Compliance Risks and Hidden Liabilities for CISOs

Artificial intelligence regulation is evolving fast, and many businesses may already be violating key provisions without realizing it. Under the strict compliance requirements of the EU AI Act, some AI-powered security tools could put organizations at legal risk. But some companies may already be using high-risk AI applications without security teams even knowing, warned Jonathan Armstrong, partner at Punter Southall Law.

See Also: A Modern Approach to Data Security

“For many organizations, you wouldn’t necessarily know that you’re using them,” Armstrong said. “We kicked off an AI project, for example, for a client. They were trying to look at the AI applications that they had live in the business. They thought there’d be three or four. They did the sort of poll around the business. I was on holiday. They’d found 54 by the time I came back from holiday, and it wasn’t a long holiday.”

The growing compliance burden could shift even greater personal liability to CISOs because the board and other executives are unlikely to understand or act on security concerns related to AI tools. “I think a regulator is more likely to focus on personal liability for the CISO because the theory is that the CISO should have plugged the gaps on the board,” he said. “And that really shouldn’t be the CISO’s responsibility.”

In this video interview with Information Security Media Group, Armstrong also discussed:

• The hidden compliance risks in AI-driven security tools and HR applications;
• How AI risk assessments differ from traditional cybersecurity audits;
• Why global businesses must prepare for EU enforcement under the Brussels Effect.

Armstrong is a lawyer specializing in compliance and technology. He is regarded as one of the foremost cybersecurity experts and is active in advising clients on GDPR compliance and AI risks and opportunities.