AI Security: Empowering Leaders with a Robust AI Framework
Empower cybersecurity with KPMG's AI Security framework. Enhance protection and responsible AI adoption using trusted strategies and robust governance.

How CISOs Can Enhance Cybersecurity with a Trusted Framework for Responsible AI Adoption
CISOs face an increasingly complex challenge: protecting their organizations from the proliferation of artificial intelligence (AI) across various functions and processes. From product development and customer experience to data integrity and cyber threat management, the risks associated with AI are continually evolving.
CISOs are tasked with ensuring that this fascinating technology is both effective and trustworthy. Even in very risk-averse organizations, supporting AI adoption is essential to keep pace with competitors and align with overall business strategy.
Broad AI Use Cases, Emerging Challenges, and the Growing Need for AI Trust
One of the common hurdles CISOs face is the lack of sufficient headcount and skilled resources. This shortage complicates the assessment and mitigation of risks associated with AI deployments. Additionally, there is the issue of shadow AI—AI systems implemented without proper governance, documentation, or cybersecurity measures. These often well-intentioned AI initiatives can operate outside established security protocols, introducing unintended vulnerabilities.
Without a structured approach to risk assessment and mitigation, organizations are left in a reactive mode, exposed to potential threats. CISOs should proactively engage in AI governance programs to gain insight into risks and compliance requirements, ensuring they can take ownership of the corresponding controls. By understanding where and how AI is being used and recognizing the threats it poses to network and data security, CISOs can effectively guide the development of appropriate controls.
CISOs Need to Start with a Secure and Trusted AI Framework
To address these challenges, CISOs need a robust AI security framework. This framework should prioritize several key focus areas to effectively manage and integrate AI technologies into organizational processes. These areas include:
1 | AI Alignment
CISOs need to understand what they are responsible for and ensure the organization's overall AI strategy aligns with security objectives. This includes identifying AI-related security gaps and building and maintaining trust in AI systems by shifting focus from traditional security measures to encompassing the broader implications of AI.
2 | Visibility into AI Use Cases
CISOs must be, or become, key members of AI oversight. It’s imperative that they maintain visibility into the range of AI business cases across the organization, each with unique risks and requirements. This visibility is crucial for creating tailored procedures, controls, and ongoing testing, ensuring each AI business case is addressed appropriately.
3 | Understanding Underlying Technologies
A deep understanding of the technologies and their implementations is necessary. This includes evaluating and prioritizing AI projects based on potential risks and benefits, ensuring a structured AI intake process.
4 | AI Governance and Policies
Establishing detailed AI policies and procedures is critical. This includes specific guidelines and guardrails for cybersecurity, acceptable use, and compliance with relevant regulations, ensuring all AI initiatives operate within a defined and secure framework.
5 | AI Inventory Management
Maintaining a detailed inventory of all AI models and systems within the organization is necessary. Understanding the scope of AI usage, the data involved, and associated security measures leads to better control and management.
6 | Stakeholder Collaboration and Training
Collaboration between various stakeholders, including data scientists, privacy officers, and legal teams, is essential. Providing ongoing training and development resources can help manage AI-related risks effectively.
7 | Continuous Monitoring and Reporting
An ongoing system of monitoring and reporting is vital to confirm that AI models adhere to the trusted AI framework. Regular assessments and validations are necessary to detect and address vulnerabilities promptly.
8 | Adversarial Testing and Resilience Building
Conducting adversarial model testing to simulate potential attacks and identify weak points in AI systems is key. Regularly updating threat models will help address emerging risks and enhance the resilience of AI systems.
9 | Future Proofing AI Governance
Staying proactive in understanding and anticipating the direction of AI governance is crucial. Operationalizing governance structures and maintaining ongoing monitoring and adaptation to emerging threats help to keep AI initiatives secure and aligned with evolving business needs.
10 | System Cards
Introducing AI system cards can provide a transparent way to manage information about AI systems, including trust scores for various pillars such as security and fairness. This helps in communication and control application.
11 | Rethinking AI Work Approaches
Reevaluation of work processes in the context of AI capabilities is essential. Automation of tasks such as threat detection and response, adversarial model testing, and ongoing reporting can bring efficiencies and help free up resources for more strategic initiatives.
A robust AI security framework enables CISOs to map controls to specific AI risks, ensuring that the right guardrails are in place. Close collaboration with organizational stakeholders, including IT security leaders, the Chief Risk Officer, legal, corporate communications, business leads, and employees, is essential. AI governance must account for security, privacy, and ethics.
Client Story: Transforming AI Governance – KPMG Customized Approach for a State Medicaid Agency
KPMG LLP (KPMG) assisted a leading state Medicaid agency in designing a robust AI governance framework. This initiative involved assessing the current governance structures, defining a strategy to enhance them to meet the unique needs of AI, and developing a plan for operationalization. The primary objective was to enable the agency to be a first-mover in technology innovation while adopting a risk-based approach.
Unlocking AI’s Potential
Leadership at the agency sought assistance from KPMG to establish their approach to AI governance, including developing core principles, assessing policies and AI usage guidelines, and prioritizing AI use cases based on risk. The new approach proposed by KPMG helped the agency prioritize impactful AI initiatives, leading to the establishment of:
- A GenAI governance committee that includes the CISO and CIO, with core principles for trusted AI development.
- Detailed AI policies and procedures, including a robust AI intake process, establishing new guardrails in cybersecurity and acceptable use.
- A tailored AI security framework, based on National Institute of Standards and Technology guidelines, to meet the agency’s specific requirements.
- Organizational change management supported by robust learning and development resources.
The agency is now ready and better equipped to face what the future of AI brings.
Connecting the Dots: AI Threat Matrix
