What happened
ISO/IEC 27090, 'Cybersecurity — Artificial Intelligence — Guidance for addressing security threats and compromises to artificial intelligence systems,' has progressed to FDIS (Final Draft International Standard) status — the last ballot stage before formal publication — per ISO's own standard page (fetched directly, title confirms 'ISO/IEC FDIS 27090'). This is the companion cybersecurity standard to ISO/IEC 42001 (AI management systems), addressing AI-specific threats (model poisoning, prompt injection, inference attacks) across the AI system lifecycle. Multiple industry trackers (LinkedIn/practitioner posts) describe it as one of three ISO AI-security standards 'quietly moving toward publication in 2026.' Exact date of the DIS→FDIS transition within the 07-12–07-18 window could not be independently pinned to a dated press release, but the current FDIS status was confirmed live via direct fetch of iso.org during this research window, and multiple secondary sources place the transition in this timeframe.
Why it matters
27090 will be the primary normative international standard organizations use to map AI-specific cyber threats and controls, complementing ISO/IEC 42001 (AIMS) certification. Once published it will likely become a reference standard for regulators and auditors globally (similar to how 27001 anchors ISMS). Organizations pursuing ISO 42001 certification or preparing for EU AI Act conformity assessments should track this closely as it nears final publication.
Action needed
Begin gap-mapping current AI security controls against the FDIS 27090 draft structure; monitor for final publication (expected imminent given FDIS stage) to align AIMS/ISMS integration work.