惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

WordPress大学
WordPress大学
The GitHub Blog
The GitHub Blog
T
Threatpost
人人都是产品经理
人人都是产品经理
大猫的无限游戏
大猫的无限游戏
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
博客园 - Franky
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Apple Machine Learning Research
Apple Machine Learning Research
酷 壳 – CoolShell
酷 壳 – CoolShell
M
MIT News - Artificial intelligence
小众软件
小众软件
Hugging Face - Blog
Hugging Face - Blog
云风的 BLOG
云风的 BLOG
S
Security Affairs
P
Proofpoint News Feed
L
LINUX DO - 最新话题
宝玉的分享
宝玉的分享
S
Security @ Cisco Blogs
H
Hacker News: Front Page
Security Archives - TechRepublic
Security Archives - TechRepublic
Vercel News
Vercel News
Engineering at Meta
Engineering at Meta
Know Your Adversary
Know Your Adversary
Y
Y Combinator Blog
美团技术团队
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
月光博客
月光博客
量子位
博客园_首页
The Last Watchdog
The Last Watchdog
D
DataBreaches.Net
www.infosecurity-magazine.com
www.infosecurity-magazine.com
P
Privacy International News Feed
The Register - Security
The Register - Security
Schneier on Security
Schneier on Security
H
Help Net Security
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
V
Visual Studio Blog
Google DeepMind News
Google DeepMind News
F
Full Disclosure
C
Cyber Attacks, Cyber Crime and Cyber Security
MyScale Blog
MyScale Blog
aimingoo的专栏
aimingoo的专栏
S
Schneier on Security
L
Lohrmann on Cybersecurity
S
Secure Thoughts
Stack Overflow Blog
Stack Overflow Blog
Cloudbric
Cloudbric
Microsoft Security Blog
Microsoft Security Blog

