ai · security · skills

Essay

The AI Security & Safety Center of Excellence: A Modular Build Playbook

An internal-build playbook anchored on the Cloud Security Alliance (CSA) AI Controls Matrix — pick-and-choose modules to assemble the case and map the skill library onto the control spine.

31 May 2026 · 35 min read · Binu Chacko

Situation

Leadership wants an AI-security capability, and wants it visible this year.

Complication

Big-bang Centers of Excellence stall: broad mandates, no early proof, funding fatigue by quarter three.

The question

How do we build the capability without betting the year?

The answer

One team at a time — assess, pilot, prove, scale — funding only the next phase after the last one pays.


An internal-build playbook anchored on the CSA AI Controls Matrix. Pick and choose modules to assemble your pitch deck and map your skill library onto the control spine. Current as of May 31, 2026.

This is what we build and why. For how to operate it on this platform — by move, by lens, and by role — see the companion Leverage Guide.

TL;DR

  • Build an internal AI Security & Safety CoE as a hub-and-spoke (federated) operating model anchored on the CSA AI Controls Matrix (AICM) — 18 domains, 247control objectives — as the master control spine, with NIST AI RMF, ISO 42001, MITRE ATLAS, OWASP LLM Top 10, and the EU AI Act mapped into it as subsets/crosswalks.
  • The 2026 inflection (Anthropic’s Claude Mythos / Project Glasswing; the cybersecurity-stock sell-off; CrowdStrike’s 89% YoY rise in AI-enabled attacks) proves AI security is now a build, not buy capability: tools alone fail, hiring alone fails, and a centralized-but-federated CoE that encodes reusable senior judgment as governed “skills” is the defensible response.
  • Sequence the rollout starting in the SOC (sharpest before/after contrast), prove one workflow, baseline honestly, then scale across functions on a 30/60/90-day and 12-month milestone cadence governed by AICM control-coverage and outcome metrics.

Key Findings

  1. AICM is the right spine.Released July 2025 by the Cloud Security Alliance, the AICM is the first vendor-agnostic AI control framework. CSA’s launch blog (July 10, 2025) describes it verbatim as “a spreadsheet of 247control objectives analyzed by five critical pillars... Control Type, Control Applicability and Ownership, Architectural Relevance, LLM Lifecycle Relevance, and Threat Category,” mapped to ISO/IEC 42001, ISO/IEC 27001, NIST AI 600-1 and BSI AIC4, with the AI-CAIQ companion and a STAR for AI certification path. It is the only framework that simultaneously gives you control objectives, a shared-responsibility model, a vendor-assessment instrument, and a third-party assurance route.
  2. The “why now” is real and dated.In April 2026 Anthropic disclosed Claude Mythos Preview — a model that autonomously found 10,000+ high/critical vulnerabilities including a 27-year-old OpenBSD flaw — and launched the defensive coalition Project Glasswing. Cybersecurity stocks sold off sharply (CrowdStrike, Palo Alto, Cloudflare). This is the clearest signal yet that defense must be encoded and operated at machine speed.
  3. Build, not buy, is defensible.MIT Project NANDA’s “The GenAI Divide: State of AI in Business 2025” (July 2025; lead author Aditya Challapally; based on 300+ public deployments, 52 interviews, 153 leader surveys) found that “just 5% of integrated AI pilots are extracting millions in value, while the vast majority remain stuck with no measurable P&L impact”; the differentiator was workflow integration, not model quality. SOC burnout sits at 71% (Tines “Voice of the SOC Analyst” survey of 468 US SOC analysts). The 2025 ISC2 Cybersecurity Workforce Study found skills, not headcount, is now the binding constraint. The CoE’s job is to convert scarce senior judgment into governed, reusable, auditable capability.

Module 1: Charter & Mandate

Purpose.The charter is the CoE’s constitutional document. It converts an executive mandate into durable authority, scope, and decision rights. Keep it to 2-3 pages; it should survive reorgs and leadership changes.

