I was taught by a mentor that when asked for approval, the answer is always “yes, but how do we get there?” Most CISOs I talk to right now feel like they are flying around swatting at flies. Every day there’s a new tool someone needs approving, a new agent spun up in a corner of the business, a vendor that quietly switched AI on without telling anyone. Like in business, you take the punches and you try to roll with them. I know the feeling, because I live it too.
What makes this hard is the direction in which the requests move. CISOs are used to users asking for things (or doing things in the shadows), and having to explain to the workforce why they can’t have every tool they want. But this time around it’s the board that wants AI to be adopted across the organization, and they want it to happen now. 72% of CEOs say they are the main decision makers on AI in their organization, twice as many as a year ago (BCG). These are not grassroot requests: the mandate is clear… and it all eventually lands on my desk as the CISO.
And so we turn to our budget pots and we spend. Netskope’s own recent research found that 90% of cybersecurity professionals have increased their AI security budgets this year, and yet 29% of us feel less secure than we did twelve months ago (Netskope/Cybersecurity Insiders). Spending is up. Confidence is down. We are buying more and sleeping worse.
I found a compelling reason for that gap in the same research. AI is now deployed in 73% of organizations, but only 7% have governance that enforces security policy in real time (Netskope/Cybersecurity Insiders again). That’s the hole most of us are standing over. We know we cannot say no to AI, and yet we do not have confidence in our “yes” or a plan to get to “yes”. So what’s an architect of yes? In my mind it is a CISO who closes that gap: building the controls that let the business adopt AI safely, so that the “yes” is not reluctantly forced, but a starting position in the discussion, and confidently given.
The industry keeps selling us fear
When confidence drops, the security market does what it always does. It sells fear. More column inches filled with experts admiring the problem. More breathless analysis of the latest model’s latest flaw. More demos engineered to make you feel behind.
I get it. Fear is easy to sell to people who are already anxious. But speaking frankly, it is useless to a CISO who has a CEO in one ear and an engineering team in the other, and neither are *really* asking a question… unless you count “when?”.
Dwelling on the danger does not answer that question. It just tells you what you already know, which is that AI is risky and moving fast. We don’t need another reminder. We need a way to say yes without it blowing up in our faces.
To say yes, you have to architect for it
There’s an old caricature of our role: the Department of No. The person who shows up to kill the project. But for most of us CISOs it’s actually infuriatingly dated: Most of us made the shift to the Department of Know on our way to the Department of Yes (with conditions) years ago. We moved from blanket bans to granular controls, from blocking tools to coaching the people using them.
But AI is testing that mindset harder than anything before it. The pace is relentless and the blast radius of a mistake can be severe. The temptation, when something moves this fast, is to retreat to the old posture and just say no.
I think that’s the wrong move, and not only because the business will route around you. Saying no isn’t security. It’s the absence of an enabling architecture. When a CISO blocks something outright, it usually means we haven’t built the structure that would let us approve it safely. The no is a confession, not a control.
We are the people who the business is looking to to build the frameworks that let things happen. We are the ones that are able to take the business’s ambition and constraints (the budget, the risk appetite, the culture), and turn them into something that stands up. That is architecture. It always has been, and AI is just the latest brief.
What a defensible “yes” looks like
To say yes with confidence, I need a few things in place:
- Discovery, so I know what AI is actually running;
- Controls at the data layer, not just the app layer, because every AI service is hungry for more data;
- Identity that extends to agents, not just people;
- Governance for AI, agents, and MCP; and monitoring that adapts as fast as the tools do.
Simply put governance, guardrails, and data protection. Put those in place and practice using them until they feel routine, and saying yes becomes a process.
The world’s gatekeepers can be enablers
Rather than more naval gazing at the problem, I want to hear about where CISOs are winning. Plenty of CISOs are getting comfortable, finding momentum, maturing their programs. That’s the conversation I am interested in; not what’s dangerous, but what’s possible, and how to get there.
The world doesn’t need more gatekeepers. It needs more builders. More CISOs who can walk into the room and say (with the architecture to prove it) “Yes, we’re ready, and here’s how we do it.”
That’s what “architect of yes” means to me. I think it’s the best version of our job, and I think it’s the one this moment is asking us to step into.