Twenty-five years ago, Jay Bavisi founded EC-Council in the aftermath of 9/11 with a straightforward premise: if attackers understand systems deeply, defenders need to understand them just as well. That idea led to Certified Ethical Hacker (CEH), which went on to become one of the most widely recognized credentials in cybersecurity.
Bavisi thinks we’re at a similar inflection point again—this time with AI.
The technology is moving fast. The workforce isn’t. And just like the early days of software development, most of the attention is on what AI can do, not on how to deploy it safely, responsibly, or at scale.
“We’re back in that era where building something feels cool,” Bavisi told me. “In the early days of web development, security and governance were afterthoughts. We’re doing the same thing again with AI—functionality first, use cases first, and only later asking what the risks are.”
That’s the gap EC-Council is trying to address with the largest expansion of its portfolio in 25 years: four new AI certifications and a revamped Certified CISO program.
The Skills Gap Isn’t Hypothetical
The data behind this push isn’t subtle. IDC estimates unmanaged AI risk could reach $5.5 trillion globally. Bain projects a 700,000-person AI and cybersecurity reskilling gap in the U.S. alone. The IMF and World Economic Forum have both landed on the same conclusion: access to technology isn’t the constraint—people are.
I’ve spent the last couple of years talking with executives about AI, and the tone has shifted. Early on, nearly everyone insisted AI wasn’t going to replace jobs. It became almost ritualistic. Understandable, sure—but not entirely honest.
Lately, the messaging has changed. Some roles will disappear. That’s not controversial anymore. The more accurate framing has always been: AI probably won’t take your job, but someone who knows how to use AI better than you might. That’s the real risk—and the real opportunity.
What EC-Council Is Actually Launching
The new certifications are built around a framework EC-Council calls ADG: Adopt, Defend, Govern. It’s meant to give organizations a way to think about AI deliberately, rather than defaulting to “just buy a subscription and see what happens.”
“It’s not just about picking Claude or Gemini or GPT,” Bavisi said. “Your data, your customer information, your business processes all get pulled in. You need guardrails.”
The four certifications are role-specific:
- AI Essentials (AIE) is baseline AI fluency—practical, not theoretical.
- Certified AI Program Manager (C|AIPM) focuses on implementing AI programs with accountability and risk management.
- Certified Responsible AI Governance & Ethics Professional (C|RAGE) targets governance gaps, aligning with frameworks like NIST AI RMF and ISO/IEC 42001.
- Certified Offensive AI Security Professional (COASP) teaches practitioners how to attack LLM systems so they understand how to defend them.
That last one feels especially on-brand. It’s essentially the CEH mindset applied to AI: you can’t protect what you don’t understand.
Why This Isn’t Academic
Bavisi shared a recent example that puts the urgency into perspective. EC-Council took part in a controlled test with a top-ten global insurance company that compared traditional human-led pen testing against an AI-driven approach.
Across three rounds, humans found 5 total vulnerabilities. The AI found 37.
That’s not an indictment of human skill. It’s a reminder that AI doesn’t get tired, doesn’t forget, and doesn’t operate within the same constraints. The job doesn’t disappear—but the expectations around how it’s done change dramatically.
The CISO Role Is Changing Too
Alongside the AI certifications, EC-Council updated its Certified CISO program to version 4. Security leaders are now accountable for systems that learn, adapt, and make decisions autonomously, but that’s not what most CISOs trained for a decade ago.
The updated curriculum reflects that reality—less checklist security, more governance, risk ownership, and accountability in AI-driven environments.
Why This Matters
Certifications don’t magically make someone an expert. I’ve collected enough of them over the years to know that. But they do matter. They open doors. They signal baseline competency. And right now, that signal carries more weight than usual.
“There are cloud engineers and GRC professionals everywhere asking the same question,” Bavisi said. “How do you do governance and risk with AI? Until now, there haven’t been real frameworks or real training programs.”
AI isn’t slowing down. The workforce has to catch up. EC-Council is betting that structured, role-based education—grounded in practical reality rather than hype—can help close that gap. Given what they did with CEH, it’s a bet worth paying attention to.