EC-Council launches AI governance framework & tool

EC-Council has launched its Adopt, Defend, Govern AI framework and a free AI readiness self-assessment tool. The framework was developed with input from practitioners at Citi, JPMorgan Chase, Microsoft, KPMG, Deloitte and Salesforce.

The framework is intended to give companies a practical model for securing and governing artificial intelligence systems as adoption moves beyond pilot projects into broader operational use.

It sets out three pillars, 12 minimum controls and nine governance surfaces, with references to existing standards and frameworks including the EU AI Act, ISO/IEC 42001, the NIST AI Risk Management Framework, the OWASP Top 10 for LLM and Agentic AI, and MITRE ATLAS.

The model addresses risks linked to prompt injection, adversarial manipulation, model exploitation, data poisoning and compromise in AI supply chains. It is designed for use across AI systems, agentic AI environments, multi-model architectures and large language model ecosystems.

The launch comes as companies face growing pressure to show they can manage AI risk while deploying the technology more widely across business operations. EC-Council cited industry findings showing that only 1% of leaders believe their AI governance arrangements have reached maturity, while 78% of executives say they would not be confident of passing an AI governance audit within the next 90 days.

Global AI spending is projected to reach USD $2.5 trillion in 2026, according to figures cited by EC-Council. That increase has intensified scrutiny of whether governance structures, internal controls and security testing are keeping pace with implementation.

Three pillars

The Adopt pillar focuses on aligning AI deployment with business objectives, operational readiness, workforce capability and implementation accountability. Defend centres on protecting AI systems from security threats. Govern covers oversight, auditability, accountability and risk management across enterprise operations.

The structure also introduces nine deployment overlays and three autonomy tiers intended to address technical, societal, operational and systemic AI risk. It is meant to reduce fragmentation for organisations trying to map internal controls to several external standards at the same time.

The self-assessment tool launched alongside the framework is designed to help organisations evaluate their governance posture before weaknesses become entrenched at scale. According to EC-Council, it measures AI maturity across governance readiness, implementation discipline, operational resilience, security posture and accountability structures, then maps those findings to a prioritised implementation roadmap.

The result is intended to give boards, regulators and executive teams an evidence-based view of AI exposure and governance preparedness. The tool is being offered free of charge.

Training push

EC-Council has also introduced three AI certifications tied to the framework: Certified AI Program Manager, Certified Offensive AI Security Professional, and Certified Responsible AI Governance and Ethics Professional.

The new courses are intended to support workforce development in AI governance, offensive AI security and responsible AI implementation. The move extends EC-Council's long-standing focus on cybersecurity training into an area where governance, testing and operational responsibility increasingly overlap.

Jay Bavisi, Group President of EC-Council, said the framework was created in response to a gap between AI deployment and the controls needed to manage it. "Most organizations approached AI with a deploy-first mindset, prioritizing speed while governance and security struggled to keep pace. The result is that organizations are now scaling AI systems faster than they can securely govern them. The ADG Framework was developed to restore operational discipline, establish accountability, and help organizations operationalize AI responsibly before governance failures become systemic business liabilities," Bavisi said.

Contributors from large companies said the framework reflects a cross-functional approach to AI governance rather than a purely technical compliance exercise. Kathy Baxter, Principal Architect, VP of Responsible AI & Tech at Salesforce, AI Advisory Board Member, and contributor to the ADG Framework, said the model could be used across sectors and operating environments.

"The framework's three pillars reflect the cross-functional model that leading AI organizations like Salesforce have used to scale AI responsibly. It establishes a solid, replicable blueprint across any industry, deployment model, or regulatory environment," Baxter said.

Lewis V. Adams, VP, Enterprise AI & Capital Productivity Transformation at Citi, AI Advisory Board Member, and contributor to the ADG Framework, said the model was designed to convert broad standards into practical internal controls. "The ADG Framework is the operating model that enterprise AI has been missing. It turns abstract standards into auditable practices and resolves the real tension between delivery speed and safety. For a board, that is the difference between scaling a fleet of agents with confidence and taking a leap of faith," Adams said.

Another contributor highlighted the emphasis on measurable indicators and security testing. "The industry doesn't lack AI frameworks; it lacks operational clarity. The ADG framework places a strong emphasis on AI security, particularly in addressing adversarial risks and model vulnerabilities, while also mapping to broader governance and regulatory expectations. What's especially valuable is its inclusion of measurable indicators, which helps organizations move from high-level principles to more actionable and trackable AI risk management as they transition into real-world deployment," said ShanShan Pa, Global Head of AI & Data Governance at GlobalLogic, AI Advisory Board Member, and contributor to the ADG Framework.