Declarable Integration of NIST AI Risk Management into AI-driven ISMS through Policy-as-Code
DOI: https://doi.org/10.24191/1pd5sq41
Keywords: AI Risk Management, Declarable Security, Policy-as-Code, Cybersecurity
Abstract
This study proposes a unified framework for declarable cybersecurity risk assessment in AI-driven Information Security Management Systems to enhance trust and assurance through systematic mapping of NIST AI Risk Management Framework actions for automated enforcement within ISO/IEC 27001:2022-compliant environments. A key contribution is a reproducible methodology for transforming NIST AI 600-1 provisions into Policy-as-Code action statements, explicitly aligning them with the CIA triad and the four NIST AI RMF functions of Govern, Map, Measure, and Manage. Using a novel declarability schema, the study validates that 84.9% of AI governance actions can be automated, with Measure being the most declarable function and Detective controls dominating, primarily targeting AI's Model and Output layers. While Integrity is highly emphasized across AI RMF functions, especially Map at 21.7%, Confidentiality and Availability are less represented. The crosswalk from NIST AI RMF to ISO/IEC 27002:2022 reveals strong alignment in Governance, Threat and Vulnerability Management, and Information Security Event Management, but highlights critical gaps in System and Network Security, Identity and Access Management, and Asset Management. This research provides a foundational framework for integrating AI governance into ISMS via Policy-as-Code, enabling traceable, auditable, and standards-aligned security policies for AI systems.
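The declarability schema the abstract describes, written out as an added Python example (not the paper's own tooling): each Policy-as-Code action statement is tagged with its NIST AI RMF function, CIA property, ISO/IEC 27002:2022 control type and operational capability, target AI layer and a declarable flag, and the helpers compute the kind of aggregate figures the abstract reports (declarable share per function, CIA distribution, crosswalk gaps). All action rows and ids are constructed placeholders, not NIST AI 600-1 text.

```python
"""Declarability schema for Policy-as-Code action statements (added example,
not the paper's code). Sample rows below are constructed placeholders."""
from collections import Counter
from dataclasses import dataclass

FUNCTIONS = ("Govern", "Map", "Measure", "Manage")
CAPABILITIES = (  # ISO/IEC 27002:2022 operational-capability attribute values
    "Governance", "Threat_and_vulnerability_management",
    "Information_security_event_management", "System_and_network_security",
    "Identity_and_access_management", "Asset_management")

@dataclass(frozen=True)
class ActionStatement:
    ref: str           # placeholder id, not a real NIST AI 600-1 action id
    function: str      # Govern | Map | Measure | Manage
    cia: str           # Confidentiality | Integrity | Availability
    control_type: str  # Preventive | Detective | Corrective
    layer: str         # Data | Model | Output | Infrastructure
    capability: str    # ISO/IEC 27002:2022 operational capability
    declarable: bool   # expressible as an automatically enforceable check

SAMPLE = [  # constructed sample, not the study's dataset
    ActionStatement("PH-01", "Govern", "Integrity", "Preventive", "Model", "Governance", True),
    ActionStatement("PH-02", "Govern", "Confidentiality", "Preventive", "Data", "Governance", False),
    ActionStatement("PH-03", "Map", "Integrity", "Detective", "Model", "Threat_and_vulnerability_management", True),
    ActionStatement("PH-04", "Map", "Integrity", "Detective", "Output", "Information_security_event_management", True),
    ActionStatement("PH-05", "Map", "Confidentiality", "Preventive", "Data", "Governance", False),
    ActionStatement("PH-06", "Measure", "Integrity", "Detective", "Output", "Information_security_event_management", True),
    ActionStatement("PH-07", "Measure", "Availability", "Detective", "Model", "Threat_and_vulnerability_management", True),
    ActionStatement("PH-08", "Manage", "Integrity", "Corrective", "Model", "Information_security_event_management", True),
    ActionStatement("PH-09", "Manage", "Availability", "Preventive", "Infrastructure", "Governance", False),
]

def declarable_share(actions, function=None):
    """Percentage of actions (optionally within one RMF function) that are declarable."""
    pool = [a for a in actions if function is None or a.function == function]
    return round(100 * sum(a.declarable for a in pool) / len(pool), 1) if pool else 0.0

def most_declarable_function(actions):
    """RMF function with the highest declarable share (first wins on a tie)."""
    return max(FUNCTIONS, key=lambda f: declarable_share(actions, f))

def cia_distribution(actions, function):
    """Share (percent) of each CIA property among one function's actions."""
    pool = [a for a in actions if a.function == function]
    return {k: round(100 * v / len(pool), 1) for k, v in Counter(a.cia for a in pool).items()}

def crosswalk_gaps(actions):
    """ISO/IEC 27002:2022 operational capabilities that no action statement maps to."""
    covered = {a.capability for a in actions}
    return [c for c in CAPABILITIES if c not in covered]
```

Running the helpers over the constructed sample reproduces the shape of the study's findings (Measure most declarable, Integrity dominant in Map, and the same three uncovered capabilities), though the sample figures are not the paper's.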
Copyright (c) 2026 Dmitri Kharchevnikov, Steven Robinett

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Copyright of articles that appear in the journal belongs exclusively to Faculty of Information Science, Universiti Teknologi MARA (Publisher). This copyright covers the rights to reproduce the article, including reprints, electronic reproductions or any other reproductions of similar nature.