On April 2, 2026, ISC2 quietly published a document that matters for anyone studying for a CISSP, CCSP, or pretty much any credential in their portfolio. It’s called the Exam Guidance for Artificial Intelligence, and it maps exactly where AI security concepts now appear across more than 50 core cybersecurity exam domains. This isn’t a future plan or a press release about things they intend to do. It’s the result of a three-year exam refresh cycle that’s already complete.
If you’re studying for an ISC2 cert right now, AI is already part of what you’re expected to know. And if you passed your exam two years ago and haven’t thought about AI security since, your knowledge base has a gap that’s only getting wider. I’ve been tracking how the major certification bodies are responding to AI, and ISC2’s approach here is worth understanding because it affects the largest population of certified security professionals in the world.
ISC2’s AI guidance covers all nine certification exams in their portfolio, mapping AI concepts across more than 50 cybersecurity domains. If you hold or are pursuing any ISC2 credential, this affects you.
What ISC2 Actually Did (Two Separate Things)
Some of the coverage I’ve seen lumps two distinct ISC2 moves together, so let me separate them because they serve different purposes and affect different people.
The first happened back in July 2025. ISC2 launched the Building AI Strategy Certificate, which is a lighter-weight continuing education product. Six on-demand courses totaling about 16 hours. You complete them, earn a Credly badge, pick up CPE credits. No exam, no formal certification. It covers AI fundamentals in cybersecurity, managing AI-related risks, and aligning with global AI regulations. It’s a reasonable way for existing CISSP holders and other ISC2 members to document that they’ve put in structured study time on AI topics. Think of it as professional development, not a new credential.
The second thing is bigger and more consequential. The April 2, 2026 Exam Guidance for Artificial Intelligence isn’t a course or a new certification. It’s a public document that maps how AI security concepts have already been woven into ISC2’s full exam portfolio through their standard Job Task Analysis refresh process. According to ISC2, AI concepts now appear across Security and Risk Management, Asset Security, Security Architecture and Engineering, Communication and Network Security, Security Assessment and Testing, Security Operations, and Software Development Security. That’s essentially every major domain in the CISSP Common Body of Knowledge, plus corresponding domains in CCSP, SSCP, CGRC, CSSLP, and the rest of their lineup.
The distinction matters because the Building AI Strategy Certificate is optional. You take it if you want to. The exam guidance describes content that’s already baked into the exams you’re required to pass. One is a nice-to-have. The other is table stakes.
How Does This Affect CISSP Candidates in 2026?
The honest answer is that it probably doesn’t blow up your study plan, but it does sharpen the focus in a few specific areas. The CISSP exam has always evolved to reflect what security professionals actually deal with on the job. AI governance, AI-related threat modeling, securing machine learning pipelines, evaluating AI vendor risk, and understanding where automated decision systems introduce new attack surfaces are all things working security practitioners handle today. The exam is catching up to reality, which is exactly what you’d want it to do.
Where I’d pay particular attention is Domain 1 (Security and Risk Management) and Domain 3 (Security Architecture and Engineering). Those are where AI governance questions and AI-specific architecture considerations are most likely to show up, and they’ve historically been among the weightier domains on the exam anyway. The guidance document specifically calls out AI-related risk assessment, responsible AI principles, and securing AI deployment environments as concepts mapped to these domains.
If your study materials are more than a year old, they may not fully reflect where the exam content expectations currently sit around AI. That doesn’t mean your old materials are useless. It means you should supplement them with current resources on AI security governance and AI threat models. ISC2’s own guidance document is free and public, so start there.
What About CCSP, SSCP, and the Rest of the ISC2 Portfolio?
CISSP gets all the attention, but the AI integration applies across ISC2’s full set of nine certifications. The guidance document maps AI concepts into CCSP domains around cloud data governance, vendor risk for AI service providers, and the legal implications of automated data processing under frameworks like the GDPR and EU AI Act. If you work in cloud security, that CCSP intersection is worth understanding because AI workloads in the cloud introduce specific compliance and architecture questions that didn’t exist five years ago.
For SSCP candidates, the AI integration focuses more on the operational side: how AI tools enhance SOC operations, how automated systems fit into access control models, and how AI strengthens authentication processes. The ISSEP and ISSMP concentrations get their own AI mappings too, covering everything from AI in systems engineering to managing machine learning feedback loops in security programs.
The breadth here is what makes ISC2’s approach different from what other certification bodies are doing. CompTIA created a standalone AI security certification with SecAI+. ISACA is building dedicated AI credentials like AAISM and AAIR. ISC2 chose to embed AI into everything rather than creating a separate product. There are good arguments for both approaches, but ISC2’s method means you can’t really avoid AI content regardless of which ISC2 exam you’re sitting for.
