Agentic AI, artificial intelligence and machine learning, governance and risk management
Governance maturity, ethical clarity and innovation must match machine speed
Uma Ramani •
March 20, 2026
Consider a scenario that plays out within a fast-growing digital payments bank. CEO Anuj is preparing to launch the company’s first AI prototype with the aim of reducing onboarding time by more than 30%. After months of development, CTO focuses on scale, architecture, and performance. CISOs are monitoring this effort from a risk perspective. The opportunity was clear, but we also knew we needed to be careful.
See also: SASE and Zero Trust: The backbone of unified security (eBook)
One AI project, three different leaders, three different perspectives – this is the reality of AI leadership in 2026.
AI is no longer experimental. It is sitting squarely at the executive table. No executive team today can afford to ignore AI, as it has become one of the defining factors shaping the cybersecurity landscape. AI-assisted social engineering, deepfake-based fraud, and automated vulnerability discovery tools have entered the mainstream conversation over the past year.
The question is no longer whether AI will transform cybersecurity; it is already transforming it. The real question is whether leadership maturity is evolving at the same pace.
AI: A double-edged sword in cybersecurity
AI is being actively explored to speed up daily tasks and automate repetitive and increasingly complex workflows. At the same time, threat actors are increasingly experimenting with AI to increase scale and deception and accelerate reconnaissance.
Security researchers are increasingly investigating adaptive malware, which is code that can change its behavior based on its environment. The trajectory is clear. Attackers are integrating AI into their toolkits. Unlike corporations, they operate without the constraints of governance.
Defenders turn to AI
AI and machine learning are embedded in our security operations center to sift through millions of alerts, reduce noise, and identify critical anomalies. Some “autonomous SOC” models claim the ability to analyze all alerts rather than a filtered subset, significantly reducing response times.
But AI-driven defense will not replace analysts. It’s about reinforcement. Machines handle pattern recognition at scale. Humans apply situational, judgment, and escalation decisions. This partnership has become essential as the volume and complexity of attacks grow beyond manual capabilities.
New threats: speed, deception, and adaptability
One of the more alarming developments is the growing sophistication of AI-powered identity theft.
Impersonation using deepfakes is already being used to impersonate executives and trusted partners, leading to fraudulent financial transactions and data breaches. In 2025, a multinational company in Hong Kong reportedly lost more than $25 million after its CEO was impersonated in an AI-generated video conference. This is a clear example of how deepfake fraud goes beyond theory.
Researchers are investigating the evolution of malware that incorporates adaptive logic – systems that can change behavior during an attack to evade defenses. As these capabilities mature further, incident response times can be significantly reduced.
AI also improves vulnerability discovery. Offensive tools can continuously scan the codebase and network surface to identify weaknesses without fatigue. Similar systems are used responsibly within the research and bug bounty ecosystem, but the same functionality could be directed towards enterprises.
Insider risk: innovation without guardrails
Internally, generative AI tools are integrated into daily workflows. Employees use them to draft communications, generate code, and analyze data, often without structured oversight.
The risk is not one of malicious intent, but one of convenience. Sensitive information may be entered into external platforms. Code generated by AI can be deployed without proper validation. The output may be trusted without sufficient scrutiny.
The rise of “vibe coding,” AI-powered rapid application development, further expands this dynamic. Innovation accelerates, but so does vulnerability. This is fundamentally a governance challenge.
Leaders must clearly define:
- Approved AI tools.
- Data sharing practices.
- Verification criteria.
- Ownership and Responsibility.
To address the risks inherent in AI, security awareness must evolve beyond typical phishing simulations. The aim is not to impose blanket restrictions, but to implement them responsibly.
Will AI replace humans?
Automation is growing. Analysis tasks are streamlined. Some entry-level roles are being quietly replaced by AI-assisted tools. But what about the talent pipeline?
Talent maturity is built through years of exposure and guidance. Loss of fundamental roles can impair long-term capabilities.
Young professionals often adapt to AI-native workflows more intuitively than traditional teams. Rather than replacing talent, leaders must leverage that knowledge to redesign secure processes.
