Embracing Security in AI: Unpacking the New ISO/IEC 5338 Standard

By Dor Sarig

January 10, 2024

With the rapid evolution of AI, the need for a comprehensive framework to ensure the secure lifecycle of AI systems has never been more pressing. The release of the new ISO/IEC 5338 standard marks a significant milestone in securing AI's future. This standard not only provides a structured approach to AI system lifecycle processes but also places a strong emphasis on security considerations throughout an AI system's development and deployment.

Secure AI Lifecycle: A New Frontier

The ISO/IEC 5338 standard, titled "Information technology — Artificial intelligence — AI system life cycle processes," offers a first-of-its-kind roadmap that integrates security into the very fabric of AI systems. By doing so, it ensures that AI serves not only to innovate but also to protect.

Prioritizing Security from the Ground Up

One of the key takeaways from the standard is the imperative to embed security measures from the inception of an AI system. The recognition of AI's unique vulnerabilities necessitates a proactive stance on security. This means that as AI developers and engineers draft their initial models and algorithms, they must already be considering potential security threats and embedding safeguards against them.

Proactive Risk Management

The ISO/IEC 5338 standard introduces specific processes for continuous risk management, highlighting the volatile nature of AI threats. Unlike traditional IT systems, the risks associated with AI evolve in tandem with the AI models themselves, making ongoing vigilance a necessity. Organizations are encouraged to constantly identify, assess, and mitigate risks, ensuring AI systems remain secure even as they learn and adapt over time.

Data: The Lifeblood of AI Security

Central to the security of AI systems is the management of data. The new standard recognizes the importance of data quality, lineage, and provenance, advocating for meticulous documentation and handling of data. This not only aids in tracking the evolution of AI models but also plays a crucial role in maintaining compliance with privacy regulations and safeguarding sensitive information.

The Role of Continuous Validation

The ISO/IEC 5338 standard introduces the concept of continuous validation, a process that ensures an AI system's performance remains robust and secure over time. By regularly testing the AI system against updated data sets, organizations can detect and address security vulnerabilities, data drift, or concept drift that could compromise the system's integrity.

The Human Element in AI Security

Interestingly, the standard underscores the significance of human oversight in the AI lifecycle. It advocates for a balance between automation and human judgment, ensuring that AI decisions, especially those with security implications, can be reviewed and understood by humans, thus maintaining a level of accountability and transparency.

The Future of AI Security

The standard sets forth a new paradigm in AI development, one where security is not an afterthought but a foundational principle. As AI continues to reshape industries and touch every aspect of our digital lives, adhering to such standards will be paramount. Organizations that embrace these guidelines will lead the way not only in innovation but also in securing a future where AI can be trusted and utilized to its fullest potential.

For businesses, AI developers, and security professionals, the release of the ISO/IEC 5338 standard is a call to action. It's time to reassess and realign AI strategies with a security-first mindset, ensuring that as we step into the future, we do so with confidence in the safety and reliability of our AI systems.

Planning to integrate AI into your business? Ensure it's secure and ISO-compliant. Reach out to our experts for guidance: team@pillar.security.

FAQs

What is ISO/IEC 5338 and what does it cover for AI systems?

ISO/IEC 5338, titled 'Information technology — Artificial intelligence — AI system life cycle processes,' is a standard that integrates security into AI systems from development through deployment. It provides a first-of-its-kind roadmap covering risk management, data governance, continuous validation, and human oversight across the entire AI system lifecycle.

How does ISO/IEC 5338 approach risk management differently than traditional IT security frameworks?

Unlike traditional IT security frameworks, ISO/IEC 5338 treats AI risk as dynamic rather than static. Because AI threats evolve in tandem with the models themselves, the standard mandates continuous risk identification, assessment, and mitigation — requiring organizations to maintain ongoing vigilance as AI systems learn and adapt over time.

Why does ISO/IEC 5338 place such emphasis on data quality and provenance in AI security?

Data is central to AI security because vulnerabilities often originate in how training and operational data is managed. ISO/IEC 5338 requires meticulous documentation of data quality, lineage, and provenance to track model evolution, maintain compliance with privacy regulations, and protect sensitive information from exploitation or manipulation.

What is continuous validation in the context of ISO/IEC 5338 and why does it matter for AI security?

Continuous validation, as defined in ISO/IEC 5338, is the practice of regularly testing an AI system against updated datasets to detect security vulnerabilities, data drift, or concept drift before they compromise system integrity. It ensures that an AI system's performance and security posture remain robust as real-world conditions change over time.

How does ISO/IEC 5338 address human oversight in AI security decision-making?

ISO/IEC 5338 explicitly requires a balance between automation and human judgment, particularly for decisions with security implications. AI outputs must remain reviewable and interpretable by humans, ensuring accountability and transparency are preserved. This prevents fully autonomous AI behavior in high-stakes scenarios where unchecked decisions could introduce security or compliance risks.