Recommended charter sections (lift directly into a slide):

  1. Mission statement — one sentence. Sample:“The AI Security & Safety CoE exists to make the secure adoption of AI and the AI-enabled defense of the enterprise the same act — encoding senior security judgment into governed, reusable capabilities and ensuring every AI system we build, buy, or operate is trustworthy by design.”
  2. Scope (in / out). In: AI security architecture, AI threat modeling, MLSecOps/AI-SPM standards, AI red-teaming, the skill substrate, AICM control ownership, AI vendor risk, responsible-AI guardrails. Out (federated to spokes): day-to-day SOC operations, business-unit model development, enterprise IAM platform operation.
  3. Authority & decision rights. What the CoE can mandate (standards, the AICM control baseline, gate approvals for autonomous AI actions), what it advises on, and what it delegates.
  4. Owns vs. federates. Explicit RACI anchor (see Module 3).
  5. Operating model. Hub-and-spoke with embedded champions.
  6. Success criteria & metrics. Tied to Module 9.
  7. Governance & escalation. Link to the AI Governance Board (Module 12).
  8. Review cadence. Quarterly charter review; annual re-ratification by the CSO/CISO.

Hub-and-spoke / federated model.The hub (CoE) owns standards, the control baseline, shared tooling/skills, and assurance. Spokes (the eight infosec functions — Identity, Network & Infrastructure, Endpoint & Workload, Application & DevSecAIOps, Data, Cloud & Container, Security Operations, and Governance, Risk & Assurance — plus embedded champions in Legal/Privacy and Data Science) own execution within hub-defined guardrails. Microsoft’s Cloud Adoption Framework and Gartner both recommend mature AI organizations run advisory/standard-setting hubs while frontline teams own delivery; Dataiku found firms that scale AI are far more likely to use hub-and-spoke than any other structure.

Framing the mandate to leadership.Anchor on three things the board already cares about: (a) regulatory exposure (EU AI Act high-risk obligations live Aug 2, 2026; SEC cyber disclosure); (b) the 2026 threat inflection; (c) the failure rate of ungoverned AI adoption (MIT’s 95%-no-measurable-impact finding). Position the CoE as the mechanism that converts AI from a liability into a defensible, audited capability.

Module 2: The Strategic Case (“Build, Not Buy”)

Thesis: AI security is not a product you can purchase; it is encoded, governed, reusable judgment. The enterprise must build it.

Why tools alone fail.AI-SPM, guardrail, and red-team tools are necessary but insufficient. MIT Project NANDA (2025) found that just 5% of integrated GenAI pilots extracted measurable value — and the cause was integration, brittle workflows, and lack of contextual learning, not model quality. A tool with no encoded judgment behind it just “delivers noise faster” (ThreatConnect’s phrasing on bad SOC automation).

Why hiring alone fails. The 2025 ISC2 Cybersecurity Workforce Study (16,029 respondents, December 2025) found the binding constraint has shifted from headcount to skills: “95% of respondents reported at least one skills gap within their teams, and 59% described those gaps as critical or significant, compared with 44% in 2024.” AI was the #1 rising technical skill demand, ahead of cloud security. ISC2 stopped publishing a workforce-gap headcount number entirely, stating respondents consistently emphasized skills over size. You cannot hire your way out fast enough, and the senior people who have the judgment are the bottleneck. The defensible move is to encode that judgment once and execute it many times.

Why centralized-but-federated wins. A pure central team bottlenecks; a pure federated model fragments standards. Hub-and-spoke captures the compounding effect of shared infrastructure, consistent governance, and institutional learning while letting spokes move fast. IBM research found centralized/hub-and-spoke AI operating models achieve materially higher ROI than decentralized ones (cited at ~36% higher).

The Mythos corollary. When AI can find and chain zero-days autonomously, the only scalable defense is defense that also runs at machine speed under human governance. That is precisely what a skill-library CoE produces.

