Predictive AI Models for Cyber Risk Governance in Critical Infrastructure Sectors | IJCT Volume 13 – Issue 2 | IJCT-V13I2P31

International Journal of Computer Techniques
ISSN 2394-2231
Volume 13, Issue 2  |  Published: March – April 2026

Authors

Rosemary Chisom Dimakunne, Paul Clement Uwamotobon Akpabio, Oghenemena Erukayenure

Abstract

Purpose. Critical infrastructure operators must govern cyber risk under high operational consequence and increasing regulatory pressure, yet many programs still rely on qualitative scoring that does not anticipate exploitation risk. This paper proposes a predictive AI governance framework that quantifies near-term cyber risk and ties model outputs to compliance and board-level decision utility. [1] [2] [3]

Design/Methodology/Approach. We construct governance-oriented datasets from public sources including the CISA Known Exploited Vulnerabilities catalog, MITRE ATT&CK for ICS STIX, and a community-maintained CSV mirror of CISA ICS advisories. [1] [4] [5] We define risk as likelihood times impact, operationalized through predicted exploitation likelihood and sector-relevant operational consequences, then integrate compliance constraints from NIST SP 800-82, GDPR Article 32, and HIPAA Security Rule risk analysis requirements. [2] [6] [7] Models include calibrated gradient boosting baselines, with explainability using feature attribution for governance traceability. [8]

Findings. Sectoral analyses show the ICS advisory dataset is concentrated in Critical Manufacturing and Energy, with high average CVSS levels, while KEV intersections indicate that exploited vulnerabilities disproportionately map to these CI sectors. [5] [4] Predictive outputs enable decision-focused prioritization, including control recommendations aligned to ICS segmentation, access control, and vulnerability management, and compliance evidence artifacts suitable for audits. [2] [6] [7]

Practical implications. The framework supports risk appetite thresholds, budget allocation, and compliance readiness indicators, generating explainable justifications linking threats, controls, and mandates. [2] [6]

Originality/value. This study contributes a compliance-by-design predictive governance pipeline grounded in public datasets and produces governance utility metrics beyond standard predictive performance. [1] [2] [6]
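As an added illustration (not code from the paper or its authors), the following Python sketch shows the risk = likelihood times impact ranking the abstract describes: constructed advisory records are joined against a constructed KEV set, KEV membership raises the exploitation likelihood, CVSS and a sector weight form the impact, and each item above the risk appetite threshold carries a justification string of the kind an audit artifact would record. The CVE ids, likelihood values and sector weights are placeholders, not the paper's data or model outputs.

```python
from dataclasses import dataclass

# Constructed sample data: CVE ids are placeholders, not real advisories.
KEV = {"CVE-0000-0001", "CVE-0000-0003"}  # constructed "known exploited" set

# Assumed operational-consequence weights per CI sector (0..1), placeholder values.
SECTOR_IMPACT = {"Energy": 1.0, "Critical Manufacturing": 0.9, "Water": 0.8, "Other": 0.5}

@dataclass
class Advisory:
    cve: str
    sector: str
    cvss: float        # CVSS base score, 0..10
    p_exploit: float   # model-predicted exploitation likelihood, 0..1 (assumed input)

def likelihood(a: Advisory) -> float:
    """KEV membership is observed exploitation, so the likelihood floors at 0.95."""
    return max(a.p_exploit, 0.95) if a.cve in KEV else a.p_exploit

def impact(a: Advisory) -> float:
    """Impact combines normalised CVSS severity with the sector weight."""
    return (a.cvss / 10.0) * SECTOR_IMPACT.get(a.sector, SECTOR_IMPACT["Other"])

def risk(a: Advisory) -> float:
    """Risk = likelihood x impact, rounded for stable reporting."""
    return round(likelihood(a) * impact(a), 4)

def rank(advisories, appetite: float = 0.5):
    """Advisories at or above the risk-appetite threshold, highest risk first,
    each as (cve, risk, justification) so the ranking is traceable."""
    out = []
    for a in sorted(advisories, key=risk, reverse=True):
        r = risk(a)
        if r < appetite:
            continue
        why = (f"{a.cve}: risk={r} (likelihood={likelihood(a):.2f}, "
               f"impact={impact(a):.2f}, sector={a.sector}, "
               f"KEV={'yes' if a.cve in KEV else 'no'})")
        out.append((a.cve, r, why))
    return out

SAMPLE = [  # constructed records
    Advisory("CVE-0000-0001", "Energy", 9.8, 0.30),
    Advisory("CVE-0000-0002", "Critical Manufacturing", 7.5, 0.40),
    Advisory("CVE-0000-0003", "Other", 6.0, 0.10),
    Advisory("CVE-0000-0004", "Water", 9.0, 0.05),
]

if __name__ == "__main__":
    for _, _, why in rank(SAMPLE, appetite=0.0):
        print(why)
```

Note that the KEV-listed item in a low-weight sector still outranks the unlisted high-CVSS ones, which is the prioritization signal the abstract attributes to KEV intersections.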

Keywords

cyber risk governance, critical infrastructure, predictive modeling, NIST SP 800-82, GDPR, HIPAA, operational risk, explainable AI, risk quantification, compliance by design

Conclusion

11.1 Summary of contributions

This paper presented PRISM CI, a predictive AI governance framework for critical infrastructure cyber risk. It integrates public exploitation signals from KEV, OT attack knowledge from MITRE ATT&CK for ICS, and vulnerability context from ICS advisories, then maps outputs to compliance requirements and governance decisions. [1] [4] [5] [2] [6] [7]

11.2 Key findings

CI vulnerability exposure in the ICS advisory dataset is concentrated in Critical Manufacturing and Energy, with high severity distributions. [5] KEV intersections show exploited vulnerabilities are present across CI sectors and therefore provide a concrete prioritization signal for governance. [1] [5]

11.3 Recommendations for CI governance leaders

Adopt predictive risk ranking that combines exploitation evidence with OT context, enforce compliance-by-design mappings so mandates become machine-checkable triggers, and require explainability artifacts for board and audit traceability. [1] [2] [6] [7] [8]

References

[1] Cybersecurity and Infrastructure Security Agency. (n.d.). Known Exploited Vulnerabilities Catalog. Retrieved February 21, 2026, from the CISA website.
[2] Stouffer, K., Pillitteri, V., Lightman, S., Abrams, M., & Hahn, A. (2015). Guide to Industrial Control Systems (ICS) Security (NIST SP 800-82 Rev. 2). National Institute of Standards and Technology.
[3] Cybersecurity and Infrastructure Security Agency. (2021). BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities.
[4] MITRE. (n.d.). ATT&CK for ICS and STIX data. Retrieved February 21, 2026, from the MITRE ATT&CK STIX repository.
[5] ICS Advisory Project. (n.d.). CISA ICS Advisory data in CSV format. Retrieved February 21, 2026.
[6] GDPR Info. (n.d.). Article 32 GDPR: Security of processing. Retrieved February 21, 2026.
[7] Electronic Code of Federal Regulations. (n.d.). 45 CFR 164.308: Administrative safeguards, risk analysis and risk management. Retrieved February 21, 2026.
[8] General machine learning and governance evaluation principles for imbalanced risk ranking and explainability are widely established in the applied security analytics literature and are implemented here as standard practice without relying on a single proprietary source.
[9] Forum of Incident Response and Security Teams. (n.d.). Exploit Prediction Scoring System (EPSS). Retrieved February 21, 2026.
[10] Forum of Incident Response and Security Teams. (n.d.). EPSS User Guide. Retrieved February 21, 2026.

How to Cite This Paper

Rosemary Chisom Dimakunne, Paul Clement Uwamotobon Akpabio, Oghenemena Erukayenure (2026). Predictive AI Models for Cyber Risk Governance in Critical Infrastructure Sectors. International Journal of Computer Techniques, 13(2). ISSN: 2394-2231.

© 2026 International Journal of Computer Techniques (IJCT). All rights reserved.