CISOs Build AI Security Guardrails Without Blocking Innovation
The ITSecurityNews article reports that AI adoption has surged, citing McKinsey's "State of AI: Global Survey 2025," which found that 88% of organizations now use AI in at least one business function. The article also cites IBM's "Cost of a Data Breach Report 2025," which found that 13% of organizations experienced breaches of AI models or applications and that 97% of those breached lacked proper AI access controls. The piece recommends establishing governance first, appointing a single accountable role, creating an AI risk register, and adopting frameworks such as NIST's AI Risk Management Framework and ISO/IEC 42001:2023. It further highlights technical controls, access management, monitoring, and lifecycle controls as necessary complements to policy.
What happened
The ITSecurityNews article cites McKinsey's "State of AI: Global Survey 2025," reporting that 88% of organizations now use AI in at least one business function. The article also cites IBM's "Cost of a Data Breach Report 2025," reporting that 13% of organizations experienced breaches of AI models or applications and that 97% of those breached lacked proper AI access controls. The article frames the central challenge for security teams as balancing protective guardrails with the need to preserve innovation enabled by internal AI tools such as LLMs, copilots, assistants and autonomous agents.
Technical details
Per the article, organisations should "establish governance first" by appointing a single role accountable for AI oversight, building an AI risk register, and defining AI-specific policies covering acceptable use, data handling, and training requirements. The article references frameworks including NIST's AI Risk Management Framework and ISO/IEC 42001:2023, and describes NIST Special Publication 800-221A as organising controls around two core functions: Govern (roles, benchmarking, policy) and Manage (risk identification, prioritization, response, monitoring). The piece emphasises coupling governance with enterprise strategy and layering technical controls and continuous monitoring.
Industry context
Industry observers note that organisations adopting AI at scale typically face gaps between traditional security programs and model-specific risks. Companies implementing AI governance commonly combine a centralized oversight function, model access controls, data provenance tracking, and production monitoring to reduce operational and compliance risk. For practitioners, these patterns imply integrating model controls with existing DevSecOps and data-governance workflows to avoid creating friction for product teams.
What to watch
Monitor uptake of AI-specific access-control tooling, emergence of standardized telemetry for model observability, adoption rates for frameworks like NIST AI RMF and ISO/IEC 42001:2023, and vendor offerings that embed lifecycle security into MLOps pipelines. Observers should also track whether internal incident data (model breaches, misuses) drives tighter enterprise policy or new regulatory expectations.
Scoring Rationale
The article consolidates practical, widely applicable guidance for CISOs and security engineers on AI governance and controls. It is useful for practitioners but does not introduce new research or tooling, so its impact is moderate.
