Essay
An internal-build playbook anchored on the Cloud Security Alliance (CSA) AI Controls Matrix — pick-and-choose modules to assemble the case and map the skill library onto the control spine.
31 May 2026 · 35 min read · Binu Chacko
Situation
Leadership wants an AI-security capability, and wants it visible this year.
Complication
Big-bang Centers of Excellence stall: broad mandates, no early proof, funding fatigue by quarter three.
The question
“How do we build the capability without betting the year?”
The answer
One team at a time — assess, pilot, prove, scale — funding only the next phase after the last one pays.
An internal-build playbook anchored on the CSA AI Controls Matrix. Pick and choose modules to assemble your pitch deck and map your skill library onto the control spine. Current as of May 31, 2026.
This is what we build and why. For how to operate it on this platform — by move, by lens, and by role — see the companion Leverage Guide.
Purpose.The charter is the CoE’s constitutional document. It converts an executive mandate into durable authority, scope, and decision rights. Keep it to 2-3 pages; it should survive reorgs and leadership changes.
Recommended charter sections (lift directly into a slide):
Hub-and-spoke / federated model.The hub (CoE) owns standards, the control baseline, shared tooling/skills, and assurance. Spokes (the eight infosec functions — Identity, Network & Infrastructure, Endpoint & Workload, Application & DevSecAIOps, Data, Cloud & Container, Security Operations, and Governance, Risk & Assurance — plus embedded champions in Legal/Privacy and Data Science) own execution within hub-defined guardrails. Microsoft’s Cloud Adoption Framework and Gartner both recommend mature AI organizations run advisory/standard-setting hubs while frontline teams own delivery; Dataiku found firms that scale AI are far more likely to use hub-and-spoke than any other structure.
Framing the mandate to leadership.Anchor on three things the board already cares about: (a) regulatory exposure (EU AI Act high-risk obligations live Aug 2, 2026; SEC cyber disclosure); (b) the 2026 threat inflection; (c) the failure rate of ungoverned AI adoption (MIT’s 95%-no-measurable-impact finding). Position the CoE as the mechanism that converts AI from a liability into a defensible, audited capability.
Thesis: AI security is not a product you can purchase; it is encoded, governed, reusable judgment. The enterprise must build it.
Why tools alone fail.AI-SPM, guardrail, and red-team tools are necessary but insufficient. MIT Project NANDA (2025) found that just 5% of integrated GenAI pilots extracted measurable value — and the cause was integration, brittle workflows, and lack of contextual learning, not model quality. A tool with no encoded judgment behind it just “delivers noise faster” (ThreatConnect’s phrasing on bad SOC automation).
Why hiring alone fails. The 2025 ISC2 Cybersecurity Workforce Study (16,029 respondents, December 2025) found the binding constraint has shifted from headcount to skills: “95% of respondents reported at least one skills gap within their teams, and 59% described those gaps as critical or significant, compared with 44% in 2024.” AI was the #1 rising technical skill demand, ahead of cloud security. ISC2 stopped publishing a workforce-gap headcount number entirely, stating respondents consistently emphasized skills over size. You cannot hire your way out fast enough, and the senior people who have the judgment are the bottleneck. The defensible move is to encode that judgment once and execute it many times.
Why centralized-but-federated wins. A pure central team bottlenecks; a pure federated model fragments standards. Hub-and-spoke captures the compounding effect of shared infrastructure, consistent governance, and institutional learning while letting spokes move fast. IBM research found centralized/hub-and-spoke AI operating models achieve materially higher ROI than decentralized ones (cited at ~36% higher).
The Mythos corollary. When AI can find and chain zero-days autonomously, the only scalable defense is defense that also runs at machine speed under human governance. That is precisely what a skill-library CoE produces.