Module 3: Operating Model & Org Design

Three archetypes (decision criteria):

  • Centralized: strongest governance/standardization; bottlenecks at scale. Use early, or where compliance dominates.
  • Federated/decentralized: fastest local innovation; weak standards, duplication. Use only with strong alignment mechanisms.
  • Hub-and-spoke (recommended for Fortune-100): hub sets standards/baseline/skills; spokes execute. Balances scale, control, expertise, and local responsiveness.

CoE roles & responsibilities (roles only — no headcount):

  • CoE Lead— owns charter, mandate, board relationship, portfolio.
  • AI Security Architect(s)— reference architectures, AICM control design, AI-by-design patterns.
  • Governance / Policy Owner— AI security policy/standards, AICM baseline, regulatory alignment.
  • AI Red Team / AI Pentest Lead— adversarial testing mapped to MITRE ATLAS & OWASP LLM Top 10.
  • MLSecOps / AI-SPM Engineer(s)— pipeline security, model integrity, runtime monitoring, AI inventory.
  • AI Threat Intelligence Lead— AI-specific TTP tracking (ATLAS), emerging model-risk intel.
  • Model Risk Lead— model validation, drift, model risk management lifecycle.
  • Privacy / Legal Liaison (embedded)— DSP controls, EU AI Act, FRIA/DPIA.
  • Data Science / ML Liaison (embedded)— bridges to model builders.
  • Skill Substrate Owner— authoring standards, version control, change control for skills.

RACI (CoE × functions):

ActivityCoE (Hub)Sec EngSOCSec ServicesEmerging TechLegal/PrivacyData Sci/MLBUs
AI security standards & AICM baselineA/RCCCCCCI
Skill authoring & approvalA/RCCCCICI
SOC AI workflow executionCIA/RCIIII
AI red-team / ATLAS testingA/RCCRCICI
AI vendor risk (AI-CAIQ)A/RCICCCCC
Autonomy gate approvalACRCCCCI
Model risk validationCIIICCA/RI
Regulatory alignment (EU AI Act/SEC)RIIIIA/RCC

Spoke / embedded-champion model. Each function nominates an AI Security Champion who (a) carries hub standards into the function, (b) feeds local use cases and friction back to the hub, and (c) owns local skill adoption. Champions are dotted-line to the CoE Lead.

Module 4: CSA AICM Control Architecture

The 18 AICM domains (memorize the codes):

  1. A&A— Audit & Assurance
  2. AIS— Application & Interface Security (incl. AIS-11 Agents Security Boundaries, AIS-13 AI Sandboxing, AIS-14 AI Cache Protection, AIS-15 Prompt Differentiation)
  3. BCR— Business Continuity Management & Operational Resilience
  4. CCC— Change Control & Configuration Management
  5. CEK— Cryptography, Encryption & Key Management
  6. DCS— Datacenter Security
  7. DSP— Data Security & Privacy Lifecycle Management
  8. GRC— Governance, Risk & Compliance
  9. HRS— Human Resources
  10. IAM— Identity & Access Management
  11. IPY— Interoperability & Portability
  12. IVS— Infrastructure & Virtualization Security
  13. LOG— Logging & Monitoring
  14. MDS— Model Security (the flagship new AI domain)
  15. SEF— Security Incident Management, E-Discovery & Cloud Forensics
  16. STA— Supply Chain Management, Transparency & Accountability
  17. TVM— Threat & Vulnerability Management
  18. UEM— Universal Endpoint Management

Control composition: Of the 247control objectives, 37 are AI-specific, 183 overlap with cloud controls, and 22 are cloud-only (per Coalfire’s analysis of the AICM). This means roughly 85% of AICM leverages your existing cloud-security muscle — the build is largely extension, not greenfield.

