ISO/IEC 27090, the AI cybersecurity standard, reached Final Draft International Standard (FDIS) status on March 12, 2026. Publication is expected in the second half of 2026, making this the most important compliance preparation window for CISOs deploying AI systems in regulated industries. This guide covers what ISO 27090 requires, how it differs from ISO 42001 and ISO 27001, and the practical implementation roadmap for enterprise security teams.
Key Takeaways
- ISO/IEC 27090 is a guidance document (not certifiable) covering AI-specific cybersecurity threats throughout the AI system lifecycle
- The standard addresses five threat categories: data poisoning, evasion attacks, model extraction, membership inference, and prompt injection
- ISO 27090 complements, rather than replaces, ISO 27001 (ISMS) and ISO 42001 (AI management)
- OWASP AI Exchange contributed 70 pages of content directly to the standard; NIST AI 100-2 provides a directly complementary US framework
- Enterprises spend 17x more on AI tools than on securing them (Gartner, 2026), creating material risk exposure that these controls address
- Full EU AI Act enforcement begins August 2, 2026, making ISO 27090 alignment urgent for high-risk AI deployments
- No certification path exists for ISO 27090, but implementation prepares organizations for ISO 27001 audits, SOC 2 reviews, and EU AI Act conformity assessments
What Is ISO/IEC 27090?
ISO/IEC 27090 ("Cybersecurity -- Artificial Intelligence -- Addressing security threats and compromises to artificial intelligence systems") is an international guidance standard developed under ISO/IEC JTC 1/SC 27. The official ISO catalog entry confirms FDIS registration on March 12, 2026, with the ballot expected to close before formal publication in H2 2026.
The standard is informative, not normative. It contains no "shall" requirements, which means organizations cannot be certified against it in isolation. This distinguishes it clearly from ISO 27001 and ISO 42001, both of which are requirements standards with third-party audit and certification paths.
Despite the lack of certification, ISO 27090 carries significant practical value. It provides a structured taxonomy of AI-specific attack vectors that ISO 27001's Annex A controls do not address. Security teams using ISO 27001 as their ISMS base will find ISO 27090 fills critical gaps in model security, training pipeline integrity, and inference-time attack mitigations.
The standard applies across the entire AI system lifecycle: design and data collection, training, validation, deployment, and ongoing operation. It covers all organization types and sizes, including public, private, and government entities. Companion standard ISO/IEC 27091 (cybersecurity and privacy for AI) is at DIS stage and expected to follow ISO 27090 into publication.
The Five AI Threat Categories ISO 27090 Addresses
ISO 27090 organizes AI cybersecurity threats into five primary categories. Understanding these categories is the foundation of any implementation roadmap.
Data Poisoning
Data poisoning occurs when an attacker manipulates training data, model parameters, or fine-tuning datasets to alter AI system behavior. Backdoor insertion, accuracy degradation, and targeted misclassification are common objectives.
The threat is more material than security teams typically recognize. Research shows that as few as 250 malicious documents (0.00016% of a training corpus) can successfully poison an LLM regardless of model size. Advanced poisoning attacks achieve average success rates of 89.6% across tested models. Data poisoning can reduce AI model accuracy by up to 27% in image recognition and 22% in fraud detection systems.
Continuous learning systems are especially exposed: operational data ingested post-deployment creates an ongoing poisoning attack surface. In practice, we have seen poisoning manifested through compromised synthetic data pipelines, malicious content embedded in GitHub repositories used as training sources, and tainted fine-tuning datasets supplied via third-party data providers.
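One way to catch a tainted third-party dataset delivery before it reaches a fine-tuning job is to pin every file to a keyed manifest at review time and re-verify at ingestion. This is an added example, not text from ISO 27090 or code from the original article; the function names, file names, source label and key are assumptions, and the sample data is constructed.

```python
import hashlib
import hmac
import json

def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _tag(body: dict, key: bytes) -> str:
    # HMAC over a canonical JSON encoding, so the manifest itself cannot be swapped.
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def build_manifest(files: dict[str, bytes], source: str, key: bytes) -> dict:
    """Pin each reviewed file to its SHA-256 and seal the manifest with an HMAC tag."""
    body = {"source": source, "files": {name: _digest(data) for name, data in files.items()}}
    return {"body": body, "tag": _tag(body, key)}

def verify_delivery(files: dict[str, bytes], manifest: dict, key: bytes) -> list[str]:
    """Return findings; an empty list means the delivery matches the reviewed snapshot."""
    if not hmac.compare_digest(_tag(manifest["body"], key), manifest["tag"]):
        return ["manifest: tag mismatch, manifest cannot be trusted"]
    pinned = manifest["body"]["files"]
    findings = []
    for name in sorted(set(pinned) | set(files)):
        if name not in files:
            findings.append(f"{name}: missing from delivery")
        elif name not in pinned:
            findings.append(f"{name}: not in reviewed manifest")
        elif _digest(files[name]) != pinned[name]:
            findings.append(f"{name}: content changed since review")
    return findings

# Constructed sample data: a reviewed snapshot and a later delivery that differs.
KEY = b"example-key-held-by-the-ml-platform-team"   # assumption: kept outside the vendor's reach
REVIEWED = {
    "train.jsonl": b'{"text": "refund policy question", "label": "billing"}\n',
    "eval.jsonl": b'{"text": "reset my password", "label": "account"}\n',
}
MANIFEST = build_manifest(REVIEWED, "vendor-a/2026-03", KEY)
DELIVERED = dict(REVIEWED)
DELIVERED["train.jsonl"] += b'{"text": "appended row", "label": "billing"}\n'
DELIVERED["extra.jsonl"] = b'{"text": "unreviewed file", "label": "account"}\n'

if __name__ == "__main__":
    for finding in verify_delivery(DELIVERED, MANIFEST, KEY):
        print(finding)
```

A non-empty findings list should block the training job and route the delivery back to review; it says nothing about whether the reviewed snapshot itself was clean.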
Evasion Attacks
Evasion attacks craft inputs that cause a correctly-trained model to misclassify or behave incorrectly on specific samples while appearing normal to human observers. The classic form involves imperceptible pixel perturbations to images that flip a classifier's output without changing what a human sees.
Generative AI systems extend the evasion attack surface. Adversarial instructions embedded in images, audio, or non-textual documents can manipulate multimodal models into omitting, misinterpreting, or exfiltrating information. This is distinct from prompt injection in that it exploits the model's perception of non-textual inputs rather than its instruction-following behavior.
Model Extraction and Theft
Model extraction involves systematically querying a prediction API to collect input-output pairs, then using those pairs to train a surrogate model that approximates the victim's proprietary model. OWASP classifies this as LLM10: Model Theft in the 2025 LLM Top 10.
The attack has dual impact: intellectual property loss (the model itself is often a material business asset) and security posture exposure (the surrogate can be used to accelerate adversarial sample development). This risk is particularly acute for models exposed via public APIs, internal developer APIs without rate limiting, and AI products where the model inference interface is accessible to untrusted parties.
Membership Inference
Membership inference attacks determine whether a specific data record was included in a model's training dataset by exploiting prediction confidence scores, output distributions, or gradient signals. ISO 27090 explicitly addresses "membership inference attacks where the attacker is able to attribute training data membership."
The regulatory implication is direct and severe. If an ML model was trained on patient medical records and an attacker can confirm that a specific individual's record is in the training set, that confirmation reveals the patient's health condition without any traditional data exfiltration. This creates a HIPAA breach with no file access required.
Prompt Injection
Prompt injection ranks first in the OWASP LLM Top 10 for 2025 for the second consecutive year. Direct injection embeds adversarial instructions in user inputs. Indirect injection delivers those instructions through external content sources the model retrieves at runtime: web pages, documents, emails, tool outputs, and database entries.
Production statistics confirm the scale of exposure. Prompt injection appears in over 73% of production AI deployments assessed in security audits. Only 34.7% of organizations have deployed dedicated prompt injection defenses. Multi-hop indirect injection attacks (chains of agents and tools) increased by over 70% year-over-year in 2025-2026.
Active CVEs with production impact include vulnerabilities in GitHub Copilot (CVSS 9.6) and Cursor IDE (CVSS 9.8), both involving prompt injection in developer toolchain contexts.
ISO 27090 vs. ISO 42001 vs. ISO 27001: The Compliance Stack
These three standards address distinct but complementary concerns:
| Standard | Focus | Type | Certifiable |
|----------|-------|------|-------------|
| ISO 27001:2022 | Information security management system (ISMS) | Requirements | Yes |
| ISO 42001:2023 | AI management: governance, ethics, lifecycle accountability | Requirements | Yes |
| ISO 27090 FDIS 2026 | AI cybersecurity: adversarial threats and mitigations | Guidance | No |
ISO 27001 provides the foundational ISMS and risk treatment framework. Its Annex A controls address access management, cryptography, incident response, and supplier security, but do not address ML-specific attack surfaces.
ISO 42001 adds the AI governance layer: accountability, transparency, bias mitigation, impact assessments, and full AI system lifecycle management. It is the right standard for organizations subject to EU AI Act high-risk AI system obligations.
ISO 27090 extends ISO 27001's risk analysis scope to AI-specific components: training datasets, ML pipelines, model artifacts, and inference interfaces. It provides the technical depth that ISO 42001's governance focus does not supply.
The recommended compliance stack: ISO 27001 (ISMS base) + ISO 42001 (AI governance) + ISO 27090 (AI security threats). For a deeper look at ISO 42001 implementation, see our ISO 42001 certification guide.
Control Mapping: Threats to Technical Mitigations
ISO 27090 provides control guidance organized around the threat taxonomy above. Here is a practical mapping for security teams:
Data Poisoning Controls:
- Data provenance tracking and supply chain verification for all training datasets
- Anomaly detection on training data distributions pre- and post-ingestion
- Differential privacy techniques during model training to limit per-record influence
- Continuous monitoring of model performance metrics to detect post-deployment drift from poisoning
Evasion Attack Controls:
- Adversarial training: incorporate adversarial examples in training data to improve model resilience
- Input validation and preprocessing pipelines to detect statistical outliers before inference
- Ensemble methods that reduce single-model attack surface
- Output confidence monitoring with thresholds that flag anomalously low-confidence predictions
Model Extraction Controls:
- API rate limiting and query volume monitoring per client identity
- Output perturbation to reduce extraction fidelity (rounding confidence scores, adding calibrated noise)
- Behavioral anomaly detection on API usage patterns
- Access controls and authentication on all model inference endpoints
Membership Inference Controls:
- Differential privacy in model training with documented privacy budgets
- Output generalization: return aggregate predictions rather than per-record confidence scores where feasible
- Regular membership inference attack testing against production models
- Data minimization: limit training data to what is necessary for stated model objectives
Prompt Injection Controls:
- Input sanitization and allowlisting for LLM-facing user inputs
- System prompt isolation with architectural separation between instruction context and user data context
- Output filtering and content classifiers to detect anomalous or out-of-policy model outputs
- Agentic workflow containment: minimal permissions for tool calls, human-in-the-loop approval for high-risk actions
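Two of the inference-side controls listed above, per-client query volume limits and coarsened confidence output, can sit in a thin wrapper in front of the model. The sketch below is an added example, not code from the standard or the original article; `InferenceGuard`, `toy_model`, the thresholds and the traffic are constructed assumptions.

```python
from collections import defaultdict, deque

class InferenceGuard:
    """Per-client sliding-window query budget plus coarsened confidence output."""

    def __init__(self, max_queries: int, window_s: float, decimals: int = 1, top_k: int = 1):
        self.max_queries, self.window_s = max_queries, window_s
        self.decimals, self.top_k = decimals, top_k
        self._seen = defaultdict(deque)   # client_id -> timestamps still inside the window
        self.flagged = set()              # clients that exceeded the budget, for review

    def allow(self, client_id: str, now: float) -> bool:
        q = self._seen[client_id]
        while q and now - q[0] >= self.window_s:   # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.max_queries:
            self.flagged.add(client_id)
            return False
        q.append(now)
        return True

    def harden(self, probs: dict[str, float]) -> dict[str, float]:
        # Return only the top_k labels with rounded scores instead of the full distribution.
        top = sorted(probs.items(), key=lambda kv: kv[1], reverse=True)[: self.top_k]
        return {label: round(p, self.decimals) for label, p in top}

    def predict(self, client_id: str, now: float, model, x):
        if not self.allow(client_id, now):
            return None                   # caller maps this to an HTTP 429 or similar
        return self.harden(model(x))

def toy_model(amount: float) -> dict[str, float]:
    # Constructed stand-in for a real fraud classifier.
    p = min(amount / 1000.0, 1.0)
    return {"fraud": p, "legit": 1.0 - p}

def run_demo():
    guard = InferenceGuard(max_queries=5, window_s=10.0)
    # Constructed traffic: an interactive app and a client issuing bulk queries.
    traffic = [("app", float(t)) for t in (0, 3, 6, 9, 12)]
    traffic += [("bulk-client", i * 0.5) for i in range(10)]
    answered = defaultdict(int)
    for client, now in sorted(traffic, key=lambda e: e[1]):
        if guard.predict(client, now, toy_model, 873.1) is not None:
            answered[client] += 1
    return dict(answered), guard.flagged

if __name__ == "__main__":
    print(run_demo())
```

Coarsened scores do not stop label-only extraction, which is why the query budget and the flagged-client set are paired with them.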
Implementation Roadmap: Gap Assessment to Audit Readiness
ISO 27090's guidance structure does not prescribe a certification audit, but structured implementation prepares organizations for ISO 27001 evidence reviews, SOC 2 audits, and EU AI Act conformity assessments. A phased approach works well:
Phase 1: AI Asset Inventory and Risk Assessment (Weeks 1-4)
Document all AI systems in production and development: model types, training data sources, inference interfaces, and data flows involving personal or sensitive information. For each system, apply the ISO 27090 threat taxonomy. Assign risk ratings to each threat category per system. This inventory becomes the foundation for targeted control investment and is required evidence for ISO 27001 Annex A control selection.
Phase 2: Control Gap Analysis (Weeks 5-8)
Map existing security controls (from your ISO 27001 or SOC 2 control library) against the ISO 27090 control guidance for each identified threat. Gaps typically cluster in: adversarial testing absence, API rate limiting configuration, differential privacy gaps in model training, and lack of output monitoring for LLM deployments.
Phase 3: Control Implementation (Weeks 9-20)
Prioritize controls by residual risk. Prompt injection and data poisoning controls typically deliver the highest risk reduction per implementation effort. Integrate adversarial testing into your ML deployment pipeline before production release. Implement API security controls for all model inference endpoints. Establish continuous monitoring for model performance drift.
Phase 4: Evidence Collection and Audit Readiness (Weeks 21-26)
Document control implementations against the ISO 27090 threat categories. Prepare evidence packages suitable for ISO 27001 Annex A reviews and SOC 2 processing integrity trust service criteria. If EU AI Act conformity assessment is in scope, map ISO 27090 controls against Article 9 (risk management system) and Article 15 (accuracy, robustness, and cybersecurity requirements).
Sector Applications: Healthcare, Fintech, and SaaS
Healthcare: HIPAA + ISO 27090
Membership inference attacks create a direct HIPAA breach vector that requires no traditional data exfiltration. If an AI model trained on patient records confirms training set membership for a specific patient, the attacker learns the patient's health condition from the confirmation alone. The proposed HIPAA Security Rule update (finalization expected in 2026) requires annual security risk assessments that explicitly include AI systems. ISO 27090 membership inference controls map directly to HIPAA requirements for integrity controls and risk analysis of AI-enabled protected health information processing.
Fintech: SOC 2 + ISO 27090
SOC 2 Type II audits evaluate security, availability, processing integrity, confidentiality, and privacy. AI model deployments must satisfy all five criteria. Evasion attacks against fraud detection models directly threaten processing integrity. Model extraction attacks against proprietary risk scoring models threaten confidentiality. ISO 27090 controls for these categories supplement SOC 2 control documentation and provide auditors with evidence of AI-specific risk treatment.
SaaS: EU AI Act Readiness
Full EU AI Act enforcement begins August 2, 2026. High-risk AI systems (as defined in Annex III) must demonstrate compliance with Article 15 requirements for accuracy, robustness, and cybersecurity. ISO 27090 evasion attack controls and adversarial testing requirements provide direct evidence for Article 15 conformity assessments. SaaS organizations operating in the EU that implement ISO 27090 controls now will have documented evidence ready for notified body requests rather than facing a reactive compliance sprint after the deadline.
Cloud AI Compliance: AWS Bedrock, Azure OpenAI, Google Vertex AI
ISO 27090 responsibility does not transfer to your cloud AI provider. The shared responsibility model applies: providers secure the infrastructure; customers secure the AI system configuration, data, and application layer.
AWS Bedrock is the first major cloud provider to achieve ISO 42001:2023 certification and meets SOC 2 Type II, ISO 27001, and HIPAA requirements at the infrastructure level. However, customers are responsible for prompt injection defenses, output filtering, and data poisoning controls in their Bedrock application deployments.
Azure OpenAI provides GDPR compliance, FedRAMP authorization, and ISO 27001 coverage at the infrastructure level. Azure AI Content Safety and Prompt Shields address some ISO 27090-relevant controls, but system prompt protection, rate limiting, and output monitoring require customer-side configuration.
Google Vertex AI is in the process of FedRAMP High authorization. Customers deploying Gemini through Vertex are responsible for indirect prompt injection risks from external content retrieval, a customer-controlled exposure that provider certifications do not cover.
An accurate AI security posture requires mapping ISO 27090 controls to your specific configuration on each platform. Provider certification coverage does not extend to your AI system application layer.
How BeyondScale's AI Security Assessment Maps to ISO 27090
BeyondScale's AI Security Assessment provides structured testing across all five ISO 27090 threat categories. The assessment methodology includes:
- Red-team adversarial testing: direct and indirect prompt injection across deployed models and agent workflows
- Model security review: API exposure analysis, rate limiting verification, output perturbation testing, and extraction resistance evaluation
- Training pipeline audit: data provenance verification and poisoning vector identification in continuous learning systems
- Membership inference testing: privacy attack simulation against models trained on personal or sensitive data
- Control mapping report: gap analysis documenting your current control posture against ISO 27090 threat categories, suitable for ISO 27001 evidence packages and SOC 2 audit support
Conclusion
ISO/IEC 27090 provides the first internationally standardized threat taxonomy for AI cybersecurity, filling gaps that ISO 27001 and ISO 42001 leave open. The FDIS registration in March 2026 means the standard's structure is finalized. Organizations that implement ISO 27090 controls now gain a measurable security improvement, not just compliance preparation, because data poisoning, prompt injection, and model extraction are active threats in production AI deployments today.
The implementation window before full ISO 27090 publication is an advantage. Building your control framework now means the published standard confirms existing controls rather than triggering a reactive gap-closure sprint.
Start with an AI asset inventory and threat classification against the five ISO 27090 categories. Then run adversarial testing against your highest-risk deployed models. Book an AI Security Assessment to map your current control posture against ISO 27090 requirements and receive a gap analysis report your security and compliance teams can act on immediately.
BeyondScale Team
AI Security Team, BeyondScale Technologies
Security researcher and engineer at BeyondScale Technologies, an ISO 27001 certified AI cybersecurity firm.

