AI Defense Automation: The Ethics of Security through AI in Medium Enterprises
Rafael Mehdiyev
Abstract. With the growing adoption of AI in cybersecurity, the process has been made more efficient in terms of threat detection. On the downside, the integration of the technology into SME cybersecurity practices happens in conditions of resource shortages, which makes it difficult not only to implement but also to develop the ethics and governance needed for the appropriate use of the technology. Thus, this research assesses the appropriateness of existing models for guiding AI-enabled security practices among SMEs. For comparative content analysis, six well-known models have been chosen: ISO/IEC 27001:2022, ISO/IEC 27005:2018, NIST CSF, NIST AI RMF, EU AI Act (Regulation (EU) 2024/1689), and ENISA Threat Landscape 2022.
Two gaps in the frameworks' capacity for AI-enabled security practices are revealed. The first one is a domain-integration gap since the ISO/IEC standards are focused on information security and do not consider AI ethics; only the NIST AI RMF and EU AI Act mention issues such as audits of algorithmic bias, explainability, and human involvement. The second is an SME adaptation gap, meaning that no model has provisions specific to the peculiarities of SMEs and gradual implementation. The solution offered in this regard involves the implementation of a three-level governance structure consisting of strategic, operational, and ethics layers based on the ethics-by-design approach in line with ISO 27005 and NIST AI RMF.
Keywords: cybersecurity governance, artificial intelligence, ethical AI, algorithmic bias, medium-sized enterprises, risk-based governance, explainable AI, data privacy, ethics-by-design