{"id":8594,"date":"2026-06-25T10:02:00","date_gmt":"2026-06-25T10:02:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8594"},"modified":"2026-06-25T10:02:00","modified_gmt":"2026-06-25T10:02:00","slug":"rethinking-the-balance-between-ai-oversight-and-innovation","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8594","title":{"rendered":"Rethinking the balance between AI oversight and innovation"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The new CIO mandate is clear: facilitate AI adoption across the enterprise at speed.<\/p>\n<p>According to CIO.com\u2019s <a href=\"https:\/\/us.resources.cio.com\/resources\/state-of-the-cio\/\">State of the CIO survey<\/a>, CEOs\u2019 top priority for their IT executives is to <a href=\"https:\/\/www.cio.com\/article\/4171959\/ceos-top-priorities-for-it-leaders-today-2.html\">capitalize on AI<\/a>. From researching to evaluating AI products, CIOs are now the central figures in their organizations\u2019 AI strategies.<\/p>\n<p>And company leaders are looking for real outcomes. 
Almost two-thirds of senior leaders report there is more pressure to prove ROI on their AI investments than a year ago, according to <a href=\"https:\/\/www.kyndryl.com\/us\/en\/insights\/readiness-report-2025\">Kyndryl\u2019s 2025 Readiness Report<\/a>.<\/p>\n<p>Numerous sources \u2014 from the board, to the CEO, to business units and competitors \u2014 are behind this pressure, says <a href=\"https:\/\/www.linkedin.com\/in\/tushman\/\">Jonathan Tushman<\/a>, chief AI officer and CTO at Hi Marley, a customer conversational platform for the property and casualty insurance industry.<\/p>\n<p>Succeeding in the task ahead of them requires complex conversations and getting through legal, compliance, and other checks \u201cat a reasonable clip,\u201d adds Tushman, who added CAIO to his remit more than 18 months ago but has felt added urgency in the past six months. In professional gatherings, board conversations, and almost everywhere across the business world, the conversation turns to AI \u2014 and then quickly to the fear of falling behind.<\/p>\n<p>That includes employees as well. \u201cIt\u2019s the engineering team and there\u2019s everybody else \u2014 marketing, sales, finance. It\u2019s people who are not AI-native, but they\u2019re very eager to use these tools at an early level,\u201d he says.<\/p>\n<p>As CIOs find themselves facing pressure to scale and demonstrate real value, the challenge is keeping up with risk considerations \u2014 without creating unnecessary friction.<\/p>\n<p>\u201cCIOs cannot be risk averse on this,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/chakraj\/\">Karthik Chakkarapani<\/a>, SVP, CIO, and head of enterprise AI at Zuora. \u201cWe need to do security and governance, but we don\u2019t want to be seen as slowing down the process. You have to build the highway with enough guardrails and fewer speed breakers.\u201d<\/p>\n<p>Moreover, he adds, \u201cthis is not about automating existing work. 
This is reimagining how work gets done.\u201d<\/p>\n<h2 class=\"wp-block-heading\">AI is a step-change in risk management<\/h2>\n<p>Most IT leaders are a long way from feeling comfortable with the new AI risk management balancing act. Just 31% of respondents feel completely ready across external business risks, Kyndryl\u2019s survey reports.<\/p>\n<p>Tushman believes two things are genuinely different about the risks AI introduces. The first is that AI is indeterminate, whereas most technology is deterministic. \u201cYou can\u2019t prove an AI system will or won\u2019t do X, so the traditional \u2018put controls around it and verify\u2019 model breaks down,\u201d he says. \u201cWe need a different way to govern something whose behavior you fundamentally can\u2019t pin down.\u201d<\/p>\n<p>The second is the gravitational pull on end-users. \u201cWith most tech, IT could take its time evaluating before rollout,\u201d he says. \u201cWith AI, if you don\u2019t put powerful tools in front of people fast, they\u2019ll route around you \u2014 and shadow use creates more risk than controlled access ever would. The timeline compresses at the same time the control model gets harder.\u201d<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/tonyvizza\/\">Tony Vizza,<\/a> founder and managing partner of Novera, agrees that the instinct to move fast can lead to the exact failures everyone fears.<\/p>\n<p>\u201cThis might be staff putting sensitive information into public tools without a proper governance structure, or people copying and pasting straight out of AI and sending incorrect deliverables to customers,\u201d says Vizza.<\/p>\n<p>Organizations should avoid jumping into AI <a href=\"https:\/\/www.cio.com\/article\/4164155\/your-ceo-just-got-ai-fomo-here-are-6-tips-on-what-to-do-next.html\">because of the fear of missing out<\/a> without first clarifying where and how it will be used. All risk decisions should flow from these questions, he says. 
