Newsletter Issue #1: COSO for GenAI, SWIFT CSCF, FS AI Risk Framework, 2 Years of NIST CSF 2.0


Resource: Internal Control Practices for GenAI

COSO has released a paper on internal control practices for GenAI.

You can download it from the following link:

https://www.coso.org/generative-ai

Here’s a screenshot from the document’s Table of Contents:


Resource: Swift Customer Security Controls Framework

Something I learned recently – SWIFT has a security framework called Swift Customer Security Controls Framework v2026 and banks should attest annually. Apparently, this was triggered by the

https://www2.swift.com/knowledgecentre/rest/v1/publications/cscf_dd/70.0/CSCF_v2026_202507015.pdf

I found it to be one of the best written control frameworks I have seen. Here’s the Table of Contents showing the controls covered:

And here is an overview of all the controls in a well-organized table (Page 26):


Resource: AI Risk Management Framework for Financial Services

The Cyber Risk Institute just released the Financial Services AI Risk Management Framework (FS AI RMF). Billed as an industry-led framework built collaboratively, there are some .

Even if you don’t work in financial services but deal with AI governance, risk, or compliance, this is a resource worth bookmarking:

They have released the following resources as part of the Framework:

  • An AI Adoption Stage Questionnaire
  • A Risk and Control Matrix (RCM)
  • A Guidebook
  • A Control Objective Reference Guide

Here’s a screenshot from the Risk and Control Matrix spreadsheet:


News: Two years of NIST CSF 2.0

NIST has a page highlighting the achievements in the last two years following CSF 2.0’s release.

https://www.nist.gov/blogs/cybersecurity-insights/celebrating-two-years-csf-20

Within this time, CSF has already crossed 3 million views and downloads, making it the most popular NIST technical publication.

The post covers what’s shipped in year two: seven new Informative References mapping CSF 2.0 to frameworks like PCI DSS 4.0.1, CIS Controls 8.1, SP 800-53r5, and ISO/IEC 27001:2022, plus several draft Community Profiles for sectors including AI, manufacturing, semiconductors, transit, and ransomware response.

The whole CSF family has been growing in popularity, and I previously wrote about this on my main site.

Link: https://allaboutgrc.com/nist-csfs-popularity/


Podcast: Solving GRC Complexity with Anecdotes By CISO Series

Link: https://cisoseries.com/solving-grc-complexity-with-anecdotes/

A vendor-backed podcast episode where Anecdotes CEO Yair Kuznitsov pitches his AI-agent-driven GRC platform alongside Andrea Bergamini (CIO at Orbia) and Brett Conlon (CISO at American Century Investments).

The podcast covers why automation is hard in GRC, where human oversight still matters when agents are running, and what parts of today’s GRC team might not exist in three years – Yair predicts workflows will vanish.

Andrea and Brett asked some great questions.

