OpenAI warns that frontier AI models could escalate cyber threats, including zero-day exploits. Defense-in-depth, monitoring, and AI security by design are now essential.
The post As Capabilities Advance Quickly OpenAI Warns of High Cybersecurity Risk of Future AI Models appeared first on Security Boulevard.
To transform cyber risk into economic advantage, leaders must treat cyber as a board-level business risk and rehearse cross-border incidents with partners to build trust.
The post Cyber Risk is Business Risk: Embedding Resilience into Corporate Strategy appeared first on Security Boulevard.
Concerns about power imbalance in franchise agreements amid claims over firm’s treatment of small-business owners
The government will consider new laws to correct the power imbalance in franchise agreements in response to the “harrowing stories” of small business people running Vodafone stores.
The move follows allegations of suicide and attempted suicide among shopkeepers who had agreed to deals to run retail outlets for the £18bn telecoms company, which were revealed by the Guardian on Monday.
Continue reading...
© Photograph: Andy Rain/EPA
© Photograph: Andy Rain/EPA
© Photograph: Andy Rain/EPA
I have long maintained that smart contracts are a dumb idea: that a human process is actually a security feature.
Here’s some interesting research on training AIs to automatically exploit smart contracts:
AI models are increasingly good at cyber tasks, as we’ve written about before. But what is the economic impact of these capabilities? In a recent MATS and Anthropic Fellows project, our scholars investigated this question by evaluating AI agents’ ability to exploit smart contracts on Smart CONtracts Exploitation benchmark (SCONE-bench)a new benchmark they built comprising 405 contracts that were actually exploited between 2020 and 2025. On contracts exploited after the latest knowledge cutoffs (June 2025 for Opus 4.5 and March 2025 for other models), Claude Opus 4.5, Claude Sonnet 4.5, and GPT-5 developed exploits collectively worth $4.6 million, establishing a concrete lower bound for the economic harm these capabilities could enable. Going beyond retrospective analysis, we evaluated both Sonnet 4.5 and GPT-5 in simulation against 2,849 recently deployed contracts without any known vulnerabilities. Both agents uncovered two novel zero-day vulnerabilities and produced exploits worth $3,694, with GPT-5 doing so at an API cost of $3,476. This demonstrates as a proof-of-concept that profitable, real-world autonomous exploitation is technically feasible, a finding that underscores the need for proactive adoption of AI for defense...
The post AIs Exploiting Smart Contracts appeared first on Security Boulevard.
AI is transforming enterprise productivity and reshaping the threat model at the same time. Unlike human users, agentic AI and autonomous agents operate at machine speed and inherit broad network permissions and embedded credentials. This creates new security and compliance … Read More
The post Ring-fencing AI Workloads for NIST and ISO Compliance appeared first on 12Port.
The post Ring-fencing AI Workloads for NIST and ISO Compliance appeared first on Security Boulevard.
OWASP unveils its GenAI Top 10 threats for agentic AI, plus new security and governance guides, risk maps, and a FinBot CTF tool to help organizations secure emerging AI agents.
The post OWASP Project Publishes List of Top Ten AI Agent Threats appeared first on Security Boulevard.
Source: eSafety Commissioner[/caption]
Source: Created using Google Gemini[/caption]
Research supports these concerns. A Pew Research Center study found:
“The social media ban only really addresses on set of risks for young people, which is algorithmic amplification of inappropriate content and the doomscrolling or infinite scroll. Many risks remain. The ban does nothing to address cyberbullying since messaging platforms are exempt from the ban, so cyberbullying will simply shift from one platform to another.”
Leaver also noted that restricting access to popular platforms will not drive children offline. Due to ban on social media young users will explore whatever digital spaces remain, which could be less regulated and potentially riskier.
“Young people are not leaving the digital world. If we take some apps and platforms away, they will explore and experiment with whatever is left. If those remaining spaces are less known and more risky, then the risks for young people could definitely increase. Ideally the ban will lead to more conversations with parents and others about what young people explore and do online, which could mitigate many of the risks.”
From a broader perspective, Leaver emphasized that the ban on social media will only be fully beneficial if accompanied by significant investment in digital literacy and digital citizenship programs across schools:
“The only way this ban could be fully beneficial is if there is a huge increase in funding and delivery of digital literacy and digital citizenship programs across the whole K-12 educational spectrum. We have to formally teach young people those literacies they might otherwise have learnt socially, otherwise the ban is just a 3 year wait that achieves nothing.”
He added that platforms themselves should take a proactive role in protecting children:
“There is a global appetite for better regulation of platforms, especially regarding children and young people. A digital duty of care which requires platforms to examine and proactively reduce or mitigate risks before they appear on platforms would be ideal, and is something Australia and other countries are exploring. Minimizing risks before they occur would be vastly preferable to the current processes which can only usually address harm once it occurs.”
