{"id":7788,"date":"2026-04-13T09:01:00","date_gmt":"2026-04-13T09:01:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7788"},"modified":"2026-04-13T09:01:00","modified_gmt":"2026-04-13T09:01:00","slug":"cisos-tackle-the-ai-visibility-gap","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7788","title":{"rendered":"CISOs tackle the AI visibility gap"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

Dale Hoak found himself asking a question that has become familiar to CISOs through the decades: What am I missing?<\/p>\n

More specifically, Hoak<\/a>, CISO at software firm RegScale, was wondering what he might be missing around his company\u2019s AI deployments.<\/p>\n

\u201cThe business was moving so fast in using AI, so initially we had some visibility gaps,\u201d he says.<\/p>\n

Hoak believed his monitoring capabilities weren\u2019t strong enough to identify all the risks and threats associated with the company\u2019s newest AI uses. So he repositioned existing tools and invested in new ones, including products that use intelligence to monitor enterprise AI use, to gain the visibility he needed \u2014 a process that took about six months.<\/p>\n

\u201cOver time I figured out what to look for using logging and SIEM and AI tools, and I feel like we now have the gaps covered,\u201d he notes.<\/p>\n

Still, he remains apprehensive.<\/p>\n

\u201cI\u2019m always a little wary,\u201d he admits, about what his security operations might not see.<\/p>\n

CISOs are right to be concerned. AI is expanding the organization\u2019s attack surface<\/a> while introducing new types of risk such as those stemming from prompt injection and data poisoning attacks<\/a>. Security leaders know that. But, as Hoak points out, CISOs are also contending with AI-related security blind spots as their organizations race to implement and scale the technology<\/a>.<\/p>\n

According to the AI Security Exposure Survey 2026 Report<\/a> from security software maker Pentera, 67% of CISOs report limited visibility into where and how AI is operating across their environments.<\/p>\n

Additionally, 48% of CISOs cited limited visibility into AI usage as a top challenge in securing AI systems, making it their second biggest challenge in this space. (Lack of internal expertise, cited by 50%, came in No. 1.)<\/p>\n

Myriad blind spots<\/h2>\n

Nitin Raina<\/a>, global CISO of consultancy Thoughtworks, highlights multiple scenarios that create such visibility gaps. One is shadow AI<\/a>.<\/p>\n

\u201cInitially about 12 to 18 months back, we saw people using [unsanctioned versions of] ChatGPT or Gemini or buying their own niche AI tool. That has slowed down, but it\u2019s still one of the risks,\u201d Raina says.<\/p>\n

Another is the introduction of AI capabilities by software makers whose products are already in use at the company. \u201cThe vendors we use are adding AI capabilities and sometimes we don\u2019t have entire visibility into that,\u201d he says, despite his security team\u2019s work to learn how those vendors are handling data and AI-related vulnerabilities.<\/p>\n

The models supplied by providers also create blind spots, Raina adds, as CISOs typically can do some level of review<\/a> but cannot perform deep dives into the models to determine whether there are issues that could skew outcomes to unacceptable levels or send data to places where it shouldn\u2019t go.<\/p>\n

Yet another, Raina says, is agentic AI<\/a>, whose risks include hallucinations or prompt injections as well as failures that due to their speed<\/a> and autonomous actions can be difficult to detect<\/a> with conventional security tools.<\/p>\n

Many compare the security situation around AI to the early days of cloud, when CISOs similarly experienced shadow deployments, unknown risks, and visibility challenges.<\/p>\n

The challenges today are more significant, says Nick Kakolowski<\/a>, senior research director at IANS Research. Executives are scared of falling behind in the race to use AI for competitive advantage, so they\u2019re willing to take more risks, he says. That has led to rapid-fire AI implementations and deployments outside of normal procurement channels. As a result, \u201cblind spots are kind of everywhere.\u201d<\/p>\n

CISOs also often lack full visibility into fourth-party AI systems<\/a> and the risks that use entails.<\/p>\n

Ditto for the accuracy of the outcomes that employees are getting with some AI engines. \u201cNo one understands fully how to assess the outcomes of AI and the quality of the content being created by AI,\u201d Kakolowski says. \u201cWe\u2019re not going to be able to evaluate the quality and trustworthiness of the outputs of AI, and we don\u2019t know how to equip our people to do so effectively.\u201d<\/p>\n

Likewise for AI-generated code<\/a>, which is increasingly being created outside of development teams thanks to the ease of using AI for such purposes. \u201cThey\u2019re using vibe coding, and CISOs may not know where that AI-generated code is being integrated,\u201d Kakolowski says.<\/p>\n

CISOs also may not know if AI agents grant access privileges<\/a> to other agents as they execute workflows, creating yet another blind spot.<\/p>\n

