The Empty Chair: Thoughts on the CISO's Role in the Age of AI
Summary
As organizations accelerate AI adoption, many strategic discussions are happening without the CISO at the table. Unlike traditional technologies, AI evolves rapidly and often spreads across the business before governance can catch up. This makes cybersecurity involvement essential from the very beginning, not just at the approval stage. Modern CISOs should move beyond the role of saying "no" and instead enable secure innovation. Their responsibility is to define guardrails that allow the business to adopt AI quickly while managing risk. They help translate risk tolerance into practical operating principles. Without CISO leadership, organizations may lose visibility into how AI is being used and where risks are emerging. In the AI era, an empty chair at the table can become a costly business risk.
A few thoughts after too many advisory sessions where this conversation didn’t happen soon enough.
I’ve sat through a lot of AI advisory meetings lately.
Boards, ExCos, and transformation leads all talking about speed, productivity, and competitive advantage.
Genuinely exciting conversations.
And in most of them, there was an empty chair where the CISO should have been.
What bothered me wasn’t the absence. It was how unremarkable the absence was. Nobody flagged it. Nobody asked where they were. The meeting just… continued.
Here’s the thing about AI that makes it different from every other technology initiative your organization has run: it doesn’t wait for governance to catch up.
Employees adopt tools independently. Use cases mutate. What starts as a productivity experiment quietly becomes part of a customer journey, a decision workflow, a data access layer. By the time anyone thinks to ask, "who owns this?" the answer is already complicated.
Traditional software implementations have boundaries. AI doesn’t respect them.
This is precisely where the CISO belongs. Not at the end of the process with a sign-off checklist, but at the table where the direction is being set.
I want to push back on something. The security function has spent years trying to shed the reputation of being the department of “no.” In AI adoption, that reputation becomes genuinely dangerous, because it gives organizations an excuse to leave cybersecurity out of the conversation entirely. We’ll loop them in later.
Later, in AI terms, is already too late.
The CISOs I see navigating this well aren’t playing defense. They’re defining what responsible speed looks like. They’re helping the business answer: how fast can we move, and what does moving that fast actually require of us?
They’re translating risk tolerance into operating principles that give innovation guardrails, not brakes.
That’s a different job than most people expect from security leadership. It’s also a more important one.
If your organization is deep into an AI transformation and your CISO isn’t in the room, I’d ask a simple question: Who is currently responsible for knowing what your AI is doing, where it’s doing it, and what happens when something goes wrong?
If that question takes more than five seconds to answer, the empty chair is already costing you something.