Looking at the global stage, Leaver sees Australia ban on social media as a potential learning opportunity for other nations:
“There is clearly global appetite for better and more meaningful regulation of digital platforms. For countries considered their own bans, taking the time to really examine the rollout in Australia, to learn from our mistakes as much as our ambitions, would seem the most sensible path forward.”
Other specialists continue to warn that the ban on social media could isolate vulnerable teenagers or push them toward more dangerous, unregulated corners of the internet.
CISA and global partners issue new guidance for secure AI integration in operational technology, highlighting risks, governance, behavioral analytics, and OT safety.
The post CISA Releases New AI-in-OT Security Guidance: Key Principles & Risks appeared first on Security Boulevard.
For too long, security has been cast as a bottleneck – swooping in after developers build and engineers test to slow things down. The reality is blunt; if it’s bolted on, you’ve already lost. The ones that win make security part of every decision, from the first line of code to the last boardroom conversation...
The post Cultural Lag Leaves Security as the Weakest Link appeared first on Security Boulevard.
New data shows 90% of NEDs lack confidence in cybersecurity value. CISOs and CIOs must translate cyber risk into business impact.
The post CISOs, CIOs and Boards: Bridging the Cybersecurity Confidence Gap appeared first on Security Boulevard.
Organizations are spending more than ever on cybersecurity, layering defenses around networks, endpoints, and applications. Yet a company’s documents, one of the most fundamental business assets, remains an overlooked weak spot. Documents flow across every department, cross company boundaries, and often contain the very data that compliance officers and security teams work hardest to protect...
The post Closing the Document Security Gap: Why Document Workflows Must Be Part of Cybersecurity appeared first on Security Boulevard.
Australia's fragmented approach to AI oversight—with responsibilities scattered across privacy commissioners, consumer watchdogs, online safety regulators, and sector-specific agencies—required coordination to keep pace with rapidly evolving AI capabilities and their potential to amplify existing harms while creating entirely new threats.
The Australian Government announced establishment of the AI Safety Institute backed by $29.9 million in funding, to monitor emerging AI capabilities, test advanced systems, and share intelligence across government while supporting regulators to ensure AI companies comply with Australian law. The setting up of the AI safety institute is part of the larger National AI Plan that the Australian government officially released on Tuesday.
The Institute will become operational in early 2026 as the centerpiece of the government's strategy to keep Australians safe while capturing economic opportunities from AI adoption. The approach maintains existing legal frameworks as the foundation for addressing AI-related risks rather than introducing standalone AI legislation, with the Institute supporting portfolio agencies and regulators to adapt laws when necessary.
The AI Safety Institute will focus on both upstream AI risks and downstream AI harms. Upstream risks involve model capabilities and the ways AI systems are built and trained that can create or amplify harm, requiring technical evaluation of frontier AI systems before deployment.
Downstream harms represent real-world effects people experience when AI systems are used, including bias in hiring algorithms, privacy breaches from data processing, discriminatory outcomes in automated decision-making, and emerging threats like AI-enabled crime and AI-facilitated abuse disproportionately impacting women and girls.
The Institute will generate and share technical insights on emerging AI capabilities, working across government and with international partners. It will develop advice, support bilateral and multilateral safety engagement, and publish safety research to inform industry and academia while engaging with unions, business, and researchers to ensure functions meet community needs.
The Institute will support coordinated responses to downstream AI harms by engaging with portfolio agencies and regulators, monitoring and analyzing information across government to allow ministers and regulators to take informed, timely, and cohesive regulatory action.
Portfolio agencies and regulators remain best placed to assess AI uses and harms in specific sectors and adjust regulatory approaches when necessary. The Institute will support existing regulators to ensure AI companies are compliant with Australian law and uphold legal standards of fairness and transparency.
The government emphasized that Australia has strong existing, largely technology-neutral legal frameworks including sector-specific guidance and standards that can apply to AI. The approach promotes flexibility, uses regulators' existing expertise, and targets emerging threats as understanding of AI's strengths and limitations evolves.
The government is taking targeted action against specific harms while continuing to assess suitability of existing laws. Consumer protections under Australian Consumer Law apply equally to AI-enabled goods and services, with Treasury's review finding Australians enjoy the same strong protections for AI products as traditional goods.
The government addresses AI-related risks through enforceable industry codes under the Online Safety Act 2021, criminalizing non-consensual deepfake material while considering further restrictions on "nudify" apps and reforms to tackle algorithmic bias.
The Attorney-General's Department engages stakeholders through the Copyright and AI Reference Group to consult on possible updates to copyright laws as they relate to AI, with the government ruling out a text and data mining exception to provide certainty to Australian creators and media workers.