The five pillars (lenses) on every control:

  1. Control Type— AI-specific / hybrid AI-cloud / cloud-only.
  2. Control Applicability & Ownership— via the Shared Security Responsibility Model (SSRM) across the AI actor roles.
  3. Architectural Relevance— physical, network, compute, storage, application, data.
  4. (LLM) Lifecycle Relevance— data preparation → development → validation → deployment → delivery → retirement.
  5. Threat Category— model manipulation/theft, data poisoning, sensitive data exposure, supply-chain, DoS, etc.

AI service-provider roles (SSRM): Cloud Service Provider (CSP), Model Provider (MP), Orchestrated Service Provider (OSP), Application Provider (AP), and AI Customer/User. The CoE must classify each enterprise AI system by which role the enterprise plays for it (e.g., you are an AI Customer of OpenAI but an Application Provider of your internal copilot), then apply the role-specific implementation guidance (CSA publishes separate implementation/auditing guideline versions per role).

Operationalizing AICM in GRC: (1) Download AICM + AI-CAIQ; (2) build an AI system inventory and classify by SSRM role; (3) run AI-CAIQ self-assessment across all 18 domains; (4) produce a risk-prioritized gap remediation plan; (5) embed AICM controls into procurement/vendor contracts; (6) continuous monitoring; (7) pursue STAR for AI.

AI-CAIQ self-assessment workflow:Control specification → self-assessment question(s) → ownership assignment → evidence/documentation → gap rating. Use it both internally and as the vendor due-diligence instrument.

STAR for AI path: (1) sign the AI Trustworthy Pledge; (2) implement AICM; (3) STAR for AI Level 1 = publish AI-CAIQ self-assessment to the STAR Registry (Valid-AI-ted is an automated scoring enhancement); STAR for AI Level 2 / STAR for AI 42001 (live since Nov 20, 2025) = ISO/IEC 42001 certification + a Valid-AI-ted AI-CAIQ. (Zendesk was the first organization worldwide to submit both precursor components.)

Cross-walk — frameworks that map INTO AICM:

  • NIST AI RMF 1.0(Govern / Map / Measure / Manage; ~72 subcategories) → mapped via NIST AI 600-1; AICM gives the concrete controls behind RMF outcomes. Govern is the cross-cutting layer.
  • ISO/IEC 42001 & 27001/27002→ CSA published the official AICM↔42001 mapping (Aug 2025); AICM provides the actionable controls behind 42001’s management-system clauses.
  • BSI AIC4→ mapped in the AICM bundle.
  • NIST AI 600-1 (GenAI Profile)→ mapped in the bundle.
  • EU AI Act→ mapping/reverse-mapping; AICM bridges high-risk obligations to technical controls.
  • MITRE ATLAS→ maps into the AICM Threat Category pillar and the MDS/TVM domains (16 tactics / 80+ techniques as of late 2025 per the official ATLAS changelog).
  • OWASP LLM Top 10 (2025)→ maps into AIS, MDS, DSP. The 2025 list: LLM01 Prompt Injection, LLM02 Sensitive Information Disclosure, LLM03 Supply Chain, LLM04 Data & Model Poisoning, LLM05 Improper Output Handling, LLM06 Excessive Agency, LLM07 System Prompt Leakage, LLM08 Vector & Embedding Weaknesses, LLM09 Misinformation, LLM10 Unbounded Consumption. (Prompt injection LLM01 → AIS-15 Prompt Differentiation, etc.)
  • MITRE ATT&CK→ traditional TTPs complement ATLAS for the conventional layers of the stack.

Module 5: Maturity Model

Use a 5-level ladder. The CSA’s own AI Maturity Model for Cybersecurity (Jan 2026, developed with Darktrace) and AI Security Maturity Model (AISMM) — which aligns directly to AICM and uses five CMM-aligned levels — are the published references. Note: the AISMM is explicitly about the security program, not individual projects (project-level assessment is what AICM + AI-CAIQ are for).

