ISC2 Insights sat down with security advisor Luca Lumini, CISSP, to discuss AI and cybersecurity risk management.
Drawing on Lumini’s professional experience, particularly in the insurance industry, we discussed how the introduction of AI tools into the risk management process has brought with it both increases in speed and analysis, but has also added new elements of complexity and risk in itself. Using AI to make risk decisions brings with it the need for more careful monitoring of automated processing of information and analysis of recommendations to ensure that decisions are based on solid ethical foundations as well as being accurate.
The Changing Risk Profile of AI-Driven Cybersecurity
A major theme throughout the discussion was the importance of ethical governance. Lumini argued that AI ethics should not be viewed solely as a technology or security issue. Instead, responsibility for overseeing AI-related risks must sit at board level. Drawing on his experience in Europe and Spain, he highlighted how the EU AI Act is helping drive this shift by placing accountability on organizational leadership rather than technical departments alone. As AI applications expand beyond cybersecurity into broader business functions, governance must involve a wider range of stakeholders who can provide business context, oversight and accountability.
Lumini offered practical examples of how AI is being deployed in highly data-driven environments. Insurance organizations use AI to analyze claims, contracts, liabilities and customer information to streamline processes and improve efficiency. However, he stressed that AI systems are only as effective as the quality, integrity and accuracy of the data they consume. As a result, governance frameworks must focus on managing data throughout its lifecycle rather than concentrating solely on the underlying technology.
Responsibilities within organizations are evolving to support this approach. Alongside security teams, roles such as chief data officers, data privacy officers and legal counsel are becoming critical participants in AI governance. These groups help ensure that AI systems operate ethically, comply with regulations and protect organizational reputation. Ultimately, however, responsibility remains with boards, which must provide oversight and ensure appropriate controls are in place.
The Value of Regulation
Lumini is supportive of the legislation, arguing that regulations often provide the motivation organizations need to invest in security, governance and risk management. He views legislative efforts like the EU AI Act as valuable frameworks. He believes they can help organizations understand how to approach AI governance while providing references to recognized standards and good practices that can be incorporated into internal controls and processes.
Looking ahead, Lumini identified agentic AI and the rise of a digital workforce as the most significant challenges on the horizon. While AI agents may be capable of acting independently to achieve objectives, their behavior can be difficult to predict. He believes organizations must maintain strong human oversight and supervision as these technologies mature, ensuring AI adoption progresses in a controlled, responsible and trustworthy manner.
ISC2 Spotlight on Artificial IntelligenceOn July 14 and 15, 2026, you can join leading experts for practical insights, strategic clarity and actionable guidance around AI security in our ISC2 Spotlight virtual event. Across two days of challenging and thought-provoking sessions, we’ll explore how the latest technologies are transforming threat detection, incident response, data protection, risk management and more — and what it means for day-to-day operations. Sessions include:
This free virtual event is for ISC2 Members, Candidates and Associates. Cybersecurity professionals in every stage of their career are encouraged to participate. Attendees can earn 6.25 CPE credits for joining the ISC2 Spotlight sessions. Learn more and register for the ISC2 Spotlight on Artificial Intelligence. |



