ai risk today logo svg bl font
Menu
SUBSCRIBE
SUBSCRIBE
ai risk today logo svg bl font
Menu

AI governance

WitnessAI branded cupcakes displayed at a company event celebrating the firm’s $58 million funding round to expand AI security capabilities

WitnessAI Raises $58 Million To Expand AI Security Platform And Support Global Growth

, , , ,

The funding would support international expansion and new product capabilities to secure enterprise AI systems and agents.

 

WitnessAI announced that it raised $58 million in a new funding round to support global expansion and the development of additional tools to secure artificial intelligence systems and autonomous AI agents.

The company said the financing was led by Sound Ventures, an early investor in OpenAI, Anthropic, and SentinelOne, along with participation from Fin Capital, Qualcomm Ventures, Samsung Ventures, and Forgepoint Capital Partners. Funds will be used to expand operations outside the United States and accelerate product development focused on protecting enterprise use of AI. WitnessAI provides security and compliance tools designed to monitor, control, and reduce risks associated with large language models and AI-powered applications.

According to the company, its platform is intended to help organizations manage risks related to data leakage, unauthorized access, and misuse of AI systems, including emerging AI agents that can autonomously take actions on behalf of users. The tools are designed for enterprises deploying AI across business functions such as customer support, software development, and internal operations.

“AI adoption is accelerating faster than security and governance frameworks can keep up,” said Rick Caccia, chief executive officer and co-founder of WitnessAI, in a statement announcing the funding. “This investment allows us to scale globally and deliver the protections enterprises need as AI systems become more autonomous and pervasive.”

WitnessAI said the funding would also support hiring across engineering, research, and go-to-market teams, as well as the expansion of its international presence to meet demand from multinational organizations.

The company did not disclose a post-money valuation. It said the latest funding builds on prior rounds as enterprise adoption of AI tools continues to expand, prompting organizations to focus more on security, governance, and compliance controls for AI systems.

Kiteworks 2026 data security and compliance risk forecast report cover, highlighting AI governance and data security risks

AI Governance Gaps Leave Most Organizations Unprepared For 2026, Kiteworks Report Finds

, , ,

Most surveyed firms have AI on their roadmaps, but lack controls to govern data security.

 

Key takeaways

  • Universal AI adoption, limited readiness: 100% of surveyed organizations reported plans to deploy agentic AI systems by 2026, but a majority reported lacking core governance and containment controls.
  • Purpose and control gaps: 63% of respondents said they cannot enforce purpose limitations on AI systems, and 60% reported they cannot quickly shut down or contain misbehaving AI agents.
  • Insufficient system isolation: 55% of organizations said they cannot isolate AI systems from broader enterprise networks, increasing the risk of unintended data access.
  • Weak data governance foundations: 61% reported they cannot tag or classify data used by AI systems, and 72% said they do not maintain a software bill of materials for AI models.
  • Limited monitoring and accountability: 60% of respondents said they lack anomaly detection for AI activity, while 33% reported fragmented or missing audit trails for AI systems.
  • Cross-border visibility gaps: 29% cited cross-border AI data transfers as a risk, yet only 36% reported visibility into where AI data is processed, trained, or inferred.


The 2026 Data Security and Compliance Risk Forecast Report by Kiteworks finds that while every organization surveyed intends to deploy agentic artificial intelligence (AI) systems by 2026, a majority lack the governance and containment controls needed to secure those systems and the sensitive data they access.

The report states that although AI adoption is universal among respondents, most organizations cannot enforce basic controls such as purpose limitations on AI agents, rapid shutdown of misbehaving agents, or isolation of AI systems from broader networks. Specifically, 63% cannot enforce purpose limitations, 60% cannot terminate misbehaving agents quickly, and 55% cannot isolate AI systems from wider network access.

According to Kiteworks, 2026 will mark the transition of AI data security from an “emerging concern” to an “operational reality,” driven by gaps between monitoring capability and the ability to contain risky AI behavior. The report identifies a “governance-containment gap” as a central challenge for enterprise data security ahead of the coming year.