LevelNameWhat it looks like
L1Initial / ReactiveNo AI inventory; ad-hoc prompt filtering; security reacts post-incident; no AI governance policy.
L2RepeatableAI asset inventory exists; policies written; red-teaming at least quarterly; human approval required before any autonomous action.
L3DefinedAICM baseline adopted; AI-CAIQ run across domains; skills authored & versioned; embedded champions active; ATLAS-based threat modeling standard.
L4Capable / ManagedFull AI-SPM stack; continuous automated red-teaming; outcome metrics tracked; bounded autonomy with audit trails; STAR for AI L1 achieved.
L5Efficient / Self-improvingSkills self-improve via feedback loops; machine-speed defense under human-on-the-loop governance; STAR for AI L2/42001; control coverage continuously assured.

Assess current state via AI-CAIQ + a per-domain L1-L5 scoring. Pace adoption by closing the largest control-coverage gaps first and gating autonomy expansion on demonstrated L4 controls.

Module 6: AI-by-Design / Human-AI Division of Labor

Operating principle: Adopting AI and securing it are the same act. Every AI capability the CoE ships is simultaneously a security control and a governed object.

What the AI does (machine-speed, mechanical, repeatable): tier-one alert triage, enrichment, correlation, drafting (reports, summaries), threat hunting at scale, deduplication, evidence collection. These map to high-volume, well-understood, measurable, reversible work.

What humans own (judgment, accountability): exceptions, the novel and consequential, final decisions on high-impact/irreversible actions, accountability for outcomes, and — critically — deciding where autonomy ends.

Governing agentic AI in security operations. Use the explicit oversight spectrum:

  • Human-in-the-loop (HITL)— AI proposes, human approves before execution. For high-risk/irreversible actions (account disablement at scale, containment across the stack, financial impact).
  • Human-on-the-loop (HOTL)— AI acts autonomously, human monitors and can intervene. For medium-risk, reversible actions.
  • Bounded autonomy— clear operational limits, blast-radius caps, rate limits, mandatory reversibility/rollback, escalation paths, and full audit logging.

Non-negotiable guardrails before any autonomous execution: every action must be reversible(isolate↔un-isolate, disable↔re-enable, push-rule↔revert), identity-enforced, time-boxed, and logged. The 2026 consensus (Torq, Security Boulevard, McKinsey) is “don’t jump from AI-summarizes to AI-executes-containment” — climb the trust ladder incrementally.

Module 7: Threat Landscape & Why Now

The 2026 inflection.In late March 2026 the existence of Anthropic’s most capable model leaked via an unsecured database (Fortune broke the story); on April 7, 2026 Anthropic formally announced Claude Mythos Preview and Project Glasswing, a defensive coalition with launch partners AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks (plus ~40 more organizations) and $100M in usage credits. By a May 26, 2026 update, Mythos had identified 10,000+ high/critical vulnerabilities, including a 27-year-old OpenBSD flaw and a 17-year-old FreeBSD RCE (triaged as CVE-2026-4747) that it found and exploited fully autonomously. Mythos scored 83.1% on the CyberGym benchmark vs. Claude Opus 4.6’s 66.6%.

Market reaction.Cybersecurity stocks sold off hard: on April 10, 2026, Cloudflare fell ~13-14%, CrowdStrike ~7-11%, Palo Alto ~6-7%; the S&P 500 Software & Services index fell 2.6% on April 9. The fear: “if AI can find serious vulnerabilities faster than human experts, what are cybersecurity companies selling?” Analyst counterpoint (JPMorgan reiterated Overweight on CRWD and PANW within 24 hours; RBC called Glasswing “most positive” for both) framed partners as essential layers, not roadkill — but the dislocation made the urgency unmistakable. Notably, Treasury Secretary Bessent and Fed Chair Powell reportedly held an emergency meeting with major-bank CEOs about Mythos’s systemic risk.