CSO Online

New malware turns Linux systems into P2P attack networks Poisoned truth: The quiet security threat inside enterprise AI Train like you fight: Why cyber operations teams need no-notice drills Die besten DAST- & SAST-Tools CISA mulls new three-day remediation deadline for critical flaws CISA pushes critical infrastructure operators to prepare to work in isolation CISOs step up to the security workforce challenge 10 Anzeichen für einen schlechten CSO Anthropic Mythos spurs White House to weigh pre-release reviews for high-risk AI models Security agencies draw red lines around agentic AI deployments The fake IT worker problem CISOs can’t ignore How CISOs should utilize data security posture management to inform risk Was ist ein Botnet? Human-centric failures: Why BEC continues to work despite MFA Just 34% of cyber pros plan to stick with their current employer Managing OT risk at scale: Why OT cyber decisions are leadership decisions 4 ways to prepare your SOC for agentic AI ‘Trivial’ exploit can give attackers root access to Linux kernel Bank regulator sounds warning over cybersecurity threat posed by AI models Dismantle implicit trust in OT networks, CISA tells critical infrastructure operators Max-severity RCE flaw found in Google Gemini CLI Stopping the quiet drift toward excessive agency with re-permissioning ODNI to CISOs on threat assessments: You’re on your own 10 wichtige Security-Eigenschaften: So setzen Sie die Kraft Ihres IT-Sicherheitstechnik-Teams frei Researchers unearth industrial sabotage malware that predated Stuxnet by 5 years AWS leans on prior ingenuity to face future AI and quantum threats What it takes to win that CSO role Third Party Risk Management: So vermeiden Sie Compliance-Unheil Critical Cursor bug could turn routine Git into RCE Securing RAG pipelines in enterprise SaaS What CISOs need to get right as identity enters the agentic era Stopping AiTM attacks: The defenses that actually work after authentication succeeds EDR-Software – ein Kaufratgeber Microsoft patched an ‘agent-only’ role that was not AI is reshaping DevSecOps to bring security closer to the code The 'manager of agents': How AI evolves the SOC analyst role 4 Wege aus der Security-Akronymhölle Autonome KI-Agenten: Strategien für die neue Bedrohungslage New US House privacy bills raise hard questions about enterprise data collection Scattered Spider co-conspirator pleads guilty Security-KPIs und -KRIs: So messen Sie Cybersicherheit Bitwarden CLI password manager trojanized in supply chain attack 3 practical ways AI threat detection improves enterprise cyber resilience The curious case of Sean Plankey’s derailed CISA nomination Google gets agent-ready for the Mythos age Google drafts AI agents secure systems against AI hackers CNAPP – ein Kaufratgeber Riddled with flaws, serial-to-Ethernet converters endanger critical infrastructure NFC tap-to-pay gets tapped by hackers Anthropic bets on EPSS for the coming bug surge SBOM erklärt: Was ist eine Software Bill of Materials? Thousands of Apache ActiveMQ instances still unpatched, weeks after an actively exploited hole discovered Prompt injection turned Google’s Antigravity file search into RCE Why identity is the driving force behind digital transformation Top techniques attackers use to infiltrate your systems today The thin gray line: Handala, CyberAv3ngers and Iran’s proxy ops Attackers abuse Microsoft Teams to impersonate the IT helpdesk in a new enterprise intrusion playbook CISOs reshape their roles as business risk strategists Copilot & Agentforce offen für Prompt-Injection-Tricks Claude Mythos – ist der Hype gerechtfertigt? Für Cyberattacken gewappnet – Krisenkommunikation nach Plan Critical sandbox bypass fixed in popular Thymeleaf Java template engine White House moves to give federal agencies access to Anthropic’s Claude Mythos Another Microsoft Defender privilege escalation bug emerges days after patch Palo Alto’s Helmut Reisinger sees a cyber sea change ahead as AI advances Positiv denken für Sicherheitsentscheider: 6 Mindsets, die Sie sofort ablegen sollten NIST cuts down CVE analysis amid vulnerability overload Was bei der Cloud-Konfiguration schiefläuft – und wie es besser geht The endless CISO reporting line debate — and what it says about cybersecurity leadership Behind the Mythos hype, Glasswing has just one confirmed CVE Insurance carriers quietly back away from covering AI outputs RCE by design: MCP architectural choice haunts AI agent ecosystem Critical nginx UI tool vulnerability opens web servers to full compromise Copilot and Agentforce fall to form-based prompt injection tricks The deepfake dilemma: From financial fraud to reputational crisis 7 biggest healthcare security threats The need for a board-level definition of cyber resilience Mallory Launches AI-Native Threat Intelligence Platform, Turning Global Threat Data Into Prioritized Action 13 Fragen gegen Drittanbieterrisiken April Patch Tuesday roundup: Zero day vulnerabilities and critical bugs 4 questions to ask before outsourcing MDR 5 trends defining the future of AI-powered cybersecurity EU regulators largely denied access to Anthropic Mythos China-linked cloud credential heist runs on typos and SMTP How AI is transforming threat detection The AI inflection point: What security leaders must do now Cyber-Inspekteur: Hybride Attacken nehmen weiter zu Anthropic’s Mythos signals a structural cybersecurity shift Seven IBM WebSphere Liberty flaws can be chained into full takeover Old Docker authorization bypass pops up despite previous patch Hacker Unknown now known, named on Europol’s most-wanted list The cyber winners and losers in Trump’s 2027 budget CMMC compliance in the age of AI Claude uncovers a 13‑year‑old ActiveMQ RCE bug within minutes Was CISOs von Moschusochsen lernen können Hackers have been exploiting an unpatched Adobe Reader vulnerability for months New ClickFix variant bypasses Apple safeguards with one‑click script execution Cloudflare ‘actively adjusting’ quantum priorities in wake of Google warning Patch windows collapse as time-to-exploit accelerates So geht Post-Incident Review
Rethinking the balance between AI oversight and innovation
Rosalyn Page · 2026-06-25 · via CSO Online

CIOs face mounting pressure to support AI adoption across at speed — but at what risk? IT leaders shed light on how they’re balancing oversight and innovation.

The new CIO mandate is clear: facilitate AI adoption across the enterprise at speed.

According to CIO.com’s State of the CIO survey, CEOs’ top priority for their IT executives is to capitalize on AI. From researching to evaluating AI products, CIOs are now the central figures in their organizations’ AI strategies.

And company leaders are looking for real outcomes. Almost two-thirds of senior leaders report there is more pressure to prove ROI on their AI investments than a year ago, according to Kyndryl’s 2025 Readiness Report.

Numerous sources — from the board, to the CEO, to business units and competitors — are behind this pressure, says Jonathan Tushman, chief AI officer and CTO at Hi Marley, a customer conversational platform for the property and casualty insurance industry.

Succeeding in the task ahead of them requires complex conversations, and getting through legal, compliance, and other checks “at a reasonable clip,” adds Tushman, who added CAIO to his remit more than 18 months ago but has felt added urgency in the past six months. In professional gatherings, board conversations, and almost everywhere across the business world, the conversation turns to AI — and then quickly the fear of failing behind.

