
Leading from the Front: A CISO’s Guide to AI Governance

October 17, 2025

As AI adoption accelerates at breakneck speed, CISOs are finding themselves at the center of one of the most significant shifts in technology since the move to the cloud. AI governance has emerged as a new responsibility shouldered by CISOs, but few agree on what that means. 

Alex Cunningham, CISO at Advisor360°, believes that AI represents not just a new challenge but an opportunity for security leaders to elevate their role:

“AI truly is a gift to CISOs and security teams. It’s the next major milestone in the evolution of the security function.”

I sat down with him to discuss why he thinks AI governance is a gift and how he views the role of security within enterprise AI adoption.

Why AI Governance Is Different

Every technology shift forces organizations to rethink security. Cloud, SaaS, and mobile all reshaped infrastructure, workflows, and risk models. But AI stands apart for one reason: speed.

“Two or three years ago, very few people were talking about AI. Then suddenly, bang - everyone’s using it,” Cunningham said. “That pace was the biggest shock for me.”

This acceleration puts CISOs in the position of catching up to technology already in production, unless they lead from the front.

AI Governance as Risk Management

At its core, AI governance is about balancing risk and reward. “We see AI as a competitive differentiator. Being an early adopter can set us apart in the market, but it also raises the stakes,” Cunningham said.

His approach begins with establishing a baseline. Advisor360° follows NIST frameworks to ensure best practices and to demonstrate governance maturity to customers.

“Our customers trust us with their most sensitive information. AI adds a new layer of responsibility, and governance helps us show that their trust is well placed.”

Cross-Functional by Design

Cunningham is quick to emphasize that AI governance is not just a security project. “It’s a cross-enterprise initiative. Security must be built-in from the start, but success requires collaboration across legal, privacy, engineering, and HR. It’s similar to the early days of cloud; security plays a critical role, but it cannot do it alone.”

Educate Before You Restrict

While many organizations respond to AI risk by blocking tools, Cunningham takes a different approach:

“Our first move was to reinforce education. We employ smart people and want to empower them. We never want to be the department of no. Awareness comes first: what tools are being used, what data is being entered, and what behaviors we want to encourage. Blocking should be a last resort.”

This philosophy allows his team to baseline good user behavior, detect anomalies, and promote responsible adoption without stifling innovation.

Oversight and Investment

Governance also requires visibility into the business side of AI. “We don’t rely on free tools. We buy licenses for the ones we believe in, but we have to make sure that investment is delivering value. If licenses go unused or if new tools appear that we didn’t know about, we need to know.”

Secrets management is another priority. “Our data is our crown jewels. We strictly control who has access, enforce encryption, and keep privileges as limited as possible.”

The Future of AI in Security

Cunningham sees promise in AI-enhanced security tools but remains pragmatic. “Vendors tell us their products are faster and better thanks to AI, but I want to see it in action. Trust, but verify. We need to measure real value from these capabilities.”

Lead From the Front

If Cunningham could give one piece of advice to other CISOs, it would be this: lead boldly.

“The pace of AI adoption means that if you’re not ahead of it, you’re already behind. Trying to apply governance after the fact is extremely difficult. Especially if risky behavior is already happening. Work collaboratively with your partners, have a loud voice at the table, and be the tip of the spear.”

AI is reshaping how organizations work, innovate, and compete. For security leaders, it is both a challenge and an opportunity — one that rewards those who engage early, partner widely, and lead with clarity.


And finally, for something lighter. If someone’s visiting Boston, what’s one local spot they shouldn’t miss?

“Easy! Boston’s only Scottish restaurant, The Haven. Go speak to Jason and have a pint with him.”


Michael Marriott