TL;DR: Four CISOs argue that generative AI is already changing security strategy, with immediate action needed to protect security infrastructure and separate real risk from hype, according to Abnormal AI’s Vision 2024 webinar. The governance question is no longer whether AI matters, but which identity, access, and control assumptions need to be rewritten now.
NHIMG editorial — here’s why we think this discussion matters
Questions worth separating out
Q: How should security teams govern AI use inside cybersecurity operations?
A: Security teams should treat AI use in cybersecurity operations as part of identity governance, not as a separate innovation workstream.
Q: Why do generative AI initiatives create IAM and IGA risk?
A: Generative AI creates IAM and IGA risk because it can change how decisions are made, who is considered accountable, and how quickly actions happen.
Practitioner guidance
- Define AI-in-security identity ownership. Assign a named business and technical owner to every AI-enabled security workflow, including the systems that generate recommendations, trigger actions, or tune policy.
- Add AI-mediated steps to access reviews. Extend access certification and recertification scope to include workflows where AI influences decisions about access, escalation, or containment.
- Separate advisory from delegated authority. Document where AI is advisory only and where it is allowed to initiate action, then apply different logging and escalation rules to each case.
What to expect at the briefing
Abnormal AI's full webinar covers the operational detail this post intentionally leaves for the source:
- Panel discussion of how four CISOs are balancing AI adoption against security governance risk.
- Career-oriented guidance on how security leaders should think about AI-native protection infrastructure.
- Practical advice on what teams can do now to protect security infrastructure from emerging AI threats.
- On-demand webinar access and ISC2 CPE eligibility details for practitioners who want to view the session.
👉 Watch Abnormal AI's on-demand webinar on generative AI and cybersecurity strategy →
Generative AI in cybersecurity strategy: what are CISOs saying?
Explore further
Generative AI is now an identity governance problem, not only a security tooling topic. Once AI shapes access decisions, escalations, or analyst workflows, the control question moves from model quality to who is accountable for machine-mediated action. That makes IAM, IGA, and PAM teams part of the AI discussion whether or not the organisation has a formal AI programme. Practitioners should treat AI-in-security as a governance domain that crosses team boundaries.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface.
- Only 44% of organisations have implemented any policies to govern AI agents, even though 92% agree governance is critical to enterprise security, according to the same research.
A question worth separating out:
Q: Who is accountable when AI-enabled security tooling causes a bad decision?
A: Accountability should sit with the business owner of the workflow and the security owner of the control, not with the AI system itself. The team must be able to show who approved the AI’s role, what authority it had, and how the decision was reviewed after the fact. Without that, the organisation cannot defend the control in audit or incident response.
👉 Read our full editorial: CISOs say generative AI is reshaping cybersecurity strategy