The Building AI Strategy Certificate: Is It Worth Your Time?
Separate from the exam guidance, the Building AI Strategy Certificate that ISC2 launched in July 2025 fills a different role. It’s a continuing education product aimed at professionals who want a structured introduction to AI security concepts without committing to a full certification exam. The six courses cover AI fundamentals for cybersecurity, risk management for AI systems, regulatory alignment, and practical implementation considerations.
For CISSP holders who need CPE credits anyway, it’s a practical option. You’re going to spend time on continuing education regardless, so you might as well direct some of those hours toward AI security fluency. The Credly badge gives you something tangible to show on LinkedIn, and the content maps reasonably well to the AI topics you’ll encounter in your next CISSP renewal cycle. It’s not going to replace a dedicated AI certification for someone who needs deep specialization, but that’s not really what it’s for.
How ISC2’s Approach Compares to CompTIA and ISACA
The three major certification bodies are all responding to AI, but they’re taking meaningfully different approaches. Understanding those differences matters if you’re trying to figure out where to invest your study time and certification dollars in 2026.
None of these approaches is objectively better. ISC2’s method ensures broad baseline AI literacy across all their certified professionals. CompTIA’s gives you a specific credential that says “this person focused on AI security.” ISACA’s lets experienced professionals add targeted AI specializations to credentials they already hold. Your choice depends on where you are in your career and what signal you need to send to employers.
What You Should Actually Do About This
The practical advice here depends on where you sit. If you hold ISC2 certifications and haven’t looked at the AI guidance document yet, read it. It’s free, it’s public, and it takes maybe 30 minutes to understand which AI topics map to your specific credential. That’s a small time investment for a clear picture of where the exams are heading.
If you’re currently studying for any ISC2 exam, verify that your prep materials address AI security concepts. This is especially important for CISSP candidates working through Domain 1 and Domain 3. Study guides published before mid-2025 probably don’t cover AI governance or AI threat modeling with the depth the current exam expects. You don’t need to become an AI engineer. You need to understand how AI systems create new risk surfaces and how security principles apply to those surfaces.
If you’re trying to decide between CISSP and CISM or weighing ISC2 credentials against ISACA or CompTIA options, the AI integration story is one more data point. ISC2 bakes it in. The others make you choose it deliberately. Neither approach is wrong, but they have different implications for your resume and your actual knowledge base.
On the CPE angle: If you already hold a CISSP or CCSP and need continuing education hours, the Building AI Strategy Certificate knocks out about 16 CPE credits while giving you structured AI security knowledge. That’s efficient. You’re going to spend the hours on CPE regardless, so you might as well point them at the topic ISC2 has identified as central to their exam evolution going forward.
Frequently Asked Questions
Does ISC2 have a dedicated AI certification?
Not as of April 2026. ISC2 offers the Building AI Strategy Certificate, which is a continuing education product with six courses and a Credly badge, but it doesn’t involve a certification exam. Instead of creating a separate AI credential, ISC2 has embedded AI security concepts across all nine of their existing certification exams.
Will the CISSP exam have AI questions on it?
Yes. According to ISC2’s April 2026 Exam Guidance for Artificial Intelligence, AI security concepts have been integrated across CISSP exam domains including Security and Risk Management, Security Architecture and Engineering, Security Assessment and Testing, and Security Operations. This is the result of ISC2’s standard three-year Job Task Analysis refresh cycle, not a sudden overhaul.
Do I need to start over with my CISSP study materials?
No. Your existing study materials still cover the core security concepts that make up the vast majority of the exam. However, materials published before mid-2025 may not address AI security governance, AI threat modeling, or AI-specific risk assessment with sufficient depth. Supplement older materials with ISC2’s free guidance document and current resources on AI security topics, particularly for Domain 1 and Domain 3.
How is ISC2’s AI approach different from CompTIA SecAI+?
CompTIA created SecAI+ as a standalone certification with its own exam, meaning you actively choose to pursue AI security as a separate credential. ISC2 embedded AI concepts into their existing exams, meaning you encounter AI content whether you specifically sought it out or not. CompTIA’s approach gives you a distinct AI security credential on your resume. ISC2’s ensures all their certified professionals have baseline AI security knowledge.
What is the ISC2 Building AI Strategy Certificate?
It’s a continuing education product ISC2 launched in July 2025 consisting of six on-demand courses totaling approximately 16 hours. Completion earns you a Credly digital badge and CPE credits applicable to ISC2 certification maintenance. It covers AI fundamentals for cybersecurity, AI risk management, and regulatory alignment. It’s not a certification exam. It’s professional development designed to build and document AI security knowledge.