Healthcare AI regulation is under review through the Safe and Responsible AI in Healthcare Legislation and Regulation Review, while the Therapeutic Goods Administration oversees AI used in medical device software following its review on strengthening regulation of medical device software including artificial intelligence.
The Department of Home Affairs, National Intelligence Community, and law enforcement agencies continue efforts to proactively mitigate serious risks posed by AI. Home Affairs coordinates cross-government efforts on cybersecurity and critical infrastructure protection while overseeing the Protective Security Policy Framework detailing policy requirements for authorizing AI technology systems for non-corporate Commonwealth entities.
AI is likely to exacerbate existing national security risks and create new, unknown threats. The government is preparing for potential AI-related incidents through the Australian Government Crisis Management Framework, which provides overarching policy for managing potential crises.
The government will consider how AI-related harms are managed under the framework to ensure ongoing clarity regarding roles and responsibilities across government to support coordinated and effective action.
The Institute will collaborate with domestic and international partners including the National AI Centre and the International Network of AI Safety Institutes to support global conversations on understanding and addressing AI risks.
Australia is a signatory to the Bletchley Declaration, Seoul Declaration, and Paris Statement emphasizing inclusive international cooperation on AI governance. Participation in the UN Global Digital Compact, Hiroshima AI Process, and Global Partnership on AI supports conversations on advancing safe, secure, and trustworthy adoption.
The government is developing an Australian Government Strategy for International Engagement and Regional Leadership on Artificial Intelligence to align foreign and domestic policy settings while establishing priorities for bilateral partnerships and engagement in international forums.
The Cybersecurity Coalition, an industry group of almost a dozen vendors, is urging the Trump Administration and Congress now that the government shutdown is over to take a number of steps to strengthen the country's cybersecurity posture as China, Russia, and other foreign adversaries accelerate their attacks.
The post Cybersecurity Coalition to Government: Shutdown is Over, Get to Work appeared first on Security Boulevard.
That lengthy standoff over privacy rights versus child protection ended Wednesday when EU member states finally agreed on a negotiating mandate for the Child Sexual Abuse Regulation, a controversial law requiring online platforms to detect, report, and remove child sexual abuse material while critics warn the measures could enable mass surveillance of private communications.
The Council agreement, reached despite opposition from the Czech Republic, Netherlands, and Poland, clears the way for trilogue negotiations with the European Parliament to begin in 2026 on legislation that would permanently extend voluntary scanning provisions and establish a new EU Centre on Child Sexual Abuse.
The Council introduces three risk categories of online services based on objective criteria including service type, with authorities able to oblige online service providers classified in the high-risk category to contribute to developing technologies to mitigate risks relating to their services. The framework shifts responsibility to digital companies to proactively address risks on their platforms.
One significant provision permanently extends voluntary scanning, a temporary measure first introduced in 2021 that allows companies to voluntarily scan for child sexual abuse material without violating EU privacy laws. That exemption was set to expire in April 2026 under current e-Privacy Directive provisions.
At present, providers of messaging services may voluntarily check content shared on their platforms for online child sexual abuse material, then report and remove it. According to the Council position, this exemption will continue to apply indefinitely under the new law.
Danish Justice Minister Peter Hummelgaard welcomed the Council's agreement, stating that the spread of child sexual abuse material is "completely unacceptable." "Every year, millions of files are shared that depict the sexual abuse of children. And behind every single image and video, there is a child who has been subjected to the most horrific and terrible abuse," Hummelgaard said.
The legislation provides for establishment of a new EU agency, the EU Centre on Child Sexual Abuse, to support implementation of the regulation. The Centre will act as a hub for child sexual abuse material detection, reporting, and database management, receiving reports from providers, assessing risk levels across platforms, and maintaining a database of indicators.
The EU Centre will assess and process information supplied by online providers about child sexual abuse material identified on services, creating, maintaining and operating a database for reports submitted by providers. The Centre will share information from companies with Europol and national law enforcement bodies, supporting national authorities in assessing the risk that online services could be used to spread abuse material.
Online companies must provide assistance for victims who would like child sexual abuse material depicting them removed or for access to such material disabled. Victims can ask for support from the EU Centre, which will check whether companies involved have removed or disabled access to items victims want taken down.
The breakthrough comes after months of stalled negotiations and a postponed October vote when Germany joined a blocking minority opposing what critics commonly call "chat control." Berlin argued the proposal risked "unwarranted monitoring of chats," comparing it to opening letters from other correspondents.
Critics from Big Tech companies and data privacy NGOs warn the measures could pave the way for mass surveillance, as private messages would be scanned by authorities to detect illegal images. The Computer and Communications Industry Association stated that EU member states made clear the regulation can only move forward if new rules strike a true balance protecting minors while maintaining confidentiality of communications, including end-to-end encryption.