Three archetypes (decision criteria):
CoE roles & responsibilities (roles only — no headcount):
RACI (CoE × functions):
| Activity | CoE (Hub) | Sec Eng | SOC | Sec Services | Emerging Tech | Legal/Privacy | Data Sci/ML | BUs |
|---|---|---|---|---|---|---|---|---|
| AI security standards & AICM baseline | A/R | C | C | C | C | C | C | I |
| Skill authoring & approval | A/R | C | C | C | C | I | C | I |
| SOC AI workflow execution | C | I | A/R | C | I | I | I | I |
| AI red-team / ATLAS testing | A/R | C | C | R | C | I | C | I |
| AI vendor risk (AI-CAIQ) | A/R | C | I | C | C | C | C | C |
| Autonomy gate approval | A | C | R | C | C | C | C | I |
| Model risk validation | C | I | I | I | C | C | A/R | I |
| Regulatory alignment (EU AI Act/SEC) | R | I | I | I | I | A/R | C | C |
Spoke / embedded-champion model. Each function nominates an AI Security Champion who (a) carries hub standards into the function, (b) feeds local use cases and friction back to the hub, and (c) owns local skill adoption. Champions are dotted-line to the CoE Lead.
The 18 AICM domains (memorize the codes):
Control composition: Of the 247control objectives, 37 are AI-specific, 183 overlap with cloud controls, and 22 are cloud-only (per Coalfire’s analysis of the AICM). This means roughly 85% of AICM leverages your existing cloud-security muscle — the build is largely extension, not greenfield.
The five pillars (lenses) on every control:
AI service-provider roles (SSRM): Cloud Service Provider (CSP), Model Provider (MP), Orchestrated Service Provider (OSP), Application Provider (AP), and AI Customer/User. The CoE must classify each enterprise AI system by which role the enterprise plays for it (e.g., you are an AI Customer of OpenAI but an Application Provider of your internal copilot), then apply the role-specific implementation guidance (CSA publishes separate implementation/auditing guideline versions per role).
Operationalizing AICM in GRC: (1) Download AICM + AI-CAIQ; (2) build an AI system inventory and classify by SSRM role; (3) run AI-CAIQ self-assessment across all 18 domains; (4) produce a risk-prioritized gap remediation plan; (5) embed AICM controls into procurement/vendor contracts; (6) continuous monitoring; (7) pursue STAR for AI.
AI-CAIQ self-assessment workflow:Control specification → self-assessment question(s) → ownership assignment → evidence/documentation → gap rating. Use it both internally and as the vendor due-diligence instrument.
STAR for AI path: (1) sign the AI Trustworthy Pledge; (2) implement AICM; (3) STAR for AI Level 1 = publish AI-CAIQ self-assessment to the STAR Registry (Valid-AI-ted is an automated scoring enhancement); STAR for AI Level 2 / STAR for AI 42001 (live since Nov 20, 2025) = ISO/IEC 42001 certification + a Valid-AI-ted AI-CAIQ. (Zendesk was the first organization worldwide to submit both precursor components.)
Cross-walk — frameworks that map INTO AICM:
Use a 5-level ladder. The CSA’s own AI Maturity Model for Cybersecurity (Jan 2026, developed with Darktrace) and AI Security Maturity Model (AISMM) — which aligns directly to AICM and uses five CMM-aligned levels — are the published references. Note: the AISMM is explicitly about the security program, not individual projects (project-level assessment is what AICM + AI-CAIQ are for).
| Level | Name | What it looks like |
|---|---|---|
| L1 | Initial / Reactive | No AI inventory; ad-hoc prompt filtering; security reacts post-incident; no AI governance policy. |
| L2 | Repeatable | AI asset inventory exists; policies written; red-teaming at least quarterly; human approval required before any autonomous action. |
| L3 | Defined | AICM baseline adopted; AI-CAIQ run across domains; skills authored & versioned; embedded champions active; ATLAS-based threat modeling standard. |
| L4 | Capable / Managed | Full AI-SPM stack; continuous automated red-teaming; outcome metrics tracked; bounded autonomy with audit trails; STAR for AI L1 achieved. |
| L5 | Efficient / Self-improving | Skills self-improve via feedback loops; machine-speed defense under human-on-the-loop governance; STAR for AI L2/42001; control coverage continuously assured. |
Assess current state via AI-CAIQ + a per-domain L1-L5 scoring. Pace adoption by closing the largest control-coverage gaps first and gating autonomy expansion on demonstrated L4 controls.
