The risks that organizations face are increasing together with their growing dependence on digital systems. Cyberattacks have never been more common, sophisticated, or destructive. To stay ahead, many organizations are turning to Artificial Intelligence (AI) to help manage their IT risks. AI is quicker than a human at identifying threats, evaluating vulnerabilities, and even reacting to incidents. However, while AI increases efficiency and power, it also increases responsibility, particularly in terms of ethics.
How AI Is Changing IT Risk Management
Businesses' perspectives on cybersecurity are changing as a result of AI. IT teams used to primarily use manual tools to keep monitoring on systems and respond to threats. These days, a lot of organizations use machine learning to search through huge amounts of data and identify odd patterns that might refer to a cyberattack. AI-powered systems, for instance, are used by some organizations to continuously monitor network activity and notify the security team of any suspicious activity.
Using behavior and previous incidents, AI can also assist in risk scoring, which assigns varying degrees of concern to devices, users, or files. This helps security teams in prioritizing the most critical problems. AI is also being used by some organizations to automate incident response tasks, such as isolating a compromised machine before the malware spreads.
But as helpful as AI can be, it isn’t perfect—and that’s where ethical concerns come in.
The Ethics Behind the Code
AI in cybersecurity is more than just automation and speed. Trust is also important. There may be actual consequences if an AI tool determines that something poses a threat or not.
Bias is one issue. An AI system may make unfair decisions if it is trained on biased data. For instance, due to biased training data, a security tool may overprioritize threats from certain countries or user profiles.
Transparency provides another difficulty. A lot of AI tools operate like "black boxes," making decisions without providing a clear justification. When flagging spam emails, that might be acceptable, but when making security decisions that impact a whole company, it becomes dangerous.
Accountability comes next. What occurs if a ransomware attack is missed by an AI tool? Is it the leadership of the company, the security team, or the software developers' fault? There are no simple answers to these challenging questions.
Learning from Real-World Mistakes
The risks of depending too much on AI for security are shown by a number of real-world scenarios.
An AI system at one financial institution mistook a regular data backup for a ransomware attack. The system set off an emergency response, causing needless panic and temporarily shutting down critical systems.1
In another case, a fraud detection system failed to flag a phishing attack because it was trained only on older types of scams. The hackers used a new method that the AI didn’t recognize, and because human oversight was minimal, the attack went unnoticed until real damage had been done.
In addition, hackers are becoming proficient in manipulating AI systems. They can use "adversarial inputs," which are carefully created data sets that cause AI models to make incorrect judgments. For instance, a small alteration in network behavior could lead an AI tool to believe that malicious activity is usual.
These illustrations demonstrate that although AI can strengthen cybersecurity, if it is not properly controlled, it can also create new vulnerabilities.
Making AI Work Ethically and Effectively
So how can we make sure AI is used responsibly in IT risk management?
First, organizations need clear ethical guidelines for how AI tools are used in cybersecurity. These guidelines should address fairness, transparency, and the importance of human oversight.
Second, even with automation, human judgment still matters. AI can suggest actions or flag risks, but experienced security professionals should make the final decisions—especially during high-stakes incidents.
Third, AI systems need regular reviews and updates. Like any software, they can become outdated or inaccurate. Continuous testing helps reduce bias, improve accuracy, and ensure that the AI keeps up with evolving threats.
Global standards can help as well. Frameworks like ISO/IEC 27005 and the NIST AI Risk Management Framework offer useful guidance on risk management and AI ethics.
Moving Forward with Responsible AI
Responsible use of AI in IT risk management isn’t just a technical issue—it’s a cultural one. It requires cross-disciplinary collaboration between engineers, cybersecurity experts, ethicists, legal advisors, and leadership.
It also means building ethics into the design process from day one, not treating it as an afterthought. AI tools should be tested not just for performance, but also for fairness, clarity, and accountability.
Finally, because cybersecurity threats are global, so should the conversation around ethical AI. Governments, companies, and academic institutions must work together to shape shared rules and values that protect users and organizations alike.
Responsible AI Isn’t Just an Option
AI has the power to reshape how we protect our digital world. But that power comes with responsibility. If we use AI carelessly, we risk creating new problems even as we try to solve old ones. But if we use it wisely—with ethics, transparency, and human oversight—we can build a more secure and trustworthy future. In cybersecurity, responsible AI isn’t just an option. It’s a necessity.
1Cybersecurity & Infrastructure Security Agency (CISA). (2022). False Positive Reports and AI Tools. Internal Case Note.
Editor's note: ISACA's new Advanced in AI Risk Management (AAIR) certification is coming soon in April 2026! AAIR will help equip professionals to excel as AI reshapes the risk environment. Learn more at www.isaca.org/aair.
