CREST launches AI Charter for cybersecurity providers. Here’s why trusted, governed AI matters
July 10, 2026






SECURUS Communications Ltd
Securus is a managed communications Operator, providing next-generation network infrastructure and value added services to Managed Hosting providers and the ‘cloud generation’ of enterprises. Securus priority is to offer communication services that represent excellent value for money and are backed by exceptional levels of support.
Contact Securus
Securus Communications Ltd
Station Road, Landmark house, Hook, England RG27 9HA, GB
T: Enquiries: 03451 283457 | Service Desk: 03451 283458
Securus on LinkedIn | Securus on “X” | https://securuscomms.com
Gibraltar: Friday, 10 July 2026 – 07:00 CET
CREST AI Charter: CREST launches AI Charter for cybersecurity providers. Here’s why trusted, governed AI matters
By: Iain Fraser – Cybersecurity Journalist
Published in Collaboration with:
Securus Communications Ltd
SMECyberInsights.co.uk – First for SME Cybersecurity
Google Indexed P1#1 on: 100726 at 08:50 CET
#SMECyberInsights #SMECybersecurity #SMECyberInsights #SME #CyberSafe #CyberSecurity #Cybersecurity #NCSC #CyberEssentials #CyberResilience
CREST AI Charter: CREST launches AI Charter for cybersecurity providers. Here’s why trusted, governed AI matters – AI is moving quickly into everyday cybersecurity work, but speed of adoption is not the same thing as maturity. Many providers are already using AI to accelerate reporting, scanning, analysis, and workflow tasks, yet buyers still face a basic question: how do you know that AI is being used responsibly? That is what makes the launch of the CREST AI Charter more than just another industry announcement.
It is an attempt to define what trustworthy AI-enabled cybersecurity should look like before the market becomes even more uneven.
According to CREST, the Charter is designed to support the “responsible use of AI across cybersecurity services” and is backed by “more than 60 founding signatory cybersecurity organisations.” The initiative is paired with a set of nine AI Principles intended to create clearer expectations around accountability, transparency, control, security, and resilience.
For SMEs, this is not an abstract governance debate. If your business relies on external cyber specialists for testing, managed security, incident response, or advisory work, AI is increasingly part of the service you are buying — whether it is visible or not.
What CREST has launched
The announcement centres on two linked elements:
* the CREST AI Charter
* the CREST AI Principles
What the Charter is trying to do
CREST says the Charter “commits organisations to support responsible AI adoption and trusted AI-enabled cybersecurity services.” That wording is important because it frames AI not just as an efficiency tool, but as something that must be governed in a way that clients can rely on.
According to the materials provided, the Charter was developed in response to demand from:
* industry
* government
* buyers
The goal is to create greater confidence as AI becomes more embedded in cybersecurity delivery.
What the source says about adoption
The supporting release includes some useful figures that show how normalised AI use is becoming in cyber services.
CREST states:
* 69% of providers are now utilising AI in daily service delivery and workflows
* 76% of providers have increased their AI use over the past year
* in penetration testing, 47% are using AI for reporting
* 44% are using AI for vulnerability scanning and enumeration
Those numbers matter because they shift the conversation. The question is no longer whether AI is entering cybersecurity services. It already has. The real question is whether its use is consistent, accountable, and transparent enough to deserve client trust.
Why this matters for SMEs
Many SMEs buy cybersecurity as a specialist service rather than building large internal teams. That means provider governance matters a great deal.
1. AI is becoming part of the service stack
An SME may commission:
* penetration testing
* vulnerability assessments
* managed detection
* incident response
* threat intelligence
* security reviews
Increasingly, AI may sit behind parts of those services, especially in:
* report drafting
* triage support
* data analysis
* vulnerability identification
* workflow automation
That can create real benefits:
* faster turnaround
* broader analysis
* improved consistency
* lower manual burden
But it also creates new questions:
* how much human review is involved?
* what data is processed by AI tools?
* where is that data handled?
* what records exist of AI use?
* how are hallucinations, errors, or overreach managed?
For SMEs, those are procurement and trust questions, not just technical ones.
2. “Responsible AI” needs to mean something practical
One of the strongest parts of the CREST initiative is that it tries to translate responsible AI from a vague aspiration into operational principles.
The nine principles cover:
* accountability and governance
* transparency of use
* documentation and assurance
* boundaries and control
* data, sovereignty and client control
* security and confidentiality
* secure development of AI tooling
* supply chain assurance
* resilience and business continuity
That is useful because smaller businesses often struggle to judge AI claims made by suppliers. A provider saying “we use AI” tells you almost nothing on its own. A provider showing how it manages control, confidentiality, assurance, and client data tells you much more.