\u201cWhat problems are you trying to solve \u2014 is it better customer service or deeper insight into your data? What are you actually trying to do?\u201d<\/p>\n<p>Vizza recommends guiding AI decisions with a risk assessment that considers expected outcomes, size of investment, and its importance to the organization\u2019s objectives. \u201cYou define your risk appetite, build a risk register, and define what risk treatment should be for each risk,\u201d he says. \u201cFor example, if you\u2019re going to use a public AI model, you might treat that risk by not putting sensitive data in or buying the right license so that if you do, you\u2019re covered, or getting guidance from the regulator before you proceed.\u201d<\/p>\n<p>Organizations must also consider AI services as a third-party risk, and not leave all accountability with AI providers, Vizza says. \u201cYou can\u2019t outsource the responsibility,\u201d he adds.<\/p>\n<p>Due diligence is required to understand what is in the AI provider\u2019s contract, who is responsible if they have a data breach, and how your organization can pursue them if something goes wrong.<\/p>\n<p>\u201cSome organizations build that into their risk management process. Others are quite flippant or don\u2019t even know they should be asking those questions \u2014 and that\u2019s what gets them stuck down the track,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">The importance of organizational design<\/h2>\n<p>At Hi Marley, Tushman and team have made structural decisions to foster \u201chealthy internal tensions\u201d that are intended to surface and address AI risk considerations. This includes separation between the \u201cAI adopters\u201d in the product and technical teams and the \u201cAI oversight\u201d teams in compliance and legal. Compliance owns the audits, security concerns, and ongoing oversight, while legal owns the documentation that describes the boundaries. 
\u201cThe key is that it\u2019s independent from the teams pushing AI forward,\u201d he says.<\/p>\n<p>\u201cCompanies need to invest seriously in these compliance functions. Hire smart, nuanced people. These roles can\u2019t just be \u2018no\u2019 machines,\u00a0but they can\u2019t rubber-stamp everything either. The value is in the judgment,\u201d he says.<\/p>\n<p>Tushman\u2019s role is the AI innovation steward, spearheading AI adoption that includes being challenged on risk, compliance, and legal considerations. \u201cWe have a senior leadership team and we have \u2018conflict by design\u2019 within that group,\u201d he says. \u201cI play the CAIO role and next to me, I have our head of legal and our head of compliance. So in that leadership team, if we have \u2018conflict,\u2019 we\u2019re able to understand the trade-offs and make a decision as a group.\u201d<\/p>\n<p>Tushman believes this creates healthy tension: Innovation-minded leaders push boundaries while compliance and risk leaders counterbalance them. But if a decision can\u2019t be reached, it goes to the CEO. \u201cI do recommend a [split decision] goes to another officer in the organization,\u201d he says.<\/p>\n<p>Decisions about organizational structure could prove to be as consequential as the AI adoption decisions themselves, Tushman says. \u201cThe companies that get the organizational design right early will have a real advantage,\u201d he explains.<\/p>\n<h2 class=\"wp-block-heading\">Desire for AI advances the risk equation<\/h2>\n<p>One of the features of the AI wave is the thirst for access \u2014 from the board to employees \u2014 to use the tools, build applications, and start putting them to work. \u201cRight now, everyone\u2019s dying to try it,\u201d says Tushman.<\/p>\n<p>Hi Marley is in the \u201cactivation\u201d phase \u2014 meeting the appetite for the tools with safety wrappers. 
\u201cMy main goal here is to have people learn the tools, start using them, and gain some competency with them,\u201d he says. \u201cWe will get to the measurement phase, but I think spending too much time on measuring right now is not worth the effort.\u201d<\/p>\n<p>Tushman, like many, is watching how quickly models improve. \u201cAI has huge implications for how you organize, how you hire, and what buy\u2011versus\u2011build decisions you make,\u201d he says.<\/p>\n<p>Zuora, which specializes in software for subscription and recurring revenue businesses, is three years into its AI journey. Chakkarapani is adamant that speed for speed\u2019s sake is not the goal.<\/p>\n<p>\u201cWe don\u2019t want to take an existing process and just make it faster. You\u2019re just making a process more chaotic. Can we make it fast, smarter, and reorganize it?\u201d<\/p>\n<p>Vizza believes a good percentage of CIOs will need external help to navigate the push for rapid AI adoption. \u201cOr they\u2019ll need to upskill themselves, because AI operates very differently to traditional IT,\u201d he says.<\/p>\n<p>His advice is threefold. First, \u201cmake your decisions on the right basis \u2014 either learn how AI really works or bring in someone who can advise you properly,\u201d he says. Second, bring it back to the business purpose. \u201cThere are opportunities with AI, but the core question is, \u2018What are we trying to achieve by bringing this in?\u2019\u201d And third, work out how you\u2019re going to manage the risk. \u201cRisk isn\u2019t necessarily a bad thing \u2014 Formula 1 cars are risky, but they have very good braking systems so they can go faster,\u201d he says. 
