When the chat came out for the first time, I asked a panel in Sisos what it means for their cyber security programs. He recognized adjacent changes, but was reflected on previous disruptive technologies, such as iPods, Wi-Fi access points and mother-in-law application entering into enterprise. The consensus was that security AI would be uniform disruptive, so they agreed that 80% (or more) of AI security requirements was already applicable. Security will serve as basic things such as strong asset list, data security, identity governance, vulnerability management, and so, AI Cyber Security Foundation.
For 2025, fast forward, and my siso friends were right-type. It is true that a strong and comprehensive enterprise safety program serves as AI Safety Anchor, but the other 20% is more challenging than the first imagination. The AI apps are rapidly expanding the surface of the attack, while the attack surface is deeply increased within the software supply chain along with the third party partners. This means limited visibility and blind spots. AI is often contained in open sources and API connectivity, so shadow AI activity is likely everywhere. Finally, AI innovation is moving rapidly, making it difficult to maintain security teams.
In addition to the technical aspects of AI, it is also noticeable Many AI projects end in failureAccording to research by S&P Global Market Intelligence, 42% of businesses discontinued most of their AI initiatives in 2025 (compared to 17% in 2024). In addition, the firms are about half (46%) AI proof-of-concepts (POC) Before they reach production.
Why do you do So many AI projects failIndustry indicates research costs, poor data quality, government lack, talent intervals and scaling issues among others.
With the failure of the projects and a potter of security challenges, organizations have a long and growing two-do list when it comes to ensuring a strong AI strategy for innovation and security. When I meet my CISO Amigos these days, they often emphasize the following five priorities:
1. Start everything with a strong governance model
To be clear, I am not talking about technology or security alone. In fact, the AI governance model should begin with alignment between business and technology teams how and where AI can be used to support organizational missions.
To complete this, CISO should work with CIO counterparts to educate business leaders, as well as business functions like legal teams, finance, etc. Install an AI structure It supports business requirements and technical capabilities. Framework should follow a life cycle from conception to production, and it includes moral ideas, acceptable use policies, transparency, regulatory compliance, and (((((Most important) Success Matrix.
In this attempt, CISOS should review the existing outlines like Nist ai risk management structure, ISO/IEC 42001: 2023, UNESCO recommendations On the morality of artificial intelligence, and Enlargement (research, implementation, continuity, evaluation) and care (making, adoption, running, develop) framework From rocksiber. Enterprises may need to create a “best” structure that meets their specific requirements.
2. Develop a broad and continuous view of AI risks
Getting a handle on organizational AI risks begins with the basic points, such as AI asset inventory, software bills, vulnerability and exposure management best practices, and AI Risk Register. Beyond basic hygiene, CISOS and security professionals should understand the fine points of AI-specific hazards such as model poisoning, data injection, early injection, etc. Danger analysts will need to place with emerging strategies, techniques and procedures (TTPs) used for AI attacks. Miter Atlas is a good resource here.
Since the AI apps extend to the third party, CISOS will require third-party data, AI security control, supply chain security, and similar audit. Security leaders should also focus on emerging and often changing AI rules. EU AI Act Emphasizing safety, transparency, non-discrimination and environmental friendship, is the most widespread to date. Others, such as Colorado Artificial Intelligence Act (CAAI), consumer reaction, enterprise experience and legal matters can change rapidly as law developing. The CISO should estimate other states, federal, regional and industry rules.
3. Note a developed definition of data integrity
You think this will be clear, because privacy, integrity and availability makes cyber security CIA Triad. But in the Infosec world, data integrity has focused on issues such as unauthorized data modifications and data stability. Those safety is still required, but CISOS should expand its scope to incorporate the data integrity and truth of the AI model.
To clarify this point, here are some infamous examples of data model issues. Amazon created an AI recruitment equipment To help better and select the most qualified candidates through resumes. Unfortunately, the model was mostly trained with male-oriented data, so it discriminated against female applicants. Similarly, when the UK created a passport photo checking application, its model was trained using white skin, so it discriminated against dark -skinned individuals.
The AI model truth is not anything that you will cover as part of the CISSP certification, but CISOS should be at the top of this as part of its AI regime responsibilities.
4. Try for AI literacy at all levels
Each employee, partner and customer will work with AI at some level, so AI literacy is a high priority. CISOS should start in its own department with AI fundamental training for the entire security team.
Safe software development life cycle installed to cover things like AI Threat modeling, data handling, API security, etc. must be revised in the life cycle Owasp Top 10 for LLMS, Google’s safe AI Framework (SAIF)And Cloud Security Alliance (CSA) Guidance,
Final user training should include acceptable use, data handling, misinformation and deepfec training. Solutions from human risk management (HRM) vendors such as mimicast AI may be required to maintain with hazards and to adapt training for various individuals and roles.
5. Be carefully optimistic about AI technology for cyber security
I classify today’s AI safety technology as a “driver assist” like cruise control compared to autonomous driving. Nevertheless, things are moving quickly.
CISOS should ask their employees to identify untrue tasks, such as alert triaries, danger hunting, risk scoring, and reports where they can use some help, and then start researching on emerging security innovations in these areas.
In addition, security leaders should determine roadmap meetings with major security technology partners. Instead of sitting through a pie-in-the-skai powerpoint presentations, come to these meetings ready to discuss specific requirements. CISOS should ask vendors directly to use how AI will be used for existing technology tuning and adaptation. There are a lot of innovation going on, so I believe it is worth casting a wide net in existing partners, competitors and startups.
Although a word of caution, many AI “products” are actually product featuresAnd the resources to develop and operate the AI application are intensive and expensive. Some startups will be acquired but many can burn quickly. Cavewear Empter!
Ahead opportunities
I will end this article with a prediction. About 70% CISOS reports to Cio today. I believe that as AI proliferate, Sisos reporting structures will change rapidly, with more reporting to the CEO. Those who play the role of leadership in AI business and technology rule will probably be promoted first.
