Key Takeaways
- AI presents both a risk and an opportunity. Attackers are using AI to breach security defenses, but security teams are also deploying it to recover.
- Strong governance goes beyond basic compliance. Compliance frameworks establish a baseline, but governance requires a more robust approach.
- Trust is becoming the benchmark for maturity. AI can improve security and efficiency, but only governance and transparency turn that into lasting trust.
Artificial intelligence is rapidly reshaping how organizations operate, from smart buildings and predictive maintenance to compliance automation and real-time decision-making. It is reshaping how threats are detected and how decisions are made.
But more fundamentally, it is redefining what it means to be secure. In an AI-driven world, cybersecurity is no longer just about defense—it is about trust.
Two parallel shifts are driving this transformation. First, AI is becoming foundational to how work gets done. Second, the environments in which AI operates—facilities, systems, and workforce models—are becoming more complex, interconnected, and difficult to secure.
AI amplifies both risk and resilience
AI introduces a paradox.
On one hand, AI empowers security teams with advanced capabilities, such as faster detection, predictive analytics, and automation that can identify anomalies at scale.
- Security teams using AI and automation extensively shortened their breach times by 80 days.
- They also lowered the average cost of a breach by $1.9 million, compared to organizations that don’t use AI solutions.
- 32% of organizations report using security AI and automation across workflows.
On the other hand, AI equips threat actors with tools to deceive, automate attacks, and exploit human vulnerabilities more effectively than ever before.
- Generative AI reduced the time needed to craft a convincing phishing email from 16 hours down to only five minutes.
- 63% of organizations that had a security breach either don’t have an AI governance policy or are still developing one.
- Shadow AI added $670,000 to the average breach cost compared to those that had low levels of shadow AI or none.
AI’s dual-use nature is fundamentally reshaping cyber risk, not just through more sophisticated attacks, but by accelerating the speed and scale at which they occur. As AI enables highly convincing phishing and deepfake-driven deception, security teams are behind in realizing its full potential to stop cyber threats.
In this environment, cybersecurity is no longer defined by a fixed perimeter. Instead, it is shaped by how effectively organizations manage the interaction between people and intelligent systems. Employees are not just users of AI tools. They are decision-makers working alongside them. Ensuring they understand when to trust AI outputs, when to question them, and how to verify results is becoming a core element of cyber safety.
From compliance to continuous governance
AI is driving a shift in how organizations approach cybersecurity governance. Compliance frameworks such as NIST and ISO remain important, but they are no longer sufficient on their own. They establish a baseline, but not maturity.
Robust AI governance provides the rules, checks, and accountability needed to safeguard data and operations. Stacy Hughes, ABM SVP & CISO, says this includes:
- AI policies: Clear guidelines on acceptable use and organizational expectations help establish consistency and accountability.
- Inventory of use cases: Tracking how and where AI is being applied, whether developed internally or sourced from third parties, ensures visibility across the enterprise.
- Data classification: Understanding what types of data are used in AI models is critical. Sensitive information requires compliance with privacy regulations and additional safeguards.
- System integration: AI does not exist in isolation. Effective governance means ensuring AI integrates seamlessly with existing security tooling and monitoring systems.
- Testing protocols: Rigorous validation processes confirm that AI models perform as expected and help avoid inaccuracies before deployment.
Organizations must maintain a clear inventory of where and how AI is being used, enforce human oversight, and build transparency into automated decisions. Without this, AI can quickly become a blind spot, introducing risk faster than it can be managed.
Trust as a strategic imperative
One of the most important insights emerging from this shift is that trust is becoming the defining metric of cybersecurity success.
In a world of constant change and inevitable breaches, the question is no longer “Can you stop every attack?” Instead, it is “Can you operate with confidence despite the risk?”
Moving from compliance to trust requires immediate action across several dimensions:
- Align to the highest standard. Simplify complexity by benchmarking against the most rigorous regulatory and security requirements across your operating footprint.
- Track cultural maturity. Treat employee engagement and willingness to question and validate as measurable indicators of security maturity.
- Formalize AI governance. Establish cross-functional oversight groups that regularly evaluate AI use cases, third-party dependencies, and emerging risks.
- Maintain visibility into AI adoption. Keep a current, centralized inventory of AI systems and assume transparency requirements will continue to expand.
- Define human oversight boundaries. Establish clear guidelines for when human intervention is required before deploying autonomous or AI-driven workflows.
- Design for transparency. Build explainability into AI systems and clearly communicate how they influence decisions and outcomes.
- Broaden your risk lens. Extend security and compliance frameworks to cover connected technologies such as IoT, robotics, EV infrastructure, and unattended environments.
Organizations that embed these elements into their operations create a stronger foundation—not just for security, but for growth.
The path forward
Cybersecurity in the age of AI is not a destination; it is an operating posture.
Organizations must continuously adapt, aligning people, processes, and technology to an environment that is constantly evolving.
Those that succeed will be the ones that govern AI tools effectively, empower their people, and build trust at every layer of the organization.
AI does not just change how we defend systems. It changes what we are defending: the ability to operate with confidence, credibility, and trust in a digital-first world.