That includes employees as well. “It’s the engineering team and there’s everybody else — marketing, sales, finance. It’s people who are not AI-native, but they’re very eager to use these tools at an early level,” he says.

As CIOs find themselves facing pressure to scale and demonstrate real value, the challenge is keeping up with risk considerations — without creating unnecessary friction.

“CIOs cannot be risk averse on this,” says Karthik Chakkarapani, SVP, CIO, and head of enterprise AI at Zuora. “We need to do security and governance, but we don’t want to be seen as slowing down the process. You have to build the highway with enough guardrails and fewer speed breakers.”

Moreover, he adds, “this is not about automating existing work. This is reimagining how work gets done.”

AI is a step-change in risk management

Most IT leaders are a long way from feeling comfortable with the new AI risk management balancing act. Just 31% of respondents feel completely ready across external business risks, Kyndryl’s survey reports.

Tushman believes two things are genuinely different about the risks AI introduces. The first is that AI is indeterminate, whereas most technology is deterministic. “You can’t prove an AI system will or won’t do X, so the traditional ‘put controls around it and verify’ model breaks down,” he says. “We need a different way to govern something whose behavior you fundamentally can’t pin down.”

The second is the gravitational pull on end-users. “With most tech, IT could take its time evaluating before rollout,” he says. “With AI, if you don’t put powerful tools in front of people fast, they’ll route around you — and shadow use creates more risk than controlled access ever would. The timeline compresses at the same time the control model gets harder.”

Tony Vizza, founder and managing partner of Novera, agrees that the instinct to move fast can lead to the exact failures everyone fears.

“This might be staff putting sensitive information into public tools without a proper governance structure, or people copying and pasting straight out of AI and sending incorrect deliverables to customers,” says Vizza.

Organizations should avoid jumping into AI because of the fear of missing out without first clarifying where and how it will be used. All risk decisions should flow from these questions, he says. “What problems are you trying to solve — is it better customer service or deeper insight into your data? What are you actually trying to do?”

Vizza recommends guiding AI decisions with a risk assessment that considers expected outcomes, size of investment, and its importance to the organization’s objectives. “You define your risk appetite, build a risk register, and define what risk treatment should be for each risk,” he says. “For example, if you’re going to use a public AI model, you might treat that risk by not putting sensitive data in or buying the right license so that if you do, you’re covered, or getting guidance from the regulator before you proceed.”

Organizations must also consider AI services as a third-party risk, and not leave all accountability with AI providers, Vizza says. “You can’t outsource the responsibility,” he adds.

Due diligence is required to understand what is in the AI provider’s contract, who is responsible if they have a data breach, and how your organization can pursue them if something goes wrong.

“Some organizations build that into their risk management process. Others are quite flippant or don’t even know they should be asking those questions — and that’s what gets them stuck down the track,” he says.

The importance of organizational design

At Hi Marley, Tushman and team have made structural decisions to foster “healthy internal tensions” that are intended to surface and address AI risk considerations. This includes separation between the “AI adopters” in the product and technical teams and the “AI oversight” teams in compliance and legal. Compliance owns the audits, security concerns, and ongoing oversight, while legal owns the documentation that describes the boundaries. “The key is that it’s independent from the teams pushing AI forward,” he says.

“Companies need to invest seriously in these compliance functions. Hire smart, nuanced people. These roles can’t just be ‘no’ machines, but they can’t rubber-stamp everything either. The value is in the judgment,” he says.

Tushman’s role is the AI innovation steward, spearheading AI adoption that includes being challenged on risk, compliance, and legal considerations. “We have a senior leadership team and we have ‘conflict by design’ within that group,” he says. “I play the CAIO role and next to me, I have our head of legal and our head of compliance. So in that leadership team, if we have ‘conflict,’ we’re able to understand the trade-offs and make a decision as a group.”

Tushman believes this creates healthy tension: Innovation-minded leaders push boundaries while compliance and risk leaders counterbalance them. But if a decision can’t be reached, it goes to the CEO. “I do recommend a [split decision] goes to another officer in the organization,” he says.

Decisions about organizational structure could prove to be as consequential as the AI adoption decisions themselves, Tushman says. “The companies that get the organizational design right early will have a real advantage,” he explains.

Desire for AI advances the risk equation

One of the features of the AI wave is the thirst for access — from the board to employees — to use the tools, build applications, and start putting them to work. “Right now, everyone’s dying to try it,” says Tushman.

