Skip to main content
Packetlabs Company Logo
Blog

Understanding the CREST AI Charter and Principles

Authored By Packetlabs

Understanding the CREST AI Charter and Principles

Artificial intelligence (AI) is transforming the cybersecurity industry at an unprecedented pace.

From threat detection and incident response to vulnerability management and penetration testing, AI-powered tools are becoming a core component of modern cybersecurity operations. However, as organizations increasingly rely on AI-enabled services, questions surrounding trust, transparency, accountability, and governance have become critical.

To address these concerns, CREST has introduced the CREST AI Charter and a comprehensive set of AI Principles designed to support responsible AI adoption across the cybersecurity sector. These principles provide a practical framework that helps cybersecurity providers, clients, regulators, and practitioners confidently navigate the evolving landscape of AI-enabled cybersecurity services.

Why Trust Matters in AI-Powered Cybersecurity

The cybersecurity industry has always been built on trust. Organizations depend on security providers to protect sensitive data, identify vulnerabilities, and defend against evolving threats.

As AI becomes integrated into these services, maintaining trust becomes even more important.

AI offers significant benefits, including:

  • Faster threat detection and response

  • Enhanced security analytics

  • Improved operational efficiency

  • Greater scalability of cybersecurity services

  • Better decision-making through advanced data analysis

However, AI also introduces new risks. Organizations may have concerns about how AI systems are trained, how decisions are made, where data is stored, and whether AI-generated outputs can be trusted. Without proper governance and transparency, these concerns can undermine confidence in AI-enabled cybersecurity services.

The CREST AI Charter seeks to address these challenges by promoting responsible AI use throughout the cybersecurity ecosystem.

What is the CREST AI Charter?

The CREST AI Charter is a voluntary commitment that brings together organizations that support the responsible use of AI within cybersecurity. The charter recognizes the importance of shared principles, professional standards, transparency, and industry collaboration.

Organizations that become CREST AI Charter signatories publicly commit to supporting responsible AI practices and recognize the CREST AI Principles as a practical foundation for AI-enabled cybersecurity services.

The charter aims to:

  • Promote trust in AI-enabled cybersecurity services

  • Establish accountability and transparency standards

  • Encourage responsible innovation

  • Strengthen collaboration across the cybersecurity industry

  • Support clients in understanding how AI is being used

With dozens of founding signatories spanning multiple countries, the initiative demonstrates a growing industry commitment to ethical and trustworthy AI deployment in cybersecurity.

The Nine CREST AI Principles

At the heart of the charter are nine foundational principles that guide responsible AI use in cybersecurity.

1. Accountability and Governance

Organizations must clearly define the scope and purpose of AI-enabled activities. This includes assessing how AI may impact service delivery, decision-making, data handling, and operational risk.

Strong governance frameworks ensure that appropriate oversight, testing, and controls are applied based on the scale and risk profile of AI systems.

2. Transparency of Use

Transparency is essential for building trust. Organizations should inform clients when AI technologies, methodologies, automations, or third-party AI solutions are being used as part of service delivery.

Clients should understand:

  • How AI is being used

  • The benefits of AI implementation

  • Potential limitations

  • Associated risks

This transparency enables informed decision-making and promotes confidence in cybersecurity engagements.

3. Documentation and Auditability

AI-enabled cybersecurity services should maintain comprehensive documentation regarding:

  • AI usage

  • Service delivery processes

  • Validation procedures

  • Quality assurance activities

  • Review mechanisms

Maintaining audit trails helps ensure AI use remains traceable, reviewable, and accountable. Documentation also supports internal governance and external assurance requirements.

4. Boundaries and Control

Human oversight remains a critical component of responsible AI deployment.

Organizations should ensure qualified personnel oversee AI-enabled activities, particularly when autonomous or semi-autonomous capabilities are involved. Security professionals must review outputs, challenge decisions when necessary, and intervene appropriately.

AI systems should operate within clearly defined organizational and client-approved boundaries to prevent misuse or unintended outcomes.

5. Data Sovereignty and Client Control

Data management is one of the most significant concerns surrounding AI adoption.

Organizations should clearly communicate:

  • Whether client data may be used for model training

  • Whether data is transferred outside agreed-upon jurisdictions

  • How client information is stored and protected

  • What controls govern data access and processing

This principle reinforces legal, contractual, and regulatory compliance while preserving client trust.

6. Security and Confidentiality

Cybersecurity providers must apply robust technical and organizational controls to protect:

  • Client data

  • AI prompts

  • AI-generated outputs

  • Associated artifacts

Organizations should also be transparent about how client information is secured when AI-enabled activities are conducted. Security and confidentiality remain non-negotiable components of responsible AI adoption.

