Powered by Termly
We use essential cookies to make our site work. With your consent, we may also use non-essential cookies to improve user experience and analyze website traffic. By clicking “Accept,” you agree to our website's cookie use as described in our Cookie Policy. You can change your cookie settings at any time by clicking “Preferences.”
ComplianceGenieComplianceGenie.io
Back to Blog
Adapting GRC and InfoSec Programs for the AI Era
2025 AI Security Governance Series - 6 of 8

Adapting GRC and InfoSec Programs for the AI Era

Mark Almeida-Cardy
October 20, 2025
6 min read

Adapting GRC and InfoSec Programs for the AI Era

Introduction: From Cybersecurity to AI Security by Design

For decades, enterprises have invested in governance, risk, and compliance (GRC) programs and built mature information security frameworks. But AI introduces new risks and attack vectors that stretch beyond traditional controls.

  • Data poisoning during training.
  • Model inversion to extract sensitive information.
  • Adversarial inputs that trick AI into harmful outputs.
  • Compliance gaps when AI decisions violate privacy or bias laws.

Rather than reinventing the wheel, organizations are adapting existing GRC and InfoSec practices to include AI as a first-class risk domain.

ERM Updates: Recognizing AI as a Distinct Risk Category

Enterprises are updating their enterprise risk registers to account for AI. AI-related risks span:

  • Compliance risk: Regulatory breaches (e.g., EU AI Act violations).
  • Operational risk: Business disruption due to AI failures.
  • Reputational risk: Backlash from biased or unsafe AI outputs.
  • Cybersecurity risk: New attack vectors targeting models and training data.

Boards are now debating AI risk appetite: Which processes can be delegated to AI? How much oversight is non-negotiable?

Extending Controls: Applying Security Disciplines to AI

Many existing controls can be extended to cover AI:

  • Access controls: Restricting who can query, train, or modify models.
  • Data governance: Treating training datasets with the same sensitivity as production data.
  • Change management: Ensuring retraining or fine-tuning follows formal review and approval workflows.
  • Deployment practices: Embedding model validation into secure development lifecycles.

Emerging best practices include “model firewalls” to sanitize inputs/outputs of generative AI and specialized monitoring for drift or anomalous behavior.

AI Incident Response: Preparing for the Unexpected

Traditional incident response playbooks must be adapted to address AI-specific failures and attacks.

  • Scenarios: Data leakage via AI, adversarial attack exposure, biased model deployment.
  • Response actions: Rolling back to prior model versions, enacting AI “kill switches,” or retraining models on clean data.
  • Exercises: Tabletop simulations focused on AI incidents to test readiness.

SANS and others emphasize that governance and risk-based decision-making should complement technical fixes during AI incidents.

Role Evolution: CISOs, Risk Teams, and Cross-Functional Collaboration

AI governance requires new collaboration across teams:

  • CISOs are expanding charters to explicitly cover AI risks.
  • GRC leaders are embedding AI into compliance and audit cycles.
  • Data scientists are being trained in security and compliance principles.
  • AI risk committees are forming, bringing together InfoSec, legal, compliance, and IT.

Some enterprises are even standing up AI centers of excellence, embedding security and GRC into every stage of AI projects.

Metrics & Reporting: Making AI Risks Visible

GRC dashboards are evolving to include AI-specific metrics:

  • Number of AI systems inventoried.
  • Percentage with completed risk assessments.
  • Open AI-related compliance issues.
  • Frequency of AI model drift incidents.
  • Results from AI-focused audits or bias tests.

Scenario analysis is also being used to model financial exposure from AI-related incidents, helping justify governance budgets.

Conclusion: Integrating AI Into Enterprise GRC as a Core Pillar

AI is no longer an experimental technology—it’s a critical enterprise system. That means AI governance must be woven into existing GRC and InfoSec frameworks, not treated as a side project.

By updating risk registers, extending familiar controls, building AI-ready incident response, and empowering CISOs and boards with visibility, organizations can govern AI with the same rigor as cybersecurity.

The result is not just risk mitigation, but confidence to innovate. Companies that align AI with their GRC and security strategies will move faster, with fewer surprises, and stronger trust.

✅ Next in this series: We’ll explore emerging practitioner guidance—from SANS’ Critical AI Security Guidelines to Gartner’s AI TRiSM framework—and what they mean for enterprise adoption.

Open Source: This blog is powered by blog-engine, an open source repository.

Content Creation: This content was created with AI-assistance and reviewed by human experts to ensure accuracy and quality. We believe in transparent, human-in-the-loop AI content creation.

Back to All Posts