OWASP Enables AI Regulation That Works with OWASP AI Exchange

Ricardo Griffith, OWASP Foundation, Global Board Chair

Tuesday, May 6, 2025

OWASP has forged a coalition between the global security community and formal standardization bodies on AI. The ‘AI Exchange’ Project is now driving the creation of AI security standards that protect people and businesses while still allowing innovation to thrive.

By establishing an official liaison partnership with international standardization organizations, the Open Worldwide Application Security Project (OWASP) has opened the door for its community of 8,500 security professionals to contribute directly to critical standards. This partnership has already made a meaningful impact—especially on key standards for AI security. Thanks to the active involvement of OWASP’s practitioners, the draft standards now include clear, practical, and fair requirements.

The result is a more balanced approach to AI regulation: strong enough to prevent harm to individuals, society, and organizations, but flexible enough to support innovation. The foundation of this approach is risk-based thinking—applying just the right amount of security depending on the context rather than enforcing a one-size-fits-all checklist.

Why AI Security Matters

AI security is now a critical concern for three main reasons:

• AI is being connected to everything.
• There are many ways to attack AI systems.
• Most engineers don’t yet know how to make AI secure.

AI has become an ideal target for attackers. That’s why we urgently need clear guidance and effective regulation.

The Role of OWASP in AI Security Standards

In May 2023, the European Commission launched the development of an AI security standard as part of the AI Act. This standard determines which AI products and services are allowed on the European market. It is being developed by CEN/CENELEC, bringing together committees from 34 European member states and liaison organisations. The results are expected to influence global practices—similar to how the GDPR became a global benchmark (the “Brussels Effect”).

Long-time OWASP contributor Rob van der Veer joined the working group as co-editor and brought the threat model that he developed at the Software Improvement Group and donated to OWASP in 2022. During his work for the AI Act, Rob saw firsthand the urgent need for more hands-on expertise—especially from researchers and practitioners.

To solve this, he founded the OWASP AI Exchange in October 2023 at owaspai.org. This open-source project brings together experts to help shape global standards.

Major Milestones:

• OWASP’s official liaison partnership with CEN/CENELEC was approved unanimously by EU member states.
• OWASP contributed 70 pages of expert content to ISO/IEC 27090, the global standard on AI security guidance.
• 40 pages of OWASP contributions were added to the AI Act security standard.
• The OWASP AI Exchange was awarded Flagship Project status for these achievements.

A More Open and Inclusive Way to Create Standards

All contributions are based on the 200 pages of open-source material developed by OWASP AI Exchange, available at owaspai.org. This ensures that the expertise shaping international standards is also accessible to all. It promotes alignment across frameworks, tools, and regulatory guidance.

This open approach brings more voices into the standardization process. Experts who are often underrepresented—such as researchers, data scientists, software engineers, startups, and independent contractors—can now help shape global policy.

As of March 7, 2025, the AI Act security standard has completed consultation, generating over 900 comments from member states, liaisons, and the European Commission. The next step is public review, and the OWASP AI Exchange continues to play a substantial role in the process.

“OWASP is excited about our ongoing partnership with CEN and CENELEC,”
— Andrew van der Stock, Executive Director of the OWASP Foundation, Inc.

“With access to our 8,500 members and more than 100,000 participants across our events, chapters, and projects, we look forward to shaping secure software standards for the future.”

What Do Industry Leaders Think?

Dimitri van Zantvliet, Director Cybersecurity, Dutch Railways (NS), said:

“In the railway sector, innovation and safety must go hand in hand. We are increasingly relying on AI to optimize passenger flows, monitor infrastructure, and enhance security. That makes it critical that regulation is both effective and innovation-friendly.
A risk-based, context-aware approach—like the one OWASP champions—not only supports the responsible use of AI, but ensures that real threats are mitigated without burdening engineers with irrelevant checklists. We need standards written by those who build and defend these systems every day.”

Sri Manda, Chief Security & Trust Officer at Peloton Interactive, said:

“AI regulation is critical for protecting safety and security, and for creating a level playing field for vendors. The challenge is to remove legal uncertainty by making standards really clear, and to avoid unnecessary requirements by building in flexible compliance.
I’m very happy to see that OWASP has taken on these challenges by bringing the security community to the table to ensure we get standards that work.”

What’s Next?

OWASP continues to contribute to international standardization efforts including:

• OWASP CycloneDX is being advanced as a global standard via ECMA
• New collaborations are underway for the Cyber Resilience Act as part of the Open Regulatory Commission Working Group
• OpenCRE has been adopted as a central standards hub by the Cloud Security Alliance, major vendors, and Dutch security standards.

Want to Contribute?

Would you like to help shape the future of security standards?

• For AI, join the OWASP AI Exchange: https://owaspai.org/contribute/
• For other topics, join the OWASP Slack channel: #regulations-and-standards-liaison