Artificial intelligence has taken root in businesses at an unprecedented pace. Conversational assistants, document automation, predictive analytics, and business copilots are becoming commonplace across all sectors, often outpacing the capacity of organizations to supervise them.
In this context, the question is no longer whether AI will be used, but how it will be governed, secured, and integrated into internal processes. The CISO therefore sits at the center of expectations and responsibilities.
Yet, the rise of AI goes far beyond the realm of cybersecurity alone. By transforming usages, decision-making modes, and the flow of data, it makes it increasingly unrealistic to think that CISOs can shoulder all AI-related risks by themselves.
A Transformation of Risks Redefining the CISO’s Role
Historically, the role of the Chief Information Security Officer (CISO) consisted of protecting infrastructures, access points, and sensitive data. Its scope was clearly defined around preventing cyberattacks and managing technical risks.
But with the rise of generative AI, the issue takes on a new dimension. Artificial intelligence does not merely introduce a new cyber risk. It alters use patterns, accelerates data flows, and sometimes even changes the decision-making mechanisms within companies.
This evolution also upends a key pillar of modern cybersecurity: digital identity. Today, identity has become the primary attack surface for organizations. User accounts, cloud access, APIs, automated assistants, and AI agents multiply the potential entry points. In many companies, security teams already struggle to keep up with the pace of privilege creation and management.
The phenomenon is further amplified by the mass emergence of non-human identities. AI agents, bots, and automated systems gain access to sensitive resources at a rate that security teams cannot always monitor effectively. This multiplication of technical identities creates a new imbalance between the speed of adopting new uses and the actual capacity of organizations to govern them.
The CISO thus becomes much more than a technical expert. They are now expected to act as a coordinator of digital trust, capable of assessing AI-related risks, preventing data leaks, supervising internal practices, and contributing to regulatory compliance, notably in light of the new European requirements.
AI Governance Must Become Collective
The main paradox is that enterprises continue to treat AI as a purely technical or cyber issue, whereas it is above all a global organizational transformation.
AI governance concerns the business lines as well as the legal, compliance, HR, governance, and IT functions, and the top management bodies. The stakes involve data privacy, intellectual property, and accountability for automated decisions, as well as ethics and the reputation of the company.
In this context, the CISO can no longer be regarded as the sole bulwark against AI-related risks. No security leader can single-handedly define acceptable uses, arbitrate the organizational impacts of automation, or shoulder all the regulatory obligations that are emerging today.
This lack of clear governance already fosters a phenomenon analogous to shadow IT, now often referred to as “shadow AI.” Employees use AI tools without internal validation, and sometimes with sensitive data, driven by the pursuit of immediate productivity gains. These practices are rarely malicious, but they reveal a growing mismatch between the speed of technology adoption and the maturity of organizations in governing it.
Trying to ban AI tools would be illusory. Companies that opt for a purely restrictive approach risk driving usage outside any official framework. The objective is no longer to block but to organize. This implies establishing clear policies, raising awareness among employees, classifying usable data, and, above all, sharing governance responsibilities across all corporate functions.
The arrival of artificial intelligence is deeply transforming the security function. The CISO should no longer merely protect the information system but contribute to digital trust and to the dialogue between business units, legal teams, HR, and strategic leadership.
This evolution calls for collective AI governance, because its risks extend far beyond the cyber perimeter. More than a technology to secure, AI is reshaping how companies produce, collaborate, and make decisions.
*Bruno Durand is Vice-President for Southern Europe at Sophos