The CISO's Expanding AI Mandate: Leading Governance in 2026

CISOs find themselves at an inflection point in 2026. They are no longer simply gatekeepers of cybersecurity; CISOs are emerging as leaders of AI governance across their organizations. This evolution is redefining what it means to be a security executive in 2026.

DOWNLOAD NOW: AI Heading into 2026

From Blocker to Enabler

Early in 2025, security teams faced a simple question: block AI tools or allow them? Today, that simplistic approach has evolved into strategies that balance innovation with risk management.

According to our recent polling of security executives, more than 90% of organizations do not allow blanket access to AI applications. More than half (56%) said they block most AI tools while creating clearly defined allowlists. Another quarter said they take the opposite approach, allowing most tools but blocking specific high-risk applications, such as DeepSeek.

This shift reflects the reality that employees will find ways to use AI regardless of policy. The security team’s job isn't to prevent AI adoption—it’s to create safe channels for it.

READ MORE: How to Establish GRC Practices for AI

The Governance Framework Dilemma

While establishing AI usage policies has become standard practice, with more than 85% of CISOs either implementing dedicated AI policies or updating existing security frameworks, the question of formal governance structures remains challenging. The security community is split roughly in half between those advocating for governance frameworks and those who believe policy updates provide sufficient guardrails.

Existing frameworks such as the NIST AI Risk Management Framework  (NIST AI RMF) offer value in sophisticated enterprises with control over their AI models and infrastructure. However, many CISOs find these frameworks either too bulky or too vague, due to their assumptions around the extent of control of most enterprises.

Many elements of AI governance—addressing bias, managing regulatory implications, ensuring transparency—stretch beyond the traditional cybersecurity scope. This ambiguity around scope creates tension as CISOs navigate what falls under their purview versus other business functions.

DOWNLOAD NOW: Mitigate These Five AI Risks

Multi-Vendor Complexity

Nearly 80% of organizations are pursuing multi-vendor AI strategies, driven by the need to align tools with existing infrastructure. Organizations are discovering that the best AI solution often depends on which cloud platform a business unit already uses and what specific problem needs solving.

This multi-vendor approach creates a governance challenge. Each AI vendor offers different compliance features, security controls, and data handling practices. CISOs must now budget for third-party governance solutions to unify reporting, detection, and enforcement across multiple platforms.

Three notable exceptions stand out in the multi-vendor landscape. ChatGPT's ubiquity makes blocking it nearly impossible, driving organizations toward enterprise licensing. Microsoft Copilot has become the default low-hanging fruit for organizations already invested in the Microsoft ecosystem. DeepSeek faces widespread blocking due to privacy concerns; 90% said they completely block access to the DeepSeek website, with over 65% of organizations restricting access primarily because of ties to China.

The Data Control Imperative

AI governance asks a fundamental question: what data can go where? This isn’t just about choosing enterprise versus consumer-grade tools. It’s about understanding trust relationships with vendors and the willingness to expose sensitive information to those vendors.

Security teams are shifting from mandating specific user behaviors to implementing technical guardrails. Enterprise browsers, DNS filtering, and zero-trust network solutions now provide granular control over end-user access to AI tools. Many organizations are also implementing data analysis for prompts, offering data loss prevention (DLP) without completely restricting AI use.

Leading Through Collaboration

CISOs are being asked to serve as bridges between stakeholders. AI initiatives require coordination among legal, compliance, data management, and business units—where security leaders operate. This positioning creates an opportunity for CISOs to elevate their standing by helping organizations understand the total cost of ownership for AI initiatives, including governance, security, and management.

Half of organizations have established dedicated AI governance committees. In these cross-functional teams, CISOs bring a valuable perspective: they understand both the technical risks and the business objectives, making them ideal partners for executives trying to foster AI's potential.

AI Heading into 2026

As we move further into 2026, the CISO’s role continues to expand beyond traditional security boundaries. AI governance represents both a challenge and an opportunity—a chance to demonstrate security’s ability to enable business growth while managing emerging risks.

The CISOs succeeding in this environment are those who have built strong teams, created space to address risks beyond traditional infosec, and positioned themselves as trusted business partners. The AI mission belongs to the CISO because security leaders possess the unique combination of technical depth, risk management expertise, and cross-functional perspective required to guide organizations through this transformative period.

IANS latest report: AI Heading into 2026 provides access to objective, data-driven insights from IANS community polls and cross-industry CISOs to see how today’s security leaders are approaching AI in practice. This report reveals the evolving standards shaping AI policy and governance, and how CISOs are tightening access while building business-aligned oversight. Learn more about how security leaders are redefining AI vendor strategy, and the top AI-driven priorities commanding executive focus in 2026. Download AI Heading into 2026 and access objective, data-driven insights from IANS community polls and hard-won lessons from CISOs who are actively implementing AI in their organizations

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.