other major markets, such as the U.S., have yet to produce unified guidance. In the absence of unified federal guardrails, states are creating a patchwork of requirements with both common and conflicting demands.
Cybersecurity leaders are confronting the reality of fulfilling these emerging, competing regulatory mandates even as AI adoption stretches the resources of their security programs. Most leaders report struggling to maintain visibility into embedded AI features deployed by vendors. Given the volume of AI tools and the speed of deployment, there is a significant degree of urgency to define appropriate cybersecurity controls for AI. Otherwise, organizations risk magnifying enterprise regulatory exposure and eroding any competitive advantage gained from AI adoption.
To establish future-proof cybersecurity controls capable of satisfying diverse, nonstandardized regulatory mandates, cybersecurity leaders must take a thoughtful, strategic approach grounded in collaboration, risk-based principles and resilience.
Filter regulatory noise through internal partnerships
Cybersecurity leaders must move beyond reliance on static global policy trackers to determine their exposure to emerging AI regulations and policies. They must also work with internal groups that represent assurance, governance and legal functions to determine the applicability of specific mandates.
Cybersecurity leaders should also consider relevant cybersecurity AI risk and the feasibility, cost and impact of potential controls. This requires aligning regulations with key stakeholders to ensure cybersecurity-relevant components are embedded into the organization's AI governance structure.
Ground AI strategy with risk-based principles
Traditional cybersecurity controls focus on mitigating harm to systems and data. With the rise of GenAI and AI agents, cybersecurity leaders must guard against conventional confidentiality threats for enterprise AI, such as data breaches, data leakage, malware and insider threats, as well as new threats to the integrity of enterprise data that interacts with AI, such as hallucinations, inaccuracies and biases.
Emerging AI regulations go beyond threats to organizational data and intellectual property. They also explicitly target threats to people's health, safety and liberty, demanding controls within the purview of the CISO. This is why cybersecurity leaders must build their compliance strategy on risk-based principles that lay the foundation for emerging laws and standards: safety, transparency, accountability, privacy and security.
For example, a baseline focus on data transparency and integrity might require cybersecurity leaders to prioritize controls that not only protect the data ingested by AI systems, but also extend identity and access management controls from the human workforce to machine identities. This ensures strong authentication and authorization for both the employee interacting with AI and any AI agent.
Additionally, attempting to comply with every emerging regulation individually is a resource-intensive trap. Cybersecurity leaders must instead build a baseline compliance posture by aligning the principles underlying emerging AI regulations with efforts to close remaining gaps.
Leaders can determine the baseline principles by sorting cybersecurity risks into two categories:
- Harm to people: safety, bias, privacy.
- Harm to property: data integrity, intellectual property theft, availability.
Cybersecurity resilience for AI risks
Regulatory resilience means demonstrating entirely new disaster and incident response planning for cybersecurity-relevant AI threats. Most organizations reported experiencing at least one deepfake attack that involved some form of social engineering or exploited existing automated processes.
Cybersecurity compliance plans must include investments in AI runtime defenses, tabletop exercises and broader resilience plans. Additionally, cybersecurity leaders must demonstrate the antifragility needed to isolate, recover and adapt to AI-related cybersecurity incidents. These tactics will help define appropriate cybersecurity controls for AI, preventing the magnification of enterprise regulatory exposure while ensuring organizations get the most from their AI strategies.
Bernard Woo is a vice president analyst at Gartner, with a focus on data protection and privacy programs, as well as data discovery and data classification considerations. Woo and other Gartner analysts will present the latest insights for security and risk management leaders at the Gartner Security & Risk Management Summits, taking place June 1-3 in National Harbor, Md., July 22-24 in Tokyo, August 4-5 in Sao Paulo and September 22-24 in London. Follow news and updates from the conferences on X and LinkedIn using #GartnerSEC.