Twenty-five years ago Jay Bavisi founded EC Council after 9/11, with a simple premise: if attackers understand systems thoroughly, defenders must understand them equally well. This idea led to the creation of the Certified Ethical Hacker (CEH), which has become one of the most recognized authorities in the field of cybersecurity.
Bavisi believes we are at a similar tipping point again – this time with artificial intelligence.
Technology is developing rapidly. The workforce does not. And just like in the early days of software development, much of the focus is on the capabilities of AI, not on how to implement it safely, responsibly, or at scale.
“We're back to an era where building something seems cool,” Bavisi told me. “In the early days of web development, security and governance were secondary. We're doing the same thing again with AI – functionality first, use cases first, and then asking what the risk is.”
This is the gap the EC Council is seeking to fill with the largest expansion of its portfolio in 25 years: four new AI certifications and a revamped Certified CISO program.
The skills gap is not hypothetical
The data behind this push is not subtle. IDC estimates that the risk of unmanaged AI could reach $5.5 trillion globally. Bain predicts that the AI and cybersecurity training gap will affect 700,000 people in the United States alone. Both the IMF and the World Economic Forum have come to the same conclusion: access to technology is not the limitation – people are.
I've spent the last few years talking to executives about artificial intelligence, and the tone has changed. At first, almost everyone insisted that AI would not replace jobs. It became almost ritualistic. Sure, understandable, but not entirely honest.
Recently, the method of communication has changed. Some roles will disappear. This is no longer controversial. The more accurate phrase has always been: AI probably won't take your job, but someone who knows how to use AI better than you do. This is a real risk and a real opportunity.
What the EC Council actually introduces
The new certifications are based on the EC Council's ADG framework: Adopt, Defend, Govern. This is intended to empower organizations to think consciously about AI, rather than default to “just buy a subscription and see what happens.”
“It's not just about choosing Claude, Gemini or GPT,” Bavisi said. “Your data, customer information and business processes are being sucked in. You need a guardrail.”
Four certifications are role specific:
- Artificial Intelligence Fundamentals (AIE) it is the basic fluency of artificial intelligence – practical, not theoretical.
- Certified AI Program Manager (C|AIPM) focuses on implementing AI programs with responsibility and risk management in mind.
- Certified Responsible Artificial Intelligence Governance and Ethics Professional (C|RAGE) eliminates management gaps by aligning with frameworks such as NIST AI RMF and ISO/IEC 42001.
- Certified Offensive AI Security Specialist (COASP) teaches practitioners how to attack LLM systems so they know how to defend them.
The latter seems particularly on-brand. This is essentially CEH's thinking applied to AI: you can't protect what you don't understand.
Why is this not academic
Bavisi shared a recent example that puts the urgency of the matter into perspective. EC-Council took part in a controlled test involving ten of the world's largest insurance companies. They compared traditional human pen testing with an AI-based approach.
Over three rounds, people discovered a total of 5 vulnerabilities. Artificial intelligence found 37.
This is not an indictment of human skill. It's a reminder that AI doesn't get tired, forget, or operate within the same constraints. Work won't disappear, but expectations about how work is done are changing dramatically.
The role of the CISO is also changing
In addition to AI certifications, EC-Council has updated its Certified CISO program to version 4. Security leaders are now responsible for systems that learn, adapt, and make decisions autonomously, but most CISOs weren't trained for this a decade ago.
The updated curriculum reflects this reality – less checklist security, more governance, risk accountability and accountability in AI-powered environments.
Why it matters
Certifications don't magically make someone an expert. I've collected enough of them over the years to know that. But they matter. They open the door. They signal basic competencies. And now this signal has more weight than usual.
“There are cloud engineers and GRC specialists everywhere asking the same question,” Bavisi said. “How do you manage governance and risk with AI? Until now, there has been no real framework or real training programs.”
AI is not slowing down. The workforce needs to catch up. EC-Council is betting that structured role-based education – based on practical reality, not hype – can help fill this gap. Considering what they did with CEH, this is a bet worth considering.