An AI threat matrix helps link AI business cases with potential network vulnerabilities and cybersecurity threats. This proactive approach enables CISOs to identify and prioritize risks, such as adversarial threats, deepfakes, and data breaches.
CISOs must develop a risk-tiered approach, allocating resources and attention based on the criticality and potential impact of AI initiatives. Understanding data models and architectures underpinning AI systems is crucial for determining security and reliability.
When a new AI use case arises, a well-defined AI security framework demonstrates the CISO's preparedness and commitment to responsible AI adoption. Effective communication with business leaders and collaboration with data scientists, privacy officers, and other key players is essential to help ensure AI development and deployment are secure, ethical, and compliant.
Dive into our thinking:
Enhancing Security Operations with AI: KPMG and Microsoft Security Copilot
KPMG and Microsoft are helping organizations harness the power of Microsoft Security Copilot—an AI-powered security solution generating insights from applications across Microsoft’s security stack. This phased deployment approach helps integrate AI capabilities throughout SOC workflows, driving efficiency and effectiveness. Our long-standing alliance with Microsoft and our Trusted AI framework allows us to customize solutions that help to meet each organization’s needs, delivering measurable value.
AI Governance: Elevating CISOs to Valued Business Partners
AI governance presents a unique opportunity for CISOs to shift from a back-office function to becoming essential business partners. By anticipating and addressing potential risks before they become issues, CISOs can add significant value to AI initiatives.
The KPMG Trusted AI Framework: Going Further
The KPMG Trusted AI Framework offers a detailed approach to maintaining the trustworthiness and security of AI systems by emphasizing robust measures across multiple domains. This AI-centric framework provides a thorough set of criteria for evaluating AI, guiding organizations in implementing specific controls to help mitigate potential risks and vulnerabilities.
By establishing a strong foundation for AI governance and risk management, similar to the structure of the KPMG Trusted AI Framework, organizations can effectively leverage the transformative power of AI technologies while maintaining the highest standards of security, privacy, and ethics. This alignment ensures that AI initiatives are consistently managed within a secure and governed environment, enhancing resilience and fostering trust in the deployment and use of AI systems.
Balancing AI Adoption with Secure AI Deployment
Organizations are under pressure to quickly operationalize AI use cases, but security must not hinder AI adoption, as this could affect revenue and competitive advantage. CISOs play a crucial role in balancing business urgency with secure AI deployment, making their involvement in governance essential.
By gaining a deep understanding of AI technology, CISOs can identify where existing security measures can be enhanced to meet AI-specific control needs. For instance, expanding traditional application security testing to include adversarial AI model testing requires knowledge of the differences between deterministic applications and AI models.
CISOs should also assess their technology stack to pinpoint existing investments that can be leveraged for AI, thereby maximizing current resources. This approach allows them to focus new investments on genuine gaps, ultimately reducing the threat landscape.
To be effective, CISOs must comprehend the underlying technology and its implementation. This necessitates a strategic approach to identifying, addressing, and prioritizing AI-related risks and controls. For instance, while organizations may have technology that monitors previously identified AI models, they might lack the tools to detect undocumented AI models, which is crucial for creating a comprehensive AI inventory.
To learn more about how a robust AI security framework can support your organization's needs, visit the KPMG Cybersecurity Solutions page.
The Imperative for CISOs
The evolving cyber landscape requires CISOs to be proactive, strategic, and collaborative in managing AI security. Adopting a robust and trusted AI framework will enable CISOs to guide their organizations confidently into the future, balancing innovation with security and ensuring resilience in an ever-changing environment.
By taking the initiative now, CISOs can guide their organizations in responsibly and effectively leveraging AI, thereby elevating their roles from cybersecurity technicians to strategic business partners.
Proactive cybersecurity to help you guard against tomorrow’s threats today
As cyber threats grow in sophistication, CISOs must navigate an increasingly complex landscape of risks and vulnerabilities. With expanding regulatory requirements and the continuous evolution of attack methods, maintaining a robust cybersecurity posture is more critical than ever.
At KPMG, we understand these challenges and provide targeted solutions to address them effectively. Today's CISOs need strategies that are both adaptable and multifaceted to stay ahead of ever-evolving threats. KPMG combines cutting-edge technology, actionable insights, and unparalleled expertise to help you prioritize and address your most critical cyber and tech risk challenges.
Our team leverages the latest in AI-driven analytics and industry best practices to deliver proactive, tailored solutions that fortify your security posture. Our cybersecurity and tech risk solutions are designed to enable your organization to anticipate threats, respond swiftly, and emerge stronger. From predictive threat intelligence to rapid incident response, KPMG is your partner in navigating cyber risk with confidence and agility.
KPMG Cyber and Tech Risk Services
Advanced Threat Detection
Stay ahead of sophisticated cyber adversaries with AI and machine learning that detect and mitigate threats before they can impact your operations. Our solutions offer real-time threat intelligence and automated response mechanisms to keep your defenses strong and adaptive.
Enhanced Access Management
Effective identity and access management (IAM) is critical for controlling access to your systems and data. Automating IAM processes improves security and operational efficiency, ensuring only authorized users have access based on stringent, dynamic policies.
Regulatory Compliance
Stay compliant with evolving regulations and standards such as GDPR, CCPA, and industry-specific mandates. Our compliance services minimize regulatory risks and potential fines while streamlining audit and reporting processes.
Data Protection and Privacy
Ensure the integrity and privacy of data wherever it resides – on-premises, in the cloud, or in hybrid environments. Our strategies encompass robust encryption, DLP solutions, and strict access controls to protect against breaches and unauthorized access.
Ransomware recovery
We helped a Fortune 500 manufacturing company recover from a terrifying ransomware attack and reinforce their IT security.