The forecast outlines 15 predictions for how AI and data security risks will evolve. These include the rise of centralized AI gateways as control planes, the dominance of data security posture management as a baseline security requirement, and the increasing regulatory focus on training-data controls and audit trails.

The findings show that key governance capabilities are widely missing: 61% of organizations cannot enforce tagging of data used by AI, 72% have no software bill of materials (SBOM) for AI models, 60% lack anomaly detection for AI activity, and 33% have fragmented or absent audit trails.

The report also highlights industry-specific vulnerabilities. Government organizations, despite handling sensitive citizen data, showed high rates of missing purpose-binding and kill-switch controls. Healthcare respondents demonstrated significant gaps in incident response and limited AI anomaly detection. Manufacturing and other sectors reported visibility blind spots in complex supply chains.

Tim Freestone, chief strategy officer at Kiteworks, said the survey results show that AI governance is lagging behind deployment plans: “Every organization surveyed has agentic AI on their roadmap, yet most lack the controls to govern it.”

European Telecommunications Standards Institute building representing publication of ETSI AI cybersecurity standard

ETSI publishes European standard setting baseline cybersecurity requirements for artificial intelligence systems

, , ,

The policy sets baseline cybersecurity requirements for AI models and systems and applies to developers, operators, and data custodians across the AI lifecycle.

 

The European Telecommunications Standards Institute (ETSI) published ETSI EN 304 223 V2.1.1, a European Standard that defines baseline cybersecurity requirements for artificial intelligence (AI) models and systems. The standard was adopted as an official European standard (EN) and addresses security across the AI lifecycle, including design, development, deployment, maintenance, and end-of-life.

ETSI EN 304 223 V2.1.1, titled Securing Artificial Intelligence (SAI); Baseline Cyber Security Requirements for AI Models and Systems, replaces earlier technical specifications developed by ETSI’s Technical Committee on Securing Artificial Intelligence (SAI). The document defines high-level principles and provisions that stakeholders, including AI developers, system operators, and data custodians, are expected to follow to protect AI systems from cybersecurity threats.

The standard applies to AI systems that include deep neural networks and other machine learning technologies and covers requirements intended to help safeguard AI models against risks such as data poisoning and adversarial attacks. It outlines baseline controls for secure design, secure development practices, secure deployment, ongoing maintenance, and secure retirement of AI systems.

“This European Standard provides a clear set of baseline cybersecurity requirements to help protect AI systems,” ETSI stated in its release announcing the publication of ETSI EN 304 223.

ETSI’s publication follows a multi-stage standardisation process, with the latest version now formally available in the ETSI deliverables repository. The standard’s adoption as an EN means it will be transposed by national standardisation bodies participating in the European standardisation system, with dates for national adoption and withdrawal of conflicting national standards noted in the document.

Composite illustration representing artificial intelligence concepts from the National Institute of Standards and Technology

DOE Inspector General Identifies AI Governance As A Key Management Challenge

, , ,

Report highlights AI oversight gaps and the need for a governance framework for artificial intelligence within the Department of Energy.


The U.S. Department of Energy’s Office of Inspector General (OIG) released its Management Challenges at the Department of Energy — Fiscal Year 2026 report, identifying artificial intelligence (AI) as one of the agency’s significant management challenges. The special report, required by statute, provides senior DOE officials and policymakers with a high-level view of key risks and areas needing attention.

The OIG noted that the rapid advancement and adoption of AI technologies pose significant challenges for the Department. It stated the DOE should establish a “comprehensive governance framework” to guide development and deployment of AI to address risks and ensure the agency appropriately leverages work done by National Laboratories and other Department components.

The report said the development of common standards, the promotion of best practices, and the mitigation of potential risks could help ensure consistent and effective AI implementation. It also noted that the Department is developing an AI Strategy and Compliance Plan to address ethical concerns, security, governance, and risk management for AI technologies.

According to the OIG, the Department is deploying AI to model energy systems, automate permitting processes, including PermitAI, enhance electrical grid stability, and secure critical infrastructure through platforms such as Lantern at the Oak Ridge National Laboratory. The report also said DOE is exploring siting AI data centers on agency lands to co-locate with high-performance computing assets.

