This week, AWS announced to its employees that there would be a new vice president in town: Chet Kapoor was joining the tech giant’s cloud arm to oversee security services and observability, in direct response to AWS’s concern that “AI is totally altering what is feasible and what’s needed in this space.”
On the face of it, the appointment appears routine, particularly considering the scale of AWS’s operations and its reported base of roughly 143,000 employees. Notably, however, the new role comes with an elevated degree of seniority, reporting directly to the CEO and working alongside CISO Amy Herzog, rather than under her. While many enterprises have been exploring a more horizontal hierarchical structure in what’s been termed The Great Flattening, this new job has prompted a new question: What does it look like to be responsible for AI security? And who within the organization is ultimately accountable?
“AI expands the attack surface and the CISO/CIO mandate,” said Diana Kelley, CISO at Noma Security. “Right now, the scope of AI security is so specialized that expecting CISOs to absorb it entirely under existing structures is an enormous leap.”
Fixing a Problem vs. Getting Ahead of Threats
The general response from IT leaders to the AWS hire is positive, with several CISOs describing it as a sign that the company is taking AI threats seriously and is committed to building operations that work within established guardrails. Rather than being a move to fix a specific flaw in security, executives said it’s part of an ongoing investment in healthy cybersecurity practice — one that must now grapple with an entirely new threat in the form of AI-supported attacks.
Dan Lohrmann, field CISO for public sector at Presidio, noted that AWS has taken “many positive steps” to secure its systems, data, and networks, adding that the explosion of AI use demands new vigilance.
“As we move forward into 2026, the breadth and depth of AI opportunities, products, and threats globally present a paradigm shift in cyber defense,” Lohrmann said. He added that he was encouraged by AWS’s recognition of the need for more focus and attention (and staffing) on these cyberthreats.
Edward Liebig, CEO of Yoink Industries and founder of OT SOC Options, agreed. He described the move as not just “good and overdue,” but also an inevitable evolution in cybersecurity management now that AI has entered the field.
“AWS is not just filling a position; they’re formalizing a new layer of accountability,” Liebig said. “It is the clearest sign yet that AI security is not an experimental discipline but a core operational requirement.”
Overwhelming Pressure on CISOs
Indeed, the AWS hire reflects a broader ripple in the market: Enterprises across industries are acknowledging that AI — and particularly agentic AI — is not only being used for positive ends. It is also being wielded maliciously and relentlessly by threat actors.
“Agentic AI attackers can now operate with a ‘reflection loop’ so they are effectively self-learning from failed attacks and modifying their attack approach automatically,” said Simon Ratcliffe, fractional CIO at Freeman Clarke. “This means the attacks are faster and there are more of them … placing overwhelming pressure on CISOs to respond.”
Lohrmann said he believes current cybersecurity models simply aren’t adequate to meet this new species of threat, especially now that they’re coming at unprecedented speed. He recommended a comprehensive system update, one that will continue to pose challenges over the next few years. Kelley, however, said she believes that while traditional measures remain “foundational,” they also need to be supplemented with AI-specific approaches.
“Zero trust, least privilege, and defense in depth — they were built for deterministic systems. AI breaks that paradigm,” she said. Models make probabilistic decisions; they learn from data that may be opaque, and their “attack surface” is not limited to code or APIs, she explained.
“What we need now is AI-aware security governance: a fusion of traditional controls with discovery, inventory, and continuous monitoring of AI assets,” Kelley said.
It may only be a few years down the road before IT leaders discover the best way to combat AI attacks. What is clear is that whichever strategy an organization pursues, there is a lot of work to be done. So who takes that responsibility on?
The Accountability Question
Prior to AI entering the field at scale, CIOs and CISOs were the established owners of enterprise technology and security. Executives in these roles are often the first to recognize that cybersecurity now requires entirely new approaches — and potentially new skill sets.
Before the AWS announcement, there were already some high-profile new roles being created around AI management, such as chief AI officer. But this specific vice president role at AWS — and its position within the broader structure — reflects a shifting perspective on who should be owning the AI element of cybersecurity. Can — and should — the CIO or CISO be expected to take this on themselves?
Kelley said she is confident the CISO has the essential role to play, as long as it is reshaped with key understandings in mind.
“I think the CISO’s role will evolve to meet the broader governance ecosystem, bringing together AI security specialists, data scientists, compliance officers, and ethics leads,” she said, adding cybersecurity’s mantra that AI security is everyone’s business.
“But it demands dedicated expertise,” she said. “Going forward, I hope that organizations treat AI governance and assurance as integral parts of cybersecurity, not siloed add-ons.”
Lohrmann said he sees a future that shares cybersecurity responsibility across both CISO and AI-specific roles. Some enterprises may divide the duties among multiple leaders, splitting the security of services from the security of their networks and employees.
In Liebig’s opinion, the future of cybersecurity leadership looks less hierarchical than it does now.
“As for who owns that risk, I believe the CISO remains accountable, but new roles are emerging to operationalize AI integrity — model risk officers, AI security architects, and governance engineers,” he explained. “The CISO’s role should expand horizontally, ensuring AI aligns to enterprise trust frameworks, not stand apart from them.”
It is Ratcliffe who remains the most convinced of the CISO’s role and responsibility within the context of the AI threat. To him, creating new roles is the wrong track to take altogether, he explained. Instead, it is about fighting AI with AI.
“Adding a person against the machines that are attacking is not really going to make much difference,” he said. “It means the CISOs must adopt AI themselves to fight back. The only thing that can stop AI is AI on the other side.”