Former Pirate MEP Patrick Breyer, who has been advocating against the file, characterized the Council endorsement as "a Trojan Horse" that legitimizes warrantless, error-prone mass surveillance of millions of Europeans by US corporations through cementing voluntary mass scanning.
The European Parliament's study heavily critiqued the Commission's proposal, concluding there aren't currently technological solutions that can detect child sexual abuse material without resulting in high error rates affecting all messages, files and data in platforms. The study also concluded the proposal would undermine end-to-end encryption and security of digital communications.
Statistics underscore the urgency. 20.5 million reports and 63 million files of abuse were submitted to the National Center for Missing and Exploited Children CyberTipline last year, with online grooming increasing 300 percent since negotiations began. Every half second, an image of a child being sexually abused is reported online.
Sixty-two percent of abuse content flagged by the Internet Watch Foundation in 2024 was traced to EU servers, with at least one in five children in Europe a victim of sexual abuse.
The Council position allows trilogue negotiations with the European Parliament and Commission to start in 2026. Those negotiations need to conclude before the already postponed expiration of the current e-Privacy regulation that allows exceptions under which companies can conduct voluntary scanning. The European Parliament reached its negotiating position in November 2023.
The EU’s Cyber Resilience Act is reshaping global software security expectations, especially for SaaS, where shared responsibility, lifecycle security and strong identity protections are essential as attackers increasingly “log in” instead of breaking in.
The post The Cyber Resilience Act and SaaS: Why Compliance is Only Half the Battle appeared first on Security Boulevard.
AI-generated code is reshaping software development and introducing new security risks. Organizations must strengthen governance, expand testing and train developers to ensure AI-assisted coding remains secure and compliant.
The post Securing AI-Generated Code in Enterprise Applications: The New Frontier for AppSec Teams appeared first on Security Boulevard.
SANTA CLARA, Calif., Nov 25, 2025 – Recently, NSFOCUS Generative Pre-trained Transformer (NSFGPT) and Intelligent Security Operations Platform (NSFOCUS ISOP) were recognized by the internationally renowned consulting firm Frost & Sullivan and won the 2025 Global Competitive Strategy Leadership for AI-Driven Security Operation [1]. Frost & Sullivan Best Practices Recognition awards companies each year in […]
The post NSFOCUS Receives International Recognition: 2025 Global Competitive Strategy Leadership for AI-Driven Security Operation appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks..
The post NSFOCUS Receives International Recognition: 2025 Global Competitive Strategy Leadership for AI-Driven Security Operation appeared first on Security Boulevard.
Enterprise GenAI success depends on more than models—security, observability, evaluation, and integration are critical to move from fragile pilots to reliable, scalable AI.
The post Securing GenAI in Enterprises: Lessons from the Field appeared first on Security Boulevard.
In this episode, we discuss the first reported AI-driven cyber espionage campaign, as disclosed by Anthropic. In September 2025, a state-sponsored Chinese actor manipulated the Claude Code tool to target 30 global organizations. We explain how the attack was executed, why it matters, and its implications for cybersecurity. Join the conversation as we examine the […]
The post AI Agent Does the Hacking: First Documented AI-Orchestrated Cyber Espionage appeared first on Shared Security Podcast.
The post AI Agent Does the Hacking: First Documented AI-Orchestrated Cyber Espionage appeared first on Security Boulevard.
Do you think cyberattacks are headlines anymore? Given the frequent occurrences, it has turned headlines into a day-to-day reality, and that’s scarier! Organizations that are big names to small organizations that are still growing, every one of them is being hit one way or the other. From supply chain attacks to data breaches, the impact […]
The post Making A Cyber Crisis Plan! Key Components Not To Be Missed appeared first on Kratikal Blogs.
The post Making A Cyber Crisis Plan! Key Components Not To Be Missed appeared first on Security Boulevard.
As organizations enter 2026, the real threat isn’t novel exploits but blind spots in supply chain security, proximity attack surfaces, and cross-functional accountability. This piece explains why fundamentals must become continuous, operational disciplines for modern cyber resilience.
The post What the DoD’s Missteps Teach Us About Cybersecurity Fundamentals for 2026 appeared first on Security Boulevard.
From prompt injection to cascading agent failures, GenAI expands the enterprise attack surface. A governance-first, security-focused approach—rooted in trusted data, guardrails, and ongoing oversight—is now critical for responsible AI adoption.
The post Governing the Unseen Risks of GenAI: Why Bias Mitigation and Human Oversight Matter Most appeared first on Security Boulevard.
For every organization, no matter the size or industry, the integrity and security of data is more crucial than ever as it faces the possibility of a cyber breach everyday. But what separates a company that bounces back quickly from one that suffers irreparable damage? The answer largely resides in how promptly and accurately the […]
The post Master how to report a breach for fast and effective cyber incident response first appeared on TrustCloud.
