Guidelines  ·  2026-07-16

CREST Launches AI Charter with Nine Principles for AI-Enabled Cybersecurity Services

GuidelinesMedium impactGlobal
On July 9, 2026, CREST — the international membership body that accredits penetration testing, incident response, threat intelligence, and SOC providers (and runs government-recognized schemes like UK NCSC CHECK, CBEST, and Dubai Cyber Force) — launched the CREST AI Charter, backed by 60-73 founding signatory firms across 17+ countries. The Charter is built around nine principles for responsible AI use in cybersecurity service delivery: accountability and governance, transparency of use, documentation and auditability, boundaries and control (human oversight), data handling/sovereignty/client control, security and confidentiality, secure development of AI tooling, supply chain assurance, and resilience/business continuity. The principles were originally previewed in March 2026 and finalized following CREST technical working group input and validation from CRESTCon industry events. CREST has stated it will develop formal, independently-assessable AI security standards as a follow-on to the Charter, alongside collaborative working groups and research.
This is the first cross-border industry self-regulatory framework specifically governing how cybersecurity service providers (who hold privileged access to client systems) may use AI in their own service delivery — as distinct from frameworks governing AI systems as a target of attack (e.g., OWASP LLM Top 10, MITRE ATLAS) or AI as a product to be secured (NIST AI RMF). Because CREST accreditation underpins recognized national schemes (UK NCSC CHECK, Bank of England CBEST, Dubai DESC Cyber Force, UK CAA ASSURE), CREST's AI principles could become a de facto baseline that regulators and buyers point to when assessing AI-enabled penetration testing, red teaming, and SOC services — CREST itself says it is seeking government/regulator endorsement to reduce future compliance fragmentation.
Security service buyers should ask providers whether they are CREST AI Charter signatories and request the transparency/documentation artifacts the Charter mandates (AI use disclosure, human-oversight controls, data sovereignty terms). Providers should map internal AI tooling practices against the nine principles now, ahead of CREST's planned formal, auditable standard.
CREST AI Charter (official)Infosecurity Magazine - New AI Security Charter Backed by Over 70 Cyber FirmsComputer Weekly - Cyber body Crest launches AI security charterCompare the Cloud - CREST AI Charter signs up 60 cybersecurity firms across 17 countries on launch day
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →