
Why CISOs need to rethink governance in the AI era

COMMENTARY: The pressure is on for enterprise leaders to adopt artificial intelligence. AI is no longer viewed as optional — it’s a competitive necessity. Yet while adoption is reaching record levels, governance isn’t yet meeting the moment. New research by A-LIGN revealed that nearly one-third of enterprise leaders still lack a defined AI compliance strategy.

At a time when cyberattacks are growing in frequency and sophistication, this gap is deeply concerning. Organizations are often taking a fragmented or reactive approach to AI governance, while cybercriminals are leveraging the technology to their advantage. The consequences extend far beyond regulatory risk. Poor AI governance doesn’t just threaten data integrity and enterprise reputation; it can also be the deciding factor that costs the business deals.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

AI rewrites risk evaluation

AI has fundamentally changed how risk must be evaluated. Organizations are grappling with new and evolving threats, most notably AI-assisted cyberattacks and third-party risk introduced by vendors. As adversaries adopt AI to automate, scale, and personalize attacks, traditional compliance approaches are no longer sufficient. At the same time, 72% of executives acknowledge that compliance strategies must adapt for the AI era, and they are increasingly looking to CISOs for answers.


However, there isn’t always a straightforward answer. A handful of key trends are complicating or delaying CISOs’ ability to take swift action:

  • Continuous compliance is replacing point-in-time audits: Annual audits and periodic assessments are increasingly insufficient for modern risk environments, so CISOs need to rethink a process that was built around them.
  • AI as a double-edged sword: AI is rapidly becoming a core tool for security operations, compliance automation, and risk detection, but the same technology is being weaponized by threat actors. CISOs need to keep pace with a landscape that changes by the day.
  • Prioritizing supply chain and third-party risk management: Recent high-profile breaches have underscored that an organization’s security is only as strong as the least secure vendor in its supply chain, and third-party relationships form a complex network to manage.
  • Convergence of security and compliance functions: Historically separate teams are increasingly being integrated under the CISO’s leadership, but their processes and reporting lines often remain unharmonized, which makes it difficult to define who owns which compliance responsibilities.

The intricacies of this predicament aren’t always understood by leadership. When customers press the business to show what it has done about compliance, CISOs are expected to have the answers. More than ever, they are expected to protect not just systems and data but brand reputation and customer trust, in an environment that becomes more complex by the day.

Customers were burned in 2025

In addition to the growing sophistication of cyberattacks, customers are also more aware of the reality of data risk than ever before. Data leaks surged, with breach volumes reportedly doubling and compromised records increasing by 23%. A significant portion of this growth was driven by AI-related risks, including misuse, inadequate oversight, and third-party vulnerabilities.

As a result, customer sentiment has shifted. While enthusiasm for AI remains, it is now tempered with concern. Customers are asking tougher questions about how their data is being used, protected, and governed. Today, four out of five companies using AI report that they regularly field customer questions about AI-related risk.

Ultimately, the message is clear: customers are raising the bar for who they trust with their data. Organizations that don’t demonstrate strong AI governance are finding themselves at a competitive disadvantage, and the CISOs that don’t have a plan are facing the brunt of it. 

A revolving door of regulations 

Emerging regulations are also complicating matters for CISOs. The European Union’s AI Act, California’s Transparency in Frontier AI Act, and emerging U.S. guidance are prime examples. While these rules take shape slowly through legislatures, courts and agencies, the expectations of customers and boards are immediate. Organizations can no longer rely on reactive, one-off compliance measures; they must take a proactive, structured approach to AI governance to safeguard both trust and financial stability.

With cyber threats evolving daily, regulatory expectations tightening, and external pressure building like never before, today’s CISOs face the challenge of balancing operational efficiency, security maturity, and compliance at scale.

Challenges to overcome

The job of the CISO was complex even before the factors mentioned above. Shrinking budgets and staffing aren’t new, but they make these challenges all the more difficult to manage. It’s not enough to just keep up in the world of compliance; CISOs and their teams need to look ahead when it comes to protecting sensitive data, obtaining new certifications, and managing third-party risk.

There are a few immediate steps CISOs can and should take to move in the right direction: 

  • Leverage CCM: Continuous Controls Monitoring verifies on an ongoing basis, rather than only at audit time, that controls, particularly those that are AI-related, remain in place and effective.
  • Tighten identity and access controls: Integrate identity governance, conditional access, and multi-factor authentication into your compliance program to reduce the attack surface.
  • Expand third-party oversight: Ensure all your vendors meet your organization’s security and compliance standards.
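
To make the first and third of these steps concrete, here is an added example of a minimal continuous controls monitoring run, written for this article and not taken from A-LIGN or from any product. The control identifiers (IAM-1, IAM-2, TPR-1, TPR-2), the review windows and the identity and vendor records are all constructed for illustration; a real run would pull the same fields from an identity provider and a vendor register through their APIs. The point it shows is the one the bullets make: the same snapshot that passes in September can fail in November, and only a run that repeats on a schedule and keeps dated evidence catches that drift before the next annual audit.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample snapshot (not real data): the fields a monitoring run
# might pull from an identity provider and a vendor register.
USERS = [
    {"id": "alice", "mfa": True,  "privileged": True,  "last_access_review": "2025-08-15"},
    {"id": "bob",   "mfa": False, "privileged": False, "last_access_review": "2025-09-15"},
    {"id": "carol", "mfa": True,  "privileged": True,  "last_access_review": "2025-03-01"},
]
VENDORS = [
    {"name": "VendorA", "uses_ai": True,  "attestation_expires": "2026-06-30", "ai_data_use_reviewed": True},
    {"name": "VendorB", "uses_ai": True,  "attestation_expires": "2025-10-01", "ai_data_use_reviewed": False},
    {"name": "VendorC", "uses_ai": False, "attestation_expires": "2026-01-15", "ai_data_use_reviewed": False},
]

# Hypothetical control identifiers used only in this example.
CONTROLS = ("IAM-1", "IAM-2", "TPR-1", "TPR-2")


@dataclass(frozen=True)
class Finding:
    control: str   # which control failed
    subject: str   # the account or vendor it failed for
    detail: str    # human-readable evidence


def _days_since(iso_day: str, as_of: str) -> int:
    return (date.fromisoformat(as_of) - date.fromisoformat(iso_day)).days


def check_mfa(users):
    """IAM-1: every account must have MFA enrolled."""
    return [Finding("IAM-1", u["id"], "MFA not enrolled") for u in users if not u["mfa"]]


def check_access_review(users, as_of, privileged_days=90, standard_days=365):
    """IAM-2: privileged accounts reviewed within 90 days, all others within a year."""
    findings = []
    for u in users:
        limit = privileged_days if u["privileged"] else standard_days
        age = _days_since(u["last_access_review"], as_of)
        if age > limit:
            findings.append(Finding("IAM-2", u["id"], f"access review {age} days old, limit {limit}"))
    return findings


def check_vendors(vendors, as_of):
    """TPR-1: attestation still valid. TPR-2: vendors that use AI have a reviewed data-use assessment."""
    findings = []
    for v in vendors:
        if date.fromisoformat(v["attestation_expires"]) < date.fromisoformat(as_of):
            findings.append(Finding("TPR-1", v["name"], f"attestation expired {v['attestation_expires']}"))
        if v["uses_ai"] and not v["ai_data_use_reviewed"]:
            findings.append(Finding("TPR-2", v["name"], "AI data-use assessment not reviewed"))
    return findings


def run_controls(users, vendors, as_of):
    """One scheduled run. Returns the findings plus a dated evidence record
    that can be retained to show an auditor the controls were tested that day."""
    findings = check_mfa(users) + check_access_review(users, as_of) + check_vendors(vendors, as_of)
    evidence = {"run_date": as_of, "controls_tested": CONTROLS, "failing": len(findings)}
    return findings, evidence


def drift_between(previous, current):
    """Findings present now that were absent in the previous run: the failures
    a once-a-year audit would not surface until the next cycle."""
    seen = {(f.control, f.subject) for f in previous}
    return [f for f in current if (f.control, f.subject) not in seen]


if __name__ == "__main__":
    sept, _ = run_controls(USERS, VENDORS, "2025-09-20")
    nov, evidence = run_controls(USERS, VENDORS, "2025-11-20")
    print(evidence)
    for f in drift_between(sept, nov):
        print(f"NEW since last run: {f.control} {f.subject}: {f.detail}")
```

Run on the constructed data, the September pass reports three failures and the November pass five; the two new ones (a privileged account whose access review lapsed, and an AI vendor whose attestation expired) are exactly the kind of silent drift that point-in-time audits miss. In practice the evidence record would be written to an immutable store and the findings routed to ticketing so that each failure carries an owner and a due date.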

However, one of the most significant obstacles is the lack of audit harmonization. CISOs are frequently required to complete multiple overlapping audits each year, a burden that grows for large enterprises with diverse use cases and global operations. Compounding the issue, many security and compliance teams are understaffed, which limits the time available for assessing risk and building a strategic governance plan.

In response, many organizations are turning to trusted partners to simplify the audit process, reduce redundant evidence collection across frameworks, and provide expert guidance in navigating AI-driven risk.

Quality reigns supreme

Not all audits are created equal — and customers know it. As scrutiny increases, audit quality has become a differentiator. More than half of respondents in a recent A-LIGN report indicated that a vendor or prospect had rejected an audit report due to insufficient quality.

Quality, however, means different things to different stakeholders. A high-quality audit is not defined solely by the final report, but by the expertise, rigor, and methodology behind it. As CISOs look ahead to 2026, there are several critical criteria to evaluate when selecting audit partners:

  1. Auditor experience and credentials
  2. Effective use of technology to improve accuracy and efficiency
  3. Relevant experience with similar industries, sizes, and risk profiles

Final reports should demonstrate depth and specificity across controls, be tailored to the organization’s unique risk environment, and clearly show how risks are mitigated — not just identified.

The risk of a low-quality audit

While low-cost or “budget” audits may work for very small organizations, they rarely scale — and the risk is substantial. A single oversight can erode customer trust, trigger regulatory scrutiny, and damage an organization’s reputation.

CISOs should be alert to common red flags that signal a low-quality audit, including:

  • Long or inconsistent response times
  • Outdated processes and tooling
  • Insufficient references or case studies
  • Limited auditor experience or credentials
  • Generic, non-personalized reports

Choosing the wrong audit partner can ultimately cost more than it saves — resulting in lost deals, duplicated work, and diminished trust with customers and stakeholders.

The bottom line 

CISOs don’t have to navigate AI governance alone, but they do carry the responsibility of ensuring that the audits and compliance strategies they adopt uphold customer trust. In an increasingly complex threat landscape, what worked in the past is no longer enough to keep pace with evolving technology, regulations, and expectations.

In 2026, CISOs can expect leadership to ask hard questions about how governance strategies are adapting to AI-driven change. By prioritizing quality audits and thoughtful compliance approaches, CISOs can move confidently into the AI era — protecting their organizations while strengthening trust with customers and stakeholders alike.

Brandon Thompson

Brandon Thompson is the CISO of A-LIGN. Brandon has over 19 years of comprehensive experience in IT Operations, Security, and Risk Management. Since joining A-LIGN, Brandon has been focused on providing strategic leadership of compliance services and helping organizations implement proper security methodologies, systems, and best practices within their environments.
