Purpose

Although existing literature has advanced the understanding of information security policy (ISP) management, it has not examined how artificial intelligence (AI) can support ISP activities across management phases. Moreover, no study has yet mapped the empirical domains studied. The purpose of this paper is to systematically map existing ISP management research to assess to what extent AI has been addressed or used.

Design/methodology/approach

This study follows the five-step scoping review framework proposed by Arksey and O’Malley (2005): identifying the research questions, finding relevant studies, selecting studies, charting the data and reporting the results.

Findings

The review reveals that very few ISP management papers address or use AI. These few papers focused mostly on operational ISPs and addressed different ISP phases and empirical domains. Most existing work focuses on construction or compliance, while no studies have addressed the technical level. Research methods are dominated by experiments, with a notable absence of organizational fieldwork. Research on ethical aspects such as fairness, transparency, accountability and data sensitivity is rare in this area.

Research limitations/implications

Given the limited research in this area, there are significant opportunities to explore AI in ISP management and to use AI in studying ISP management. The authors suggest a research agenda divided into three time horizons: short, medium and long term.

Originality/value

This paper provides the first scoping review of AI in ISP management research, offering a systematic mapping of ISP management phases, ISP levels, research methods and empirical domains. It identifies research gaps, thereby guiding future research.

Information security policies (ISPs) are essential components of organizations’ information security management systems (Dhillon, 2017). They are documents that state “how an organization plans to protect its information assets from external and internal threats, operationalizes the implementation of security and provides guidelines for employee and management conduct” (Goel and Chengalur-Smith, 2010). ISPs complement technical measures because they guide how technology is used and managed, as well as how information shall be handled manually. While technical controls like firewalls and encryption protect systems from attacks, policies ensure that people and processes support these controls through consistent behavior and accountability. They help prevent human error, promote compliance with legal and regulatory requirements and provide clear instructions for responding to incidents.

There are three different levels at which ISPs can be found: strategic, operational and technical (Baskerville and Siponen, 2002; Whitman and Mattord, 2008). At the highest level, a strategic ISP refers to an overarching policy that defines the key objectives and responsibilities of an organization in relation to information security. At the middle level, the operational ISP refers to the rules that guide employees in their efforts to protect the information assets of an organization (Siponen and Vance, 2010). At the lowest level, a technical ISP refers to system-specific rules, prescribing how an organization’s technologies must function to ensure information security (Whitman, 2008). To work with ISPs in a structured way, it is necessary to have an ISP management process. For example, Flowerday and Tuyikeze (2016) divide such a process into five phases: risk management, policy construction, policy implementation, policy compliance and policy monitoring.

The current state of information security is fluid and increasingly dominated by social and ethical issues (Brookshear and Brylow, 2015). This fluidity is partially due to the constantly changing nature of the threat environment and of technology. Regarding the latter, the continuous advancements in artificial intelligence (AI), including artificial narrow intelligence, artificial general intelligence and artificial super intelligence, are transforming the role of information security, bringing both opportunities and challenges (Al-Khassawneh, 2023). AI integrates machine learning techniques, such as supervised, unsupervised and reinforcement learning, into information security (Morales and Escalante, 2022). In addition to AI’s ability to improve threat detection, automate incident response and facilitate risk-based decision-making, AI can also be positioned as a potential enabler in ISP management.

As shown in Section 2.2, several literature and scoping reviews summarizing research in the field of ISP management have been published (e.g. Afshari-Mofrad et al., 2022; Cram et al., 2017; Paananen et al., 2020; Rostami et al., 2020; Tuyikeze and Flowerday, 2014). Together, they have greatly improved our knowledge and understanding of existing ISP management research. However, they address AI to a very limited extent. For instance, Afshari-Mofrad et al. (2022) acknowledged the potential of AI and real-time analytics in enhancing agility within cybersecurity policy development, but they did not explore concrete applications of AI technologies across ISP levels or phases. Similarly, Rostami et al. (2020) underscored the limited use of software systems in ISP management but made no mention of AI as a possible solution.

Consequently, the information security research community lacks an overview of the extent to which existing ISP management research has addressed how AI can support, or is supporting, the different ISP management phases, or how AI might be applied at the different ISP levels. In other words, we have limited knowledge of the extent to which AI has been the subject of ISP management research. In addition, we have limited knowledge of the extent to which AI has been used to assist research actions when researching ISP management, i.e. how AI has been used to support researchers’ execution of research methods in this research area. The aim of this paper is to systematically map existing ISP management research to assess to what extent AI has been addressed or used. Additionally, the use of AI in ISP management raises ethical concerns (e.g. privacy risks, potential bias and accountability issues). It is important to examine the current research status regarding ethical issues in light of AI ethics and governance frameworks, such as the EU AI Act (Act, 2024) and the IEEE EAD principles (Chatila and Havens, 2019). To this end, we conduct a scoping review and pose the following key research questions (RQs):

RQ1.

To what extent has AI been addressed in ISP management research, in terms of (a) the different levels of ISP and (b) the different ISP management phases?

RQ2.

To what extent has AI been used in ISP management research, in terms of (a) the different levels of ISP and (b) the different ISP management phases?

RQ3.

In ISP management research, (a) what research methods have been used to study AI, and (b) does this use differ from the field at large?

RQ4.

In ISP management research, which empirical areas have been studied in relation to AI?

RQ5.

To what extent have ethical issues surrounding AI been addressed in ISP management research?

Our scoping review follows the method proposed by Arksey and O’Malley (2005). This method includes five stages:

  1. identifying the RQs;

  2. identifying relevant studies;

  3. study selection;

  4. charting the data; and

  5. collating, summarizing and reporting the results.

Although these stages are presented in a clear sequence for simplicity, the actual research process was iterative, moving back and forth between the stages as needed.

The remaining part of this paper is structured as follows: Section 2 presents related work. This section is divided into two parts. First, we provide an overview of the concept of AI. Second, we present existing literature and scoping reviews on ISP management. Section 3 describes the research method adopted to conduct the scoping review, including the stages outlined above. In Section 4, we present the results of our scoping review. We discuss our results in Section 5, resulting in a future research agenda for this research area. Finally, the paper ends with a short conclusion in Section 6.

AI has increasingly been positioned as a critical enabler in the field of information security, offering capabilities to enhance threat detection, automate incident response and support risk-based decision-making (Mohamed, 2025). The growing complexity and frequency of cyber threats have led to a surge in research exploring how AI can augment traditional security controls (Kaur et al., 2023; Onyango, 2021). While the application of AI in information security is expanding, the term “AI” itself is often used inconsistently across studies, ranging from rule-based automation to advanced learning systems capable of adaptive behavior (Hashmi et al., 2025).

To address this ambiguity, the European Commission’s High-Level Expert Group on AI (AI HLEG) offers a foundational definition: AI systems are “systems that exhibit intelligent behavior by analyzing their environment and with some degree of autonomy take actions to achieve specific goals.” This definition emphasizes autonomy and environmental awareness, key characteristics that distinguish AI from conventional software. Kaur et al. (2023) adopt the AI HLEG definition in their literature review and structure their analysis using a taxonomy that links core AI capabilities, learning, reasoning, planning, perception and communication to the five functions of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond and Recover. Their review highlights that AI is most frequently applied in detection and response activities, such as intrusion detection, anomaly recognition and threat prioritization, while relatively few studies address its use in early-stage risk identification or post-incident recovery.

In this study, we adopt the AI HLEG’s definition as a conceptual basis for identifying and analyzing AI applications in ISP management. This definition, which emphasizes intelligent behavior and a degree of autonomy in goal-directed actions, provides a useful baseline, particularly for distinguishing AI from traditional automation. However, we acknowledge that not all AI systems meet these criteria to the same extent. For example, large language models (LLMs) such as ChatGPT generate outputs based on prompts rather than autonomously initiating actions. As such, their role in decision-making or ISP enforcement typically depends on their integration within broader systems that supply intent and governance. By grounding our study in this definition, we aim to capture a broad but conceptually coherent range of AI applications relevant to ISP management.

ISPs are considered the main formal control for guiding employee behavior and securing an organization’s information assets, and research on ISP management has grown significantly over the past two decades (Cram et al., 2017). Early reviews helped establish ISP management as a relevant and independent area of research within the broader field of information security (e.g. Siponen and Oinas-Kukkonen, 2007; Zafar and Clark, 2009). These reviews primarily sought to define the scope and importance of ISP-related issues. Subsequent reviews have focused on specific phases within ISP management, such as employee compliance (e.g. D'Arcy and Herath, 2011; Gerdin et al., 2025; Guo, 2013; Sommestad et al., 2014), or on the complete ISP management lifecycle, including risk management, policy construction, implementation, compliance and monitoring (e.g. Afshari-Mofrad et al., 2022; Cram et al., 2017; Paananen et al., 2020; Rostami et al., 2020; Tuyikeze and Flowerday, 2014). This broader perspective highlights the complexity and interdependence of the various phases involved in effectively managing ISPs.

Tuyikeze and Flowerday (2014) identified five interconnected phases – risk assessment, ISP construction, implementation, compliance and monitoring – and developed a model based on this lifecycle. Although their review contributed a useful structure for understanding ISP management, it did not address how technological tools, including AI, could support or optimize activities across these phases. Cram et al. (2017) synthesized findings from 114 publications and proposed a research framework that captures relationships between ISP design, individual behaviors and organizational outcomes. Their work highlights the dominance of compliance-focused research, and the lack of studies grounded in theory when it comes to other ISP activities. While they discussed the need for management support tools and emphasized the iterative nature of ISP development, they did not assess the presence or role of AI across different phases of ISP management or ISP levels.

Paananen et al. (2020) conducted a literature review aimed at clarifying the definitions, development methods and contextual factors influencing ISP formulation. They synthesized a broad set of studies and highlighted the diversity of ISP development approaches, ISP levels (strategic, tactical, operational) and alignment with business strategy. Their analysis acknowledged that ISP development is influenced by both internal and external contextual factors, including organizational culture, power structures and stakeholder dynamics. Although their review offered valuable insights into the structural complexity of ISP development, it did not examine the role of AI, nor did it assess how AI might contribute to aligning ISP processes with organizational needs across phases or levels.

Rostami et al. (2020) explicitly examined the role of software systems in ISP management by reviewing ISP research from 1990 to 2017. Their review revealed a significant imbalance: the overwhelming majority of studies relied on manual support, and only a few addressed or suggested any form of software systems. Although the authors stressed the need for software systems to manage the complexity of ISP management, they did not discuss the role of AI in supporting different ISP phases or levels of management.

Afshari-Mofrad et al. (2022) took a different perspective by introducing the concept of agility in cybersecurity policy development. Using the policy-cycle framework, they conducted a systematic review to conceptualize agility in relation to agenda-setting, policy formulation, decision-making, implementation and evaluation. Their findings highlighted the growing importance of adaptive policymaking and suggested that technologies such as AI and real-time analytics could support agile responses to cyber threats. Although they briefly acknowledged the potential of technologies such as AI and real-time analytics to support agile cybersecurity policymaking, they did not show how these technologies are currently used, nor did they explore their application across different ISP levels.

In summary, while previous literature reviews have significantly advanced our understanding of ISP management, they have not investigated the role of AI in supporting ISP activities across management phases and ISP levels, nor the research methods used in this area. Moreover, no review to date has mapped the empirical domains where ISP management has been studied, leaving open questions about sector-specific applications and needs. As we lack such an overview, it is also difficult for researchers to gain an overview of what research has been done and how it has been done. This also makes it difficult to navigate future research studies.

Given our intention to explore to what extent AI has been researched in ISP management studies, we chose to do a scoping review, as it gives a “preliminary assessment of potential size and scope of research literature” (Grant and Booth, 2009). Our research method is quite straightforward at the general level and follows the five stages of the scoping review method put forth by Arksey and O’Malley (2005): identifying the RQ, identifying relevant studies, study selection, charting the data and collating, summarizing and reporting the results. These stages are presented below in sequence to give a simpler presentation, but our implementation of the research method involved an iterative working pattern between these stages.

Arksey and O’Malley (2005) claim that scoping reviews should be guided by broad RQs. At the same time, Levac et al. (2010) recognized that broad RQs may result in insufficient guidance for the subsequent stages of the research process. Drawing on their recommendation, we have developed four RQs and a research aim to provide more guidance. Both these parts are presented in the Introduction section together with the rationale for why the scoping review is needed.

Arksey and O’Malley (2005) argue that scoping reviews should be based on a broad set of studies. Research on ISP management is published across both international journals and conference proceedings. To ensure a comprehensive selection of papers, we therefore used Scopus and Web of Science for our search. Scopus is recognized as a major abstract and citation database for peer-reviewed literature. It provides an extensive coverage of journals listed in the Association of Information Systems’ journal ranking, as well as specialized information security journals and conferences (Karlsson et al., 2015). Similarly, Web of Science offers access to high-impact journals and conference proceedings (Franke and Brynielsson, 2014). Together, these two databases provide good coverage of the ISP management literature.

Figure 1 shows an overview of our identification and selection process in a PRISMA diagram (Page et al., 2021). Starting with the identification of papers, our search included papers published in Scopus and Web of Science between 2014 and 2024. We chose 2014 as the starting year based on our initial searches, which showed that it is only in recent years that research on AI has taken off. This means that the chosen year also includes some margin to capture any early studies. Our search encompassed journal papers, conference papers and workshop papers from all geographic regions, ensuring a comprehensive perspective on the field. The search fields included paper title, abstract and keywords. We used the four search strings shown in Table 1, which also shows the number of papers per search. We deliberately avoided using keywords that restricted the search to “AI” to keep it as broad and inclusive as possible. This is because AI can be described in many different ways (Hashmi et al., 2025), which makes it easy to overlook relevant papers. As shown on the last row in Table 1, using multiple search queries generated a sizeable list of 1,278 research papers, including duplicates. Information about each paper was downloaded from the databases and compiled in an Excel spreadsheet.

Figure 1. PRISMA diagram: identifying relevant studies and study selection

[Figure: flow diagram of the study selection process from identification to inclusion, with the number of papers at each step. Papers identified from Scopus (n = 911) and Web of Science (n = 367), total n = 1,278. Duplicates removed using ChatGPT (n = 341) before screening. Papers screened on title and abstract: n = 937. Papers excluded for not meeting the inclusion and exclusion criteria in Table 2: n = 554. Papers sought for retrieval: n = 383. Papers not retrieved due to access issues: n = 57. Papers included in the analysis: n = 326.]

Source: Created by authors

Table 1. Search strings and search results

| Search string                           | Scopus | Web of Science | Sum   |
|-----------------------------------------|--------|----------------|-------|
| “Cyber security policy”                 | 129    | 37             | 166   |
| “Information security policy”           | 693    | 304            | 997   |
| “Information systems security policy”   | 57     | 14             | 71    |
| “IS security policy”                    | 32     | 12             | 44    |
| Sum including duplicates                | 911    | 367            | 1,278 |

Source(s): Created by authors

As shown in Figure 1, we removed 341 duplicates before moving on to screening. We removed duplicates using an LLM. In Step 1, we prompted ChatGPT-4o: “1. Do the following with sheet named ‘Sorted’ in the Excel-file. 1. Turn the text in the column ‘Article Title’ to capital letters. 2. Remove any ‘’’ in the beginning and end of the text. 3. Check for duplicates in the column named ‘Article Title’ and remove these duplicates.” We realized that the returned spreadsheet included papers with no author names, and as a second step, we prompted ChatGPT: “Do the following with sheet named ‘Sorted’ in the Excel-file. 1. Check in the column ‘Authors’ for no text and remove these rows.” Figure 1 shows that, after removing duplicates, 937 papers entered the study selection step.
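The duplicate-removal step above was delegated to ChatGPT-4o, which leaves no reproducible record of which rows were dropped. As an added example (not the authors’ code), the following Python script carries out the same two steps deterministically on a constructed sample export, so the reduction can be rerun and audited: titles are uppercased and stripped of surrounding quote characters, duplicate titles are collapsed, and rows with an empty author field are removed. The column names mirror the paper’s ‘Article Title’ and ‘Authors’ columns; the sample rows are invented. It goes slightly beyond the sequential prompts in one respect: when a title occurs several times and only one copy carries author names, that copy is kept instead of the whole group being lost.

```python
"""Deterministic reproduction of the two-step duplicate removal.

Added example, not the authors' own code. Column names follow the paper's
'Article Title' and 'Authors' columns; all sample rows are constructed.
"""
import csv
import io

# Constructed sample of a database export (NOT data from the actual review).
SAMPLE_CSV = """Article Title,Authors,Source
"'Information security policy compliance: a review'","Smith, J.; Doe, A.",Scopus
"Information Security Policy Compliance: A Review","Smith, J.; Doe, A.",Web of Science
"Cyber security policy in SMEs",,Web of Science
"Cyber security policy in SMEs","Lee, K.",Scopus
"Toward AI-assisted ISP drafting",,Scopus
"""

QUOTE_CHARS = "'\"\u201c\u201d\u2018\u2019"


def normalize_title(title: str) -> str:
    """Step 1 of the prompt: uppercase the title and strip quotes at both ends."""
    return title.strip().strip(QUOTE_CHARS).strip().upper()


def load_rows(csv_text: str) -> list:
    """Parse an export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def deduplicate(rows: list):
    """Collapse rows sharing a normalized title and drop title groups with no authors.

    Returns (kept_rows, n_duplicates, n_missing_authors).
    Within a title group the first row that has author names is kept, so a
    duplicate whose authors were lost in one database does not remove the paper.
    """
    groups = {}  # normalized title -> rows in input order
    for row in rows:
        groups.setdefault(normalize_title(row["Article Title"]), []).append(row)

    kept, n_missing_authors = [], 0
    for key, members in groups.items():
        with_authors = [r for r in members if r["Authors"].strip()]
        if not with_authors:
            n_missing_authors += 1  # step 2 of the prompt: no author text
            continue
        best = dict(with_authors[0])
        best["Article Title"] = key  # store the normalized title as the prompt did
        kept.append(best)

    n_duplicates = len(rows) - len(groups)
    return kept, n_duplicates, n_missing_authors


def run_sample():
    """Apply the procedure to the constructed sample and return the counts."""
    kept, n_dup, n_noauth = deduplicate(load_rows(SAMPLE_CSV))
    return len(kept), n_dup, n_noauth


if __name__ == "__main__":
    kept, n_dup, n_noauth = deduplicate(load_rows(SAMPLE_CSV))
    print(f"kept={len(kept)} duplicates={n_dup} no_authors={n_noauth}")
    for r in kept:
        print(r["Article Title"], "|", r["Authors"], "|", r["Source"])
```

Running it on a real export only requires reading the spreadsheet into the same list-of-dicts shape; the returned counts correspond to the “duplicates removed” box of the PRISMA diagram and can be reported alongside the list of dropped titles.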

Our next step was to select which studies to include in our analysis. As shown in Figure 1, this was achieved by screening papers based on their titles and abstracts, before retrieving the full versions of those that passed the screening. Levac et al. (2010) advise that at least two reviewers should independently screen papers for inclusion. We implemented this advice using the following procedure. The gross list of 937 papers was divided into four parts, with each author initially carrying out the screening of one part. The screening was performed by reviewing the title and abstract of the paper and applying the inclusion and exclusion criteria in Table 2. After that, the author was assigned a new part of the gross list to screen and performed another independent screening. This meant that each part of the gross list was screened independently by two of the authors. All papers that both reviewing authors considered relevant were included in the further analysis. Papers where the two reviewers disagreed on the screening decision were compiled into a list for discussion with all authors. A joint workshop attended by all four authors was organized to decide which of these papers should be included. As Figure 1 shows, 554 papers did not fulfil the inclusion and exclusion criteria, resulting in a list of 383 papers after screening. Out of these papers, our more detailed analysis (see Section 3.4 for method details) showed that only five papers addressed or used AI.

Table 2. Inclusion and exclusion criteria

| Inclusion criteria                                                              | Exclusion criteria                                                                                          |
|---------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------|
| Paper focuses on ISP as a study object                                          | Paper on national ISPs                                                                                      |
| Paper focuses on strategic, operational and technical ISPs in organizations     | Paper written with an English abstract, but where the article was written in another language (e.g. Spanish) |
| Paper written in English                                                        | Literature review                                                                                           |
| Paper is peer-reviewed                                                          | Editorial                                                                                                   |
|                                                                                 | Erratum                                                                                                     |
|                                                                                 | Work in progress                                                                                            |

Source(s): Created by authors

The large reduction in relevant papers is a result of our broad search strategy. According to Arksey and O’Malley (2005), this outcome is expected when using an inclusive approach. Our search strategy led to the inclusion of papers in the initial data set that mentioned ISPs but did not treat them as the main focus of the study. For instance, Da Veiga (2016) investigated how the ISP affects information security culture and whether a stronger information security culture emerges over time as more employees become familiar with the policy. Although the ISP plays an important role in this study, the main interest and the study object in this case is information security culture. In addition, we ran across several papers on national ISPs. For instance, Elamiryan and Bolgov (2018) compared the ISPs of Russia and Armenia, given their shared historical background. Although these papers have ISPs as study objects, they obviously do not cover the type of ISP (used in organizations) we are interested in. However, we chose the above search strategy to ensure that we did not miss any papers by setting the search parameters too narrowly.

The next step in the process was to retrieve the papers. Our primary method of obtaining articles was to download them from the respective publishers. When access to articles was not possible, we tried to contact the authors to obtain the paper. As shown in Figure 1, 57 papers were excluded because we did not have access to them. In total, this means that 326 papers were included in our analysis.

Charting the data means extracting relevant data from the papers for compilation and analysis (Arksey and O’Malley, 2005). Drawing on Levac et al. (2010), we jointly developed a data-charting form. This form was driven by our RQs and addressed the following areas:

  • Aim of the study. We extracted the aim of the study, usually found by reading the Introduction section or similar. In the first instance, we used quotes, but where the aim was expressed in longer reasoning, condensed summaries have been made.

  • Type of ISP researched. We extracted data about the type of ISP researched. Drawing on existing research of Baskerville and Siponen (2002) and Whitman and Mattord (2008), we classified the study as belonging to one or more of the following types of ISPs: strategic, operational and technical. A strategic ISP is an overarching policy that defines an organization’s key objectives and responsibilities in relation to information security. An operational ISP contains the rules and procedures that guide employees in protecting an organization’s information assets. Finally, a technical ISP refers to system-specific rules that prescribe how an organization’s technologies must function to ensure information security.

  • ISP management phase. We extracted information about which part of ISP management the study addressed. We classified the paper into one or more of the ISP management phases suggested by Flowerday and Tuyikeze (2016). As discussed in Section 2.2, this model divides ISP management into the following five distinct phases: risk management, policy construction, policy implementation, policy compliance and policy monitoring. The risk management phase focuses on an organization’s need to “identify and mitigate threats, vulnerabilities, and risks” (Flowerday and Tuyikeze, 2016). AI can estimate the likelihood and impact of threats using historical data. The policy construction phase encompasses the activities and considerations involved in developing an ISP, including drafting a comprehensive policy and engaging with stakeholders. LLMs can assist in drafting policy text that aligns with regulations such as NIS2 and GDPR. The policy implementation phase focuses on putting the ISP into effect, with a particular emphasis on awareness, education and training. AI-powered chatbots can be deployed in this phase to provide personalized policy guidance, helping employees better understand and interpret different parts of the policy. The policy compliance phase deals with employee compliance/non-compliance with ISPs and the various ways in which this can be assessed. Machine learning models can be applied to detect employees’ deviating security behaviors. The final phase, policy monitoring, focuses on auditing and reviewing ISP-related aspects. AI can be applied to analyze incident data as part of continuous monitoring, allowing organizations to assess the effectiveness of the ISP.

  • Research method. We extracted the research methods used in the paper. To create consistency in terminology, these methods were then mapped against an existing catalog of research methods. There are several catalogs available (Dwivedi and Kuljis, 2008; Galliers, 1992; Mingers, 2003; Palvia et al., 2004), which means that such mapping can be done in slightly different ways. We have used an extended version of Mingers’ (2003) catalog because it is rather inclusive and provides the opportunity to make nuanced characterizations of the research methods used. Having said that, our data extraction showed that it does not cover all the methods used, so we inductively added design science, conceptual modeling and the Delphi method. We also added a category “others” to capture studies that did not specify a research method or where the method was difficult to determine.

  • Description of type of AI. We extracted the description of the type of AI addressed or used in the paper. This means that we extracted the type of AI technology claimed by the authors to have either been addressed in the paper or used by the authors as part of the research method; in addition, we extracted a description of how the AI technology has been used.

  • Empirical domain. We extracted the empirical domain addressed by the study, if that was explicitly stated by the authors. This meant that we stayed close to the authors’ description of the empirical domain.

  • Ethical aspects. For the extraction of ethical aspects, we drew on Havrda and Rakova’s (2020) “normative core” of AI principles, which includes privacy, accountability, safety and security, transparency and explainability, fairness and non-discrimination, human control of technology, professional responsibility and the promotion of human values. We examined each paper to identify whether and how these aspects were addressed.

The final step in our scoping review is collating, summarizing and reporting the results (Arksey and O’Malley, 2005). We report this stage in the Results section. To answer RQ1, we created an overview of existing ISP management research, ISP levels and how much of this research addressed or used AI. As described above, an ISP can reside on three different levels, and a paper can therefore deal with one or more levels. In addition, ISP management consists of several phases, which means that existing research may address one or more of these phases. We therefore compiled which ISP levels and ISP management phases the papers addressed, using the extracted ISP level data, ISP management phase data together with data about the type of AI. The results are presented in Section 4.1, where Table 3 presents the compilation of to what extent different ISP levels have been addressed and Table 4 contains the compilation of ISP management phases.

Table 3. Overview of ISP management papers in relation to ISP levels

| ISP levels  | No. of ISP management research papers | No. of ISP management papers addressing AI | No. of ISP management papers using AI |
|-------------|---------------------------------------|--------------------------------------------|---------------------------------------|
| Strategic   | 19                                    |                                            |                                       |
| Operational | 305                                   |                                            |                                       |
| Technical   | 15                                    |                                            |                                       |

Note(s): Please note that papers can address more than one level, which means that the total number of addressed levels exceeds the actual number of papers

Source(s): Created by authors
Table 4.

Overview of ISP management papers in relation to ISP management phases

Phases | No. of ISP management papers | No. of ISP management papers addressing AI | No. of ISP management papers using AI
Risk management | 7 | – | –
Construction | 40 | 2 | –
Implementation | 37 | – | –
Compliance | 252 | 1 | 1
Monitoring | 13 | 1 | –
Risk management, construction | | – | –
Construction, implementation | 6 | – | –
Construction, compliance | | – | –
Compliance, monitoring | | – | –
Implementation, compliance | 6 | – | –
Implementation, monitoring | | – | –
Construction, monitoring | | – | –

Note(s): Please note that papers can address more than one level, which means that the total number of addressed levels exceeds the actual number of papers

Source(s): Created by authors

To answer RQ2 to RQ4, we compiled data on the research methods used, the empirical domains and the ethical aspects for the ISP management research that addressed or used AI. The research methods used are discussed in Section 4.2, and an overview of these methods can be found in Table 6. This table compiles the extracted data using Mingers’ (2003) catalog of research methods. Given the limited number of papers that address or use AI in ISP management (see Section 4.1 for details), it was not possible to meaningfully develop themes of empirical domains or ethical aspects or to categorize them deductively. We therefore chose descriptive summaries for these two RQs and linked the descriptions to the ISP management phases and ISP levels. The results are presented in Sections 4.3 and 4.4.

This section presents the results of our scoping review and addresses the RQs introduced in the Introduction. Subsection 4.1 addresses RQ1 and RQ2 by analyzing how AI is addressed or used in ISP management research across the different ISP levels and management phases. Subsection 4.2 addresses RQ3 by describing the research methods that have been used in ISP management research in general and to study AI. Subsection 4.3 addresses RQ4 by mapping the empirical domains in the ISP management research where AI has been studied. Finally, Subsection 4.4 provides insights into the ethical issues surrounding AI that have been addressed in ISP management research.

To show to what extent AI was addressed or used in ISP management research, in the different ISP levels and ISP management phases, we first provide an overall picture of the ISP management research field. As shown earlier in Figure 1, we included 326 ISP management papers in our analysis. How these papers are distributed across ISP levels and ISP phases is shown in Column 2 of Tables 3 and 4. The last two columns in each table show that in total only five papers incorporated any form of AI in their research or research method related to ISP levels and ISP management phases.

As the second column in Table 3 shows, most of the papers on ISP management focus on the operational level (305), followed by strategic (19) and technical (15) ISPs. The third column indicates the number of ISP management papers that explicitly address AI within each level. Although the numbers decrease considerably, the hierarchy of focus is the same: the operational level dominates (three papers), followed by the strategic (two) and technical levels (one). Finally, the last column shows the number of ISP management studies that use AI within each level. Here, only one paper appears at the operational level, and no studies use AI at either the strategic or technical level.

Table 4 presents the distribution of the ISP management papers across the ISP management phases. The first column categorizes the papers based on the type of phase coverage, either focused on a single phase (e.g. compliance) or multiple phases (e.g. construction, implementation). The second column lists the total number of papers identified for each phase or phase combination. The third column reports how many of these papers addressed AI within each phase category, and the fourth column shows how many papers used AI.

As shown in the second column from the left, most papers (252 out of 326) focused on the compliance phase, highlighting a dominant emphasis on ensuring adherence to established ISPs. Construction (40 papers) and implementation (37 papers) followed, while monitoring (13 papers) and risk management (seven papers) were the least represented. A small subset of papers addressed combinations of phases, such as construction and implementation (six), implementation and compliance (six) and other multi-phase groupings. The few ISP management papers that addressed AI are distributed as shown in the third column: two papers focused on construction, one on compliance and one on monitoring. Finally, regarding the papers that use AI, there is only one paper, in the compliance phase.

Table 5 presents an overview of the five ISP management studies that either addressed or used AI. The first column lists the studies, followed by the ISP phase they addressed and the level at which the ISP was applied. The Addressing AI column describes how AI was addressed in each study, while the Using AI column shows how AI was used in the study. The Empirical domain column specifies the context in which the ISP management research was conducted, while the Research method column shows the method applied, classified according to our extended version of Mingers’ (2003) catalog. Finally, the Study aim column summarizes the main objectives of each paper.

Table 5.

Overview of ISP management research that has addressed or used AI

Study | ISP phase | ISP level | Addressing AI | Using AI | Empirical domain | Research method | Study aim
Kruger et al. (2020) | Monitoring | Operational | Uses deep learning to classify emotional sentiment from facial expressions | – | Not specified (general organizational setting) | Experiment | To acquire unbiased feedback on employees’ sentiment toward ISPs using affective computing
Jawhar et al. (2024) | Construction | Strategic | Uses GPT-4 via API to generate ISP documents tailored to standard frameworks | – | Private sector (small business – real estate) | Design science research | To automate the generation of ISPs using AI in compliance with standards like NIST and ISO
Cappellozza et al. (2022) | Compliance | Operational | – | Uses AI neural networks (alongside SEM) to analyze the data to predict intention to violate ISPs | Mixed organizational workers in São Paulo, Brazil | Survey | To investigate how individual factors (e.g. moral disengagement, penalties, turnover) affect intent to violate ISPs
Kang et al. (2022) | Construction | All three levels | Uses machine learning (GP, VSS, DTW) for log-based benchmarking to inform ISP design | – | IT and communications industry | Experiment | To construct tailored ISPs by benchmarking organizations using AI-powered analysis of information security management systems logs
Frank and Ranft (2021) | Compliance | Operational | Supervised machine learning (e.g. C5.0, random forest) to classify employees based on likelihood to perform extra-role security behaviors | – | Large international pharmaceutical company | Experiment | To identify contextual factors (e.g. training, salary, helpdesk reliance) that predict which employees are likely to report phishing emails – actions that support ISP goals beyond formal compliance

Source(s): Created by authors

When it comes to the studies that addressed AI, Kruger et al. (2020) focused on the monitoring phase at the operational level, using deep learning to classify employees’ emotional sentiment from facial expressions as a form of affective computing to gather unbiased feedback on ISPs. Jawhar et al. (2024) addressed the construction phase at both the strategic and operational levels by using GPT-4 via API to automate the generation of cybersecurity policy documents aligned with standards such as NIST and ISO, within a small real estate business. The term cybersecurity policies, as used in their study, closely aligns with what we refer to as ISPs. Kang et al. (2022) also focused on the construction phase at both strategic and operational levels, applying a range of machine learning techniques (e.g. vague soft set, dynamic time warping) to benchmark ISPs through AI-powered analysis of information security management systems log data based on input from 40 organizations in the IT and communications sector. Frank and Ranft (2021) used supervised machine learning to predict which employees are likely to engage in extra-role security behaviors such as reporting phishing emails. Drawing on data from over 13,000 employees in a pharmaceutical company, they identified contextual factors, such as salary band, training commitment and helpdesk reliance, that influence such behaviors. This research provides valuable insights into how employee actions can support ISP objectives in practice. While not explicitly framed within the ISP management lifecycle, the study’s focus on behavior prediction and policy-supportive actions aligns with the compliance phase.

The paper by Cappellozza et al. (2022) is the only one that uses AI, i.e. AI is part of the research process. In their research, Cappellozza et al. (2022) explored the compliance phase at the operational level, using neural networks alongside structural equation modeling (SEM) to analyze how individual factors, such as moral disengagement, penalties and turnover, affect employees’ intentions to violate ISPs, drawing data from mixed organizational settings in São Paulo, Brazil.

Table 6 lists the distribution of research methods used in the reviewed ISP management papers. The leftmost column provides a list of research methods. The second column shows the total number of ISP management papers that used each method. Finally, the third and fourth columns present the subset of those studies that explicitly addressed or used AI in their work. When examining all studies in ISP management, the majority of the listed research methods are represented. At the same time, survey studies are by far the most common. Turning to the ISP management studies that addressed AI in their research or used AI in their research method, most adopted an experimental approach. Based on Mingers’ (2003) framework, three of the five papers used experiments, and one relied on a survey. The fifth paper applied design science research, a method not included in Mingers’ (2003) framework.

Table 6.

Overall view on research methods used in AI and ISP management research

Research methods | No. of ISP management papers | No. of ISP management papers addressing AI | No. of ISP management papers using AI
Case study | 13 | – | –
Consultancy | | – | –
Design science research | 11 | 1 | –
Action research | | – | –
Ethnography | | – | –
Experiment | 20 | 3 | –
Grounded theory | | – | –
Interviews | 16 | – | –
Participant observation | | – | –
Qualitative content analysis | 29 | – | –
Simulation | | – | –
Survey | 200 | – | 1
Conceptual modeling | 18 | – | –
Delphi method | | – | –
Others | | – | –

Source(s): Created by authors

Among the papers that addressed AI in their research, Kruger et al. (2020), Kang et al. (2022) and Frank and Ranft (2021) all used the experiment method (see Table 5). Kruger et al. (2020) conducted a controlled laboratory experiment using affective computing and sentiment analysis to assess participants’ emotional reactions to ISP-related texts, relying on biometric data and AI-based emotion classification. Kang et al. (2022) applied machine learning to log data from 40 organizations to benchmark ISP strictness, aiming at optimization through peer group comparison. Frank and Ranft (2021) implemented a large-scale phishing simulation with over 17,000 employees, using supervised machine learning to predict extra-role security behavior. Finally, Jawhar et al. (2024) developed a system that uses GPT-4 to automatically generate ISPs and aligns the generated ISP with established standards such as NIST 800-171 and ISO 27001/27002. Their work involved the creation of an AI-based artefact and a demonstration of its use in a small business scenario, which can be categorized as design science research.

Cappellozza et al. (2022) used AI in their research method. They used a survey-based approach, consistent with survey research, to investigate factors influencing employees’ intention to violate ISPs. The collected data were analyzed using a combination of SEM and artificial neural networks (ANNs) to compare explanatory and predictive power. This hybrid analytical approach integrates traditional statistical techniques with AI-based prediction.

The intention behind providing an overview of the empirical domains in existing ISP management research that addressed or used AI was to clarify the contexts of existing studies. This could help identify limitations in terms of generalizability or transferability in these studies. As the results above contain few relevant studies, it is difficult to identify any clear patterns. Furthermore, across the five reviewed studies that addressed or used AI, the empirical context is often vague or insufficiently detailed. In some cases, such as Kruger et al. (2020) and Cappellozza et al. (2022), the studies mention general organizational settings or geographic locations (e.g. São Paulo) but do not specify the sector, size or nature of the organizations involved. Jawhar et al. (2024) is an exception, as it clearly states that the AI-generated policies were tested within a small real estate business. Kang et al. (2022) reference a sample of 40 organizations in the IT and communications sector, but the organizational specifics remain limited. By contrast, Frank and Ranft (2021) provide the most detailed domain description, basing their analysis on a phishing simulation conducted within a large international pharmaceutical company. Overall, the lack of clear and consistent reporting on empirical domains limits the possibility of generalizing and transferring the results from existing ISP management research on AI.

As discussed in Section 3, we coded ethical aspects in ISP management papers addressing or using AI. To this end, we used Havrda and Rakova’s (2020) normative core of AI principles (privacy, accountability, safety and security, transparency and explainability, fairness and non-discrimination, human control of technology, professional responsibility and promotion of human values). Our analysis indicates that such considerations are largely absent in current ISP management work on AI. Within this lens, only Jawhar et al. (2024) referenced an external governance framework (the NIST AI Risk Management Framework), but they did not map their approach to specific normative-core aspects or explain how concrete ethical risks were identified or mitigated. Other studies, such as Kruger et al. (2020) and Cappellozza et al. (2022), rely on sensitive data or opaque AI techniques without reflecting on related ethical concerns. Overall, the role of ethics in guiding AI for ISP management, particularly how organizations should responsibly deploy AI for policy construction, compliance and monitoring, remains underexplored.

This section is divided into two parts. In the first subsection, we discuss the main insights and contributions that emerge from the scoping review, highlighting how existing ISP management research has addressed AI or used AI, and what gaps remain. In the second subsection, we outline a research agenda and suggest future directions. We use ISP construction as a case example to illustrate how research can progress from exploratory work to practical implementation and long-term evaluation.

This study makes an important contribution to ISP management research by conducting a scoping review to determine the extent to which AI has been addressed as a research topic or used in research actions. The results indicate that while ISP management has been extensively studied between 2014 and 2024, AI within this research domain has received very limited attention. Thus, we contribute to previous literature studies in this domain. These studies have, for example, focused on specific stages of ISP management, such as ISP construction (e.g. Paananen et al., 2020) and ISP compliance (e.g. Gerdin et al., 2025). However, none of the existing literature reviews has explicitly focused on the extent to which AI has been addressed as a research topic in these ISP phases or used in research actions.

Our findings show that out of the 326 ISP management papers reviewed, only four papers addressed AI, and one paper used it to support its statistical analysis of ISP compliance. This finding indicates that addressing AI as a technology in ISP management research has received only limited attention in the existing literature. It highlights a clear research gap and emphasizes the need for more investigation into AI in ISP management research. At the same time, our results also show that AI has not been used by researchers when executing research actions, i.e. to support the execution of their research methods. Therefore, there is an opportunity for researchers to advance ISP management research by incorporating AI into future studies in both ways.

We also found that the existing ISP management studies that addressed AI as a study object are unevenly distributed across both ISP phases and ISP levels. For instance, no study has examined AI in the risk management phase of ISP management. Moreover, the existing AI-related studies have mostly addressed AI in managing ISPs at the operational level. Thus, the strategic and technical levels have received less attention. In addition, while the majority of existing studies in ISP management have focused on the compliance phase, only one study has addressed AI to support ISP compliance. This suggests that researchers insufficiently address AI in strengthening the compliance phase of ISP management research. This means that there are very few studies that address each of the ISP management phases, and in some cases, no studies at all.

As shown in the Results section, three out of the five papers that addressed or used AI employed an experimental method focusing on algorithmic performance, prediction or benchmarking in controlled environments. While these studies offer important technical insights, they do not engage directly with users or examine how AI-supported ISP tools are experienced in real organizational settings. Since ISPs are ultimately designed to guide and influence human actions, future research should complement experimental approaches with field-based or interpretive methods. For example, case studies, interviews or ethnographic investigations could provide a richer understanding of how individuals perceive, adopt or resist AI-generated ISPs in practice. Our results, which are supported by Rostami et al. (2020), also show that these research methods have previously been used in ISP management research. Thus, the use of additional research methods would help investigate any gaps between technical performance and real-world relevance, offering a more holistic view of the impact and usability of AI in ISP management.

Finally, our findings show that ethical aspects of AI have been largely overlooked in the existing AI-related ISP management research. Key ethical aspects, such as fairness, transparency, accountability and data sensitivity, remain unexplored. In particular, little attention has been given to how these ethical principles may be challenged or upheld when AI tools are used for ISP enforcement and monitoring, where automated decision-making may directly affect employees. This research gap presents a promising avenue for future research. For instance, researchers can investigate how AI-driven monitoring, compliance assessment or behavioral analytics may introduce risks related to employee privacy, biased decision-making or reduced transparency in security enforcement processes. At the same time, future studies may explore under what conditions AI can enhance accountability and consistency in ISP enforcement rather than undermine them. Existing AI ethics and governance frameworks, such as the EU AI Act (Act, 2024) and the IEEE EAD principles (Chatila and Havens, 2019), can be used as a lens to examine ethical issues with the use of AI in ISP management research by critically assessing how ethical requirements are operationalized in organizational security practices.

As researchers have so far devoted little attention to AI in ISP management, establishing a structured research agenda is crucial for advancing this field. Given that existing research is in its infancy, it is not possible to provide a detailed agenda that addresses all phases of ISP management (Flowerday and Tuyikeze, 2016). Instead, we have chosen an illustrative strategy where ISP construction is used as a case example. The proposed agenda is presented in Table 7. The left-hand column (timeline) outlines the different timeframes within which various research activities can be undertaken. The middle column describes the corresponding research approaches for each timeline, while the right-hand column provides concrete examples of studies that can be conducted at different ISP levels within the timeline.

Table 7.

Future research agenda

Short term (1–2 years)
Description: Exploratory research aimed at mapping AI-related phenomena in ISP management, defining key concepts and identifying feasible AI applications while examining how stakeholders interpret and engage with AI-supported ISP activities
Concrete examples across ISP levels:
  • Strategic level: AI-assisted interpretation of regulations (e.g. NIS2) to support managerial sensemaking and prioritization of long-term security goals
  • Operational level: Using LLMs to restructure ISP documents into clearer and more readable formats, enabling employees to better understand ISP expectations
  • Technical level: Exploring the feasibility of translating operational ISP requirements into technical suggestions while maintaining human oversight in system configuration decisions

Mid-term (3–4 years)
Description: Development and evaluation of AI software prototypes supporting ISP management activities, with emphasis on human–AI collaboration, decision support and organizational adoption rather than full automation
Concrete examples across ISP levels:
  • Strategic level: Prototyping AI software systems that assist information security managers in developing strategic ISP frameworks from regulatory inputs, supporting informed human decision-making
  • Operational level: AI-assisted generation of role-based ISPs and analysis of compliance deviations to support role-specific policy guidance and training strategies
  • Technical level: Testing AI-supported continuous alignment between ISP requirements and technical controls, while examining how administrators interact with and validate automated recommendations

Long-term (4+ years)
Description: Longitudinal and comparative studies assessing the sustained organizational impact of AI-supported ISP management, including governance quality, policy adoption and system effectiveness over time
Concrete examples across ISP levels:
  • Strategic level: Evaluating whether AI-supported ISP frameworks influence governance practices, regulatory alignment and long-term security culture compared to human-designed strategies
  • Operational level: Longitudinal assessment of whether AI-assisted ISP documents improve continued policy engagement, adoption and compliance across organizational contexts
  • Technical level: Benchmarking AI-generated technical ISPs against manually crafted controls in terms of system effectiveness, resilience and security outcomes

Source(s): Created by authors

The suggested staged future research agenda can guide researchers in systematically advancing knowledge on how AI can support ISP management, while ISP construction serves as a concrete example of how such a strategy could unfold. To implement this research agenda, it is also necessary to use a wider range of research methods than we have found in the studies published to date.

In this study, we have reported on the extent to which researchers have addressed AI in ISP management research or used AI when researching ISP management. First, the results rely on our search strategy and on our selection of papers. We have described how we identified and selected papers, based on searches in the Scopus and Web of Science databases. Naturally, alternative search strategies could have been used, such as that used by Cram et al. (2017). Therefore, we do not claim to have identified every study on ISP management; instead, we have compiled a reasonably large and representative sample from sources indexed in two major research databases. Second, out of the 383 relevant papers identified, we were unable to access 57, which might have limited the comprehensiveness of our review. Third, we used an analytical framework to chart the data, which involved a certain amount of subjective judgment – an inevitable aspect of any scoping review. It was not always a straightforward task to classify papers into the different ISP management phases and ISP levels. However, our triangulation of the classifications, based on the authors’ individual analyses, strengthens our findings.

The aim of this paper was to systematically map existing ISP management research to assess to what extent AI has been addressed or used. To this end, we used a conceptualization of ISPs into three levels together with the ISP management process framework proposed by Flowerday and Tuyikeze (2016). We conclude that out of the 326 analyzed research papers on ISP management, only five papers either addressed, i.e. investigated, AI as a topic in ISP management or used AI in the research method. Of these five studies, three focused on operational ISPs, i.e. policies that guide employees in their daily work. From a research methodology perspective, we note that three of these five studies had an experimental approach. Given these results, there are significant opportunities to explore AI in ISP management, as well as the use of AI in studying ISP management.

References

Act, E.A.I. (2024), The EU Artificial Intelligence Act, European Union.

Afshari-Mofrad, M., Abedin, B. and Amrollahi, A. (2022), "Old keys may not open new doors: the necessity of agility in cybersecurity policymaking", in 33rd Australasian Conference on Information Systems: The Changing Face of IS, ACIS 2022, AIS Electronic Library (AISeL), pp. 1-11.

Al-Khassawneh, Y.A. (2023), "A review of artificial intelligence in security and privacy: research advances, applications, opportunities, and challenges", Indonesian Journal of Science and Technology, Vol. 8 No. 1, pp. 79-96.

Arksey, H. and O'Malley, L. (2005), "Scoping studies: towards a methodological framework", International Journal of Social Research Methodology, Vol. 8 No. 1, pp. 19-32.

Baskerville, R. and Siponen, M. (2002), "An information security meta-policy for emergent organizations", Logistics Information Management, Vol. 15 Nos 5-6, pp. 337-346.

Brookshear, J.G. and Brylow, D. (2015), Computer Science: An Overview, Pearson Education Limited.

Cappellozza, A., Moraes, G.H.S.M.D., Perez, G. and Simões, A.L. (2022), "Antecedent factors of violation of information security rules", RAUSP Management Journal, Vol. 57 No. 1, pp. 84-101.

Chatila, R. and Havens, J.C. (2019), "The IEEE global initiative on ethics of autonomous and intelligent systems", in Robotics and Well-Being, Springer, pp. 11-16.

Cram, W.A., Proudfoot, J.G. and D'Arcy, J. (2017), "Organizational information security policies: a review and research framework", European Journal of Information Systems, Vol. 26 No. 6, pp. 605-641.

Da Veiga, A. (2016), "Comparing the information security culture of employees who had read the information security policy and those who had not", Information and Computer Security, Vol. 24 No. 2, pp. 139-151.

D'Arcy, J. and Herath, T. (2011), "A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings", European Journal of Information Systems, Vol. 20 No. 6, pp. 643-658.

Dhillon, G. (2017), Information Security: Text and Cases, Prospect Press, Burlington, USA.

Dwivedi, Y.K. and Kuljis, J. (2008), "Profile of IS research published in the European Journal of Information Systems", European Journal of Information Systems, Vol. 17 No. 6, pp. 678-693.

Elamiryan, R. and Bolgov, R. (2018), "Comparative analysis of cybersecurity systems in Russia and Armenia: legal and political frameworks", International Conference on Digital Transformation and Global Society, Cham.

Flowerday, S.V. and Tuyikeze, T. (2016), "Information security policy development and implementation: the what, how and who", Computers and Security, Vol. 61, pp. 169-183.

Frank, M. and Ranft, L.M. (2021), "Using machine learning techniques to explore extra-role security behavior".

Franke, U. and Brynielsson, J. (2014), "Cyber situational awareness – a systematic review of the literature", Computers and Security, Vol. 46, pp. 18-31.

Galliers, R. (1992), Information Systems Research: Issues, Methods and Practical Guidelines, Blackwell Scientific.

Gerdin, M., Grönlund, Å. and Kolkowska, E. (2025), "Conceptual inconsistencies in variable definitions and measurement items within ISP non-/compliance research: a systematic literature review", Computers and Security, Vol. 152, p. 104365.

Goel, S. and Chengalur-Smith, I.N. (2010), "Metrics for characterizing the form of security policies", The Journal of Strategic Information Systems, Vol. 19 No. 4, pp. 281-295.

Grant, M.J. and Booth, A. (2009), "A typology of reviews: an analysis of 14 review types and associated methodologies", Health Information and Libraries Journal, Vol. 26 No. 2, pp. 91-108.

Guo, K.H. (2013), "Security-related behavior in using information systems in the workplace: a review and synthesis", Computers and Security, Vol. 32, pp. 242-251.

Hashmi, E., Yamin, M.M. and Yayilgan, S.Y. (2025), "Securing tomorrow: a comprehensive survey on the synergy of artificial intelligence and information security", AI and Ethics, Vol. 5 No. 3, pp. 1911-1929.

Havrda, M. and Rakova, B. (2020), "Enhanced well-being assessment as basis for the practical implementation of ethical and rights-based normative principles for AI", 2020 IEEE International Conference on Systems, Man, and Cybernetics (SMC), IEEE.

Jawhar, S., Miller, J. and Bitar, Z. (2024), "AI-based cybersecurity policies and procedures", 2024 IEEE 3rd International Conference on AI in Cybersecurity (ICAIC), IEEE.

Kang, M., Hovav, A., Lee, E.T., Um, S. and Kim, H. (2022), "Development of methods for identifying an appropriate benchmarking peer to establish information security policy", Expert Systems with Applications, Vol. 201, p. 117028.

Karlsson, F., Åström, J. and Karlsson, M. (2015), "Information security culture – state-of-the-art review between 2000 and 2013", Information and Computer Security, Vol. 23 No. 3, pp. 246-285.

Kaur, R., Gabrijelčič, D. and Klobučar, T. (2023), "Artificial intelligence for cybersecurity: literature review and future research directions", Information Fusion, Vol. 97, p. 101804.

Kruger, H., Du Toit, T., Drevin, L. and Maree, N. (2020), "Acquiring sentiment towards information security policies through affective computing", 2020 2nd International Multidisciplinary Information Technology and Engineering Conference (IMITEC), IEEE.

Levac, D., Colquhoun, H. and O'Brien, K.K. (2010), "Scoping studies: advancing the methodology", Implementation Science, Vol. 5 No. 1, p. 69.

Mingers, J. (2003), "The paucity of multimethod research: a review of the information systems literature", Information Systems Journal, Vol. 13 No. 3, pp. 233-249.

Mohamed, N. (2025), "Artificial intelligence and machine learning in cybersecurity: a deep dive into state-of-the-art techniques and future paradigms", Knowledge and Information Systems, Vol. 67 No. 8, pp. 1-87.

Morales, E.F. and Escalante, H.J. (2022), "A brief introduction to supervised, unsupervised, and reinforcement learning", in Biosignal Processing and Classification Using Computational Learning and Intelligence, Elsevier, pp. 111-129.

Onyango, O. (2021), "Artificial intelligence and its application to information security management", Vol. 10.

Paananen, H., Lapke, M. and Siponen, M. (2020), "State of the art in information security policy development", Computers and Security, Vol. 88, p. 101608.

Page, M.J., Moher, D., Bossuyt, P.M., Boutron, I., Hoffmann, T.C., Mulrow, C.D., Shamseer, L., Tetzlaff, J.M., Akl, E.A. and Brennan, S.E. (2021), "PRISMA 2020 explanation and elaboration: updated guidance and exemplars for reporting systematic reviews", BMJ, p. 372.

Palvia, P., Leary, D., Mao, E., Midha, V., Pinjani, P. and Salam, A.F. (2004), "Research methodologies in MIS: an update", Communications of the Association for Information Systems, Vol. 14 No. 1, p. 58.

Rostami, E., Karlsson, F. and Kolkowska, E. (2020), "The hunt for computerized support in information security policy management: a literature review", Information and Computer Security.

Siponen, M.T. and Oinas-Kukkonen, H. (2007), "A review of information security issues and respective research contributions", ACM SIGMIS Database: The DATABASE for Advances in Information Systems, Vol. 38 No. 1, pp. 60-80.

Siponen, M. and Vance, A. (2010), "Neutralization: new insights into the problem of employee information systems security policy violations", MIS Quarterly, Vol. 34 No. 3, pp. 487-502.

Sommestad, T., Hallberg, J., Lundholm, K. and Bengtsson, J. (2014), "Variables influencing information security policy compliance: a systematic review of quantitative studies", Information Management and Computer Security, Vol. 22 No. 1, pp. 42-75.

Tuyikeze, T. and Flowerday, S. (2014), "Information security policy development and implementation: a content analysis approach", HAISA, pp. 11-20.

Whitman, M. (2008), "Security policy: from design to maintenance", in Information Security: Policy, Processes, and Practices, M.E. Sharpe, New York, NY, pp. 123-151.

Whitman, M.E. and Mattord, H.J. (2008), Principles of Information Security, 3rd ed., Cengage Learning, Thomson Course Technology, Boston.

Zafar, H. and Clark, J.G. (2009), "Current state of information security research in IS", Communications of the Association for Information Systems, Vol. 24.
Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) licence. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this licence may be seen at the link to the terms of the CC BY 4.0 licence.