The post Master how to report a breach for fast and effective cyber incident response appeared first on Security Boulevard.
how proper JWT governance helps your organization stay compliant with SOC 2, ISO 27001, and GDPR. Explore best practices, governance frameworks, and how SSOJet ensures secure token management.
The post JWT Governance for SOC 2, ISO 27001, and GDPR — A Complete Guide appeared first on Security Boulevard.
In this episode, we discuss the newly released OWASP Top 10 for 2025. Join hosts Tom Eston, Scott Wright, and Kevin Johnson as they explore the changes, the continuity, and the significance of the update for application security. Learn about the importance of getting involved with the release candidate to provide feedback and suggestions. The […]
The post OWASP Top 10 for 2025: What’s New and Why It Matters appeared first on Shared Security Podcast.
The post OWASP Top 10 for 2025: What’s New and Why It Matters appeared first on Security Boulevard.
When a wooden horse was wheeled through the gates of Troy, it was welcomed as a gift but hid a dangerous threat. Today, organizations face the modern equivalent: the Trojan prompt. It might look like a harmless request: “summarize the attached financial report and point out any potential compliance issues.” Within seconds, a generative AI..
The post The Trojan Prompt: How GenAI is Turning Staff into Unwitting Insider Threats appeared first on Security Boulevard.
Source: Department of the Treasury’s Office of Foreign Assets Control (OFAC)[/caption]
The demand started at 1.4 billion conversations.
That staggering initial request from The New York Times, later negotiated down to 20 million randomly sampled ChatGPT conversations, has thrust OpenAI into a legal fight that security experts warn could fundamentally reshape data retention practices across the AI industry. The copyright infringement lawsuit has evolved beyond intellectual property disputes into a broader battle over user privacy, data governance, and the obligations AI companies face when litigation collides with privacy commitments.
OpenAI received a court preservation order on May 13, directing the company to retain all output log data that would otherwise be deleted, regardless of user deletion requests or privacy regulation requirements. District Judge Sidney Stein affirmed the order on June 26 after OpenAI appealed, rejecting arguments that user privacy interests should override preservation needs identified in the litigation.
The preservation order forces OpenAI to maintain consumer ChatGPT and API user data indefinitely, directly conflicting with the company's standard 30-day deletion policy for conversations users choose not to save. This requirement encompasses data from December 2022 through November 2024, affecting ChatGPT Free, Plus, Pro, and Team subscribers, along with API customers without Zero Data Retention agreements.
ChatGPT Enterprise, ChatGPT Edu, and business customers with Zero Data Retention contracts remain excluded from the preservation requirements. The order does not change OpenAI's policy of not training models on business data by default.
OpenAI implemented restricted access protocols, limiting preserved data to a small, audited legal and security team. The company maintains this information remains locked down and cannot be used beyond meeting legal obligations. No data will be turned over to The New York Times, the court, or external parties at this time.
The New York Times filed its copyright infringement lawsuit in December 2023, alleging OpenAI illegally used millions of news articles to train large language models including ChatGPT and GPT-4. The lawsuit claims this unauthorized use constitutes copyright infringement and unfair competition, arguing OpenAI profits from intellectual property without permission or compensation.
The Times seeks more than monetary damages. The lawsuit demands destruction of all GPT models and training sets using its copyrighted works, with potential damages reaching billions of dollars in statutory and actual damages.
The newspaper's legal team argued their preservation request warranted approval partly because another AI company previously agreed to hand over 5 million private user chats in an unrelated case. OpenAI rejected this precedent as irrelevant to its situation.
Complying with indefinite retention requirements presents significant engineering challenges. OpenAI must build systems capable of storing hundreds of millions of conversations from users worldwide, requiring months of development work and substantial financial investment.
The preservation order creates conflicts with international data protection regulations including GDPR. While OpenAI's terms of service allow data preservation for legal requirements—a point Judge Stein emphasized—the company argues The Times's demands exceed reasonable discovery scope and abandon established privacy norms.
OpenAI proposed several privacy-preserving alternatives, including targeted searches over preserved samples to identify conversations potentially containing New York Times article text. These suggestions aimed to provide only data relevant to copyright claims while minimizing broader privacy exposure.
Recent court modifications provided limited relief. As of September 26, 2025, OpenAI no longer must preserve all new chat logs going forward. However, the company must retain all data already saved under the previous order and maintain information from ChatGPT accounts flagged by The New York Times, with the newspaper authorized to expand its flagged user list while reviewing preserved records.