The management challenges report applies across the Department’s diverse missions, including national security, scientific research, energy production, and environmental cleanup, and reflects the OIG’s oversight work over the previous year. The report was transmitted to the Secretary of Energy on December 17, 2025.

Sedgwick company logo

Sedgwick Highlights Artificial Intelligence Risks In 2026 Global Risk Forecasting Report

, , ,

Annual report identifies preparedness gaps and governance challenges related to artificial intelligence use.

 

Key takeaways

  • Most organizations report limited preparedness for artificial intelligence (AI) risks despite increased governance activity.
  • AI adoption is outpacing formal risk management, controls, and oversight frameworks.
  • Executives cite regulatory uncertainty and operational risk as leading AI-related concerns.

Sedgwick released its 2026 Global Risk Forecasting Report, which identifies AI as a growing risk area for organizations across industries. This article focuses specifically on the AI-related findings within the broader report, which also addresses catastrophe, supply chain, workforce, and global risk trends.

The report is based on research conducted by Sedgwick specialists and survey responses from senior executives at large multinational organizations. According to Sedgwick, the AI section is intended to assess organizations’ preparedness to manage operational, legal, and governance risks associated with expanding AI use.

Sedgwick reported that while AI adoption continues to accelerate, formal risk management has not kept pace. Survey data showed that 70% of respondents said their organizations have established AI risk committees, but only 14% said they are fully prepared to manage AI-related risks across their operations. An additional 31% said they are struggling to keep up with AI risk preparation.

Key AI-related findings from the report include:

  • A majority of organizations have implemented some form of AI governance, but few report enterprise-wide readiness.
  • Risk committees are more common than documented policies, controls, or monitoring processes.
  • Respondents cited concerns about data quality, regulatory compliance, model oversight, and unintended consequences.
  • AI-related risks are increasingly viewed as an enterprise issue rather than a technology-only concern.

The report notes that organizations face challenges aligning AI deployment with existing risk, compliance, and insurance frameworks. Sedgwick said gaps in oversight may increase exposure to claims, regulatory scrutiny, and operational disruption as AI systems are embedded into core business processes.

“Navigating risk in 2026 requires organizations to address AI risks with the same rigor applied to other enterprise exposures,” said Mike Arbour, CEO of Sedgwick, in an official statement accompanying the report. “Governance, accountability, and preparedness will be essential as AI use expands.”

Sedgwick said the AI findings are intended to help organizations evaluate current controls, identify gaps, and align AI governance with broader risk management strategies. The company noted that AI-related risk considerations are expected to remain a central focus for executives as adoption continues across functions and industries.

OpenAI logo

OpenAI Updates Model Behavior Rules To Add Teen Protections

, ,

New Under-18 principles define how ChatGPT should interact with teenage users.


OpenAI updated its Model Specification to include protections that guide how its AI models interact with adolescent users aged 13 to 17 under its new Under-18 (U18) Principles framework. The Model Spec is the company’s internal set of rules, values, and behavioral expectations for its AI systems, including ChatGPT.

The U18 Principles are intended to shape ChatGPT’s behavior with teen users by prioritizing safety and age-appropriate support. They establish commitments to “put teen safety first,” encourage real-world support and offline relationships, treat teens according to their developmental stage, and be transparent about expectations.

According to OpenAI, the updated guidelines are grounded in developmental science and were shaped with input from external experts, including the American Psychological Association (APA). In a quoted statement, Dr. Arthur C. Evans Jr., CEO of the American Psychological Association, said the association “encourages AI developers to offer developmentally appropriate precautions for youth users” and stressed the importance of supervised and discussed use of AI with trusted adults. 

The update clarifies how safety considerations apply when “higher-risk areas” arise in conversations with teens. OpenAI says the assistant should apply stronger guardrails and offer safer alternatives, and when there is imminent risk, it should urge teens to contact emergency services or crisis resources.

