Chief Information Security Officers are experiencing a fundamental shift in their roles as artificial intelligence becomes central to enterprise operations. According to Foundry's latest Security Priorities Survey, 95% of top security leaders now engage with boards of directors multiple times monthly, up from 85% in 2023. Additionally, 31% of CISOs now report directly to boards rather than through Chief Information Officers, reflecting cybersecurity's evolution into a distinct strategic function separate from traditional IT infrastructure.
Security leaders are responding to AI's dual nature as both a business accelerator and a threat vector. Barry Hensley, Chief Security Officer at Brown & Brown insurance brokerage, reports that publishing an AI security framework is his top 2026 priority to enable safe, rapid business movement. His team partners with AI engineering groups to perform risk assessments through an AI Governance Working Group. Similarly, Jeff Trudeau, CSO at Chime, describes the role shifting from a control function to a strategic partner that is embedded early in how AI systems are built and deployed rather than reviewing them after implementation.
The technical challenges are substantial. Hensley notes that AI has matured in its ability to impersonate individuals through voice and video while generating convincing fraudulent documents for phishing campaigns. Recent demonstrations show AI can rapidly discover previously unknown vulnerabilities and automate their exploitation, potentially forcing organizations to adopt near-real-time patching through automated IT platform providers. Shaun Khalfan, CISO at PayPal, applies machine learning models that evaluate over a billion transactions monthly, requiring tight integration of new AI products into existing compliance and risk frameworks.
Identity management has become increasingly complex as humans, machines, APIs, and autonomous agents all interact with critical systems. Khalfan identifies identity, data security, and context as his most important challenges, emphasizing that security decisions without business context create unnecessary friction while business decisions without security context create unnecessary risk. Traditional security models built on periodic reviews and static controls cannot keep pace with AI's acceleration of software development and attack execution; they have to give way to continuous, embedded security practices.
Security leaders recommend several key practices for managing AI risks effectively. CISOs should engage early in product and AI development to influence outcomes without slowing teams, translate technical risks into business terms that executives understand, and position security as an enabler that helps organizations move faster with confidence rather than creating obstacles. Governance frameworks should require security reviews before any AI capability deploys, evaluating use cases against security requirements, data sensitivity, operational risk, and business impact. Organizations must build trust through strong data governance, dynamic policy tuning, continuous validation of controls, and designing security into workflows rather than adding it afterward.
Source: https://www.csoonline.com/article/4168684/cisos-step-into-the-ai-spotlight.html


