AI, IoT, quantum risk, social-engineering threats, and AI governance.
This chapter surveys technologies that change system design, control risk, and the future of assurance work. The goal is not deep engineering mastery, but enough understanding to evaluate governance, reliability, and emerging exposure.
Emerging-technology questions should translate novelty into control consequences. AI, IoT, quantum risk, social engineering, and AI governance all matter because they alter authorization, monitoring, reliability, privacy, or assurance evidence.
| Technology area | Control question | Common ISC trap |
|---|---|---|
| AI and machine learning | Are inputs, outputs, bias, explainability, and oversight controlled? | Treating model output as objective because it is automated. |
| IoT and 5G | Are connected devices inventoried, secured, segmented, and monitored? | Ignoring device-level exposure because the network appears secure. |
| Quantum risk | Which encryption, authentication, or long-term data protections may become vulnerable? | Treating quantum computing as irrelevant because it is future-facing. |
| Social engineering | How can attackers bypass technical controls through people and process? | Assuming technical safeguards stop human-centered attacks. |
| AI governance | Who is accountable for model use, change, monitoring, and misuse risk? | Deploying AI tools without ownership and review controls. |
| Step | What to do | Why it matters on ISC |
|---|---|---|
| 1. Translate the technology into a process | Identify what the tool senses, predicts, automates, connects, secures, or influences. | Control analysis begins with how the technology changes work. |
| 2. Identify new risk surfaces | Look for data quality, device exposure, model bias, authentication weakness, privacy risk, or human manipulation. | Emerging tools often create risks outside traditional control boundaries. |
| 3. Assign governance ownership | Determine who approves use, monitors performance, handles exceptions, and manages change. | Technology without ownership becomes unmanaged risk. |
| 4. Evaluate evidence reliability | Decide whether outputs are explainable, complete, accurate, secured, and reviewable. | Assurance depends on whether the technology’s output can be trusted. |
| 5. Plan monitoring and adaptation | Consider periodic review, threat changes, model drift, vendor dependence, and future cryptographic risk. | Emerging-technology controls must evolve as the environment changes. |
| Checkpoint | Exam use | What to avoid |
|---|---|---|
| Business process affected | Identify what the technology collects, predicts, automates, connects, secures, or influences. | Evaluating the tool as a buzzword instead of a process change. |
| New risk surface | Look for model bias, poor data quality, unmanaged devices, privacy exposure, weak authentication, or social manipulation. | Assuming new technology only adds efficiency. |
| Governance owner | Determine who approves use, monitors performance, handles exceptions, and manages vendor or model changes. | Letting technology operate without accountability. |
| Evidence reliability | Evaluate completeness, accuracy, explainability, access control, logging, and reviewability of outputs. | Treating automated output as inherently reliable. |
| Adaptation plan | Consider model drift, threat evolution, device lifecycle, cryptographic risk, and periodic reassessment. | Designing a one-time control for a risk that changes over time. |