When Justin Greis joined Patrick Spencer – Senior Vice President, Americas Marketing & Industry Research – on Kitecast the two explored a question that every business leader is wrestling with right now: How can organizations move fast with AI without breaking trust?

Their conversation spanned what Justin is seeing across the industry – from companies sprinting ahead without guardrails to CISOs evolving from technologists to strategic business leaders. They discussed the difference between compliance and real security, the culture behind responsible AI, and why “human in the loop” isn’t a buzzword – it’s a survival tactic.

This article distills that discussion into the core ideas, lessons, and takeaways for leaders navigating the rapidly changing landscape of AI and cybersecurity.

Security is the new growth lever

Cybersecurity isn’t a cost of doing business anymore – it’s a competitive advantage. When companies make their rigor visible through certifications, resilience testing, and transparent controls, they win customers’ confidence.

Trust has become a product feature. Buyers will choose a company that demonstrates security over one that simply claims it. That’s why leading organizations are treating cybersecurity as a differentiator that fuels growth, not friction.

The CISO’s new role: from technologist to business enabler

The modern CISO is evolving. Once confined to back-office operations, today’s security leaders sit at the intersection of technology, risk, and strategy.

The convergence of infrastructure, platforms, and AI has created a new kind of executive – part CIO, part CTO, part CISO – who translates security investments into business outcomes. But technical acumen alone isn’t enough. The biggest gap in boardrooms today is storytelling.

Boards don’t want vulnerability counts or phishing metrics – they want to understand why risk changed, what it means for the business, and how leadership is responding. The best CISOs tell that story clearly and credibly.

Compliance isn’t security

Frameworks like SOC 2, ISO, and NIST serve a purpose – they set a baseline of discipline and rigor. But compliance is the floor, not the finish line.

A company can be compliant and still be insecure. True security starts by aligning with business strategy: launching new products, expanding into new markets, and protecting data wherever it goes. Compliance should be the byproduct of a secure, well-run organization – not its goal.

Responsible AI: keep humans in the loop

As AI becomes more autonomous, the biggest emerging risk is removing humans from critical decisions. Agentic systems that act independently can improve speed – but they can also amplify errors and bias at scale.

The solution is intentional design. Organizations must define where humans stay in the loop, where they’re temporarily out, and how exceptions are governed. This means building oversight, ethics, and secure engineering into every AI initiative from the start.

AI should amplify human judgment, not replace it.

Culture over checklists

Too many organizations overestimate their readiness because they measure against checklists, not reality. The ones that perform best foster psychological safety – where people can raise risks early, admit unknowns, and collaborate on fixes without fear.

That’s how true resilience is built: through candor, learning, and leadership. It’s also the foundation of the work I’ve done with the National Association of Corporate Directors (NACD) to help boards and CISOs elevate their conversations beyond compliance and toward trust and impact.

The playbook for what’s next

AI and cybersecurity are converging into a single discipline: the discipline of trust at speed. Every company now needs a playbook that operationalizes trust as a core capability. Here’s how to get there:

1. Make trust visible

Trust used to live deep inside your systems – visible only to auditors. That’s no longer enough. Customers and regulators expect evidence.

Publish your assurance posture, showcase your testing rigor, and make transparency part of your brand. When clients can see your controls working, they gain confidence in your leadership, not just your technology. Security becomes a proof point of reliability, not a cost of doing business.

2. Design oversight into AI

AI decisions now touch everything – from finance and insurance to healthcare and critical infrastructure. Without deliberate oversight, they can easily cross ethical or operational lines.

Organizations must codify where humans belong in the loop:

Which decisions always require human judgment?

Which can run autonomously but under supervision?

When must escalation or review be triggered?

These principles can’t live in a binder; they must be embedded into workflows and governance. Proper oversight ensures that automation enhances – not replaces – accountability.

3. Embed discipline in the product

Security and responsible AI aren’t projects; they’re design principles.

Every product team should be building with secure SDLC, MLOps, and continuous testing by default. Security and privacy should live inside your product operating model, not as afterthoughts handled by a separate department.

Empower engineers with guardrails, patterns, and tools. The strongest organizations combine centralized standards with decentralized execution – security as enablement, not enforcement.

4. Tell better and clearer stories to boards and executives

Risk metrics don’t inspire action; context does.

Boards want to understand how risk evolves, what trade-offs exist, and which paths lead to resilience or exposure. CISOs who can translate technical risk into business impact earn influence – and investment.

A compelling story follows a clear arc:

• Context: What changed?
• Risk Shift: Why it matters.
• Decision: What are the options?
• Outcome: What happens next.

This approach turns cybersecurity from a cost conversation into a strategic discussion about value and trust.

5. Build a culture of candor

The best defense isn’t technology – it’s honesty.

When teams can speak up about weaknesses without fear, you discover risks early and fix them faster. Leaders must create psychological safety by modeling curiosity, not blame. Reward transparency and learning, not perfection.

This shift – from secrecy to candor – transforms cybersecurity from compliance to culture. The organizations that get this right don’t just avoid breaches; they outlearn and outpace everyone else.

6. Move safest at speed

The future belongs to those who can move fast and stay trustworthy. That means building the infrastructure of confidence beneath every product, partnership, and AI system.

Cybersecurity and AI aren’t competing priorities – they’re mutually reinforcing accelerators. The organizations that treat them that way will set the pace for the next decade of innovation.

Listen to the full episode: Kitecast with Patrick Spencer (kiteworks.com/kitecast) and check out the post on LinkedIn.