Operating principle: Adopting AI and securing it are the same act. Every AI capability the CoE ships is simultaneously a security control and a governed object.
What the AI does (machine-speed, mechanical, repeatable): tier-one alert triage, enrichment, correlation, drafting (reports, summaries), threat hunting at scale, deduplication, evidence collection. These map to high-volume, well-understood, measurable, reversible work.
What humans own (judgment, accountability): exceptions, the novel and consequential, final decisions on high-impact/irreversible actions, accountability for outcomes, and — critically — deciding where autonomy ends.
Governing agentic AI in security operations. Use the explicit oversight spectrum:
Non-negotiable guardrails before any autonomous execution: every action must be reversible(isolate↔un-isolate, disable↔re-enable, push-rule↔revert), identity-enforced, time-boxed, and logged. The 2026 consensus (Torq, Security Boulevard, McKinsey) is “don’t jump from AI-summarizes to AI-executes-containment” — climb the trust ladder incrementally.
The 2026 inflection.In late March 2026 the existence of Anthropic’s most capable model leaked via an unsecured database (Fortune broke the story); on April 7, 2026 Anthropic formally announced Claude Mythos Preview and Project Glasswing, a defensive coalition with launch partners AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks (plus ~40 more organizations) and $100M in usage credits. By a May 26, 2026 update, Mythos had identified 10,000+ high/critical vulnerabilities, including a 27-year-old OpenBSD flaw and a 17-year-old FreeBSD RCE (triaged as CVE-2026-4747) that it found and exploited fully autonomously. Mythos scored 83.1% on the CyberGym benchmark vs. Claude Opus 4.6’s 66.6%.
Market reaction.Cybersecurity stocks sold off hard: on April 10, 2026, Cloudflare fell ~13-14%, CrowdStrike ~7-11%, Palo Alto ~6-7%; the S&P 500 Software & Services index fell 2.6% on April 9. The fear: “if AI can find serious vulnerabilities faster than human experts, what are cybersecurity companies selling?” Analyst counterpoint (JPMorgan reiterated Overweight on CRWD and PANW within 24 hours; RBC called Glasswing “most positive” for both) framed partners as essential layers, not roadkill — but the dislocation made the urgency unmistakable. Notably, Treasury Secretary Bessent and Fed Chair Powell reportedly held an emergency meeting with major-bank CEOs about Mythos’s systemic risk.
The widening attack surface. Every agent, copilot, and integration is new attack surface. The CrowdStrike 2026 Global Threat Report(Feb 24, 2026) found “AI-enabled adversaries increased operations by 89% year-over-year”; the average eCrime breakout time fell to 29 minutes (fastest observed 27 seconds), 82% of detections were malware-free, and 42% of vulnerabilities were exploited before public disclosure. Wiz’s “State of AI in the Cloud 2026” found 90% of organizations now run self-hosted AI models and 57% deploy self-hosted AI agents, creating “new, often overprivileged control planes that attackers can exploit to move laterally.” Gartner predicts (Aug 26, 2025 press release) that “forty percent of enterprise applications will be integrated with task-specific AI agents by the end of 2026, up from less than 5% today.” Prompt injection (OWASP LLM01:2025) remains the #1 LLM risk; data exfiltration via AI, excessive agency (LLM06), and system-prompt leakage (LLM07) compound it.
The adoption-without-governance gap.MIT NANDA: 95% of GenAI pilots delivered no measurable return. SOC analyst burnout sits at 71% (Tines “Voice of the SOC Analyst,” 468 US analysts), with 69% reporting understaffed teams and 64% likely to switch jobs within a year. These are precisely the conditions the CoE exists to fix.