Human supervision is very important. AI hallucinations occur. Contextual nuances are limited. Ethical decisions cannot be delegated to algorithms. Wise methods include:
- Conducting risk assessments.
- Start by automating low-risk internal processes.
- Avoid immediate AI deployment into critical customer-facing systems.
- Scale gradually.
Leadership discipline will determine whether AI stabilizes or destabilizes companies.
Leadership imperatives for an AI-enhanced future
AI brings about structural change. The response must be strategic.
1. Employ AI for defense – responsibly
AI-driven security tools can greatly enhance your defenses, but their deployment must be deliberate.
Evaluate model accuracy, bias, and explainability. A “human-involved” model is essential, especially in the early stages of implementation. Recommendations for automated alerting, prioritization, and response should be considered until reliability is consistently demonstrated.
When implemented carefully, AI can reduce dwell time, investigate alerts at scale, and reduce analyst workload. But it must remain an extension layer, not a blind replacement for judgment.
2. Enhance continuous monitoring and resiliency
In an environment where attacks can adapt and scale quickly, early detection becomes non-negotiable.
Reduce your attack surface, strengthen identity and access controls, and enhance anomaly detection. Regular security reviews are not enough against AI-guided intrusions that can unfold in minutes.
Invest in capabilities such as enhanced detection and response, zero trust architecture, and real-time monitoring of critical assets. Conduct scenario training, such as deepfakes for deception and AI-powered reconnaissance, to ensure response teams don’t learn during a crisis.
Leaders must remain engaged in threat intelligence focused on AI-powered attack techniques. AI governance and data protection regulations will continue to evolve to ensure alignment between technology developments and compliance obligations.
3. Identify and manage your AI usage
Leaders need to understand how AI is used formally and informally.
Take inventory of sanctioned and unsanctioned AI systems in use, from chatbots to machine learning models. Evaluate each for its security, privacy, and compliance impact.
For AI-enabled processes, enforce the following:
- Minimum necessary data access.
- Auditability.
- Clear accountability.
Just because AI efforts are new doesn’t mean they should bypass established governance. Pre-deployment security reviews, structured risk assessments, application security testing, and vulnerability assessments remain essential. When traditional applications are evaluated against frameworks such as OWASP Top 10, the same discipline must be applied here.
Red team exercises must evolve to include simulated exploitation of adversarial AI, from rapid operations to automated workflow abuse.
Incident response playbooks should include AI-related events. How does an organization respond if sensitive data is exposed through an external AI platform or if AI-assisted malware is suspected?
Shadow AI is already a reality. Accepting its existence allows you to build guardrails centrally, rather than leaving the implementation of guardrails entirely in the hands of users. Structured enterprise enablement is safer than uncontrolled experimentation.
4. Update policies and training
Strategy must be reflected in policy. Security frameworks and internal policies must explicitly address the use of AI, including guidelines for public AI services, AI coding assistants, and third-party AI procurement.
Training programs should cover deepfake verification, AI-powered phishing, and safe data handling practices when using generation tools.
Strengthening culture is equally important. Just as employees are trained not to leave confidential documents unattended, they should understand that entering sensitive information into public AI platforms carries similar risks.
In some jurisdictions, regulators are beginning to mandate stronger controls around deepfakes, data integrity, and least data access principles.
Turn threats into advantages
AI is often seen as either an existential risk or a transformative panacea. Actually, it’s neither. It’s an amplifier. With thoughtful leadership, AI can strengthen resilience, enhance detection, and improve operational efficiency. Without governance, risks can increase.
Successful organizations are not those that move fastest, but those that balance innovation and discipline.
From 2026 onwards, cybersecurity will increasingly resemble an AI vs. AI battle. Winning that contest requires more than technology. This requires governance maturity, ethical clarity, and human creativity.
AI is transformative. However, at this stage of evolution, human surveillance is fundamental. Technology can help with that. Judgment must lead. For now, and for the foreseeable future, human judgment is irreplaceable.
