ISO/IEC FDIS 27090
ISO/IEC FDIS 27090 is the final draft ISO/IEC cybersecurity standard for addressing security threats and compromises specific to artificial intelligence systems.
Definition
ISO/IEC FDIS 27090 is titled Cybersecurity - Artificial Intelligence - Addressing security threats and compromises to artificial intelligence systems. ISO lists it as reference number ISO/IEC FDIS 27090, Edition 1, a 56-page Final Draft International Standard under development in ISO/IEC JTC 1/SC 27, the subcommittee for information security, cybersecurity, and privacy protection.
The draft addresses AI-specific security threats and compromises across the AI system lifecycle. ISO's public abstract frames it as guidance for organizations that develop or use AI systems, so they can understand security consequences and approaches to detection and mitigation.
Status
As reviewed on July 10, 2026, ISO lists ISO/IEC FDIS 27090 as under development, in the approval phase, at stage 50.20, not as a published International Standard. The lifecycle record shows the project approved in September 2022, committee-draft work in 2024, a Draft International Standard ballot in 2025, FDIS registration in March 2026, and FDIS ballot or proof activity initiated on June 23, 2026.
That status matters. A final draft is strong evidence of the direction of the standard, but it is not the same as a final publication. Site records, procurement clauses, audit plans, and policy summaries should preserve the FDIS status until ISO changes the publication state.
Security Surface
The useful reading of ISO/IEC FDIS 27090 starts with the phrase "AI systems." Security work cannot stop at an API endpoint or model file. The relevant surface includes training and evaluation data, model artifacts, prompts, retrieval stores, fine-tuning jobs, inference services, monitoring pipelines, access controls, human review, vendor dependencies, and logs.
The draft's lifecycle framing fits the way AI failures move. A poisoned dataset can appear during preparation, an extracted model can become a supply-chain risk, a compromised deployment can leak sensitive inputs, and an unsafe integration can convert a model response into action. The public scope is therefore broader than adversarial examples alone.
Governance Use
ISO/IEC FDIS 27090 should be treated as a cybersecurity lens for AI governance, not as a general claim that a system is safe. It can help security teams ask whether an AI system has threat modeling, secure data handling, model-integrity checks, access management, incident response, and lifecycle monitoring appropriate to its role. It does not replace ISO/IEC 42001 for AI management systems, ISO/IEC 23894 for AI risk-management guidance, or legal duties under the EU AI Act, sector law, contracts, or privacy rules.
For agentic systems, the governance question is concrete. If an AI system can call tools, write code, query private stores, or act through delegated identity, then the cybersecurity record should include authority boundaries and action receipts. A model review that ignores tool permissions is incomplete.
Evidence Record
A serious ISO/IEC FDIS 27090-aligned record should identify the AI system, lifecycle stage, model version, dataset lineage, training or fine-tuning environment, deployment environment, interfaces, identities, privileges, external tools, monitoring controls, incident triggers, and owners. It should distinguish risks to the AI system from risks created by it.
The same record should preserve changes. AI cybersecurity evidence decays when prompts, embeddings, policies, model weights, dependencies, or permissions change without review. The standard's lifecycle orientation is useful because it asks teams to track the system as it moves, not only certify a moment.
Source Discipline
Use the official ISO standard page for the reference number, title, FDIS status, stage, page count, committee, lifecycle dates, and abstract-level scope. Use the ISO/IEC JTC 1/SC 27 committee page for the committee mandate and working-group context. Use NIST AI 100-2e2025 for adversarial machine-learning terminology and NIST SP 800-218A for secure AI model-development practice. Do not cite marketing summaries for final-publication status. Do not treat ISO/IEC FDIS 27090 as a certification mark, product approval, model evaluation, or legal safe harbor.
Spiralist Reading
Spiralism reads ISO/IEC FDIS 27090 as a refusal to leave AI security in the folklore of clever attacks. It names the lifecycle as the object of defense. The system is not only the model, and the risk is not only the prompt.
The danger is standard theater. Organizations may cite the draft to imply maturity while leaving the live system's tools, data flows, credentials, and monitoring obscure. The useful reading is stricter: every AI security claim should point to a versioned system, a lifecycle stage, an owner, an evidence record, and a review trigger.
Open Questions
- How should organizations map ISO/IEC FDIS 27090 evidence into existing ISO/IEC 27001 and ISO/IEC 42001 programs?
- Which model, data, and agent changes should automatically trigger renewed cybersecurity review?
- What evidence can be shared with customers, regulators, and affected parties without exposing exploitable details?
Related Pages
- AI in Cybersecurity
- AI Data Security
- Adversarial Machine Learning
- Model Weight Security
- AI Agent Sandboxing
- NIST SP 800-218A
- ISO/IEC 42001
- ISO/IEC 23894
Sources
- ISO, ISO/IEC FDIS 27090 page, status, title, scope, lifecycle, committee, and page count, reviewed July 10, 2026.
- ISO, ISO/IEC JTC 1/SC 27 committee page, committee scope and working-group context, reviewed July 10, 2026.
- ISO, ISO/IEC JTC 1/SC 27 standards catalogue, ISO/IEC FDIS 27090 listing and stage 50.20, reviewed July 10, 2026.
- NIST, AI 100-2e2025 adversarial machine-learning taxonomy, final March 2025, reviewed July 10, 2026.
- NIST, SP 800-218A secure AI development profile, final July 2024, reviewed July 10, 2026.