The company said the Model Spec’s teen protections build on other efforts, including parental controls that allow adults to tailor ChatGPT experiences for teens, and new expert-vetted resources for families. It also noted that it is in the early stages of rolling out an age prediction system on ChatGPT’s consumer plans that would automatically apply the U18 experience when an account is believed to belong to a minor. If age cannot be confidently determined, OpenAI said it would default to the U18 experience and provide adults with a way to verify their age.

The updated Model Spec and U18 Principles remain part of OpenAI’s intended model behavior and will continue to be refined.

Anthropic logo

Anthropic Publishes Compliance Framework Ahead Of California AI Transparency Law Taking Effect

, ,

The framework outlines how the company will comply with California’s Transparency in Frontier Artificial Intelligence Act (SB 53) by assessing and disclosing catastrophic risk management practices.


Anthropic, an artificial intelligence developer, published a compliance framework ahead of the January 1, 2026, implementation of California’s Transparency in Frontier Artificial Intelligence Act, also known as Senate Bill 53. The framework describes how the company will assess and manage catastrophic risks from advanced AI systems and fulfill disclosure requirements under the new law.

SB 53, enacted by the California Legislature and signed by Governor Gavin Newsom in late September 2025, establishes transparency and safety obligations for frontier AI developers. The law applies to companies whose AI systems meet specific “frontier” criteria, requiring them to publish risk assessment frameworks, report critical safety incidents, and include whistleblower protections.

Anthropic’s publicly released “Frontier Compliance Framework” details how the company evaluates and mitigates risks such as cyber offense, chemical, biological, radiological and nuclear threats, AI sabotage, and loss of control for its most capable models. It also lays out a tiered system for evaluating model capabilities, explains mitigation approaches, and describes protections for model assets and incident response procedures.

The document will serve as Anthropic’s compliance framework for SB 53 and other regulatory requirements, while the company’s Responsible Scaling Policy remains a voluntary safety policy outlining broader best practices.

“The law balances the need for strong safety practices, incident reporting, and whistleblower protections – while preserving flexibility in how developers implement these safety measures,” Anthropic said in its announcement.

Under SB 53, covered developers must make key safety documents publicly available, report significant incidents within 15 days, and provide protections for employees who raise compliance concerns or report severe risks. The statute takes effect January 1, 2026, and represents the first state-level requirement for AI safety and transparency in the United States.

OWASP logo with AI security graphic

OWASP Releases First Top 10 Risk List For Agentic AI Applications

, ,

The list identifies key security risks and mitigation guidance for autonomous artificial intelligence systems.


The Open Worldwide Application Security Project (OWASP) released its first OWASP Top 10 for Agentic Applications, a list of principal security risks and mitigation guidance for autonomous artificial intelligence (AI) systems that make decisions and take actions with limited human oversight. The list was published by the OWASP GenAI Security Project following more than a year of research and review by industry practitioners, security researchers, and technical contributors.

The Top 10 list outlines categories of security concerns, including agent goal hijacking, tool misuse and exploitation, identity and privilege abuse, supply chain vulnerabilities, unexpected code execution, memory and context poisoning, insecure inter-agent communication, cascading failures, human-agent trust exploitation, and rogue agents. These categories are intended to help organizations identify and address risks specific to agentic AI applications, which differ from those associated with traditional software vulnerabilities.

The guidance applies to technology developers, security teams, and organizations that deploy or manage agentic AI systems. The project describes agentic AI as systems capable of planning, coordinating, accessing data, interacting with tools, and executing workflows without continuous human control.

“The OWASP Top 10 for Agentic Applications is grounded in deep technical analysis and broad industry collaboration,” said Hyrum Anderson, senior director of AI and security at Cisco, in an OWASP statement. “The rigor behind this list provides more than a summary of concerns – it’s a thoroughly validated foundation you can safely anchor your security attention to.”

OWASP said the list is part of a broader portfolio of resources the GenAI Security Project has published, including threat modelling guides and development best practices designed to help practitioners secure agentic AI from design through deployment.

The Top 10 for Agentic Applications complements OWASP’s existing security frameworks and serves as a shared reference for risk identification and mitigation as autonomous AI adoption grows.

