CISOs: The New Champions of AI

Artificial Intelligence is no longer a niche capability. It is the default. From collaboration platforms to cloud workloads, CRMs to SIEMs, AI is embedded everywhere. And cybersecurity is no exception.

Historically, security leaders have served as risk managers. That role provided a necessary check against unchecked innovation. But in the AI era, we must pivot from gatekeepers to enablers.

Tools like the CMMC GRC platform CyberComply use a custom-built large language model (LLM) to provide tailored guidance to defense contractors working toward CMMC compliance. I have frequent conversations with our CTO about how we integrate AI into the platform, not just for efficiency, but to ensure that security, explainability, and trust remain central to the user experience.

CISOs have a unique vantage point:

  • We understand threat modeling, data governance, and compliance
  • We know how to evaluate vendors, define acceptable use, and build control frameworks
  • And we are already familiar with managing shadow IT. Shadow AI is simply the next frontier.

Embracing AI does not mean approving every new tool. It means taking ownership of how AI is used, where it operates, what data it touches, and how it is protected.

If we do not lead, someone else will, and they may not have security in mind.

Where is the national policy on this?

Under the Trump administration, there is currently no comprehensive federal policy governing enterprise AI use, especially in cybersecurity. The regulatory stance favors innovation over oversight, leaving most governance decisions to the private sector.

This environment provides flexibility. But it also means the burden falls squarely on CISOs and CIOs to build internal controls, set policies, and assess risk.

We cannot wait for regulation to define what “secure AI” looks like. We must define it ourselves.

The AI arms race is accelerating across the enterprise, and many security leaders are still approaching AI with caution rather than embracing leadership. That hesitation may prove to be a strategic mistake.

If AI is now core to how the business operates, then security cannot afford to sit on the sidelines. In this new era, CISOs must become champions of AI, guiding its secure, ethical, and effective use before someone else does it without us.

Addressing the Governance Gap

Within most organizations, AI adoption is exploding, while governance is lagging badly. There is no consistent way to evaluate AI risk, and no one is coming to save us. Now is the time to act.

One standout initiative in this space is Project Cerebellum by the Holistic Information Security Practitioner Institute (HISPI). Project Cerebellum is a think tank designed to promote safe, secure, responsible, and trustworthy AI by crowdsourcing an open-source Trusted AI Model that harmonizes best practices, standards, and frameworks across the AI ecosystem.

I am proud to say that I am one of many security leaders from around the world contributing to this effort. We need more technology leaders to follow and support this initiative as we work toward building common frameworks that enable responsible AI use.

CISOs are the de facto CAIO

We have crossed a threshold where AI is shaping how business is done faster than security teams can react.

CISOs who embrace this shift, build governance, and drive secure adoption will be the ones who elevate their influence across the organization. Those who do not risk being left behind in the most transformative technology wave since the internet itself.

AI is not coming. It is already here. Let’s take the lead. Who's with me?

I welcome your perspective and invite you to join this ongoing conversation.

Thanks for reading. If this sparked an idea, challenged your thinking, or taught you something new, hit that 'subscribe' button and bring a colleague along for the ride. - William

Vivek P.

Director & Head - Identity & Access Management Practice & Consulting | CISM | IAM | PAM | SSO | SAML | OAUTH | MFA | EPM | EDR | SIEM | DLP | GRC | Oracle | Sailpoint | Delinea | BeyondTrust | Cyberark | Ping | Forgerock

1mo

Most companies are deploying AI faster than they’re securing it, William

SIVARANJANI K

Web Researcher@TechUnity, Inc.

1mo

AI isn't the future—it’s the now. Security can’t afford to be reactive. If CISOs don’t lead AI governance, someone else will—and not always securely. Security leaders must evolve: From blockers to enablers. From gatekeepers to guides.

Amar Pratap Singh

On a mission to train persons with disabilities to use automation & AI to make a living

1mo

Great insights on the evolving role of CISOs in the AI era! Your point about balancing innovation with security is spot-on—AI's potential is massive, but it demands sharp focus on governance and risk management. And most importantly when AI capabilities are evolving faster than a viral meme. Governance frameworks, meanwhile, crawl through bureaucratic molasses. By the time a framework is in place, the AI capabilities will advance many fold.

Taiye Lambo

Thought Leader, Author, Visionary, Pioneer, Serial Entrepreneur, CTO, Former CISO, Pioneer vCISO, Pioneer vCAIO, Cyber Security Strategist

1mo

Well said, William! As you stated, "AI is not coming. It is already here. Let’s take the lead." If I might add, the proverbial train has already left the station; in this AI race, it is a bullet train that is now autonomous and is capable of traveling at the speed of sound, so we need to at least have a seat in the control room!

Kathy Swacina, COL (USA Ret.), CIO/CEO

CEO| CIO| IT Strategist| Global IT Operations Executive | DoD | Top Secret Clearance (SCI) | SD Veteran | National Security | Experienced Leader | Trusted Advisor| International Strategic Technology Board Member

1mo

Well put, William!
