The CISO's AI Governance Brief: Cybersecurity Obligations, AI Attack Surfaces, and NIS 2
AI expands the attack surface, creates new cybersecurity obligations under NIS 2 and sector-specific regulation, and introduces adversarial AI risks most security programs have not addressed. The CISO's practical briefing.
Key Takeaways
AI systems create three new attack surfaces that traditional security programs typically do not cover: the training data pipeline, the model itself, and the AI inference infrastructure.
The NIS 2 Directive (EU) and equivalent critical infrastructure cybersecurity rules explicitly apply to AI systems used in essential services — supply chain security obligations now extend to AI vendors.
Adversarial AI — attacks designed to manipulate AI outputs rather than compromise systems — is an active threat in financial services, fraud detection, and content moderation. Traditional security controls do not detect it.
The EU AI Act requires providers and deployers of high-risk AI to implement cybersecurity measures proportionate to the risk — this creates a new cybersecurity compliance obligation beyond sector-specific rules.
Three immediate actions: add AI systems to your asset inventory and threat model, review AI vendor contracts for security obligations, and assess your incident response plan for AI-specific failure scenarios.
"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for specific guidance."
The three new attack surfaces AI creates
Every CISO understands the traditional attack surface: networks, endpoints, applications, people. AI adds three new attack surfaces that most security programs have not systematically addressed, and that traditional security controls are not designed to detect or prevent.
The training data pipeline is the first. AI models learn from data — and that data can be poisoned. Data poisoning attacks introduce malicious data into the training pipeline to manipulate the model's behaviour in ways that are difficult to detect after the fact. A credit model trained on poisoned data might systematically approve fraudulent applications. A fraud detection model might systematically miss a specific type of fraud. These attacks require security controls at the data collection, processing, and ingestion stages — controls that most data pipelines do not have.
The model itself is the second attack surface. Models can be stolen, inverted, or extracted — techniques that allow an attacker to reconstruct a model (and therefore the sensitive data it was trained on) by querying it repeatedly. For organisations that have trained models on sensitive customer data, model extraction represents a data breach that bypasses traditional data security controls entirely. The model can also be manipulated through prompt injection in generative AI systems — inputs designed to override the model's instructions and make it behave in unintended ways.
The AI inference infrastructure — the systems that run AI models in production — is the third. This includes the GPUs, APIs, and orchestration infrastructure that AI systems depend on. Compromise of this infrastructure can allow an attacker to manipulate AI outputs in real time without attacking the model or training data directly.
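An added example, not part of the original article: one heuristic for spotting the repeated-query pattern behind model extraction, run over inference API logs. The log format, client names and thresholds are assumptions made for this illustration, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed inference-API log: 'ISO-timestamp client-id input-hash'."""
    t0 = datetime(2025, 1, 1, 12, 0, 0)
    stamp = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    lines = []
    for i in range(60):
        # svc-batch: busy integration that keeps replaying the same 3 inputs
        lines.append(f"{stamp(i)} svc-batch in{i % 3}")
        # key-7f3: same volume, but every input is new (systematic probing)
        lines.append(f"{stamp(i)} key-7f3 probe{i}")
    for i in range(5):
        # web-app: ordinary low-volume usage
        lines.append(f"{stamp(i * 10)} web-app q{i}")
    return lines

def flag_extraction_candidates(lines, window=timedelta(seconds=60),
                               min_queries=50, min_distinct_ratio=0.9):
    """Flag clients whose queries inside one sliding window are both numerous
    and almost all distinct. Thresholds are illustrative assumptions."""
    recent = defaultdict(deque)   # client -> (timestamp, input_hash) in window
    flagged = {}
    for line in sorted(lines):    # same-format ISO timestamps sort by time
        ts_raw, client, input_hash = line.split()
        ts = datetime.fromisoformat(ts_raw)
        q = recent[client]
        q.append((ts, input_hash))
        while ts - q[0][0] > window:   # evict entries older than the window
            q.popleft()
        distinct = len({h for _, h in q})
        if (client not in flagged and len(q) >= min_queries
                and distinct / len(q) >= min_distinct_ratio):
            flagged[client] = {"first_alert": ts_raw,
                               "queries": len(q), "distinct": distinct}
    return flagged

if __name__ == "__main__":
    for client, detail in flag_extraction_candidates(build_sample_log()).items():
        print(client, detail)
```

Volume alone would also flag the busy but benign integration; pairing it with input diversity is what separates the two clients in the sample. Both thresholds need tuning against a baseline of real traffic for the model in question.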
NIS 2 and AI: the cybersecurity compliance dimension
The NIS 2 Directive, effective across the EU from October 2024, creates significant cybersecurity obligations for essential and important entities — and their supply chains. If your organisation operates in a critical sector (energy, transport, banking, financial market infrastructure, healthcare, digital infrastructure), and uses AI systems in those operations, NIS 2 cybersecurity obligations apply to those AI systems and their vendors. This is not a future development — it is current law with enforcement teeth: fines up to €10 million or 2% of global turnover for essential entities.