The widening attack surface. Every agent, copilot, and integration is new attack surface. The CrowdStrike 2026 Global Threat Report(Feb 24, 2026) found “AI-enabled adversaries increased operations by 89% year-over-year”; the average eCrime breakout time fell to 29 minutes (fastest observed 27 seconds), 82% of detections were malware-free, and 42% of vulnerabilities were exploited before public disclosure. Wiz’s “State of AI in the Cloud 2026” found 90% of organizations now run self-hosted AI models and 57% deploy self-hosted AI agents, creating “new, often overprivileged control planes that attackers can exploit to move laterally.” Gartner predicts (Aug 26, 2025 press release) that “forty percent of enterprise applications will be integrated with task-specific AI agents by the end of 2026, up from less than 5% today.” Prompt injection (OWASP LLM01:2025) remains the #1 LLM risk; data exfiltration via AI, excessive agency (LLM06), and system-prompt leakage (LLM07) compound it.

The adoption-without-governance gap.MIT NANDA: 95% of GenAI pilots delivered no measurable return. SOC analyst burnout sits at 71% (Tines “Voice of the SOC Analyst,” 468 US analysts), with 69% reporting understaffed teams and 64% likely to switch jobs within a year. These are precisely the conditions the CoE exists to fix.

Note on caution.Some researchers (Bruce Schneier; the AISLE research group) noted smaller open models could replicate some Mythos findings and that Anthropic’s announcement was partly a PR play (it coincided with a major revenue milestone and reported IPO speculation). Present Mythos as a directionally valid watershed, not as settled fact on exact capability margins.

Module 8: Rollout & Sequencing

Start in the SOC.The before/after contrast is sharpest, the work is high-volume and measurable, and burnout makes the case self-evident. Phishing/alert triage is the canonical first workflow — high volume, well-understood, easy to measure, reversible.

Phase plan (milestones, not budgets/headcount):

  • 0-30 days:Stand up charter & board; download AICM/AI-CAIQ; build AI system inventory and SSRM-classify; baseline the chosen SOC workflow (measure before, honestly — current MTTR, triage time, false-positive rate).
  • 31-60 days: Author the first 2-3 skills for the pilot workflow with explicit autonomy boundaries (HITL); deploy with full audit logging; run AI-CAIQ on pilot scope.
  • 61-90 days: Measure after against baseline; report the real number including any early productivity dip; pass a governance gate before expanding autonomy (HITL→HOTL where reversible).
  • ~6 months: Expand to a second function; STAR for AI L1 readiness; publish control-coverage dashboard against AICM domains.
  • ~12 months: Multi-function skill catalog; L4 maturity in pilot function; STAR for AI L1 achieved; agentic guardrails standardized.

Governance gates between phases: control coverage met, reversibility proven, audit trail complete, metrics validated. Measure honestly: baseline before, measure after, report the real number — early dips are expected and credible, and reporting them builds trust.

Module 9: Measurement & KPIs

Leading indicators:# skills authored/approved; AICM control coverage %; # AI systems inventoried & SSRM-classified; red-team cadence; champion coverage across functions.

Lagging / outcome indicators: tier-one triage time compression; mean-time-to-respond (MTTR); proactive threat-hunting time; false-positive rate; analyst retention/burnout score.

Capability/maturity metrics: per-domain L1-L5 score; STAR for AI level achieved.

Control-coverage metrics: % of 247 control objectives implemented, by domain; gap-closure velocity.

Avoid vanity metrics: raw alert counts, “AI adoption %,” number of tools deployed. Real before/after figures must come from measured pilots, not assumed— any illustrative number in a pitch deck must be explicitly labeled as illustrative.

