The cybersecurity and GRC landscape is shifting faster than at any point in history: AI governance mandates, operational technology regulations, quantum cryptography timelines, and an explosion of state and international privacy laws. The SCF Living Control Set is designed to absorb these changes continuously. Here is what is coming and how to prepare.
Each trend below represents a material shift in the regulatory, threat, or technology landscape that GRC programs must address. The SCF response shows how the Living Control Set already accounts for each.
The EU AI Act is the world's first comprehensive AI governance law, creating risk-tiered obligations for AI system developers, deployers, and operators. In the US, multiple AI executive orders, NIST AI RMF, and emerging state AI laws are creating a patchwork of AI governance requirements. Key requirements now materializing include AI risk assessments, AI system inventories, model documentation, bias testing, human oversight for high-risk AI decisions, and incident reporting for AI failures.
SCF has incorporated AI governance controls into relevant domains, covering AI system inventory, AI risk assessment, algorithmic bias controls, human oversight requirements, and AI incident response. The SCF GOV, RA, and DCH domains are the primary locus of AI governance controls, mapped to both the EU AI Act and NIST AI RMF.
NIST finalized its first post-quantum cryptography standards in 2024 (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA). The critical threat is "harvest now, decrypt later," where adversaries are collecting encrypted communications today, planning to decrypt them once quantum computing matures. Organizations must inventory all cryptographic usage, classify data by sensitivity, and develop a PQC migration roadmap.
The SCF CRY (Cryptography) domain already includes controls for cryptographic algorithm inventory, key management lifecycle, and cryptographic agility: the foundational capabilities required for PQC migration. SCF CRY controls are mapped to NIST SP 800-175B and the emerging NIST PQC standards.
Operational Technology (OT) and Industrial Control Systems (ICS) are the fastest-growing attack surface in critical infrastructure. Nation-state actors have pre-positioned in US and allied critical infrastructure networks. OT security is fundamentally different from IT security. Availability takes precedence over confidentiality, patch cycles are measured in years, and many systems cannot accept agents or interruptions.
The SCF includes OT/ICS-specific controls across NET (network segmentation), IAC (remote access for OT), CFG (baseline configurations for ICS), and IRO (OT-aware incident response) domains. SCF controls map to IEC 62443, NIST SP 800-82, and the CISA cross-sector CPG for critical infrastructure operators.
Following SolarWinds and Log4Shell, software supply chain security has become a federal and enterprise priority. Executive Order 14028 mandated SBOM for federal software procurement. The EU Cyber Resilience Act, effective 2027, will require security by design, vulnerability disclosure, and SBOM for all products with digital elements sold in the EU.
The SCF TPM (Third-Party Management) domain covers SBOM requirements, secure software development lifecycle controls, and third-party component management. SCF controls map to the NIST SSDF, EO 14028 requirements, and the EU Cyber Resilience Act.
Privacy law has gone from a niche compliance area to a global operational requirement. GDPR catalyzed a global wave: Brazil's LGPD, India's DPDP Act, China's PIPL, and now 20+ US states with comprehensive privacy laws. The fragmentation is the problem, as each law has different scope triggers, rights timeframes, breach notification windows, and enforcement mechanisms.
The SCF PRI (Privacy) domain and DPMP (Data Privacy Management Principles) were specifically designed for this fragmented landscape. Organizations implementing the SCF already have the foundational controls that satisfy the laws mapped so far, and as new privacy laws are enacted, the SCF maps them via STRM as well.
Zero Trust is no longer a framework aspiration. It is a federal mandate. CISA's Zero Trust Maturity Model and OMB M-22-09 require all federal agencies to reach Advanced ZTA maturity. Commercial organizations face growing pressure from cyber insurers, enterprise customers, and sector regulators to demonstrate ZTA implementation. The ZTA journey typically spans 3–5 years.
The SCF IAC (Identity & Access Control), NET (Network Security), and CFG (Configuration Management) domains map directly to the five pillars of Zero Trust. SCF controls map to CISA ZTA Maturity Model, NIST SP 800-207, and DoD ZTA Reference Architecture.
Threat actors are leveraging AI to automate reconnaissance, generate targeted phishing at scale, create deepfake audio/video for BEC fraud, and accelerate vulnerability discovery. The barrier to entry for sophisticated cyberattacks has dropped dramatically. Defensive response requires AI-aware security awareness training, out-of-band verification procedures, AI-powered detection tools, and updated incident response playbooks.
The SCF SAT (Security Awareness Training) and IRO (Incident Response) domains are updated to address AI-enabled social engineering and deepfake scenarios. The SCF's threat modeling controls in the RA domain now include AI-augmented threat actor profiles and TTPs relevant to LLM-assisted attacks.
Every other major cybersecurity framework, including NIST CSF, ISO 27001, and CIS Controls, updates on a multi-year cycle. By the time a new version is published, it is already behind the regulatory and threat landscape it was designed to address.
The SCF CCF™ is a Living Control Set, updated continuously by the volunteer SCF Council as new laws, regulations, frameworks, and threat landscapes emerge. When the EU AI Act was finalized, the SCF incorporated AI governance controls. When NIST published its PQC standards, the SCF updated its CRY domain. When new US state privacy laws pass, the SCF maps them to PRI controls via STRM.
Organizations using the SCF do not need to trigger a full program redesign every time a new regulation lands. They need to run a gap assessment against the updated SCF LCS and address new or modified controls. The foundational program they already built absorbs the change.
The SCF's Response to Emerging Trends
When a new regulation, framework, or threat materializes, the SCF Council evaluates it, maps it via STRM to existing or new SCF controls, and releases an updated version of the LCS. Organizations already using the SCF only need to run a delta gap assessment, not rebuild their program from scratch.
Emerging trends require proactive monitoring. Organizations that wait for compliance deadlines to begin program changes routinely miss them. The PDCA cycle for trend response should run at least every six months.
Plan: Monitor SCF LCS release notes, CISA alerts, regulatory calendars, and industry threat intelligence. Identify emerging trends with material compliance or risk implications. Assess applicability to your organization's scope, sector, and geography.
Do: Run a delta gap assessment against the updated SCF LCS for newly applicable controls. Prioritize remediation by MCR status (legally mandatory) and risk impact. Execute control implementation projects with defined owners and timelines.
Check: Conduct a CDPAS assessment against newly applicable controls using ERL evidence requirements. Score control maturity using SCR-CMM. Validate that implementation satisfies the specific requirements of newly applicable laws or frameworks.
Act: Close remaining gaps. Update the USG scope to reflect new regulatory triggers. Communicate program status to the board and executives per SEC/NIS2/DORA disclosure requirements. Schedule the next trend monitoring cycle.