"The AI Charter is 'just the start,'" Nick Benson, CEO of CREST, told Infosecurity.
CREST launches a nine‑point framework for AI in cybersecurity
On July 9, CREST, a cyber industry body, published an AI Charter that sets out nine principles for the responsible use of AI in cybersecurity activities. The principles — Accountability and governance; Transparency of use; Documentation and auditability; Boundaries and control; Data handling, sovereignty and client control; Security and confidentiality; Secure development of AI tooling; Supply chain assurance; and Resilience and business continuity — were initially revealed in March and are now the foundation of the charter CREST asked its members and the wider market to adopt.
What signatories pledged under the charter
Signatory firms commit to define clearly the scope and purpose of all AI‑enabled activities and to assess rigorously how those activities affect service delivery, client outcomes, data handling and operational risks. Governance and testing controls are to be proportional to the scale of AI deployment. Transparency is explicit: firms must inform clients whenever AI is used in tools or methodologies and explain benefits, limitations and risks.
The charter requires traceable, reviewable records of AI use and validation and quality assurance processes to support compliance audits. Human oversight is mandatory: even where AI tools operate with varying autonomy, qualified personnel must retain final oversight and the power to intervene, review outputs and challenge decisions.
On data, signatories must disclose whether client data will be used to train models or transferred across jurisdictions, ensuring usage aligns with legal, regulatory and contractual commitments. Security of AI artifacts — prompts, outputs and generated assets — is to be protected by robust confidentiality controls, and secure development and integration practices are required across the AI lifecycle. Supply chain risks must be identified and managed, and firms must prepare practical fallback arrangements and be transparent with clients about how AI failures could affect service levels and recovery expectations.
Who has signed and how widely AI is already used
CREST reported 73 founding signatories to the Charter, representing 10% of the organisation’s members and spanning Europe, North America, the Middle East and Asia‑Pacific. The signatories work across penetration testing, vulnerability assessment, incident response, security operations and threat intelligence.
CREST said it recently found that 69% of cybersecurity providers are now using AI in daily service delivery, and 76% reported that such use has grown in the past year. CREST developed the principles after reviewing existing AI frameworks, incorporating contributions from its members, feedback collected during CRESTCon Leaders Days and validation from its technical committee. A CREST spokesperson told Infosecurity that a key deciding factor in the chosen principles was defining “what sets AI‑driven cyber services apart from traditional ones.”
What this means for technologists, policymakers, and procurement leaders
- Technologists and security teams: Expect to operationalise the charter’s requirements for documentation, auditability, human oversight and secure development. The charter’s emphasis on managing third‑party AI dependencies and protecting prompts and outputs pushes teams to extend security controls into AI development and supply chains.
- Policymakers and regulators: CREST framed the model as “one of self‑regulation, aimed at enabling a functioning, successful market” and said it would “welcome regulators supporting and signposting these principles.” CREST argued that aligning national standards to its principles would promote harmonisation and cross‑border interoperability.
- Affected enterprises and procurement leaders: Firms that buy cybersecurity services should now expect clearer disclosures about when AI is used and whether client data will train models or cross borders, as well as documented fallback arrangements for AI failures and clearer statements about service‑level impacts.
CREST’s next steps and the immediate choice confronting the market
Nick Benson described the Charter as a starting point and urged a rapid move from principles to thorough, independently assessable standards. CREST hopes the Charter will have a “snowball effect” encouraging organisations, governments and providers to adopt the common principles and, in Benson’s words, make “regulation less necessary and the compliance burden lighter.” He also called for regulators to support and signpost the principles and said aligning national standards to the CREST ones will reduce frictional costs for buyers and vendors.
The Charter presents a clear, measurable set of expectations for firms that already embed AI into cyber services: transparency about use, documented audit trails, human oversight, data‑sovereignty protections and plans for resilience. Whether the measure becomes widely adopted as voluntary best practice, the basis for formal standards, or a yardstick regulators will reference depends on the next steps CREST promised — codifying the principles into assessable standards and winning wider endorsement from industry and regulators alike.




