The Urgency of Securing AI Workloads for CISOs

Media attention on various forms of generative artificial intelligence (GenAI) underscores a key dynamic that CISOs, CIOs and security leaders face: The pace of technological change is fast — and the risks it brings to the enterprise are significant. 

From blockchain to cloud microservices to GenAI workloads, security leaders are not only responsible for keeping their organizations secure and resilient, but also for understanding and managing the risks that accompany emerging technologies and evolving business models.

While every innovation brings new concerns, some constants remain. Speed. Automation. Algorithms. These drivers define the future of enterprise AI and the security demands that come with it.

Speed isn’t optional.

Businesses today run at network and machine speed. Web services and APIs expect near-instant responses, and every colleague and system depends on quick performance.

The result? Point-in-time risk reviews are now obsolete. Modern security demands real-time context and insights.

To keep pace, CISOs should focus on three priorities:

• Build security operations around runtime telemetry and real-time data.
• Replace static assessments with continuous monitoring.
• Treat speed as both a goal and a vulnerability.

Automation is already here. Make it work for security.

Automation is not new. Every industry relies on it. From robots on assembly lines to kiosks in banks, automation shapes modern work.

Cybersecurity is no exception. New forms of automation arrive as GenAI tools enter business operations. We already see this with system, code and configuration reviews within infrastructure and operations.

Automation should be embraced within security programs and integrated into the target operating model.

Guiding principles for smarter automation:

• Automation can strengthen, not replace, human decision making.
• Integrate automation carefully into existing workflows.
• Use automation to improve speed, consistency and coverage.

Algorithms define the game

We live in an algorithmic economy. Data drives business decisions, and algorithms turn data into insight. In security, algorithms analyze emails, traffic and behavior to spot threats. They decide what is safe and what is not.

The challenge is transparency. Most algorithms are proprietary, their inner workings hidden. And that lack of visibility introduces risk. Faith in the result often replaces proof. Even trusted models can drift or fail silently.

The bottom line? Security teams must question results, test assumptions and demand validation.

5 ways to assess new technologies

Speed, automation and algorithms shape every new technology. CISOs must use these same lenses when evaluating AI tools.

A clear methodology helps avoid surprises as GenAI adoption grows. Each organization will adapt it differently, but core principles apply to all.

Let’s look at five critical considerations when assessing new technology.

1. Talk to key stakeholders

New technologies touch every department. CISOs should seek input early.

Involve stakeholders such as:

• IT and operations
• Lines of business
• HR
• Legal and privacy teams

Regular conversations help prevent blind spots. Talk to your peers early and often to stay aligned on how AI is being used and where it’s headed next.

2. Conduct a baseline threat model

Use frameworks like STRIDE and DREAD to surface risks quickly. STRIDE helps you identify potential threat types: spoofing, tampering, information disclosure, denial of service and elevation of privilege.

Ask questions such as:

• Can user activity be spoofed?
• Can data or transactions be tampered with?
• Where might information be disclosed?
• Could services be denied or privileges elevated?

Once threats are identified, DREAD helps you evaluate their impact by scoring:

• Potential damage if compromised
• Ease of reproducing the attack
• Skills or tools required

Think like an attacker. Short, inquisitive sessions can reveal major gaps.

3. Evaluate telemetry risks

Many GenAI systems lack traditional telemetry. That makes visibility a top priority.

Ask open questions:

• What are we not seeing that we should?
• What do we not know about this application, and why?

Explore runtime, workload and configuration data. This often exposes over-permissioned accounts or hidden dependencies before they escalate. Visibility is the difference between being surprised and being prepared.

4. Use a risk register

CISOs should document all risks tied to GenAI and keep the list active and visible.

Possible entries include:

• Inaccurate or unverified AI responses
• Data or intellectual property loss
• Deepfakes and advanced phishing
• Polymorphic malware that adapts to its target

A living risk register helps connect AI experimentation to ongoing accountability.

5. Focus on Training and Critical Thinking

AI is reshaping the economy as profoundly as the internet once did. The genie is out of the bottle.‍

Security teams must adapt fast:

• Embrace change, don’t resist it.
• Identify and address new risks early.
• Keep the business moving.

Critical thinking and ongoing training build resilience. The faster security leaders learn, test and adapt, the safer their organizations become.

Looking Ahead

AI’s reach will keep expanding. New business models and attack types will follow.

Adversaries are already using GenAI for social engineering, zero day exploits and tailored attacks. They move fast, and so must we.

Security leaders must operate at runtime speed. Keep learning. Keep testing. Keep improving.

Because the faster we adapt, the safer we stay.