Artificial intelligence (AI) is increasingly embedded in enterprise and public-sector systems. The legal community must understand the emerging standards that govern AI cybersecurity and privacy.

This CLE session introduces attorneys to ISO/IEC 27090 and ISO/IEC 27091—two draft international standards that aim to establish robust frameworks for securing AI systems and managing associated privacy risks. ISO/IEC 27090 focuses on AI system security, including threat surfaces, model robustness, and adversarial resilience. In contrast, ISO/IEC 27091 addresses privacy risks in AI and machine learning systems, including transparency obligations, consent, and data subject rights. Together, these standards offer a roadmap for managing AI-specific risk within broader information governance practices. Both draft standards are expected to complement the ISO portfolio of AI standards (e.g., ISO/IEC 22989, ISO/IEC 42001, ISO/IEC 42005, ISO/IEC 42006, and ISO/IEC 38507).

Attendees will learn how ISO/IEC 27090 and 27091 build on and extend the ISO/IEC 27701 framework by introducing AI-specific controls, risk identification, and governance obligations—particularly in regulated sectors such as healthcare, finance, and critical infrastructure. Practical examples will be discussed to illustrate how an organization might integrate these AI-focused standards into an existing privacy information management systems (PIMS).

By the end of the session, attendees will be able to identify key obligations imposed by ISO/IEC 27090 and 27091, understand their relationship to ISO/IEC 27701, and recognize how these standards can help fulfill legal and regulatory expectations under global privacy laws and cybersecurity mandates. The CLE will also cover legal exposure risks and governance lapses that may arise when AI is deployed without adequate alignment to these evolving international norms. This is a must-attend session for attorneys advising clients on AI governance, cybersecurity compliance, or risk management frameworks.