ISM-2122 policy ASD Information Security Manual (ISM)

Use Suitable AI Models to Augment Software Security Testing

Where your organisation builds software, use appropriate artificial intelligence tools to strengthen, not replace, your existing security testing of that software.


Plain language

If your organisation writes its own software (whether a website, an app, or an internal system), it should test that software for security weaknesses before and after release. This control says you can use suitable artificial intelligence (AI) tools to help do that testing better, for example by spotting coding flaws faster or covering more of the code. The AI is meant to add to your normal security testing, not be your only safety check, and you need to choose AI tools that are genuinely fit for the job.

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

NC, OS, P, S, TS

ISM last updated

June 2026

Control Stack last updated

18 June 2026

E8 maturity levels

N/A

Official control statement

Suitable AI models are used to augment software security testing.

Why it matters

If AI security testing is poorly chosen or relied on alone, real coding flaws can slip through into released software, exposing it to attackers and putting customer data and reputation at risk.


Operational notes

Reassess the chosen AI tools periodically as both the tools and your software change, and keep confirming that AI findings are still reviewed by a person rather than accepted automatically.


Implementation tips

  • The development team lead decides which parts of your security testing AI can help with (for example scanning code for known flaws or generating extra test cases) and writes this into your testing checklist so it is done consistently on every release.
  • The person responsible for tool selection trials two or three AI security testing tools against a sample of your own code, then chooses one based on how accurately it finds real flaws rather than on marketing claims.
  • The development team runs the AI security testing alongside your existing manual and automated tests, treating AI findings as one input to review rather than as the final word, so a human still confirms each result before it is fixed or dismissed.
  • The team lead sets a rule that no AI security tool is given access to sensitive source code or customer data unless the vendor's terms confirm that data is not stored or used to train their models, and records this check before adopting any tool.
  • The quality or security reviewer keeps a short record for each release listing which AI tools were used, what they checked, and what was found, so there is proof the AI testing actually happened and was acted on.

Audit / evidence tips

  • Ask: the development team to show their security testing process for a recent software release. Look at: where AI tools fit into that process, and confirm they sit alongside other testing. Good: shows AI is one documented step among several, not the only check.
  • Ask: how they chose the AI security testing tool they use. Look at: evidence of a trial or comparison against their own code, and clear selection reasons. Good: describes testing the tool's accuracy on real examples, not just picking the cheapest or best-known product.
  • Ask: for the output or findings from the AI security testing on a recent release. Look at: a record of what flaws the AI raised and what the team did about each one. Good: shows findings were reviewed by a person and either fixed or justifiably dismissed.
  • Ask: whether sensitive code or data is exposed to the AI tool and how that is controlled. Look at: the vendor's data handling terms and an internal check confirming code is not retained or used for training. Good: points to a documented review of those terms before the tool was adopted.
  • Ask: how they confirm the AI testing is genuinely improving results rather than just adding noise. Look at: a comparison of flaws found with and without the AI, or feedback on false alarms. Good: shows the team monitors the tool's usefulness and adjusts how they use it.

Cross-framework mappings

How ISM-2122 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)
  • Annex A 8.25: ISM-2122 requires organisations to use suitable AI models to strengthen their software security testing
  • Annex A 8.29: ISM-2122 requires the use of suitable AI models to augment security testing for organisational software

Supports (2)
  • Annex A 8.27: ISM-2122 requires using AI models to augment software security testing, enhancing defect discovery
  • Annex A 8.28: ISM-2122 requires using suitable AI models to augment software security testing, boosting vulnerability detection and supporting secure c...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