A guiding North Star for cyber risk strength
KPMG helped a FORTUNE 500 omnichannel retailer's enterprise risk team assess and strengthen cloud risk management practices.

Take a Deeper Dive into our Cybersecurity Insights
Access the latest KPMG insights to learn valuable facts, trends and guidance for CISOs about navigating the complexities of AI risk and innovation.

An Illustrative AI Risk and Controls Guide
Start designing practical controls to manage your organization's AI risks.

Emphasizing resilience in cybersecurity practices
Best practices for boosting your cybersecurity resilience that include protection, detection, rapid response and recovery strategies.

Be organizationally and operationally resilient when — and where — it matters
During an IT outage, cyber-attack, or any significant functional disruption, organizations must focus on restoring critical operations in minutes and hours, not days and weeks.

Building resilience in a hyperconnected world
Most enterprises are operationally dependent on a broad third-party ecosystem that must be equally resilient in the face of disruption.
Meet our team
Our KPMG Cyber and Tech Risk team offers clients unparalleled expertise and access to cutting-edge technology, ensuring robust protection against evolving cyber threats. By leveraging a unique blend of functional, industry, and technological experience, our professionals help organizations navigate the complex landscape of cybersecurity with confidence. Our specialists are skilled in areas such as AI-driven threat detection, cloud security, identity and access management, and advanced data privacy. We empower your organization to embrace technological advancements safely and confidently, transforming your cybersecurity posture from reactive to proactive.