"Our long-term roadmap includes advanced security features designed to keep your data private, including client-side encryption for your messages with ChatGPT. We will build fully automated systems to detect safety issues in our products. Only serious misuse and critical risks—such as threats to someone’s life, plans to harm others, or cybersecurity threats—may ever be escalated to a small, highly vetted team of human reviewers." - Dane Stuckey, Chief Information Security Officer, OpenAI
The case transforms abstract AI privacy concerns into immediate operational challenges affecting 400 million ChatGPT users. Security practitioners note the preservation order shatters fundamental assumptions about data deletion in AI interactions.
OpenAI CEO Sam Altman characterized the situation as accelerating needs for "AI privilege" concepts, suggesting conversations with AI systems should receive protections similar to attorney-client privilege. The company frames unlimited data preservation as setting dangerous precedents for AI communication privacy.
The litigation presents concerning scenarios for enterprise users integrating ChatGPT into applications handling sensitive information. Organizations using OpenAI's technology for healthcare, legal, or financial services must reassess compliance with regulations including HIPAA and GDPR given indefinite retention requirements.
Legal analysts warn this case likely invites third-party discovery attempts, with litigants in unrelated cases seeking access to adversaries' preserved AI conversation logs. Such developments would further complicate data privacy issues and potentially implicate attorney-client privilege protections.
The outcome will significantly impact how AI companies access and utilize training data, potentially reshaping development and deployment of future AI technologies. Central questions remain unresolved regarding fair use doctrine application to AI model training and the boundaries of discovery in AI copyright litigation.
Also read: OpenAI’s SearchGPT: A Game Changer or Pandora’s Box for Cybersecurity Pros?
The GRC platform market is witnessing strong growth as organizations across the globe focus on strengthening governance, mitigating risks, and meeting evolving compliance demands. According to recent estimates, the market was valued at USD 49.2 billion in 2024 and is projected to reach USD 127.7 billion by 2033, growing at a CAGR of 11.18% between 2025 and 2033.
This GRC platform market growth reflects the increasing need to protect sensitive data, manage cyber risks, and streamline regulatory compliance processes.
As cyberthreats continue to rise, enterprises are turning to GRC platforms to gain centralized visibility into their risk posture. These solutions help organizations identify, assess, and respond to potential risks, ensuring stronger governance and reduced operational disruption.
The market’s momentum is also fueled by heightened regulatory scrutiny and the introduction of new compliance frameworks worldwide. Businesses are under pressure to maintain transparency, accuracy, and accountability in their governance and reporting processes — areas where a GRC platform adds significant value.
By integrating governance, risk, and compliance management into one system, companies can make informed decisions, reduce human error, and ensure consistent adherence to evolving regulations.
The GRC platform market is segmented based on deployment model, solution, component, end-user, and industry vertical.
Deployment Model: The on-premises deployment model dominates the market due to enhanced security and customization options. It is preferred by organizations handling sensitive data or operating under strict regulatory environments.
Solution Type: Compliance management holds the largest market share as businesses prioritize automation of documentation, tracking, and reporting to stay audit-ready.
Component: Software solutions lead the market by offering analytics, policy management, and workflow automation to streamline risk processes.
End User: Medium enterprises represent the largest segment, focusing on scalable solutions that balance security and efficiency.
Industry Vertical: The BFSI sector remains a key adopter due to its complex regulatory landscape and high data security requirements.
Several factors contribute to the rapid expansion of the GRC platform market:
Escalating Cyber Risks: As cyber incidents become more frequent and sophisticated, organizations seek to integrate cybersecurity measures within GRC frameworks. These integrations improve detection, response, and recovery capabilities.
Evolving Compliance Standards: Increasing regulatory pressure drives adoption of GRC solutions to ensure businesses stay aligned with global standards like GDPR, HIPAA, and ISO 27001.
Automation and Efficiency: Advanced GRC software reduces manual reporting and enhances accuracy, enabling faster audit responses and improved decision-making.
Operational Resilience: A robust GRC system ensures business continuity by minimizing vulnerabilities and improving crisis management strategies.
North America currently leads the GRC platform market, supported by mature digital infrastructure and strong regulatory frameworks. Meanwhile, the Asia-Pacific region is emerging as a key growth area, driven by increased cloud adoption and a rising focus on data privacy.
In the coming years, integration with AI, analytics, and threat intelligence tools will transform how organizations approach governance and risk. The market is expected to evolve toward more predictive and adaptive compliance solutions.
As organizations expand their digital ecosystems, threat intelligence has become a vital part of effective risk management. Platforms like Cyble help enterprises identify, monitor, and mitigate emerging cyber risks before they escalate. Integrating such intelligence-driven insights into a GRC platform strengthens visibility and helps build a proactive security posture.
For security leaders aiming to align governance with real-time intelligence, exploring a quick free demo of integrated risk and compliance tools can offer valuable perspective on enhancing organizational resilience.
