Name: AI Privacy Impact Assessment (AIPIA): From Compliance to Competitive Advantage
Start: 2025-12-16T18:00:00Z
End: 2025-12-16T18:00:55.000Z
Location: BrightTALK
Rating: 4.3

ISSA is the community of choice for international cybersecurity professionals dedicated to advancing individual growth, managing technology risk and protecting critical information and infrastructure.

Traditional identity governance approaches were designed for environments with fewer applications and identities. As organizations scale, they must govern access across hundreds of applications and millions of human and non-human identities, often using manual processes, periodic access reviews, and static roles. In large identity environments, these traditional IGA models reach clear limits, creating visibility gaps, increasing operational effort, and making it difficult to manage access risk consistently across systems.

This session examines where and why these limitations emerge and explores the core capabilities required to govern access effectively as identity environments grow in size and complexity.

Join the session to:

 - Understand how identity and application growth exposes the limits of traditional IGA models
 - Identify why manual processes and periodic access reviews fail to scale
 - Learn how cross-application complexity increases access risk and governance blind spots
 - Explore the importance of visibility and auditability in large identity environments
 - Gain practical insight into the capabilities needed to govern access at enterprise scale

The Limits of Traditional IGA in Large Identity Environments

Security operations are entering a new era defined by AI, automation, and human collaboration. In this session, Sumo Logic will take you inside Dojo AI, a multi-agent platform built to help teams work smarter, not harder.
Margaret Selid, Principal Product Marketing Manager, and Beth Glowacki, Architect Solutions Engineer, share how our AI agents are transforming the SOC experience by reducing alert fatigue, summarizing insights, and accelerating response times while keeping people in control.
We’ll discuss:
● What Intelligent SecOps means in practice and how AI fits in
● How agentic AI reduces noise and improves detection accuracy
● Why human oversight remains key to trust and transparency
● How organizations are preparing their SOCs for the AI era
Walk away with a clear picture of how AI and human intelligence can work together to make security operations faster, more focused, and more resilient.

Building Intelligent Security Operations for the AI Era

This webinar explores the hidden risks in apps leveraging modern AI systems, especially those using large language models (LLMs) and retrieval-augmented generation (RAG) workflows. The speaker will demonstrate how sensitive data, such as personally identifiable information (PII), can be extracted through real-world attacks. This includes techniques like model inversion attacks targeting fine-tuned models, and embedding inversion attacks on vector databases, which are key components in RAG architectures that supply private data to LLMs for answering specific queries.

We’ll talk about various categories of protections and mitigations, painting a picture of how to work with AI features safely and when they are too dangerous to use.

Hidden Risks of Integrating AI: Extracting Private Data with Real-World Exploits

AI risk doesn’t start with the model, it starts with the data feeding it. As sensitive data is pulled into AI tools, analytics workflows, and third-party services, many security teams lose visibility as soon as data moves beyond its original environment.
For security and data leaders, the challenge isn’t recognizing AI risk, it’s knowing where sensitive data enters AI workflows, how it moves once it does, and how to put controls in place early enough to prevent exposure.

In this session, we’ll cover:
● Common ways sensitive data ends up in AI systems, intentionally and unintentionally
● Why existing security and data controls struggle to maintain visibility as AI usage scales
● How to identify and classify high-risk data before it’s used for training, fine-tuning, or inference
● How BigID helps teams spot early risk signals and enforce the right controls automatically

You’ll walk away with a clear approach to protecting sensitive data before it reaches AI models, and a more defensible strategy for securing AI as adoption accelerates into 2026.

How to Secure Sensitive Data Before It Hits AI Models

Join Travis Luckey, CIO of the City of Beaverton, Oregon, as he reviews key elements of the city’s data privacy and security program. He’ll cover what is collected, how that data is classified, and highlight some of the city’s important data governance
 initiatives, such as sensitivity labels and password-less authentication, that help secure private information and ensure it can only be accessed by those with a need to know about it. We’ll save time afterward for questions/conversation.