3. Trusted AI matters more in cybersecurity than in many other services
Cybersecurity providers often have access to:
* sensitive networks
* internal systems
* source code
* vulnerability data
* security logs
* confidential business information
That makes AI governance particularly important. If AI tools are used carelessly in this context, the risks may include:
* data leakage
* weak auditability
* unreliable outputs
* insecure tooling
* uncontrolled third-party dependencies
CREST’s release makes this point directly, noting that providers are often granted “privileged access to sensitive systems, networks and data” and that responsible AI use is therefore “critical to maintaining trust, accountability and reducing risk.”
What SMEs should do now
The launch of the Charter gives SMEs a helpful reason to improve how they assess cyber providers.
Questions SMEs should ask providers
1. Do you use AI in service delivery?
Ask where it is used: reporting, scanning, triage, analysis, or automation.
2. What human oversight is in place?
AI-assisted output should not be accepted blindly, especially in security assessments or incident response.
3. How is client data handled within AI tools?
Clarify confidentiality, storage, jurisdiction, retention, and access controls.
4. Do you align with recognised AI governance principles?
CREST’s Charter and principles offer a useful benchmark.
5. Can you document and explain AI-supported findings?
Black-box security advice is not especially reassuring, even when wrapped in very confident slides.
6. How do you manage supply chain risk in AI tooling?
AI vendors and embedded models introduce third-party dependencies that should be governed carefully.
7. What happens if AI tools fail or produce poor output?
Providers should be able to explain resilience, fallback processes, and quality assurance.
Simple SME evaluation table
Below is a practical way to think about this when reviewing suppliers.
| Provider question | Why it matters | What good looks like |
| Where do you use AI? | Helps reveal scope and exposure | Clear explanation of use cases |
| Who checks the output? | Reduces risk of bad decisions | Named human review and sign-off |
| How is our data protected? | Prevents leakage or misuse | Strong controls, clear boundaries |
| Do you follow formal principles? | Shows governance maturity | Alignment with frameworks such as CREST |
| Can you evidence assurance? | Supports trust and auditability | Documentation, controls, review processes |
The practical takeaway is simple: AI capability is not enough on its own. Governed AI capability is the real differentiator.
The bigger takeaway
The CREST AI Charter matters because it reflects a broader market shift. AI in cybersecurity is no longer experimental window dressing. It is becoming part of everyday delivery. That creates opportunities for faster, better, and more scalable services — but also stronger pressure to prove those services are safe, controlled, and worthy of trust.
For SMEs, this is good news if it leads to better provider discipline. Smaller organisations often have the least time to interrogate technical detail and the most to lose if a provider uses emerging tools carelessly. Industry-backed principles can help buyers ask smarter questions and avoid being dazzled by automation for its own sake.
The most useful mindset here is straightforward: do not ask only whether your cyber provider uses AI. Ask whether they use it in a way that is secure, explainable, and accountable.
FAQs
1. What is the CREST AI Charter?
The CREST AI Charter is an industry initiative designed to support responsible AI adoption and trusted AI-enabled cybersecurity services. It is backed by more than 60 founding signatory organisations.
2. Why should SMEs care about the Charter?
Because many SMEs buy cybersecurity from external providers. If those providers are using AI in assessments, reporting, detection, or incident response, SMEs need confidence that it is being used responsibly and with proper oversight.
3. What do the CREST AI Principles cover?
They cover nine areas, including accountability, transparency, documentation, boundaries and control, data sovereignty, security, secure AI development, supply chain assurance, and resilience.
Lost your data? Don’t panic. R3 can help! Real data recovery services from a real UK lab!
Data loss can happen at any time and can happen in the most unexpected ways. As long as your device hasn’t been stolen R3 can recover your data from the most unlikely disasters. From their wholly secure state of the art Recovery Lab they can deploy the very best data recovery service as quickly as possible.
Contact R3 Data Recovery
Security House, Windsor St, Sheffield S4 7WB,
T: Enquires 800 999 3282 | Emergency: 07511 051360
R3 On LinkedIn | https://www.r3datarecovery.com/
What is a VPN & Does my SME Need one? A VPN is a Virtual Private Network a method of securing your communications credentials. When it comes to SMEs, the choice of VPNs can significantly impact the security and efficiency of their operations. NordVPN secures your Internet data with military-grade encryption, ensures your activity remains private and helps bypass geographic content restrictions online. Join NordVPN Today and Save up to 73% and Get 3 months Extra Free – Rude Not to …!
SMECYBER Insights – Helping Keep Small Business CYBERSafe!
Launched in 2020 by Cybersecurity Journalist Iain Fraser and his team at IfOnly… SMECYBERInsights was developed to be the go-to platform providing definitive, reliable & actionable Cybersecurity News, Intel, Awareness & Training specifically written and curated for Small Business & Enterprise Owners, Partners and Directors throughout the UK. #SMECyberInsights #SMECyberSecurity #CyberAttack #CyberAwareness #Compliance #DDoS #Fraud #Ransomware #ScamAlert #SME #SmallBusiness #SmallBusinessOwner #ThreatIntel
