AI: Lacking Guardrails, Talent, and Resources?

Artificial intelligence is already present in our workflows, communication tools, customer systems, and even decision-making processes. Yet, most organizations are still catching up to what this means for risk and responsibility.

AI’s rapid advancement echoes previous technology shifts - like Cloud Migration and Automation and SaaS adoption - where governance lagged behind innovation.

But AI isn’t just another tool in the stack; It doesn’t just execute commands – it interprets context, makes inferences, and increasingly acts with autonomy. That power to decide – not just do – demands a new kind of oversight that goes beyond controlling systems to understanding and shaping the decisions those systems make.

The AI Rush

AI adoption is accelerating faster than governance maturity can keep pace. Many companies are still integrating responsible AI practices rather than treating them as a standard operating discipline. Deloitte reported that nearly two-thirds of entities have adopted generative AI without establishing proper governance controls. That ultimately means a growing field of more blind spots: unmonitored or unsanctioned usage, insufficient oversight, and compliance risks that surface only after the fact.

And yes, a big part of this is fear of missing out. But it’s more than that – organizations are being punched in the face by the fact that almost every tool they use now has some AI built in.

From productivity suites to security tools, AI is no longer optional. That’s why adoption is happening by default, not by design.

New Tech, New Threats

While AI is a productivity enhancer, it’s also a new attack surface. We’re starting to see evidence of AI systems being targeted for data extraction, prompt injection, and model manipulation. Recent research from IBM shows 13% of organizations have experienced breaches of AI models or applications, and a staggering 97% lack AI-specific access controls.

AI collapses the traditional boundaries between governance, privacy and security. The security of the model determines the privacy of the data; the transparency of the model determines the integrity of governance.

As AI becomes part of the infrastructure for organizations, its protection will shift to guarding inputs and outputs and perhaps the process of reasoning itself.

Generative AI introduces a new kind of risk. These systems don’t merely process data – they create it, sometimes inferring sensitive information that was never explicitly shared. GenAI’s power to fill in the blanks means privacy isn’t just about the data you provide - it could be also about what the system can figure out. This blurs the boundaries between privacy and security requiring organizations to rethink how they protect both data and the inferences AI can make.

A Shortage of Skills and Structure

Governance, risk, and compliance teams are already overextended. Especially now being tasked with managing AI alongside privacy, cybersecurity, and regulatory change. There is a shortage of professionals who understand AI governance, and most organizations are still applying outdated frameworks to a new kind of technology.

Finding people who understand AI governance is the real challenge. Nearly a quarter of organizations cited this as a roadblock in a 2025 report from the International Association of Privacy Professionals.

There is a need for practitioners who can interpret model behavior, validate decisions, and proactively manage emerging risks. If you can’t make sense of an AI’s reasoning or validate its decisions, you’re not governing it – you’re simply observing the results of an unknown process.

Responsible Empowerment Starts Here

For CISOs, Chief Data Officers, and governance leaders, the question isn’t whether to use AI. It’s how to use it responsibly while trying to minimize risk, and that begins with understanding.

Inventory the AI that already exists in your environment - Before you set up your policy, know what you are dealing with. Many of the tools already in your environment likely include AI capabilities, such as document editors, CRM systems, security platforms, and even HR software. In addition, there’s probably shadow AI usage happening across your organization.

Conduct an AI asset inventory to identify which applications, vendors and services include AI components - Ask the basic questions:

• Where is AI built in?
• What data does it access or process?
• What is the vendor’s policy around privacy and data usage?
• Who is responsible for oversight of the application?

You will need to understand what you would be gaining from the AI capability and what risk you could be incurring using it.

Create a framework that encourages innovation - Employees will continue to explore new AI tools to complete their work more efficiently. Building on the AI asset inventory process, establish a review system that allows anyone to suggest new AI vendors or capabilities for assessment.

Define clear criteria for evaluation, such as data privacy standards, security measures, and alignment with organizational goals. Assign a cross-functional team to review submissions and provide feedback within a set timeframe. By establishing an organized process, you will encourage innovation while keeping visibility and control over how AI enters your environment.

Train people to think before they prompt - AI governance starts with human judgement. Establish simple rules of engagement for how employees interact with AI tools, especially when handling sensitive information. Offer short, practical guidance on what’s safe to share and what’s not. Be explicit: never enter sensitive, customer or internal data into any AI system that isn’t approved. Clear expectations, reinforced through awareness training, go further than long policy documents.

Add visibility where you can - Use the tools you already have, like DLP and CASB to understand where data is going and prevent sensitive information from being exposed to AI systems. You don’t need perfect coverage to start; you just need enough visibility to find your biggest blind spots. Even partial insight is better than nothing.

It’s important to remember that if you don’t enable AI for your people, they’ll use it anyway. Blocking it only drives usage underground.

Enabling AI responsibly is always one step better than discovering it’s being used without your knowledge. The organizations that win with AI will be the ones that understand its benefits and guide its use, not the ones that deny it.