CSO Online: Five AI Risk Management Frameworks for Shoring Up Key Gaps

Plus, law firm Lewis Brisbois orders remote workers back to the office after cyber-attack.

Good morning! Here’s what’s up.

People

Christopher Song has joined Roblox as privacy and security counsel.

Geoff Rivera has joined law firm Polsinelli as chief information security officer.

Clips ✂️

5 AI risk management frameworks for shoring up key gaps

Organizations racing to embed AI into business operations are realizing that the risk management frameworks they’ve relied on for decades aren’t built for the behaviors, failure modes, and ethical complexities AI systems introduce.

Fortunately, a new generation of AI-specific frameworks has emerged to give organizations a structured way to identify where AI can go wrong, what controls to put in place, and how to demonstrate responsible AI use to regulators, customers, and investors. Not all of these emerging frameworks address the same problem. Some focus on governance and organizational accountability, others on technical security controls, threat modeling, or regulatory compliance. Choosing the right one for your organization depends on where your most pressing gaps reside.

Here are five frameworks worth considering for your AI risk management needs.

by CSO Online

Lewis Brisbois Calls Remote Staff to Offices After Cyberattack

One of the largest US law firms ordered remote workers back to offices after a cyberattack prompted it to block outside access to internal networks.

Lewis Brisbois on June 10 told lawyers and staff that all remote and hybrid employees must work from its offices or bring firm-issued computers home with them. The firm appeared to be scrambling to obtain more computers and devices for those employees.

“Until additional equipment can be purchased and distributed, those on remote or hybrid schedules will need to either work from the office or bring their current office computer setup home,” Elijah Bernal, an office administrator overseeing the firm’s vendor relationships, wrote in a June 10 email viewed by Bloomberg Law.

Lewis Brisbois did not immediately respond to a request for comment. The firm, founded in Los Angeles, has more than 1,600 attorneys across the country, according to its website. It’s not clear if hackers were able to successfully infiltrate the firm’s network.

by Bloomberg Law

AI and Cybersecurity – Everything You Wanted to Know, But Were Afraid to Ask

To better understand the current state of artificial intelligence (AI) in cybersecurity, SecurityWeek spoke with dozens of security practitioners, researchers, vendors, analysts, and AI experts.

The result is a comprehensive snapshot of how AI is being used across the security landscape today.

Organized into five key topic areas, this report examines the role of AI through multiple lenses: whether it can be trusted, how organizations are using it, how it can be misused by legitimate insiders, how it is being exploited by cyber adversaries, and where the technology is likely headed next.

The five topics are:

• Generative AI (gen-AI)

• Agentic AI

• Shadow AI

• Machine learning (ML)

• Artificial general intelligence (AGI)

Taken together, these perspectives provide a practical assessment of AI’s opportunities, risks, and likely evolution in cybersecurity.

by SecurityWeek

Ransomware Attack on Mackay Sugar Disrupts Australian Mills: Cybersecurity Incident Analysis and Lessons Learned

On 10 June 2026, a ransomware attack attributed to The Gentlemen group disrupted operations at two mills operated by Mackay Sugar, Australia’s second-largest sugar producer. The incident halted sugar milling and cane haulage at the Farleigh and Racecourse mills, impacting over 1,300 family-owned farms and the regional supply chain.

On 16 June 2026, The Gentlemen ransomware group claimed responsibility, threatening to release stolen data within ten days. As of the latest updates, the specific data compromised remains unknown, and the full extent of the damage has not been disclosed.

The incident highlights the vulnerability of critical infrastructure in the agricultural sector to ransomware attacks and underscores the potential for cascading effects on food production and regional economies. Mackay Sugar is working with authorities and stakeholders to restore operations and mitigate the impact.

by Rescana

When Your Productivity Tools Become a Regulatory Problem: Shadow AI and the GLBA Safeguards Rule

Your employees are trying to be more productive. That is a good thing. But the tools they are reaching for, the AI-powered meeting summarizers, the spreadsheet analyzers, the browser extensions that draft investor briefs in seconds, may be quietly creating one of the most significant regulatory exposures your company faces right now.

It is called “Shadow AI,” and it is not just an IT headache. For financial institutions and the businesses that serve them, it is a direct path to regulatory liability under the FTC’s GLBA Safeguards Rule.

What Shadow AI Actually Looks Like

Shadow AI is not the sinister-sounding technology its name implies. It is an employee pasting a customer account summary into ChatGPT to draft a talking-points memo. It is a financial analyst uploading a client portfolio spreadsheet into a free-tier AI tool to generate trend analysis. It is a sales manager using an embedded AI assistant inside a video conferencing platform to auto-generate meeting notes that include client names, account numbers, and loan details.

by CIPA World

"Shadow AI" Triggers First SEC Form 8-K for Unauthorized AI Use: What Financial Institutions and Public Companies Need to Know

On May 5, 2026, a Pennsylvania-based regional bank, Community Bank, the wholly owned subsidiary of CB Financial Services, Inc. (CB), detected a cybersecurity incident caused by the use of an unauthorized AI application which exposed sensitive customer information.

Unlike the usual cybersecurity incident involving an attack on the company's systems by a third-party bad actor or sabotage by an internal party, the exposure of confidential information in this case arose from the improper use of AI, presumably by a bank employee who turned to the unauthorized AI for efficiencies in handling customer information. Two days later, CB determined the incident was material and filed a Form 8-K under Item 1.05.

The incident reflects a rapidly emerging and underappreciated organizational risk colloquially known as Shadow AI, which refers to the growing practice of employees independently using large language models and other AI tools without organizational approval or security review.

by Wilson Sonsini