The key takeaways for attendees can be summarized as (1) understanding how the city safeguards community data through modern security practices, and (2) learning about current initiatives in the city, including sensitivity labeling and password-less
 authentication.

Your Hometown Knows A Lot About You - How Do They Keep That Information Safe?

The Cyber Resilience Act sets mandatory requirements for manufacturers to implement cybersecurity risk management, produce and maintain SBOMs and manage vulnerabilities across the product lifecycle. This session explains obligations and shows practical ways to embed resilience in development and deployment pipelines. It also highlights how preparing now supports readiness for future regulations such as the AI Act, creating innovation and business advantage. 

Key Takeaways:
 • Understand CRA requirements for software and device makers.
 • Learn how SBOM and vulnerability handling affect compliance.
 • See examples of compliance by design practices in action.
 • Foresight into upcoming regulations and frameworks, such as the AI Act.

Preparing for CRA: What Manufacturers, Developers, and Security Leaders Need to Know

This presentation shows what kind of information is online about people and companies, how I find and use that information in social engineering campaigns, and most importantly how to take back some level of control to protect our privacy. Most of it is focused on personal privacy - how this information got out there in the first place, why it's not a good thing, how to find and delete it, all mixed in with my personal experience of going through this process. It also contains examples of successful social engineering campaigns demonstrating exactly how seemingly innocent information can be used against an individual or organization.

How to Protect Yourself From People Like Me

The path to the boardroom is often hidden from view, leaving many aspiring directors unsure of how the process really works. In this episode, we shine a spotlight on the mechanics of board-member selection, from how nominating committees identify candidates to the role networks, skills, and emerging competencies like cybersecurity and ESG play in shaping the pipeline. Joining us are experts from a leading executive search firm and seasoned industry leaders with direct experience in selecting board members. Together, they will reveal what differentiates candidates, how boards make decisions, and what it truly takes to earn a seat at the table.

Behind Closed Doors: How Board Members Really Get Selected

AI is being deployed faster than most security teams can govern it. Whether it’s shadow AI models running without approval or sensitive data flowing into third-party tools without scrutiny, the result is the same: heightened regulatory risk and operational blind spots. Most organizations don’t have a clear system for AI oversight, leaving models and the data that fuels them outside the lines of compliance and control.

This session unpacks how to bring structure to the chaos. From cataloging every AI model and its data inputs to enforcing usage policies and surfacing accountability metrics, CISOs can – and must – take the lead in governing enterprise AI.

Key Takeaways

● Catalog Models and Data: Build visibility across all AI models in use, including third-party and shadow tools, and map their data sources.
● Set Clear AI Usage Policies: Define what’s allowed, what’s not, and what needs review – ensuring alignment across security, legal, compliance, and the business.
● Align with Governance Requirements: Ensure your AI programs meet regulatory, ethical, and corporate mandates before external frameworks mandate it.
● Monitor and Report: Put oversight in motion with active monitoring, risk scoring, and audit-ready reporting across your AI footprint.
● Get Ahead of Regulation: With global regulatory frameworks still catching up, internal governance is your best defense – and offense – for safe, scalable AI adoption.

Actionable Oversight for Enterprise AI: Governing Models, Data, and Risk

AI is in your business now, often outside policy and visibility. Adversaries, regulators, and your own teams are moving fast. 

The result: unmanaged risk from shadow AI, agentic systems, and a surge of machine identities (tokens, API keys, service accounts) that can act without oversight. Traditional IAM alone won’t contain it. This CISO briefing lays out a board-ready operating model for AI governance at speed and scale. We’ll define decision rights, an enterprise AI register, and risk tiers that drive controls. We’ll show how to bound agent actions, enforce least privilege for non-human identities, protect data and models, and produce continuous, audit-ready evidence. Expect plain language, real examples, and a focus on measurable outcomes: faster approvals, smaller blast radius, clearer accountability, and defensible reporting. 

Leave with a 90-day plan and a concise set of KPIs/KRIs any executive can track to prove coverage, reduce exposure, and enable safe, profitable AI adoption across the enterprise.

