Detailed write-ups
EU pushes AI Act deadlines for high-risk systems
Following the May 7 Council/Parliament political agreement on the AI Act “omnibus,” coverage this week walked through the practical impact: high-risk system rules (biometrics, critical infrastructure, education, employment, migration, border control) move to December 2, 2027; transparency grace period shortens from six to three months; new prohibitions on “nudifier” applications take effect December 2, 2026; the August 2, 2026 GPAI obligations remain intact. Action: re-sequence compliance projects against the new dates.
Sources: Biometric Update
CISA tells critical organizations to prepare for cyber outages
CISA published guidance urging operators of critical infrastructure to plan for sustained cyber outages — not just rapid recoveries. The shift is from “restore quickly” to “run degraded for days or weeks.” Rehearse manual-mode operations, validate that BCP doesn’t silently assume cloud/SaaS availability, and tighten the link between business continuity and incident response.
Sources: Federal News Network
AI cyber capability is speeding past earlier projections (May 14)
The UK AI Security Institute (AISI) reports that newer models are clearing cyber capability benchmarks that earlier projections placed years out. The boardroom implication: AI-augmented adversary timelines compress faster than your patching, detection, and IR maturity curves. Frame this in your next risk briefing.
Sources: Help Net Security
Sophos: 70%+ of organizations hit by identity breaches (May 14)
Stolen credentials, compromised service accounts, and social-engineered employees remain the dominant initial access vectors. Identity remains the largest unresolved weakness in most enterprise breach reconstructions. Action: re-audit the privileged access lifecycle, service-account hygiene, and phishing-resistant MFA enforcement.
Sources: Help Net Security
What CISOs need to land a board role (May 13)
Boards increasingly want CISOs in director seats, but the credentials gap is real: financial fluency, audit-committee literacy, and the ability to frame security work in board-pack language. CSO Online lays out the path. Pair with the DR20 leadership profiles for context on how today’s board-CISO dynamic was built.
Sources: CSO Online
2026 CSO Award winners (May 13)
Annual honorees are recognized for security work that enables business outcomes — revenue, customer trust, regulatory readiness, growth. A good benchmarking source if you’re building board-facing narratives that frame security as growth enablement rather than cost center.
Sources: CSO Online
Why Agentic AI Is Security’s Next Blind Spot
Agentic AI deployments are expanding the enterprise attack surface faster than governance can keep up. Most boards don’t yet understand the scope: every agent is an identity, every tool the agent can invoke is an attack path, and every workflow is a candidate for autonomous error propagation. Plan to bring this to the next risk-committee meeting.
Sources: The Hacker News