\u201cIt\u2019s the same with AI: You put the right risk management in place so the business can move quickly without suffering adverse consequences.\u201d<\/p>\n<p>In its almost three-year AI journey, Zuora started with experimentation before moving 12 enterprise-wide pilots into production, Chakkarapani says, adding that there are three pillars to assess potential AI projects against: effort, value, and confidence. \u201cEffort includes the security risk,\u201d he says. \u201cIs it low, medium, or high?\u201d<\/p>\n<p>Chakkarapani\u2019s team started with simple executions, although the first experiments didn\u2019t go as hoped \u2014 providing valuable lessons for the following ones. \u201cWe learned AI is only good when you have the right data \u2014 the right content, context, and governance,\u201d he says.<\/p>\n<p>They moved on to IT service management, and that\u2019s when the practical learnings really started, gaining feedback from internal teams and users, answering the security and governance questions, and iterating as they went.<\/p>\n<p>Early applications include marketing, sales, product, and technology, achieving 10x to 25x throughput improvements. Success is measured in business outcomes such as growth, cost savings, and customer engagement.<\/p>\n<p>Through this process, the team has been doing the \u201cbehind the scenes\u201d work to speed AI adoption across the company. \u201cWe realized that to go at speed and scale, we need to have the right trust, security, and governance underlying it,\u201d he says.<\/p>\n<p>An enterprise-wide platform connects Zuora\u2019s approved AI services, including ChatGPT and domain-specific tools, to its structured and unstructured data. On top of this is the context layer and services so that people can build their own applications. 
It uses each employee\u2019s existing login and organizational profile, and it respects the same role-based security.<\/p>\n<p>\u201cWe slowly developed the framework that became our blueprint with the 10 to 12 things that need to be considered when creating an AI-driven application. When someone is interested, they\u2019re taken to the self-directed process with these do\u2019s and don\u2019ts that is automatically downloaded as a markdown file to that person\u2019s computer,\u201d he says.<\/p>\n<p>The ultimate aim is delivering up to 100x business value through an enterprise-wide governed platform \u2014 covering IT, HR, finance, legal, procurement, sales, and product. IT plays the role of orchestrator, providing the platform to access the tools and agents and collaborating with the business team to reorganize that workflow.<\/p>\n<h2 class=\"wp-block-heading\">The AI maturity model<\/h2>\n<p>Chakkarapani believes the more secure the environment, the more it paves the way for experimentation, adoption, and, in time, business results. At Zuora, Chakkarapani has evolved this process through three levels of organizational AI maturity to date:<\/p>\n<p><strong>Level 1:<\/strong> IT provides a platform and services. Employees have controlled access to data based on their role and security privileges. They can create their own agents for themselves. If something doesn\u2019t pass the minimum security and compliance requirements, it cannot move ahead.<\/p>\n<p><strong>Level 2:<\/strong> An employee-built agent goes through an IT governance check for duplication or overlap, model improvements, security scans, and manual reviews. If approved, it\u2019s shared with the wider enterprise. 
\u201cWe\u2019re doing well on that, but it\u2019s still a lot of manual work because there are no tools in the market that can automate this,\u201d he says.<\/p>\n<p><strong>Level 3:<\/strong> At this stage of maturity, an organization has established a secure foundation across its applications so AI can scale safely. At Zuora, over six to eight months the team tightened endpoint and application security, enforced mobile device management, introduced AI usage monitoring (including what staff upload into prompts), and disabled Google authentication to block personal or bulk email accounts from accessing unapproved apps.<\/p>\n<p>Earlier this year, the team embarked on working toward Level 4 maturity, where anyone can create a functioning application with minimal human involvement. Realistically, they expect to be 80% to 85% zero-touch because the final mile will still require human involvement.<\/p>\n<p>\u201cMy goal is to provide a zero-touch service for anybody in the organization to create applications. If we do, they can go from a concept to an idea, prototype, design, and production \u2014 and they do it in less than two weeks,\u201d he says.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The new CIO mandate is clear: facilitate AI adoption across the enterprise at speed. According to CIO.com\u2019s State of the CIO survey, CEOs\u2019 top priority for their IT executives is to capitalize on AI. From researching to evaluating AI products, CIOs are now the central figures in their organizations\u2019 AI strategies. 
And company leaders are [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8595,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8594","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8594"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8594"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8594\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8595"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8594"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8594"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8594"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}