Module 10: Stakeholder-Specific Value Propositions

  • CSO/CISOCares about: board-defensible risk posture, regulatory exposure (EU AI Act, SEC), no surprises. Gives them: a single AICM-anchored control story, audited autonomy, STAR for AI assurance. Asks of them: mandate, charter ratification, decision-rights backing.
  • Application & DevSecAIOps SecurityCares about: reference architectures, not reinventing controls. Gives: AI-by-design patterns, model-build assurance, AICM baseline. Asks: embed a champion, adopt standards.
  • Security Governance, Risk & AssuranceCares about: service delivery quality, repeatability, audit-readiness. Gives: packaged GRC + audit skills, supply-chain assurance playbook. Asks: co-deliver assurance, feed back demand.
  • Security Operations (SOC)Cares about: alert volume, burnout, MTTR. Gives: triage/enrichment/hunt skills, measurable time compression. Asks: pilot the first workflow, baseline honestly.
  • Identity / Network / Endpoint / Data / Cloud functionsCares about: getting an AI-fitted playbook for their estate. Gives: per-function AICM ownership map, planned v2 instrument with AISMM diagnostic. Asks: early adopters to help author the per-function diagnostic content shipping in v2.
  • Emerging TechnologyCares about: shipping AI fast. Gives: guardrails that accelerate (governance-as-enabler), sandboxing, agent boundaries. Asks: route new AI through CoE intake.
  • Legal/PrivacyCares about: EU AI Act, DPIA/FRIA, disclosure. Gives: AICM↔regulation crosswalk, AI-CAIQ evidence. Asks: embedded liaison, policy co-ownership.
  • Data Science/MLCares about: model velocity, not bureaucracy. Gives: MLSecOps, model-risk validation, integrity checks. Asks: liaison, adopt the model-risk lifecycle.

Module 11: Service / Skill-Library Mapping

What a “skill” is: an encoded unit of senior security judgment with five attributes — (1) trigger (what invokes it), (2) encoded judgment (the senior logic), (3) what the AI executes (the mechanical action), (4) where autonomy ends (HITL/HOTL boundary), (5) the AICM control it satisfies.

Sample skill record:

Skill: Phishing triage & enrichment. Trigger: new user-reported email alert. Encoded judgment: senior analyst’s URL/sender/attachment heuristics. AI executes: enrich, correlate, auto-close known-benign, draft case summary. Autonomy ends: human approves any mailbox-wide purge (HITL). AICM control:SEF (incident management), LOG (monitoring), TVM (threat & vuln).

Mapping to AICM & catalog:Every skill is tagged to one or more of the 18 domains; the CoE service catalog is then organized by domain (or by function-facing service line: Detection & Triage, Threat Hunting, AI Red-Team, Vendor AI Risk, Model Risk, Guardrail Engineering). This lets you map your existing skill library directly onto AICM coverage and expose gaps — a skill with no AICM tag is either out of scope or a coverage hole.

Packaging to functions: publish the catalog as consumable services with SLAs, inputs/outputs, autonomy level, and the control(s) satisfied — so a spoke can “order” a skill the way it orders a platform service.

Module 12: Governance, Risk & Responsible-AI

AI Governance Board.Cross-functional (security, legal/privacy, data science, business, risk). Owns: high-risk use-case approval, risk appetite, autonomy-expansion sign-off, policy ratification. Mirror NIST AI RMF’s Govern function as the cross-cutting layer that informs Map/Measure/Manage.

Policy/standard ownership: CoE owns AI security policy and the AICM baseline; Legal owns regulatory interpretation; Data Science owns model-development standards within the baseline.

Model risk management: validation, drift monitoring, model cards, evaluation harnesses, retirement.

Third-party / vendor AI risk: use AI-CAIQ as the standardized vendor questionnaire; require AICM-aligned contract clauses; continuous vendor monitoring; prefer STAR for AI-registered vendors.

Responsible-AI / safety guardrails: transparency, fairness, explainability, safety; map to AICM GRC and Supply Chain/Transparency/Accountability (STA) controls.

Change control for the skill substrate (critical and novel): Treat skills as governed code. Define who can author, edit, approve, and retire a skill; require version control, peer review, and an audit trail for every change. A skill that encodes judgment and executes autonomously is a control object — changing it changes your security posture, so it needs CCC-grade change management.

