Over 70 cybersecurity organizations have signed a new charter, vowing a responsible use of AI for cybersecurity purposes.
The AI Charter, launched by cyber industry body CREST on July 9, is built around nine principles for AI-enabled cybersecurity activities that were initially revealed in March:
- Accountability and governance
- Transparency of use
- Documentation and auditability
- Boundaries and control
- Data handling, sovereignty and client control
- Security and confidentiality
- Secure development of AI tooling
- Supply chain assurance
- Resilience and business continuity
CREST’s Principles for AI-Enabled Cybersecurity
First, the signatories made a commitment to accountability, governance and transparency. Under these foundational principles, signatory firms must clearly define the scope and purpose of all AI-enabled activities while rigorously assessing how they affect service delivery, client outcomes, data handling and operational risks. Governance and testing controls must remain proportional to the scale of AI deployment.
Furthermore, firms pledge to maintain absolute transparency, informing clients whenever AI is used in their tools or methodologies and clearly explain the associated benefits, limitations and risks.
To maintain trust and operational integrity, the charter emphasizes documentation, auditability, human oversight and strict data sovereignty. Signatories commit to keeping traceable, reviewable records of their AI utilization, alongside validation and quality assurance processes, to ensure compliance audits are fully supported.
While AI tools may operate with various levels of autonomy, the charter mandates that qualified personnel must maintain final oversight, retaining the power to intervene, review outputs and challenge decisions.
Additionally, data handling is strictly governed: firms must clearly disclose whether client data will be used to train models or be transferred across jurisdictions, ensuring all data usage aligns perfectly with agreed legal, regulatory and contractual commitments.
The remaining pillars of the charter focus on securing the technology itself and building long-term operational resilience. Firms are required to safeguard client prompts, outputs, and AI-generated assets through robust security and confidentiality controls, while adhering to secure development and integration practices throughout the entire lifecycle of their AI tools.
This security mindset extends to the supply chain, requiring signatories to identify and manage the risks of any third-party AI dependencies.
Finally, to ensure business continuity, firms must proactively plan for potential AI failures, establish practical fallback arrangements and remain completely transparent with clients regarding how system disruptions could impact service levels and recovery expectations.
Over 70 Signatories to the CREST AI Charter
To develop these principles, CREST reviewed existing frameworks on AI use for cybersecurity purposes, with contributions from its members, feedback from industry leaders during the CRESTCon Leaders Days and other events and validation from the organization’s technical committee.
A key deciding factor for the selected principles was defining “what sets AI-driven cyber services apart from traditional ones,” a CREST spokesperson told Infosecurity.
To further back the launch, CREST said it recently found that 69% of cybersecurity providers are now using AI in daily service delivery and 76% say that use has grown in the past year.
The 73 founding signatories of the CREST AI Charter represent 10% of the body’s members, spanning Europe, North America, the Middle East and Asia-Pacific.
They include firms across many cybersecurity domains, including penetration testing, vulnerability assessment, incident response, security operations and threat intelligence.
Critical Need for AI Cybersecurity Standards
The AI Charter is “just the start,” Nick Benson, CEO of CREST, told Infosecurity. “We expect this to have a snowball effect whereby organizations, governments and providers also adopt these common principles.”
CREST described its model as “one of self-regulation, aimed at enabling a functioning, successful market” and hopes the AI Charter can make “regulation less necessary and the compliance burden lighter.
Nevertheless, Benson said it is “absolutely critical that we move rapidly beyond the principles to establish thorough standards that can be independently assessed against.”
Additionally, he added that the industry body would “welcome regulators supporting and signposting these principles.”
“Aligning national standards to the CREST ones will promote harmonization, cross-border interoperability and minimize frictional costs for both buyers and vendors,” he Benson concluded.
Read now: UK Government Launches Cyber Resilience Pledge, Claiming 60+ Signatories