Who’s to blame when the AI tool managing a company’s compliance status gets it wrong?
07 Aug 2025

If you put a group of CISOs in a room, they are all likely to wait for one of them to declare they have the answer, the silver bullet, that solves the issue of the day. In reality, however, what needs to happen is that all the CISOs combined have a fragment of the answer and need to piece them together to create the answer to the issue.
The above was a comment from a policy panel at Black Hat USA 2025. The comment has merit, as no single vendor, service provider, individual or other entity can resolve the cybersecurity conundrum. It truly is a team sport that requires all those involved to play an active role.
The issue is breaking down the barriers of sharing that may exist between companies that could be competitors. In physical security situations, companies do share information; for example, in retail, it’s common for store security guards to collaborate with neighboring guards to warn of a threat. However, in cybersecurity, obscurity can be seen as security and the threat is never shared.
As the panel was dominated by policy-makers, or those involved in advising policy-makers, they credited improved cybersecurity posture to policy. I am not sure I subscribe to this.
In part, it may be true, but improved cybersecurity posture is probably a result of financial risk. The cost of a cyber incident continues to increase, and regulatory fines that result from policy breaches (if the policy has a financial penalty component) are only one line item in the overall costs. The business risk of a cyber incident is no longer just on the desk of the IT and cybersecurity team – it’s a board- or C-level issue and is about ensuring the business can withstand the financial loss incurred should there be a cyber incident, and each company has a different appetite for risk. Financial risk, including any regulatory issues, is often mitigated through insurance, and cyber risk is no different to the more traditional insurances a company holds, which is why the cyber risk insurance market continues to grow.
AI to the rescue
The panel also discussed the use of AI by defenders and adversaries. For defenders, using AI is imperative, as employing enough threat hunters to undertake the task without it would be near impossible. Another interesting comment from the panel concerned AI tools that provide confirmation of compliance with regulations and policy.
As the number of policies continues to rise, so does the burden of managing compliance. AI tools that manage compliance and the continual changes in the compliance requirements are fast becoming the only way some companies may be able to manage their compliance status.
However, what if the AI model being used to calculate compliance with the relevant policy gets it wrong? Will a regulator cut the company some slack as they thought they were compliant, or will the penalty be levied regardless of who or what is to blame? For me, this is another instance where AI needs to become a tool that complements human expertise and should not be trusted as the only source.
The takeaway from the panel session for me is that there will continue to be more policy and compliance requirements. With the change in administration still being relatively new, it’s a pivotal moment. No one really knows the direction policy may take and whether it will be simplified or simply added to. The reason for more policy could be seen as a declaration that industry has failed to self-regulate and that a stronger security posture will only be achieved through penalties for non-compliance.
The final point of the panel discussion mentioned multi-factor authentication (MFA), and the panel agreed that a whole-nation approach is needed to ensure all businesses adopt MFA as a baseline standard. And I could not agree more: there really is no excuse for not deploying MFA.