CISO Briefing: Board-Ready AI Governance at Speed and Scale

Sign up for this talk here, or for ALL sessions of the ISSA International Cyber Resilience Awareness Day Virtual Summit here: https://issa.brighttalk.com/summit/7595/

Public sector organizations and enterprises worldwide face increasingly sophisticated cyber threats that can disrupt operations, erode trust, and compromise mission success. Cyber resilience, defined as the ability to anticipate, withstand, recover from, and adapt to cyber events is now a critical component of national, organizational, and digital security strategies.

This session explores how cyber resilience strengthens deterrence and operational continuity across sectors by ensuring systems and data remain available, trustworthy, and secure - even under attack. Central to this is data centricity: treating data as the most valuable asset and ensuring its protection, governance, and accessibility at all times. By safeguarding data through classification, encryption, access control, and continuous monitoring - aligned with Zero Trust and proactive data security principles - organizations can deny adversaries the opportunity to disrupt essential services or degrade decision-making.

Participants will gain insights into how building resilience at the data and system levels not only protects critical operations but also establishes confidence, credibility, and deterrence in a globally connected environment.

Featuring:
Travis Rosiek, Public Sector CTO, Rubrik (https://www.linkedin.com/in/travis-rosiek-3255b669/)

Cyber Resilience as Deterrence

Sign up for this talk here, or for ALL sessions of the ISSA International Cyber Resilience Awareness Day Virtual Summit here: https://issa.brighttalk.com/summit/7595/

This session explores building cyber resilience using the NIST Cybersecurity Framework 2.0's Identify, Protect, Detect, Respond, and Recover approach to minimize operational impact from cyber incidents.

Discover how real-world attacks compromise backups, resulting in lengthy and uncertain recovery periods that may compel organizations to revert to outdated manual processes. The key focus: Leveraging AI to rapidly identify clean data, detect threats early, and enable quick recovery with minimal operational disruption.

Featuring:
Jim McGann, CMO, Index Engines (https://www.linkedin.com/in/mcgann/)

AI with Intention: Threat Detection and Trusted Data Recovery

Sign up for this talk here, or for ALL sessions of the ISSA International Cyber Resilience Awareness Day Virtual Summit here: https://issa.brighttalk.com/summit/7595/

With resilience, our aim is to “remain viable amidst adversity.” We prevent what we can, presuming a certain number of incidents will occur, forcing us to detect and recover. We know relying solely on technical controls is no longer sufficient. Malicious actors are increasingly focused on social engineering. We also know that one-third of incidents begin outside of our enterprise. We must focus on a collaboration of people, process, technology, and the organization across the entire cyber life cycle inside and outside of our enterprise.

This session will walk through the underlying principles to guide your journey while discussing the role of the Business Impact Analysis (BIA), the Operational Resilience Framework (ORF), and the Cyber Resilience Capability Maturity Model (CR-CMM) as tools to achieve your resilience objectives.

Featuring:
Alex Sharpe, Principle, Sharpe, LLC (https://www.linkedin.com/in/alex-sharpe-3rd/)
Mark Orsi, CEO, GRF (https://www.linkedin.com/in/markorsi/)

Principles and Tools for your Resilience Journey

Sign up for this talk here, or for ALL sessions of the ISSA International Cyber Resilience Awareness Day Virtual Summit here: https://issa.brighttalk.com/summit/7595/

Resilience in security ensures an organization's ability to anticipate, detect, withstand, recover, and adapt to cyber threats. To counter the ever-evolving cyber threat landscape, organizations rely on cybersecurity tools to prevent, detect, and respond to cyberattacks. 

This presentation will compare these tools to the NIST 800-160 and MITRE ATT&CK models, highlighting any remaining gaps and challenges. This research employs a systematic literature review and case study approach to examine the present state of cybersecurity tools and their applicability. This research adopts the Resilience Engineering Theory to review and evaluate the resilience of cybersecurity tools.

