Program-Level Risk Orchestration in AI-Enabled Cyber Infrastructure: A Systems-of-Systems Management Approach
Abstract
Machine Learning (ML) and Deep Learning (DL) driven AI capabilities are increasingly leveraged for detection, anomaly discovery, and autonomous response within, across, and through cyber infrastructures. As such cyber defense capabilities scale, they are deployed less as standalone solutions than as programs consisting of autonomous subsystems, common data assets, and joint operational processes. However, scaling also creates systemic risks (e.g., cascading, latent, and indirect) and poses control risks (e.g., distributed, dual-use) that are not sufficiently recognized and managed under prevalent cybersecurity risk management (RM) models, which are generally limited to component-level controls and to local rather than program-wide risk visibility and mitigation. This paper posits a program-level risk orchestration framework and some of its design principles, based on systems-of-systems (SoS) engineering and established RM standards. Building on earlier work on AI-based intrusion detection systems, SoS engineering and interoperability, cybersecurity and cyber risk threat modeling, as well as formal risk governance and capital standards, the paper develops the thesis that AI-enabled cyber infrastructure should be conceptualized and managed as an RM program of a special kind, namely a system-of-systems, in need of coordinated oversight and control. The program-level RM framework it proposes as a starting point combines technical cyber risk signals (i.e., from AI subsystems) with risk governance, investment, and economic decision models to structure the consistent and repeatable identification, assessment, prioritization, treatment, monitoring, and reporting of cyber risks across the program. To better support accountability and return on investment, the program-level management perspective further aligns the operations of the cybersecurity function with a standard RM lifecycle, investment criteria, and cost and benefit capital standards.
The paper also positions the proposed framework with respect to recent and extant works, by offering a complementary management lens to a mostly algorithm-focused stream of research.