Hi Marley is in the “activation” phase — meeting the appetite for the tools with safety wrappers. “My main goal here is to have people learn the tools, start using them, and gain some competency with them,” he says. “We will get to the measurement phase, but I think spending too much time on measuring right now is not worth the effort.”

Tushman, like many, is watching how quickly models improve. “AI has huge implications for how you organize, how you hire, and what buy‑versus‑build decisions you make,” he says.

Zuora, which specializes in software for subscription and recurring revenue businesses, is three years into its AI journey. Chakkarapani is adamant that speed for speed’s sake is not the goal.

“We don’t want to take an existing process and just make it faster. You’re just making a process more chaotic. Can we make it fast, smarter, and reorganize it?”

Vizza believes a good percentage of CIOs will need external help to navigate the push for rapid AI adoption. “Or they’ll need to upskill themselves, because AI operates very differently to traditional IT,” he says.

His advice is threefold. First, “make your decisions on the right basis — either learn how AI really works or bring in someone who can advise you properly,” he says. Second, bring it back to the business purpose. “There are opportunities with AI, but the core question is, ‘What are we trying to achieve by bringing this in?’” And third, work out how you’re going to manage the risk. “Risk isn’t necessarily a bad thing — Formula 1 cars are risky, but they have very good braking systems so they can go faster,” he says. “It’s the same with AI: You put the right risk management in place so the business can move quickly without suffering adverse consequences.”

In its almost three-year AI journey, Zuora started with experimentation before moving 12 enterprise-wide pilots into production, Chakkarapani says, adding that there are three pillars to assess potential AI projects against: effort, value, and confidence. “Effort includes the security risk,” he says. “Is it low, medium, or high?”

Chakkarapani’s team started with simple executions, although the first experiments didn’t go as hoped — providing valuable lessons for the following ones. “We learned AI is only good when you have the right data — the right content, context, and governance,” he says.

They moved on to IT service management and that’s when the practical learnings really started, gaining feedback from internal teams and users, answering the security and governance questions, and iterating as they went.

Early applications include marketing, sales, product, and technology, achieving 10x to 25x throughput improvements. Success is measured in business outcomes such as growth, cost saving, customer engagement.

Through this process, the team has been doing the “behind the scenes” work to speed AI adoption across the company. “We realized that to go at speed and scale, we need to have the right trust, security, and governance underlying it,” he says.

An enterprise-wide platform connects Zuora’s approved AI services, including ChatGPT and domain-specific tools, to its structured and unstructured data. On top of this is the context layer and services so that people can build their own applications. It uses each employee’s existing login and organizational profile, and it respects the same role-based security.

“We slowly developed the framework that became our blueprint with the 10 to 12 things that need to be considered when creating an AI-driven application. When someone is interested, they’re taken to the self-directed process with these do’s and don’ts that is automatically downloaded as a markdown file to that person’s computer,” he says.

The ultimate aim is delivering up to 100x business value through an enterprise-wide governed platform — covering IT, HR, finance, legal, procurement, sales, and product. IT plays the role of orchestrator, providing the platform to access the tools and agents and collaborating with the business team to reorganize that workflow.

The AI maturity model

Chakkarapani believes the more secure the environment, the more it paves the way for experimentation, adoption, and, in time, business results. At Zuora, Chakkarapani has evolved this process through three levels of organizational AI maturity to date:

Level 1: IT provides a platform and services. Employees have controlled access to data based on their role and security privileges. They can create their own agent for themselves. If something doesn’t pass the minimal security and compliance and requirements, it cannot move ahead.

Level 2: An employee-built agent goes through an IT governance check for duplication or overlap, model improvements, security scans, and manual reviews. If approved, it’s shared with the wider enterprise. “We’re doing well on that, but it’s still a lot of manual work because there are no tools in the market that can automate this,” he says.

Level 3: At this stage of maturity, an organization has established a secure foundation across its applications so AI can scale safely. At Zuora, over six to eight months the team tightened endpoint and application security, enforced mobile device management, introduced AI usage monitoring (including what staff upload into prompts), and disabled Google authentication to block personal or bulk email accounts from accessing unapproved apps.

Earlier this year, the team embarked on working toward Level 4 maturity, where anyone can create a functioning application with minimal human involvement. Realistically, they expect to be 80% to 85% zero-touch because the final mile will still require human involvement.

“My goal is to provide a zero-touch service for anybody in the organization to create applications. If we do, they can go from a concept to an idea, prototype, design, and production — and they do it in less than two weeks,” he says.

SUBSCRIBE TO OUR NEWSLETTER

From our editors straight to your inbox

Get started by entering your email address below.