The AI Paradigm Shift: Governance, Risk, and the CISSP Domain 1
For decades, information security worked on a simple assumption: software is deterministic. Input parameter A into system B, and you’ll get result C every time, bounded by the strict logic a programmer wrote. Security controls (whether static code analysis, input validation, or access control matrices) were built around that predictability.
Artificial intelligence breaks that assumption.
Generative AI and autonomous agent architectures move enterprise systems into probabilistic, non-deterministic, and increasingly autonomous territory. ISC2 acknowledged this on April 2, 2026 by publishing Exam Guidance for Artificial Intelligence, which maps AI security topics across the eight existing CISSP domains. (For more on that guidance, see AI Security for the CISSP: What’s Changed.)
This article, the first in a series, covers the Domain 1 material: foundational concepts, governance frameworks, and the administrative controls a CISSP candidate needs.
Concept Coverage
To evaluate AI risk on the exam (or in practice), you need the vocabulary. Questions may test whether you can place a specific risk at the right point in the system lifecycle.
What is Generative AI?
Generative AI (Gen AI) is ubiquitous, and you’ve probably been using its associated services for a couple of years. Gen AI refers to AI systems that create new content (text, images, code, audio) rather than just analyze existing data. Examples span many aspects of our digital lives: text (Claude, ChatGPT, Gemini), images (DALL-E, Stable Diffusion), video (Sora, Runway), music (Suno), voice synthesis (ElevenLabs), and code (Cursor). When a vendor says their platform is “powered by GenAI,” they mean it produces output, not just classifies or scores inputs.
What is an AI Model?
An AI model is a mathematical structure trained on a dataset to recognize patterns, make predictions, or generate outputs, without being explicitly programmed with step-by-step rules. After training, the model is the brain of the AI system. It holds everything the system “learned” as numbers (the weights and biases) that determine how it responds to any new input.
While traditional software uses code written by human developers to process inputs (Input → Rules → Output), an AI model uses statistical weights and biases derived from training data to produce its output (Input → Statistical Weights → Output).
What is a Large Language Model (LLM)?
A Large Language Model (LLM) is a specialized subset of generative AI built on a deep neural network architecture (specifically the Transformer architecture) that uses “self-attention” mechanisms to model relationships between words in a sequence.
LLMs are trained on internet-scale text to understand, summarize, translate, predict, and generate “human-like” language. The training data is measured in tokens: a token is what the model treats as a unit of text, usually a word or a piece of a word. Modern LLMs are trained on trillions of them.
What is a Prompt?
A prompt is everything you (or the system) hand to the AI on a single request. That includes the user’s question, any instructions the application has added behind the scenes, and any documents or chat history the model is pulling in. It’s also the only entry point an attacker has, which is the entire basis of prompt injection (see below).
Training vs. Inference: The AI Lifecycle
You need to distinguish the two operational phases of an AI model’s life:
Training is how the model gets built. The system shows the algorithm a big dataset over and over, and each pass nudges the weights and biases until the model gives the “right” answer often enough to ship. The dataset used is the training data, and if it’s biased, missing important cases, or just bad, the model can never outperform what it was shown.
Inference is what the model does once it’s running. Every time someone asks a chatbot a question or a fraud detector scores a transaction, that’s inference: one run of the trained model. Almost everything a CISSP encounters in the enterprise is inference. Training is a much heavier, much rarer event.
Each phase has a different attack surface and calls for different controls.
The Training Phase (Development Lifecycle):
The Process: The algorithm is exposed to a training dataset and adjusts its internal parameters (weights and biases) until it can perform its target task.
Secure SDLC Focus: A sensitive supply-chain and development phase. The priority is the integrity of the training dataset.
Primary Threat: Data poisoning. If an attacker injects malicious or biased records into the training pool, they can permanently alter the model’s behavior or implant hidden backdoors.
The Inference Phase (Production Operations):
The Process: The trained model runs in production (API endpoint, web application, autonomous agent) and processes live inputs.
Operational Security Focus: The priority is validating inputs and sanitizing outputs.
Primary Threat: Prompt injection and model hijacking, where attackers manipulate live runtime inputs to execute unauthorized commands or bypass safety boundaries. Simon Willison coined the term “prompt injection” in September 2022. The Samsung ChatGPT IP-leak incident in April 2023 was its first widely reported corporate consequence.
Why It’s Hard to Secure
AI systems introduce three architectural properties that legacy security frameworks can’t fully manage:
Non-Determinism
Generative AI models don’t produce identical outputs for identical inputs. LLMs are the clearest example: each next token is picked from a probability distribution, so the same prompt can produce two slightly different answers on two different calls. Image, music, and video models work the same way. Traditional security testing depends on reproducibility: find a bug, baseline behavior, confirm a fix. Non-determinism breaks all three.
The Black-Box Problem
A trained neural network has millions or billions of internal parameters. Decisions emerge from those parameters all at once. There’s no sequence of if-then rules a human can follow. When a model denies a credit application or flags a transaction as fraud, no one can point to the specific reason. The model just produces an output.
In terms of the CISSP, that hits Traceability: the ability to verify, audit, and recreate why an action was taken. After an incident, reconstructing what the AI “saw” and “decided” requires specialized logging of the inputs that went in (prompts, retrieved documents, prior context) plus the outputs and confidence scores that came back. Without that logging, you can’t answer what every regulator, auditor, and exec will ask after an AI incident: “Why did it do that?”
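The traceability logging described above, as an added example that is not part of the article: each inference record captures the inputs the model saw (system prompt, user prompt, retrieved documents, prior context), its output and confidence, and is hash-chained to the previous record so an after-the-fact edit is detectable. The model id, sample prompts and policy document are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first record


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_record(prev_hash, system_prompt, user_prompt, retrieved_docs,
                 prior_context, output, confidence, model_id):
    """Capture everything the model received and returned, linked to the prior record."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "model_id": model_id,
        "inputs": {"system_prompt": system_prompt, "user_prompt": user_prompt,
                   "retrieved_docs": retrieved_docs, "prior_context": prior_context},
        "output": output,
        "confidence": confidence,
        "prev_hash": prev_hash,
    }
    # Digest over canonical JSON: any later edit to any field changes the hash.
    record["hash"] = _sha256(json.dumps(record, sort_keys=True))
    return record


def verify_chain(records) -> bool:
    """Recompute every digest and link; False means a record was altered or dropped."""
    prev = GENESIS
    for rec in records:
        if rec["prev_hash"] != prev:
            return False
        body = {k: v for k, v in rec.items() if k != "hash"}
        if _sha256(json.dumps(body, sort_keys=True)) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True


def demo():
    """Constructed two-turn refund conversation, then a tampering attempt on turn one."""
    r1 = build_record(GENESIS, "You are a support assistant.", "Refund order 4471?",
                      [{"doc_id": "policy-12", "text": "Refunds within 30 days."}], [],
                      "Eligible: order is 12 days old.", 0.91, "example-model-v1")
    r2 = build_record(r1["hash"], "You are a support assistant.", "And order 4472?", [],
                      ["Refund order 4471?", "Eligible: order is 12 days old."],
                      "Not eligible: order is 45 days old.", 0.88, "example-model-v1")
    chain = [r1, r2]
    intact = verify_chain(chain)
    r1["output"] = "Not eligible."  # after-the-fact edit of the first decision
    return intact, verify_chain(chain)
```

With the chain intact the verifier returns True; once the first output is edited it returns False, which is the evidence an auditor needs that the log, not the model, is the thing that changed.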
Hallucinations
A hallucination is when a generative model confidently produces false information that looks plausible. The model generates output based on statistical patterns in its training data. There’s no internal step that checks whether that output is true. So it can invent names, citations, statistics, or quotes that don’t exist.
The CISSP implication is direct. AI outputs are unverified data. The professional who acts on them is the one who answers for it, in court and in the boardroom.
Frameworks and Regulation
Governments and standards bodies are still catching up to AI. Domain 1 expects you to know how the major frameworks fit into a compliance posture.
Standardized Security Frameworks
NIST AI Risk Management Framework (AI RMF 1.0) is the most cited voluntary framework for structuring an AI security program. It organizes work into four core functions:
Govern: Establish a culture of risk management, policies, and organizational alignment.
Map: Contextualize the AI system, identify boundaries, and map specific risks.
Measure: Quantify, analyze, and track identified risks through empirical testing.
Manage: Allocate resources to respond to mapped and measured risks dynamically.
These aren’t sequential steps. Govern sits across the whole framework as the policy and accountability layer, while Map, Measure, and Manage form a continuous feedback loop on top of it. In practice, Govern is also the function organizations may underinvest in the most.
The 40-page framework gives you the principles. The companion NIST AI RMF Playbook is where the operational guidance lives. If you’re implementing rather than briefing, you need both. NIST has also published a Generative AI Profile (NIST AI 600-1) that applies the four functions to GenAI-specific risks like hallucinations, data exposure, and misuse.
ISO/IEC 42001 (Artificial Intelligence Management System) is the certifiable counterpart to the NIST framework: a third-party-auditable management system that adds an outward-facing AI System Impact Assessment (consequences for external individuals and groups) on top of an ISO 27001-style structure. It also aligns with EU AI Act compliance expectations, which makes it the more useful choice for companies with European exposure. The most common pattern is to deploy NIST first to build taxonomy and lifecycle discipline, then layer ISO 42001 on top for external attestation. The common failure mode is starting both at once and finishing neither.
Global AI Regulation
CISSPs don’t need to be lawyers, but you do need to understand regulatory risk. The most prominent example is the EU AI Act, which classifies AI systems by risk tier:
Unacceptable Risk: Systems that threaten human safety or rights (e.g., government social scoring) are banned outright.
High Risk: Systems used in critical infrastructure, medical devices, or employment. These require pre-market assessments, logging, and human-in-the-loop oversight.
Limited Risk (Specific Transparency): Chatbots, deepfakes. Users have to be told they’re interacting with AI.
Minimal/No Risk: Spam filters, video games. No additional regulatory intervention required.
The Act reaches beyond the EU. Article 2 says it applies to anyone selling an AI system into the EU, anyone using one inside the EU, and any company anywhere whose AI outputs end up being used in the EU. If you have European customers, you’re in scope no matter where you’re headquartered.
Data, Bias, and Ethics
AI security still depends on the CIA triad, but integrity grows to include Data Quality and AI Ethics.
Data Quality (Garbage In, Garbage Out)
If the training dataset is poisoned, incomplete, or fundamentally skewed, the model’s outputs will be flawed, and the integrity of every downstream corporate decision goes with them. Security leaders need to vet data pipelines for accuracy, representativeness, and absence of tampering.
AI Ethics & Societal Adaptation
Ethics on the CISSP exam comes back to the ISC2 Code of Ethics (act honorably, protect society). In an AI context, that translates to:
Fairness: Algorithmic decisions shouldn’t exhibit systemic bias against protected groups.
Transparency: Stakeholders should be able to understand how a model reaches its conclusions.
Human Oversight: Critical actions, especially those affecting livelihoods, physical safety, or financial assets, need human validation rather than fully automated execution.
The Disinformation Suite: Deepfakes and Automated Misinformation
Two non-technical AI threats sit squarely in Domain 1’s governance and societal-adaptation area. Deepfakes (AI-generated voice, image, or video impersonations) are now used in executive-targeting fraud and social engineering, blurring the line between identity verification and content verification. Automated misinformation campaigns use generative AI to produce false content at industrial scale and distribution speed, complicating brand defense, election integrity, and customer trust. Both call for governance responses (executive verification protocols, public-communications playbooks, third-party content-authenticity standards) rather than purely technical ones, which is why they belong in a Domain 1 risk conversation, not a firewall ruleset.
Building the Program
How do you turn the regulatory and architectural concepts into something operational? Start with administrative and organizational changes.
The Chief AI Officer (CAIO) or “AI Czar”
When organizations adopt AI at scale, a leadership gap often opens between the CISO (security) and the CDO/CIO (data and enablement). Enter the Chief AI Officer.
The CAIO aligns AI strategy with business goals, manages AI-specific compliance, and coordinates with the CISO on security architecture. If you don’t have a CAIO, a formal AI Governance Board (legal, compliance, engineering, security) fills the void.
The AI Acceptable Use Policy (AUP)
Before buying expensive security tools, set clear guidelines. An AI AUP should explicitly define:
Approved Platforms: Distinguish approved enterprise-tier AI platforms (which guarantee data privacy) from public, consumer-grade tools (which may ingest user prompts for training).
Classification Constraints: Restrict sensitive intellectual property, source code, and PII from being submitted to unauthorized external LLMs.
Code Review Requirements: Any software written with AI coding tools goes through standard SAST/DAST security reviews before deployment.
Verify then Trust
For AI, every input (prompt) sent to a model needs sanitization to prevent prompt injection, and every output coming back gets treated as untrusted, hostile data. You can’t assume the model will always return benign, safe, or accurate content. The pattern echoes Zero Trust’s “never trust, always verify,” applied to LLM I/O. The OWASP LLM Top 10 (LLM01: Prompt Injection) is the canonical taxonomy.
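The “treat every output as untrusted” rule from the paragraph above, as an added example that is not part of the article: an application asks the model for a JSON action, and nothing executes unless the parsed output matches a strict allowlist of actions and parameter shapes; anything else is rejected and routed to a human. The action names, parameter patterns and sample outputs are constructed for illustration.

```python
import json
import re

# Allowlist: action -> required parameters and a validator for each value.
ALLOWED_ACTIONS = {
    "lookup_ticket": {"ticket_id": re.compile(r"^[A-Z]{2,5}-\d{1,6}$").fullmatch},
    "send_summary": {"channel": lambda v: v in {"email", "slack"}},
}


class RejectedOutput(ValueError):
    """Model output failed validation; caller logs it and falls back to a human."""


def validate_action(raw_output: str) -> dict:
    # 1. Parse strict JSON only: no eval, no regex-scraping of free text.
    try:
        data = json.loads(raw_output)
    except json.JSONDecodeError as exc:
        raise RejectedOutput(f"not JSON: {exc}")
    if not isinstance(data, dict):
        raise RejectedOutput("top level must be an object")
    # 2. The action must be on the allowlist; unknown or missing actions are rejected.
    action = data.get("action")
    if action not in ALLOWED_ACTIONS:
        raise RejectedOutput(f"action not allowed: {action!r}")
    spec = ALLOWED_ACTIONS[action]
    params = data.get("params")
    # 3. Exactly the expected parameters, each of the expected shape, nothing extra.
    if not isinstance(params, dict) or set(params) != set(spec):
        raise RejectedOutput("unexpected parameter set")
    for name, check in spec.items():
        value = params[name]
        if not isinstance(value, str) or not check(value):
            raise RejectedOutput(f"bad value for {name}")
    return {"action": action, "params": params}


def gate(raw_output: str):
    """Return the validated action, or None so the caller routes to a human."""
    try:
        return validate_action(raw_output)
    except RejectedOutput:
        return None
```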
Cost-Benefit Analysis
AI deployments have real resource overhead. Beyond software subscriptions, deep learning needs GPU compute and storage at scale. A formal cost-benefit analysis weighs efficiency gains against the costs of implementation, continuous monitoring, model retraining, and new compliance liabilities.
Adapting Your Existing Program
Your existing Domain 1 risk management processes also need to adapt to AI-related assets:
Asset Inventory: Build a registry of AI models, training datasets, fine-tuning pipelines, and vector databases. Treat them as critical enterprise assets.
Risk Register Integration: Document new threat profiles (prompt injection, training data poisoning, model inversion, and AI-augmented attacks like automated phishing and vulnerability discovery at scale) and assign risk owners.
Third-Party Risk Management (TPRM): When evaluating SaaS vendors, audit AI usage. Do they use customer data to train their models? Are their LLM dependencies hosted in secure environments?
In the Next Article...
With governance and policy in place, the next article moves to Domain 2 (Asset Security): how to classify, protect, and dispose of the data pipelines, model weights, and compute assets that drive AI in the enterprise.
I’m building a CISSP prep platform centered on the idea that the exam tests your judgment and application of concepts, not rote memorization. It includes an adaptive CAT practice-exam engine, concept-coverage analytics, question-by-question scoring, exam-readiness tracking, mindset pattern analysis, weak-area drills, a custom study planner built around your schedule and requirements, my integrated book, and spaced repetition. It’s in limited beta. To request an invite (free extended Pro access in exchange for your feedback), join the waitlist at academy.balancedsec.com, and I’ll send invites on a rolling basis.