SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
NCC Group backs CREST AI Charter for cyber security

Wed, 24th Jun 2026
Joseph Gabriel Lagonsin, News Editor

NCC Group has become a founding signatory of the CREST AI Charter, which sets out a framework for the use of artificial intelligence in cyber security.

The move places the cyber security company among the first organisations to back a set of industry principles governing how AI is used, supervised and explained to clients. CREST, the cyber security accreditation and membership body behind the charter, said the framework is designed to support trust, transparency, accountability and assurance in AI-enabled services.

AI tools are becoming more common across cyber security work, including threat detection, analysis, testing and reporting. That wider use has increased pressure from customers and regulators for clearer standards on oversight, data handling and decision-making.

NCC Group said its support for the charter reflects its approach to combining human expertise with AI systems in client work. It is backing CREST's nine principles, which cover governance, transparency, auditability, operational controls, data protection, confidentiality, software development, supplier risk and service resilience.

Industry framework

Under the principles, signatories are expected to define the scope and purpose of AI-enabled activities, assess how those activities could affect service delivery and client outcomes, and apply controls that match the scale and risk of the technology in use. The framework also calls for records that make AI use traceable and reviewable, including documentation on validation and quality assurance.

Another section focuses on maintaining human oversight of autonomous or semi-autonomous systems. Suitably competent personnel should review outputs, challenge decisions and intervene where necessary, while technical and procedural controls should prevent AI from being used outside its authorised purpose.

Client data is another central feature of the charter. Signatories are expected to explain how AI-enabled activities may use customer data, whether that data may be used to train models and whether it could move outside agreed jurisdictions. The principles also require transparency around third-party AI suppliers where those tools may affect service delivery, contractual commitments or data handling.

Executive comments

Matt Hull, Vice President, Cyber Intelligence & Response at NCC Group, said the issue for the sector is no longer whether AI is being adopted, but how it is controlled.

"AI is already transforming how cyber security services are delivered. What matters now is how it is governed, validated and applied responsibly. As organisations increasingly rely on AI-driven insight, maintaining trust in how these technologies are applied is critical. By signing the CREST AI Charter, we are reinforcing our commitment to combining deep human expertise with AI-driven capability in a way our clients can trust," Hull said.

CREST said support from firms such as NCC Group shows that providers are seeking common expectations for AI use as deployment widens across the industry.

"We welcome NCC Group as a founding signatory and are encouraged to see leading organisations helping shape the future of trusted AI-enabled cyber security. Whilst AI has the potential to transform cyber security, innovation alone is not enough, and as adoption accelerates, the industry must ensure that trust keeps pace. The CREST AI Charter and Principles were developed to help provide that foundation, bringing together cyber security providers around common expectations for transparency, accountability and assurance. NCC Group's support demonstrates the growing recognition that trusted AI will require industry-backed collaboration," Madden said.

Nine principles

The charter's first principle covers accountability and governance, requiring organisations to assess how AI may affect operational risk, decision-making and service delivery. A second principle on transparency says clients should be informed when AI is used in tools, methods or automations if it could affect the service or associated risks.

Further principles address documentation and auditability, boundaries and control, and data handling, sovereignty and client control. The framework also sets expectations for security and confidentiality, including the protection of prompts, outputs and AI-generated artefacts through technical and organisational controls.

The final areas cover the secure development of AI tooling, assurance over suppliers and business continuity planning. In practice, that means identifying important AI dependencies, assessing the impact if those systems fail and maintaining fallback arrangements where possible.

The emergence of formal guidance from CREST reflects a broader shift in cyber security as AI becomes embedded in routine service delivery. For providers, the challenge is not only to use the technology effectively but also to show customers how it is governed, where responsibility sits and what safeguards apply when automated systems influence analysis, reporting and operational decisions.

The charter says signatories should be transparent with clients about how disruption to AI systems may affect service delivery, service levels, data handling, decision-making, reporting, continuity arrangements and recovery expectations.