Mapping AI Security Standards

The UK Government’s AI Cyber Security Code of Practice was created by the Department for Science, Innovation and Technology (DSIT) in collaboration with the National Cyber Security Centre (NCSC) and published in early 2025. This work was then used as the basis for the European Telecommunications Standards Institute’s (ETSI) international standard, ETSI EN 304 223: “Securing Artificial Intelligence (SAI); Baseline Cyber Security Requirements for AI Models and Systems”, which was published in December 2025.

How do other recommendations around the world compare with the ETSI EN? Working with DSIT, we’ve reviewed over 60 other AI security standards, recommendations and pieces of legislation from around the world and mapped over 2000 requirements and recommendations to the 13 ETSI EN 304 223 Principles and Provisions. The purpose of this is to help organisations and individuals understand AI security standards and, ultimately, to help defragment all the different technical requirements out there. Copper Horse has created https://aisecuritymapping.com/ to provide a visual home for this information, where these mappings are viewable by each ETSI EN Principle, with mind maps to help navigate the information. This work follows on from our work on IoT and Application security mappings, using a similar methodology.

The ETSI EN 304 223 Principles are split into five lifecycle stages: Design, Development, Deployment, Maintenance and End of Life. Both the ETSI Principles and the mapped requirements were found to be weighted more towards Design and Development, with around 80% of the requirements mapped against these stages. This shows where the industry is focused when it comes specifically to AI security; however, it’s possible that the other lifecycle stages are already better covered by existing non-AI-specific documentation.

The most mapped Principle was Principle 2: “Design your AI system for security as well as functionality and performance” with over 300 requirements mapped to it. This broader definition covered several distinct areas as well as any other requirements to do with security in design that weren’t covered anywhere else.

Below, you can see an example mapping from the site showing all the recommendations mapped to Principle 13, grouped by document and then organisation. Individual recommendation nodes are clickable to view the actual text, and document nodes have links to their publicly viewable sources. Principle 13 (decommissioning and end of life) had the fewest requirements mapped to it, with only a small proportion of the reviewed documents covering this area. As it’s less complex than the rest, this map is useful to demonstrate the format. To create these mind maps, we reverse engineered the MindMeister .mind format so that we could directly generate maps from the captured spreadsheet data and automate the process.

Example Mind Map for Principle 13

Mapping External References

One of the most useful exercises we conducted in our previous work on IoT was to look at which organisations the source documents referred to in their reference sections. We’ve repeated it for this AI standards mapping work. When aggregated, this provides a good picture of the overall organisational landscape, which voices are being heard and which things are deemed the most important or relevant (or just popular!), from news articles to blogs, to other international standards.

The mapping is coloured by organisation type. Organisations with more external references to them appear larger in the map and have a darker coloured centre.

Something new we did this time was to create a second version of this map which excludes any self-references, i.e. where a mapped document references another document from the same organisation. One of the biggest changes this map highlights is that the International Organization for Standardization (ISO) appears far less important, as most of the captured references to it actually came from other ISO documents (shown with a red arrow in both versions of the map). Both sets of maps and the data they were built from are available on the website to look at.

Reference map comparison (self references included/excluded) – highlighting ISO’s use of self references

Other information about the site

We’ve also improved the accessibility of the site by allowing users to change the view; this uses higher-contrast colours along with different shapes to distinguish between organisation types.

As always, we’ve made all of the data available for download in a variety of open data formats, under a CC 4.0 license. A full document repository of the source documents is also on the site, with all the reviewed documents. We’ve done this to preserve the materials, based on our previous experience of broken links and documents being removed from sites over time.

We hope you like it!