And security execs may be in the dark about the ethical implications of their organization\u2019s AI capabilities. \u201cCISOs often get pulled into things that are on the ethical side of risk, and this issue of ethical AI is starting to emerge as one of them,\u201d Kakolowski adds.<\/p>\n

Another area where CISOs may not have a clear view: where their organizations draw the line on blind spots introduced by their AI strategies. \u201cGuessing at the organization\u2019s risk tolerance is a high-level blind spot,\u201d Kakolowski says, noting that CISOs wanting to close visibility gaps need to start by defining \u201cwhat the organization considers reasonable versus unreasonable. That helps CISOs figure out the next step.\u201d<\/p>\n

Gaining visibility<\/h2>\n

CISOs say they\u2019re aware of the consequences of having blind spots, with data leaks<\/a> and problematic AI outputs being common ones.<\/p>\n

They\u2019re now working to gain the needed visibility to prevent such issues, says Aaron Momin<\/a>, CISO and chief risk officer for Synechron, a digital consulting and technology services firm.<\/p>\n

\u201cThe business has a mandate to adopt AI, but the trouble with this is that the business has been moving at lightspeed and CISOs are just catching up,\u201d Momin adds.<\/p>\n

Like other security chiefs, Momin is leaning on a well-formed security strategy, security and AI frameworks, and a clear understanding of the company\u2019s risk appetite and risk tolerance to do that work. He\u2019s also leaning on people, process, and technology to secure his organization\u2019s AI deployments and improve visibility.<\/p>\n

Still, he acknowledges blind spots could remain, explaining that traditional security tools, such as URL filtering and data loss prevention (DLP) solutions, provide a layer of control but don\u2019t deliver the comprehensive view of AI use that CISOs need.<\/p>\n

\u201cThey\u2019re not necessarily sufficient. They could get to maybe 80% or 90% of what you need, but to get higher visibility, you have to add additional tools,\u201d Momin says.<\/p>\n

That, though, presents another challenge for CISOs.<\/p>\n

\u201cThose tools have to be matured, have to be extended, have to be broader to get full visibility,\u201d Momin says. \u201cNow some vendors are upgrading the capabilities [offered in their security tools,] and new tools are coming on the market. And they\u2019re starting to give you full visibility.\u201d<\/p>\n

Thoughtworks\u2019 Raina has a similar take to improving visibility, endorsing a multiprong approach to ensure his security team has a full picture of the organization\u2019s AI deployments, their vulnerabilities, and their risks. That approach combines administrative, governance, and technology controls \u2014 a combination that has a long history of success in security.<\/p>\n

But experts say that tried-and-true combination is not enough to gain full visibility when it comes to AI.<\/p>\n

According to Pentera\u2019s survey, no CISOs reported full visibility and no shadow AI. One-third said they had good visibility with shadow AI likely, while 66% said they had limited visibility with shadow AI a known issue, and 1% said they had no visibility.<\/p>\n

Full visibility may not be possible \u2014 at least not at present, says Jared Oluoch<\/a>, professor and director of Eastern Michigan University\u2019s School of Information Security and Applied Computing. Today\u2019s tools and security strategies limit blind spots but do not eliminate them completely. \u201cThey can minimize the negative effects,\u201d he adds.<\/p>\n

That\u2019s the goal, says Tal Hornstein<\/a>, CISO of Cast & Crew, a provider of production software, payroll, and services for the entertainment industry.<\/p>\n

Like others, Hornstein relies on longstanding security principles, citing the confidentiality, integrity, and availability (CIA)<\/a> triad as the foundation for his approach to ensure that AI works within established guardrails and that he can observe its behavior.<\/p>\n

Hornstein is also looking to emerging technologies to deliver better observability and enforcement. But he acknowledges that security tech doesn\u2019t enable full visibility at this time. \u201cThey are not fully mature yet,\u201d he says.<\/p>\n

That has to be enough for now, he adds, saying CISOs can\u2019t let visibility challenges slow down AI adoption.<\/p>\n

\u201cAI is the most amazing technology, and whoever doesn\u2019t use it will be left behind,\u201d Hornstein says. \u201cSo, it\u2019s important for me as a CISO and as a business leader to not put up barriers and block AI but to build up guardrails that allow the organization to move at the velocity it wants and the amount it wants while providing risk mitigation.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

Dale Hoak found himself asking a question that has become familiar to CISOs through the decades: What am I missing? More specifically, Hoak, CISO at software firm RegScale, was wondering what he might be missing around his company\u2019s AI deployments. \u201cThe business was moving so fast in using AI, so initially we had some visibility […]<\/p>\n","protected":false},"author":0,"featured_media":7789,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7788","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7788"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7788"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7788\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7789"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7788"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7788"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7788"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}