Featuring:
Oluwatomisin Giwamogorewa, Cybersecurity Doctoral Candidate, Marymount University (https://www.linkedin.com/in/ogiwamogorewa/)
Oluwatobi Babatunde, Cybersecurity Doctoral Candidate, Marymount University (https://www.linkedin.com/in/oluwatobi-babatunde)
Ricky Katsuya, Cybersecurity Doctoral Candidate, Marymount University (www.linkedin.com/in/ricky-katsuya-51071421)

Cyber Resilient Tools: Current Innovations and Future Challenges

Sign up for this talk here, or for ALL sessions of the ISSA International Cyber Resilience Awareness Day Virtual Summit here: https://issa.brighttalk.com/summit/7595/

Users fundamentally face risks that vary among different ICT sectors, constantly evolve, and require reasonable allocations of resources and actions. 

As cybersecurity incidents and related losses continue to increase, multiple private and public sector activities and actions have emerged as different understandings of what is reasonable. In legal terms "reasonable cybersecurity" is the duty of care that an organization owes its customers. However, what is reasonable remains largely undefined and no global compilation exists of its use for cybersecurity purposes.

Featuring:
Curtis Dukes, EVP & GM Security Best Practices, Center for Internet Security (CIS) (https://www.linkedin.com/in/curtis-dukes-aa9966129/)

Reasonable Cybersecurity: Emerging New Developments

Sign up for this talk here, or for ALL sessions of the ISSA International Cyber Resilience Awareness Day Virtual Summit here: https://issa.brighttalk.com/summit/7595/

Major cyber incidents expose gaps in critical asset protection, raising the question: how can MITRE ATT&CK help strengthen cyber resilience?

This presentation explores how MITRE ATT&CK reveals lessons learned from real-world incidents - starting from Groups, through TTPs and Mitigations, to the intersection with cyber resilience via the MITRE Cyber Resiliency Engineering Framework (CREF). It demonstrates how ATT&CK with the CREF Navigator can help organizations shift from reactive threat tracking to proactive, resilience-oriented planning. By analyzing cyber incidents and IT disruptions, we underscore how MITRE ATT&CK can serve not only as a threat-tracking tool but also as a valuable reference for strengthening cyber resilience against both evolving adversaries and technological disruptions.

Featuring:
Lorenzo Vacca, Cybersecurity Manager, RSM Italy (https://www.linkedin.com/in/lorenzo-vacca/)

Applying MITRE ATT&CK for Cyber Resilience: A Lessons-Learned Approach

Sign up for this talk here, or for ALL sessions of the ISSA International Cyber Resilience Awareness Day Virtual Summit here: https://issa.brighttalk.com/summit/7595/

Cyber defenders need a clear understanding of how security controls and capabilities align with their threat identification efforts, risk assessments, and security control programs. To support this, MITRE CTID has developed an open-source repository of mappings connecting security controls and capabilities to adversarial behaviors as described in MITRE ATT&CK. These mappings provide a foundation for a threat-informed approach by meeting the following objectives:

- Application of threat-informed analysis and decision-making to security control program design and implementation.
- Connect the design and implementation of controls to the adversary behaviors they mitigate.
- Improve management and board reporting with respect to control investment and threat protection.

Featuring:
Tiffany Bergeron, Chief Architect, Mappings Program - Center for Threat-Informed Defense, MITRE (https://www.linkedin.com/in/tiffany-bergeron/)

Unite ATT&CK and Security Controls for a Resilient Future

The rapid adoption of AI is introducing serious new risks and vulnerabilities that will not be caught and/or remedied by traditional risk management approaches. This presentation will highlight a number of those new risk and vulnerability areas, and discuss the prudent ways that we might go about performing a better risk assessment process, so as to develop contingency plans for the inevitable failures and damages sustained as a result of this very rapid adoption process. A sample of recent legal cases related to these new risks and vulnerabilities will be covered, with an emphasis on what can be done, so as to prevent similar problems at the viewer's organization.