AI’s mosaic effect turns harmless data into sensitive insight. Learn why traditional access control fails and how REBAC secures AI-driven environments.
The post The Mosaic Effect: Why AI Is Breaking Enterprise Access Control appeared first on Security Boulevard.
AI’s growth exposes new risks to data in use. Learn how confidential computing, attestation, and post-quantum security protect AI workloads in the cloud.
The post AI Demands Laser Security Focus on Data in Use appeared first on Security Boulevard.
See how Morpheus AI transforms managed security economics—delivering 24/7 autonomous coverage, unified data, and exponential returns without increasing headcount.
The post How MSSPs Turn Security Alerts Into Exponential Revenue With Morpheus AI appeared first on D3 Security.
The post How MSSPs Turn Security Alerts Into Exponential Revenue With Morpheus AI appeared first on Security Boulevard.
As LLMs, agents and Model Context Protocols (MCPs) reshape software architecture, API sprawl is creating major security blind spots. The 2025 GenAI Application Security Report reveals why continuous API discovery, testing and governance are now critical to protecting AI-driven applications from emerging semantic and prompt-based attacks.
The post Why API Security Will Drive AppSec in 2026 and Beyond appeared first on Security Boulevard.
As AI investments surge toward $1 trillion by 2027, many organizations still see zero ROI due to hidden security and cost risks. Discover how aligning FinOps with security practices helps identify AI-related vulnerabilities, control cloud costs, and build sustainable, secure AI operations.
The post Using FinOps to Detect AI-Created Security Risks appeared first on Security Boulevard.
Cryptojacking silently hijacks compute power, inflates cloud bills, and erodes performance. Beyond financial losses, it exposes deep security risks, damages reputation, and drains productivity—making proactive detection and prevention essential for every organization.
The post The Real Cost of Cryptojacking appeared first on Security Boulevard.
System Audit is a mandatory technical and compliance assessment introduced by SEBI and implemented by the National Stock Exchange (NSE). Its primary purpose is to ensure that every trading member or broker operates secure, reliable, and compliant IT systems capable of safeguarding investors and market operations. Note that this audit isn’t a superficial formality. It […]
The post NSE System Audit – What is it and Who Needs It? appeared first on Kratikal Blogs.
The post NSE System Audit – What is it and Who Needs It? appeared first on Security Boulevard.
AI agents are transforming governance and compliance from slow, manual processes into real-time, autonomous systems. By eliminating data silos, automating risk assessments, and enabling multi-modal collaboration, enterprises can achieve governance at Mach speed.
The post AI Agents Mark the End of Traditional GRC appeared first on Security Boulevard.
The Federal Communications Commission will vote next month to rescind a controversial January 2025 Declaratory Ruling that attempted to impose sweeping cybersecurity requirements on telecommunications carriers by reinterpreting a 1994 wiretapping law.
In an Order on Reconsideration circulated Thursday, the FCC concluded that the previous interpretation was both legally erroneous and ineffective at promoting cybersecurity.
The reversal marks a dramatic shift in the FCC's approach to telecommunications security, moving away from mandated requirements toward voluntary industry collaboration—particularly in response to the massive Salt Typhoon espionage campaign sponsored by China that compromised at least eight U.S. communications companies in 2024.
On January 16, 2025—just five days before a change in administration—the FCC adopted a Declaratory Ruling claiming that section 105 of the Communications Assistance for Law Enforcement Act (CALEA) "affirmatively requires telecommunications carriers to secure their networks from unlawful access to or interception of communications."
CALEA, enacted in 1994, was designed to preserve law enforcement's ability to conduct authorized electronic surveillance as telecommunications technology evolved. Section 105 specifically requires that interception of communications within a carrier's "switching premises" can only be activated with a court order and with intervention by a carrier employee.
The January ruling took this narrow provision focused on lawful wiretapping and expanded it dramatically, interpreting it as requiring carriers to prevent all unauthorized interceptions across their entire networks. The Commission stated that carriers would be "unlikely" to satisfy these obligations without adopting basic cybersecurity practices including role-based access controls, changing default passwords, requiring minimum password strength, and adopting multifactor authentication.
The ruling emphasized that "enterprise-level implementation of these basic cybersecurity hygiene practices is necessary" because vulnerabilities in any part of a network could provide attackers unauthorized access to surveillance systems. It concluded that carriers could be in breach of statutory obligations if they failed to adopt certain cybersecurity practices—even without formal rules adopted by the Commission.
CTIA – The Wireless Association, NCTA – The Internet & Television Association, and USTelecom – The Broadband Association filed a petition for reconsideration on February 18, arguing that the ruling exceeded the FCC's statutory authority and misinterpreted CALEA.
