The programCybersecurity in the Era of AIProgram overview
  1. AI Governance — operating model, inventory & riskPublished
  2. The EU AI Act — tiers, obligations & timelineComing Aug 2026
  3. ISO/IEC 42001 — build & certify the AIMSComing Sep 2026
  4. Shadow AI — discover, assess & governComing Oct 2026
  5. Security in AI-assisted codingComing Nov 2026
  6. Securing the AI you build — LLM app securityComing Dec 2026
AI Security15 Jul 20269 min read

Cybersecurity in the Era of AI — The Program: Governance, the AI Act, ISO 42001, Shadow AI & Secure AI Development

The program overview: how AI reshapes the security and compliance picture, and the seven-part map — AI governance, the EU AI Act, ISO/IEC 42001, Shadow AI, secure AI-assisted coding, and securing the AI systems you build.

Artificial intelligence has moved from a research curiosity to a load-bearing part of how organizations build software, make decisions, and serve customers — and it has done so faster than most security and governance functions could adapt. The result is a widening gap: AI is being adopted at the edges of the organization (a team wiring an LLM into a product, an employee pasting customer data into a chatbot, a developer accepting AI-generated code) while the governance, controls and regulatory obligations that should surround it lag behind. This program is about closing that gap deliberately. It treats "cybersecurity in the era of AI" as three connected problems: governing AI use responsibly, complying with the fast-arriving regulatory and standards landscape (the EU AI Act, ISO/IEC 42001), and securing both the AI you consume and the AI you build. Each is urgent on its own; together they define what a mature security posture looks like now that AI is everywhere.

This is a program overview. It sets out the landscape and the seven parts that build the program, each shipping as a deep, standalone guide over the coming months. If you have followed our other programs, this one sits alongside them: where the [Security by Design] program made threat modelling the spine of a secure SDLC, this program extends that same discipline to a technology that breaks several of security's usual assumptions — a system whose behaviour is probabilistic, whose "code" is training data, and whose attack surface includes natural language itself.

Why AI changes the security picture

Three properties make AI a genuinely new security problem rather than an old one with a new label. First, AI systems are non-deterministic: the same input can produce different outputs, which undermines the tester's assumption that a passing test today means a passing test tomorrow, and makes assurance a statistical question rather than a binary one. Second, the trust boundary moves into language: a large language model treats instructions and data as the same stream of tokens, so untrusted content — a web page, a document, an email — can carry instructions the model obeys (prompt injection), an attack class with no clean analogue in traditional software. Third, the supply chain deepens: an AI feature depends not just on libraries but on foundation models, training data, embeddings and third-party inference APIs, each a new source of risk, opacity and dependency. On top of these technical shifts sits a governance and regulatory reality that has arrived unusually fast — the EU AI Act is now law, ISO/IEC 42001 gives us the first certifiable AI management system, and boards are asking who owns AI risk. A security program that ignores any of these is incomplete.

The organizing idea of this program is that these problems are best tackled as a coherent whole, in order: you cannot secure AI use you have not inventoried, you cannot comply with regulation you have not mapped to your systems, and you cannot govern shadow AI you cannot see. Governance comes first because it is the frame everything else hangs on; compliance and security techniques fill that frame.

The seven-part program

  1. 01

    AI Governance

    Operating model, inventory & risk tiers

  2. 02

    The EU AI Act

    Risk tiers, obligations & timelines

  3. 03

    ISO/IEC 42001

    Build & certify the AIMS

  4. 04

    Shadow AI

    Discover & govern unsanctioned use

  5. 05

    Security in AI coding

    Safe Copilot / Cursor adoption

  6. 06

    Securing the AI you build

    LLM app security & red-teaming

The seven parts

Part 1 — AI Governance. The foundation: an AI governance operating model that gives AI risk an owner, an AI system inventory so you know what you are running, a risk-classification scheme so effort is proportionate, and the policies and lifecycle controls that make responsible AI a practice rather than a poster. Grounded in the NIST AI Risk Management Framework (Govern, Map, Measure, Manage) and set up to feed everything downstream.

Part 2 — The EU AI Act. The regulation that now sets the floor for anyone building or using AI touching the EU market: its risk-based tiers (unacceptable, high, limited, minimal), the specific obligations on high-risk systems and general-purpose models, the compliance timeline through 2027, and how to determine which tier your systems fall into and what that requires of you.

Part 3 — ISO/IEC 42001. The first certifiable AI management system standard, and the practical vehicle for operationalizing everything else: how to build an AI Management System (AIMS), the Annex A controls, AI impact assessments, and how a 42001 certification demonstrates responsible AI to customers and regulators — the AI analogue of what ISO 27001 did for information security.

Part 4 — Shadow AI. The risk already inside your organization: employees and teams using unsanctioned AI tools, leaking data into models that train on it, and creating exposure nobody approved. How to discover shadow AI, assess what it puts at risk, and govern it — not by banning AI (which fails) but by channelling demand toward sanctioned, safe alternatives.

Part 5 — Security in AI-assisted coding. AI has changed how software is written, and the coding assistants (Copilot, Cursor, and their kin) bring their own risks: insecure suggestions, secrets leaked to models, hallucinated dependencies, and over-trust. How to adopt AI-assisted development safely — enterprise controls, guardrails in the pipeline, and the practices that let you capture the productivity without importing the risk.

Part 6 — Securing the AI you build. For organizations building AI features and products: securing LLM applications against the OWASP LLM Top 10 (prompt injection, insecure output handling, excessive agency and the rest), designing for least privilege and defence in depth, red-teaming AI systems, and the runtime monitoring that catches abuse — the deepest technical part, and the finale.

Who this is for

This program is written for the person now responsible for AI risk — a CISO, a security lead, a Data Protection Officer, a Head of AI or engineering leader — who needs to move from "we should probably do something about AI" to a concrete, prioritized program. It assumes AI is already in use in your organization (it almost certainly is, sanctioned or not) and that you would rather get ahead of the risk than clean up after it. It is pragmatic throughout: real obligations, real controls, real tooling, and a definition of done for each part so you can adopt the program incrementally.

Each part is scope-bounded and builds on the last — governance (Part 1) makes the compliance work (Parts 2–3) tractable, the inventory it produces is what reveals shadow AI (Part 4), and the secure-development practices (Parts 5–6) are where governance meets engineering. You can start reaping value from Part 1 immediately, long before the later parts ship.

What's next

Part 1 — AI Governance is available now and is where to start, because everything else depends on knowing what AI you have and who owns its risk. It covers the governance operating model, the AI inventory, risk classification, and the policy foundation — the frame the whole program hangs on. The remaining parts ship monthly.

If you would rather not build the program alone, this is exactly what Axelia's consultants do: we stand up AI governance, map your systems to the AI Act and ISO/IEC 42001, surface and channel shadow AI, and secure both your AI-assisted development and the AI products you ship — while ISMShed captures the whole thing as continuous, framework-mapped evidence across ISO/IEC 42001, the EU AI Act, ISO 27001, NIS2, DORA and GDPR, so your AI governance becomes your compliance story rather than a separate burden. Start with Part 1, and get ahead of AI risk before it gets ahead of you.

Up next
AI Governance — operating model, inventory & risk

Talk to an expert

Don't wait for the guide. Book a call with our AI-CISO team and get a tailored roadmap to ISO 27001, NIS2, ENS or DORA compliance.