Safety Nets for Artificial Intelligence Risk Management Failures

Existing risk management policies, and the related business processes, which may have been appropriate for the traditional information technology environment, will not be workable in the AI environment. In this presentation, we’ll discuss what’s markedly different between the traditional information technology risk management environment, and the new AI risk management environment. For example, there is a risk of model stealing with publicly facing AI systems, but no such risk is found in traditional publicly facing systems. Likewise, the result provided by a certain query submitted to a Generative Artificial Intelligence (GAI) system may not be the same from day to day, but no such phenomenon is present with traditional information systems. Similarly, the great power of AI systems can be used to overcome traditional privacy-protection mechanisms such as anonymization, and this has not been previously encountered with traditional information systems. Also covered in this presentation will be suggested managerial and technical responses to these differences, such as an AI Acceptable Use Policy and an AI Life Cycle Process. Some recent legal developments in the AI risk management area will also be briefly covered.

Why AI Needs Its Own Risk Management Policies and Processes

GDPR became one of the first forcing functions to get teams to implement baseline engineering policies within their organization(s), but we continue to see organizations paying fines. Validating external claims made by organizations and helping to evolve policies requires a robust cultural shift. In this talk we'll discuss examples of privacy policy converted to engineering verification scenarios to help engineers or privacy champions embed privacy policy verification(s) within product cycles so policies stay current.

Privacy for the People by the People

This presentation will discuss how to ensure your company has AI policies and plans in place based on industry best practices and applicable regulations.  It will take into consideration the developing frameworks and other quickly evolving regulations. We will discuss the prioritization of ethical and legal use in AI software as well as how to work with relevant stakeholders to understand business considerations and risks.  We will also show how AI can present real opportunities for cybersecurity and why you shouldn’t be afraid to implement it.

A CISO Guide to AI and Privacy

ISSA International Privacy SIG Series 2025

This presentation explores how organizations can transform privacy from a compliance obligation into a driver of trust and innovation. It introduces the concept of an AI Privacy Impact Assessment (AIPIA) — a structured approach to identifying, assessing, and mitigating privacy risks across the AI lifecycle. By integrating principles from global standards such as GDPR, ISO/IEC 42001, ISO/IEC 23894, and the NIST AI RMF, AIPIA helps ensure that AI systems remain transparent, accountable, and aligned with ethical and regulatory expectations. The session highlights how privacy impact assessments uncover risks like data misuse, bias, or inference leakage and translate them into actionable governance measures. Ultimately, it positions privacy as a cornerstone of responsible AI adoption—enhancing organizational resilience, stakeholder confidence, and long-term competitive advantage.

AI Privacy Impact Assessment (AIPIA): From Compliance to Competitive Advantage

Privacy

cybersecurity

Cloud computing has exploded over the past few years, delivering a previously unimagined level of workplace mobility and flexibility. The cloud computing community on BrightTALK is made up of thousands of engaged professionals learning from the latest cloud computing research and resources. Join the community to expand your cloud computing knowledge and have your questions answered in live sessions with industry experts and vendor representatives.

Cloud Computing

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

The application development community features top thought leadership focusing on optimal practices in software development, SDLC methodology, mobile app development and application development platforms and tools. Join top software engineers and coders as they cover emerging trends in everything from enterprise app development to developing for mobile platforms such as Android and iOS.

Application Development

Enterprise applications have become a crucial piece of infrastructure for many businesses. The enterprise applications community on BrightTALK features the latest insights in enterprise application integration, enterprise application architecture and EAS software. Join the community to gain access to thousands of videos and webinars presented by recognized enterprise information systems experts and arm yourself with the knowledge you need to succeed.

Enterprise Applications

Network infrastructure professionals understand that a reliable and secure infrastructure is crucial to enabling business execution. Join the network infrastructure community to interact with thousands of IT professionals. Browse hundreds of on-demand and live webinars and videos to learn about the latest trends in network computing, SDN, WAN optimization and more.

Network Infrastructure

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

AI Privacy Impact Assessment (AIPIA): From Compliance to Competitive Advantage

Presented by

About this talk

Information Systems Security Association