Regulatory alignment:

  • EU AI Act: high-risk obligations apply Aug 2, 2026 (risk management, data governance, logging, human oversight, conformity assessment, registration); GPAI obligations live since Aug 2, 2025; penalties up to €35M / 7% global turnover (high-risk non-compliance up to €15M / 3%). Note the Digital Omnibus proposal (political agreement May 7, 2026) could shift the Annex III high-risk date toward Dec 2027 — plan for Aug 2026 as the binding default.
  • SEC cyber disclosure: material incidents on Form 8-K Item 1.05 within four business days of materiality determination (“substantial likelihood a reasonable shareholder would consider it important”); immaterial incidents disclosed under Item 8.01 per the SEC’s May 2024 Corp Fin guidance; annual governance/risk-management disclosure in Form 10-K.
  • Sector regulators: map via the AICM crosswalk into existing obligations.

Recommendations

  1. Ratify the charter first(Module 1) and lock decision rights before building anything — authority is the scarcest asset, and a CoE without clear decision rights becomes an advisory body that spokes can ignore.
  2. Adopt AICM as the master spine now (Module 4): download AICM/AI-CAIQ, inventory and SSRM-classify AI systems, run a baseline AI-CAIQ across all 18 domains within the first 30 days. Because ~85% of AICM controls extend existing cloud controls, this is faster than it looks.
  3. Pilot in the SOC on one workflow (Module 8), baseline honestly, and gate autonomy expansion on demonstrated reversibility and audit completeness. Phishing/alert triage first.
  4. Encode skills as governed objects(Modules 11-12) with version control and change approval from day one — this is the build-not-buy moat and the thing a competitor or a vendor tool cannot replicate.
  5. Pursue STAR for AI Level 1 as the first external proof point (publish an AI-CAIQ to the STAR Registry); target Level 2 / STAR for AI 42001 as the maturity north star.

Thresholds that change the plan:

  • If pilot before/after metrics don’t beat baseline after one full measurement cycle, hold autonomy expansion and re-author the skill rather than scaling a workflow that isn’t working.
  • If EU AI Act high-risk classification applies to any enterprise AI system, escalate it to the Governance Board ahead of the Aug 2026 deadline regardless of where it sits on the CoE roadmap.
  • If a skill’s autonomous action is not cleanly reversible, keep it at HITL until rollback is engineered — reversibility is the precondition for autonomy, not an afterthought.

Caveats

  • Mythos/Glasswing: treat as a directionally valid watershed, not settled capability fact; some researchers (Schneier, AISLE) flagged PR framing and partial replicability by smaller open models. The urgency is real; the exact capability margin is contested.
  • MIT’s 95% figure: widely cited but based on a narrow success definition (P&L impact within ~6 months) and a small interview base (~52 interviews) — use as directional evidence of integration risk, not a precise law. Critics note it ignores efficiency and cost-reduction gains.
  • SOC burnout 71%: from a vendor-sponsored survey (Tines, 468 analysts); cross-study figures range from 47% (Bitsight) to 84% (some SANS-cited research). The direction is robust; the precise percentage varies by source.
  • Wiz AI-adoption figures: derived from infrastructure detection within Wiz’s own cloud-security customer base (skews toward larger, security-mature organizations); Wiz itself states the 2026 figures “should be interpreted as lower-bound estimates.”
  • Statistics labeled illustrative vs. measured: any before/after productivity figure you put in a pitch must come from your own measured pilot, not borrowed numbers. Borrowed numbers are for the “why now” case; your numbers are for the “it works here” case.
  • EU AI Act dates: subject to the Digital Omnibus amendments still in flux as of May 2026; verify the current high-risk effective date before relying on it in a board deck.

← Newer essay

Operating the Platform: A Leverage Guide

Older essay →

Why Most AI Security Pilots Don't Survive Production

← Back to Insights

Subscribe for the next essay.