The new FCC agreed with these concerns, finding three fundamental legal flaws in the January ruling:
Enforcement Authority: The Commission concluded it lacks authority to enforce its interpretation of CALEA without first adopting implementing rules through notice-and-comment rulemaking. CALEA section 108 commits enforcement authority to the courts, not the FCC. The Commission noted that when it previously wanted to enforce CALEA requirements, it codified them as rules in 2006 specifically to gain enforcement authority.
"Switching Premises" Limitation: Section 105 explicitly refers to interceptions "effected within its switching premises," but the ruling appeared to impose obligations across carriers' entire networks. The Commission found this expansion ignored clear statutory limits.
"Interception" Definition: CALEA incorporates the Wiretap Act's definition of "intercept," which courts have consistently interpreted as limited to communications intercepted contemporaneously with transmission—not stored data. The ruling's required practices target both data in transit and at rest, exceeding section 105's scope.
"It was unlawful because the FCC purported to read a statute that required telecommunications carriers to allow lawful wiretaps within a certain portion of their network as a provision that required carriers to adopt specific network management practices in every portion of their network," the new order states.
Rather than mandated requirements, the FCC pointed to voluntary commitments from communications providers following collaborative engagement throughout 2025. In an October 16 ex parte filing, industry associations detailed "extensive, urgent, and coordinated efforts to mitigate operational risks, protect consumers, and preserve national security interests.
These voluntary measures include:
The government-industry partnership model of collaboration has enabled communications providers to respond swiftly and agilely to Salt Typhoon, reduce vulnerabilities exposed by the attack, and bolster network cyber defenses," the industry associations stated.
The Salt Typhoon attacks, disclosed in September 2024, involved a PRC-sponsored advanced persistent threat group infiltrating U.S. communications companies as part of a massive espionage campaign affecting dozens of countries. Critically, the attacks exploited publicly known common vulnerabilities and exposures (CVEs) rather than zero-day vulnerabilities—meaning they targeted avoidable weaknesses rather than previously unknown flaws.
The FCC noted that following its engagement with carriers after Salt Typhoon, providers agreed to implement additional cybersecurity controls representing "a significant change in cybersecurity practices compared to the measures in place in January."
While rescinding the broad CALEA interpretation, the FCC emphasized it continues pursuing targeted cybersecurity regulations in specific areas where it has clear legal authority:
"The Commission is leveraging the full range of the Commission's regulatory, investigatory, and enforcement authorities to protect Americans and American companies from foreign adversaries," the order states, while maintaining that collaboration with carriers coupled with targeted, legally robust regulatory and enforcement measures, has proven successful.
The FCC also set to withdraw the Notice of Proposed Rulemaking that accompanied the January Declaratory Ruling, which would have proposed specific cybersecurity requirements for a broad array of service providers. The NPRM was never published in the Federal Register, so the public comment period never commenced.
The Commission's new approach reflects a bet that voluntary industry cooperation, supported by targeted regulations in specific high-risk areas, will likely prove more effective than sweeping mandates of questionable legal foundation.
So long and thanks for all the fish: Peter Williams admits to selling unpatched iPhone bugs to a shady Russian broker.
The post US Defense Contractor Boss Sold Zero Days to Russia — Cops a Plea appeared first on Security Boulevard.
Generative AI is transforming identity and access management by enabling adaptive authentication, real-time threat detection, and smarter cybersecurity.
The post How Can Generative AI Transform the Future of Identity and Access Management appeared first on Security Boulevard.
If your software serves federal missions, you face twin pressures to move faster and prove exactly what's in your software.
The post Transforming Software Compliance with AI SBOM Management appeared first on Security Boulevard.
A new Vanta survey of 3,500 IT and business leaders reveals that 72% believe cybersecurity risks have never been higher due to AI. While 79% are using or planning to use AI agents to defend against threats, many admit their understanding lags behind adoption—highlighting the urgent need for stronger governance, risk, and compliance (GRC) frameworks for AI.
The post Survey Surfaces Greater Appreciation for AI Risks appeared first on Security Boulevard.
As businesses increasingly rely on AI chatbots, securing conversational AI is now mission-critical. Learn about common chatbot vulnerabilities, AI risk management strategies, and best practices — from data encryption and authentication to model protection — to safeguard user trust, privacy, and compliance in the digital era.
The post When Chatbots Go Rogue: Securing Conversational AI in Cyber Defense appeared first on Security Boulevard.
Cyber insurance is no longer just a safety net; it’s a catalyst for change. With premiums climbing and coverage shrinking, insurers are forcing organizations to modernize security operations, embrace AI-driven risk quantification, and tighten governance. Here’s how forward-looking leaders are turning insurance pain into long-term resilience.
The post The Cyber Insurance Crunch: Turning Rising Premiums Into Security Wins appeared first on Security Boulevard.
Login