Creators Coalition on AI official webpage

Hollywood Creators Form Coalition On AI To Set Industry Standards

,

A group of film, television, and media creators, including many A-listers, announced the formation of the Creators Coalition on AI, establishing an industry-wide body to pursue shared standards and practices for the use of artificial intelligence in creative fields. The coalition is detailed on its official website, which outlines its objectives and founding members.

The Creators Coalition on AI (CCAI) is described as an “agnostic convening organization” intended to serve as a central hub for cross-industry discussion about how generative AI is affecting the entertainment industry and creative communities. The coalition’s founding statement says that its work builds on several months of effort to align on broad principles for responsible AI implementation.

CCAI’s stated goals include promoting transparency, consent, and compensation for content and data used in AI systems; protecting jobs and planning for workforce transitions; establishing guardrails against misuse and deepfakes; and safeguarding human creativity in the artistic process. The group says it will convene an AI advisory committee to develop shared definitions, standards, and best practices.

Eighteen founders from across the entertainment sector are listed on the coalition’s site, including filmmaker Daniel Kwan, producer Jonathan Wang, actors Joseph Gordon-Levitt and Natasha Lyonne, and producer and former Academy of Motion Picture Arts and Sciences president Janet Yang. The website notes more than 500 additional creators have signed on as supporters.

“We recognize both the immense business potential of this technology and its capacity to unlock genuine creative progress,” the group said in its founding announcement, adding that the coalition is committed to “responsible, human-centered innovation.”

The coalition’s launch follows multiple high-profile agreements and advances in generative AI that have accelerated industry attention on the technology’s impact on creative labor and rights. The initiative is positioned as a forum for coordinated action rather than formal regulation.

Freddie Mac introduces AI governance for lenders

Freddie Mac Updates Selling Guide to Require AI Governance Policies

, ,

Government-sponsored enterprise will mandate lenders using artificial intelligence to implement oversight frameworks in loan origination and servicing.

 

Freddie Mac announced revisions to its Single-Family Seller/Servicer Guide that will require mortgage sellers and servicers to establish formal governance policies for the use of artificial intelligence and machine-learning technologies. The changes, outlined in Bulletin 2025-16, take effect March 3, 2026.

Under the updated guidance, lenders that use AI or machine learning in connection with mortgages sold to or serviced on behalf of Freddie Mac must demonstrate that they have comprehensive processes in place governing the deployment and oversight of these systems. The policies must address risk management, transparency, and compliance with applicable laws.

Freddie Mac’s bulletin specifies that seller/servicers must show clear procedures for “mapping, measuring, and managing” risks associated with AI tools, and that these procedures be transparent and effectively implemented across their organizations.

The revisions apply to AI and machine-learning systems used in loan origination, underwriting, servicing, and other areas that affect loans sold to Freddie Mac. Firms affected by the mandate will need to adjust internal practices and documentation to meet the new requirements before March 2026.

Freddie Mac did not provide specific enforcement details but indicated that compliance with the AI governance framework will be part of the eligibility criteria for selling loans to the government-sponsored enterprise.

The move by Freddie Mac follows broader industry and regulatory attention on the use of AI in the housing finance sector. In early December, the U.S. Government Accountability Office urged the Federal Housing Finance Agency, which oversees Freddie Mac and Fannie Mae, to issue more explicit guidance on fair-lending requirements related to AI use, citing potential risks tied to automated systems in homebuying and mortgage lending.

The FHFA’s 2025 Scorecard previously directed both enterprises to strengthen AI risk management frameworks and to assess the benefits and risks of expanded use of the technology in the mortgage market.

Industry analysts have noted that lenders increasingly rely on AI and machine-learning tools for tasks such as credit assessment, fraud detection, and automated underwriting, prompting regulators and market participants to focus on governance and accountability practices. The Freddie Mac update aligns with these developments by formalizing expectations for the responsible deployment of AI among its seller and servicer partners.

Affected lenders and servicers are reviewing internal systems to prepare for the March compliance deadline, adjusting policies and documentation to meet Freddie Mac’s new requirements ahead of the effective date.

Load More