7. Secure Development of AI Tooling

AI systems themselves must be developed and maintained securely.

Organizations should implement secure development practices throughout the AI lifecycle, including:

  • Design

  • Development

  • Testing

  • Deployment

  • Maintenance

Regular reviews help ensure AI tools remain reliable, effective, and appropriately governed over time.

8. Supply Chain Assurance

Many cybersecurity services rely on third-party AI technologies and providers.

Organizations must identify these dependencies and assess their associated risks, including:

  • Security risks

  • Compliance concerns

  • Operational resilience

  • Data handling implications

Appropriate supplier governance and risk management processes should be implemented to address third-party AI dependencies. Transparency regarding these relationships is also essential when they may impact service delivery or client data.

9. Resilience and Business Continuity

Organizations should assess how AI dependencies could affect service continuity.

Potential AI disruptions may include:

  • Service outages

  • Model failures

  • Infrastructure issues

  • Third-party provider disruptions

Appropriate contingency plans, fallback procedures, and recovery strategies help ensure cybersecurity services remain resilient even when AI systems become unavailable. Clients should also understand how disruptions may affect service delivery expectations.

How the CREST AI Charter Benefits Cybersecurity Providers

The charter provides cybersecurity organizations with a structured framework for implementing AI responsibly.

Key benefits include:

Enhanced Client Trust

Clients increasingly demand transparency regarding AI use. Following recognized industry principles demonstrates commitment to responsible practices and builds confidence.

Competitive Differentiation

Organizations that align with established AI governance frameworks can differentiate themselves in a crowded cybersecurity marketplace.

Improved Risk Management

The principles help identify and mitigate risks related to AI governance, data handling, supply chain dependencies, and operational resilience.

Regulatory Readiness

As governments introduce AI regulations and compliance requirements, organizations that adopt governance frameworks early will be better positioned to meet future obligations.

Industry Leadership

Participation in initiatives such as the CREST AI Charter demonstrates leadership and commitment to advancing responsible AI use across the cybersecurity profession.

The Future of AI in Cybersecurity

AI adoption within cybersecurity is expected to accelerate significantly over the coming years. Security operations centers, managed security service providers, penetration testing firms, threat intelligence teams, and compliance professionals are all exploring new ways to leverage AI capabilities.

Emerging applications include:

  • AI-assisted penetration testing

  • Automated threat hunting

  • Security analytics

  • Vulnerability prioritization

  • Incident response automation

  • Threat intelligence correlation

  • Security reporting and documentation

As these technologies mature, industry frameworks like the CREST AI Charter will play an increasingly important role in ensuring AI is deployed responsibly, transparently, and securely.

Organizations that embrace these principles today will be better positioned to maximize AI's benefits while maintaining the trust of clients, regulators, and stakeholders.

Conclusion

Artificial intelligence is rapidly reshaping the cybersecurity landscape, offering powerful opportunities to improve efficiency, strengthen defenses, and enhance service delivery. However, successful adoption depends on maintaining trust, accountability, transparency, and strong governance.

The CREST AI Charter provides a practical framework for achieving these goals. Through its nine AI Principles, the charter establishes clear expectations for responsible AI use across cybersecurity services, helping organizations navigate emerging challenges while fostering confidence among clients and stakeholders.

As AI becomes an integral part of cybersecurity operations, adherence to established principles such as accountability, transparency, security, data sovereignty, and resilience will be essential. Organizations that prioritize responsible AI adoption today will be best positioned to thrive in the next generation of cybersecurity.

Packetlabs is honored to be one of the founding AI Charter signatories spanning across Europe, North America, the Middle East, and Asia-Pacific, reflecting a shared commitment to responsible AI use in cybersecurity and representing a broad cross-section of the industry across:

Contact Us

Join our newsletter

Packetlabs Company Logo
  • Toronto | HQ401 Bay Street, Suite 1600
    Toronto, Ontario, Canada
    M5H 2Y4
  • San Francisco | Outpost580 California Street, 12th floor
    San Francisco, CA, USA
    94104
  • Calgary | Outpost421 - 7th Ave SW, Suite 3000
    Calgary AB, Canada
    T2P 4K9
  • Australia | OutpostPacketlabs Pty Ltd.
    ABN 14 691 178 542
    Level 24, 1 O'Connell St
    Sydney NSW 2000
Cyber Right NowCREST LogoCREST AI Signatory AICPA SOC 2 LogoG2Clutch 2023 Certification Logo