Note on caution.Some researchers (Bruce Schneier; the AISLE research group) noted smaller open models could replicate some Mythos findings and that Anthropic’s announcement was partly a PR play (it coincided with a major revenue milestone and reported IPO speculation). Present Mythos as a directionally valid watershed, not as settled fact on exact capability margins.
Start in the SOC.The before/after contrast is sharpest, the work is high-volume and measurable, and burnout makes the case self-evident. Phishing/alert triage is the canonical first workflow — high volume, well-understood, easy to measure, reversible.
Phase plan (milestones, not budgets/headcount):
Governance gates between phases: control coverage met, reversibility proven, audit trail complete, metrics validated. Measure honestly: baseline before, measure after, report the real number — early dips are expected and credible, and reporting them builds trust.
Leading indicators:# skills authored/approved; AICM control coverage %; # AI systems inventoried & SSRM-classified; red-team cadence; champion coverage across functions.
Lagging / outcome indicators: tier-one triage time compression; mean-time-to-respond (MTTR); proactive threat-hunting time; false-positive rate; analyst retention/burnout score.
Capability/maturity metrics: per-domain L1-L5 score; STAR for AI level achieved.
Control-coverage metrics: % of 247 control objectives implemented, by domain; gap-closure velocity.
Avoid vanity metrics: raw alert counts, “AI adoption %,” number of tools deployed. Real before/after figures must come from measured pilots, not assumed— any illustrative number in a pitch deck must be explicitly labeled as illustrative.
What a “skill” is: an encoded unit of senior security judgment with five attributes — (1) trigger (what invokes it), (2) encoded judgment (the senior logic), (3) what the AI executes (the mechanical action), (4) where autonomy ends (HITL/HOTL boundary), (5) the AICM control it satisfies.
Sample skill record:
Skill: Phishing triage & enrichment. Trigger: new user-reported email alert. Encoded judgment: senior analyst’s URL/sender/attachment heuristics. AI executes: enrich, correlate, auto-close known-benign, draft case summary. Autonomy ends: human approves any mailbox-wide purge (HITL). AICM control:SEF (incident management), LOG (monitoring), TVM (threat & vuln).
Mapping to AICM & catalog:Every skill is tagged to one or more of the 18 domains; the CoE service catalog is then organized by domain (or by function-facing service line: Detection & Triage, Threat Hunting, AI Red-Team, Vendor AI Risk, Model Risk, Guardrail Engineering). This lets you map your existing skill library directly onto AICM coverage and expose gaps — a skill with no AICM tag is either out of scope or a coverage hole.
Packaging to functions: publish the catalog as consumable services with SLAs, inputs/outputs, autonomy level, and the control(s) satisfied — so a spoke can “order” a skill the way it orders a platform service.
AI Governance Board.Cross-functional (security, legal/privacy, data science, business, risk). Owns: high-risk use-case approval, risk appetite, autonomy-expansion sign-off, policy ratification. Mirror NIST AI RMF’s Govern function as the cross-cutting layer that informs Map/Measure/Manage.
Policy/standard ownership: CoE owns AI security policy and the AICM baseline; Legal owns regulatory interpretation; Data Science owns model-development standards within the baseline.
Model risk management: validation, drift monitoring, model cards, evaluation harnesses, retirement.
Third-party / vendor AI risk: use AI-CAIQ as the standardized vendor questionnaire; require AICM-aligned contract clauses; continuous vendor monitoring; prefer STAR for AI-registered vendors.
Responsible-AI / safety guardrails: transparency, fairness, explainability, safety; map to AICM GRC and Supply Chain/Transparency/Accountability (STA) controls.
Change control for the skill substrate (critical and novel): Treat skills as governed code. Define who can author, edit, approve, and retire a skill; require version control, peer review, and an audit trail for every change. A skill that encodes judgment and executes autonomously is a control object — changing it changes your security posture, so it needs CCC-grade change management.
Regulatory alignment:
Thresholds that change the plan:
← Newer essay
Operating the Platform: A Leverage Guide
Older essay →
Why Most AI Security Pilots Don't Survive Production
Subscribe for the next essay.