What happened
On July 9, 2026, CREST — the international membership body that accredits penetration testing, incident response, threat intelligence, and SOC providers (and runs government-recognized schemes like UK NCSC CHECK, CBEST, and Dubai Cyber Force) — launched the CREST AI Charter, backed by 60-73 founding signatory firms across 17+ countries. The Charter is built around nine principles for responsible AI use in cybersecurity service delivery: accountability and governance, transparency of use, documentation and auditability, boundaries and control (human oversight), data handling/sovereignty/client control, security and confidentiality, secure development of AI tooling, supply chain assurance, and resilience/business continuity. The principles were originally previewed in March 2026 and finalized following CREST technical working group input and validation from CRESTCon industry events. CREST has stated it will develop formal, independently-assessable AI security standards as a follow-on to the Charter, alongside collaborative working groups and research.
Why it matters
This is the first cross-border industry self-regulatory framework specifically governing how cybersecurity service providers (who hold privileged access to client systems) may use AI in their own service delivery — as distinct from frameworks governing AI systems as a target of attack (e.g., OWASP LLM Top 10, MITRE ATLAS) or AI as a product to be secured (NIST AI RMF). Because CREST accreditation underpins recognized national schemes (UK NCSC CHECK, Bank of England CBEST, Dubai DESC Cyber Force, UK CAA ASSURE), CREST's AI principles could become a de facto baseline that regulators and buyers point to when assessing AI-enabled penetration testing, red teaming, and SOC services — CREST itself says it is seeking government/regulator endorsement to reduce future compliance fragmentation.
Action needed
Security service buyers should ask providers whether they are CREST AI Charter signatories and request the transparency/documentation artifacts the Charter mandates (AI use disclosure, human-oversight controls, data sovereignty terms). Providers should map internal AI tooling practices against the nine principles now, ahead of CREST's planned formal, auditable standard.