Saved To My Saved Content

Artificial intelligence is increasing both the clockspeed of organizations and the cyber risks they face. Anthropic’s unreleased model, Claude Mythos, which uses advanced reasoning to find vulnerabilities that have escaped detection for decades, should be a wake-up call. How can companies take advantage of AI’s promise without falling victim to its risks?

Earlier, we argued that, by working together in a synchronized approach to digital risk, business, IT, and security teams can more effectively anticipate and manage cyber risks. But organizations are still having trouble keeping up. With bad actors introducing AI agents into their arsenal, the stakes are even higher than before.

To understand where current cybersecurity operating models break down, what high-performing organizations do differently, and what leaders need to change, we benchmarked several leading companies. The answers come down to the rather boring but difficult nontechnical side of the job: decision rights and accountabilities, defined workflows, and tight coordination across business, technology, and security. When these basics are in place, critical information is shared among the right individuals, decisions are made quickly, and business leaders understand what risks they are taking on. Patches are applied and practitioners feel they are managing risks in real time.

In other words, minimizing cyber risks takes a village of cooperating and accountable humans from many different backgrounds and parts of the organization working together.

The Hard Truth

AI is accelerating product development, customer journeys, code generation, and automation across core operations. Companies are embedding it into products, internal tools, and frontline workflows. But, as the Claude Mythos model makes clear, AI is also making the world a much riskier place. Attackers are using AI agents to find weaknesses inside organizations and mount a variety of attacks like phishing and ransomware.

Companies that accelerate AI adoption without redesigning their security operating model are putting themselves at risk. They are stepping on the gas when their brakes need replacement. The likely outcome: more hidden risk, more last-minute escalations, more exceptions, more breaches, and too much dependence on heroes. Speed without structure and accountability is dangerous.

Monthly Newsletter Subscription

Tech + Us: Harness the power of technology and AI

Why Current Security Models Struggle

The old ways of combating cyber threats do not work against today’s problems. Security teams are frequently brought in late to product and AI initiatives. It’s unclear who owns what and how they can be held accountable. Critical workflows, such as those involved in fixing vulnerabilities, managing access to systems, and bringing on third parties, depend on manual coordination and vaguely defined responsibilities. An urgent item for one team loses priority when it passes to a new team. This frequently results in delayed product launches, as well as cyber breaches or near misses.

In the past, companies could absorb some of that friction. At the speed of AI, they can’t. Irritating inefficiencies have become a source of delay and hidden risk.

The problem is not technical. The best tools can’t fix unclear ownership or clumsy handoffs. The real issue is organizational. Companies need clear responsibilities and accountabilities that define who does what and when. If companies want to operate securely at AI speed, they need to redesign how cyber decisions are made and executed.

What High Performers Do Differently

Our benchmarking confirmed our hypothesis that there is a better way. Top-performing organizations follow three practices that help keep them safe.

Centralize authority, decentralize execution, enforce accountabilities. Cybersecurity strategy, policy, standards, and risk appetite should be the responsibility of the chief information security officer. This executive sets the rules for security, design, and tools and specifies when security can step in. He or she owns security-specific tools that cover, for example, security operations and vulnerability management. The security team then handles specific tasks, like security architecture design, threat monitoring, security operations, and incident response.

The security team does not have to own every task. In a sustainable security program, all of the company’s teams enable one another to evaluate risk, agree on mitigation efforts, and act decisively. Technology teams are responsible and accountable for implementing many of the policies and standards established by the CISO. They frequently handle patching, configuration management, identity and access management, and end-point security implementation. Product and business teams operate within clear guardrails, defined by the security team. Levels of acceptable residual risk and escalation paths are clearly defined.

These broad outlines of authority, execution, and accountabilities will vary across organizations. But the model works because the CISO sets the overall cybersecurity framework and is able to hold others accountable for its execution. With clear and specific decision rights and accountability in place, the overall speed of the organization increases.

Security by design is built into the process. High performers do not treat security by design as a slogan or compliance exercise. They build security into products from the start. These companies involve the security professionals continuously throughout ideation, design, build, launch, and operations.

Teams address risk tradeoffs, feasibility, and business value early on. This head start reduces late revisions that can delay launches and affect operations. The best companies do not rely on personal relationships and communications to make this happen. They support teams with templates, architecture standards, clear review forums, and automation.

Critical workflows are engineered before they are automated. Clear accountabilities and secure-by-design practices only work effectively if an organization’s workflow codifies how security activities are executed.

One of the clearest insights from our benchmarking is that things often fall apart when a task is handed off from one team to the next. This is an operational rather than a strategic or technical weakness. At top-performing companies, workflows have clear owners, defined service levels, and escalation rules. Security is baked into processes rather than added on.

Critically, AI cannot fix broken processes. Garbage in, garbage out is an old rule that applies to AI process automation. Once these processes are redesigned for this clarified operating model, AI can help accelerate workflows further. For example, AI can identify critical threats and vulnerabilities in a flood of alerts and block unsafe code the moment a developer writes it. By connecting scattered clues, AI can detect an attack and start the response without a human handoff. This will ultimately allow the enterprise to defend itself against attacks at machine speed.

What Leaders Should Do

Strong cybersecurity requires more than strong technology. Executives need to address the often messy and difficult human side of cybersecurity by insisting on rigor, accountability, and cooperation. The work is not glamorous but it is necessary. And it starts with the basics:

Organizations that synchronize business, technology, and security teams and operationalize that synchronization through clear decision rights and automation can scale AI securely. Those that do not will scale fragility and risk instead.