Why CISOs Must Reinvent Data Security for the Age of AI: A Ten-Point Plan to Get There

By Nishant Doshi, Cyberhaven, CEO

Insider risk is rising, AI is accelerating, and traditional DLP can’t keep up. Here’s what CISOs tell me about how they’re rethinking strategy before sensitive data walks out the door.

I spent a few days talking with CISOs from finance, tech, biotech, and other key industries. My goal was simple: understand what’s actually keeping them up at night when it comes to data security.

What I heard was both alarming and energizing. One CISO put it this way: thirty years ago companies rushed to connect to the internet without realizing how exposed those networks really were. It took decades of deploying firewalls, intrusion detection, and endpoint protection to regain a sense of control. Now, we’re repeating that history with data and AI.

Given the fundamental changes in the data security landscape, I wanted to share some insights from our customers and network of CISOs to help you understand what’s happening and chart a path forward.

The Challenges CISOs Face Today

Insider risks are rising

Many organizations now require a “leaver report” before anyone exits the company: essentially a forensic snapshot of whether data was staged for exfiltration. In many cases, the results are shocking. One report revealed executives quietly transferring intellectual property to personal devices under the guise of “exceptions.” Others show the full range of malicious behavior, from dragging and dropping sensitive data into personal email, to sophisticated obfuscation sequences.

This isn’t paranoia. Insider risk is rising because other attack vectors, such as phishing or ransomware, are better defended today. When breaking in gets harder, insiders become the most straightforward path out.

AI amplifies risks and rewards

CISOs consistently say AI is becoming every employee’s silent partner. That creates opportunity, but also risk. Shadow AI – unapproved apps adopted by employees – is everywhere, and few organizations have policies to govern it. Agent-based AI introduces another layer of complexity: automated systems communicating with each other, moving data in ways invisible to legacy controls.

At the same time, AI offers hope. Some leaders pointed to lineage analysis, tracing how data moves and transforms across systems, as a breakthrough security model. Cyberhaven, for example, applies models to lineage in the same way large language models interpret text, but focused on data flow rather than language. It’s one of the most promising advances in data security.

Fragmented data makes it harder to see the full picture

Another CISO put it bluntly: “It’s not about protecting files anymore; it’s about tracing fragments.”

The traditional data paradigm has collapsed. Once, we could assume sensitive data lived in databases or managed repositories. Now, workflows fragment that same data into countless slivers: copied into Slack, mashed up in Google Docs, piped into an AI chatbot. Without lineage – visibility across where every piece of data originates, flows, and lands – security teams are getting only a tiny piece of the whole puzzle.

Identity without context falls short

Many organizations have invested heavily in identity and access management (IAM) and identity governance and administration (IGA). But identities are fractured across Active Directory, Okta, Google, and SaaS-specific systems. A privileged user in one domain may not look privileged in another. CISOs have noted that correlating entitlement data with observed data movement is one of the most powerful steps forward. It exposes not just who can access information, but how they’re actually using it.

Shifting the culture

CISOs also highlight the need to change how employees experience security. One described deploying inline education instead of hard blocks: for example, explaining in the moment why uploading customer data to personal cloud storage might violate a policy instead of simply blocking the upload. Another used insider risk insights not just for enforcement, but as a retention tool. In his case, executives were alerted when high-performers were staging data for departure, enabling interventions that saved both talent and revenue.

This is where the CISO role is shifting from gatekeeper to strategist. The job now requires balancing trust, education, and business outcomes.

A 10-Point Plan for Securing Data in the AI Era

  1. Adopt data lineage as a first-class control. Track data across systems and fragments, not just at rest or in transit.
  2. Modernize DLP. Move beyond regex and pattern matching; incorporate context-aware models that understand usage, not just content.
  3. Tackle insider risk head-on. Build proactive leaver reports and person-centric monitoring.
  4. Govern shadow AI. Inventory usage, establish risk scores for AI-enabled apps, and enforce clear policies.
  5. Prepare for agent-based AI. Monitor not just human workflows but machine-to-machine data exchanges.
  6. Integrate identity with activity. Correlate entitlements from IAM/IGA systems with observed data movement to detect privilege misuse.
  7. Design frictionless controls. Favor education and nudges over blunt-force blocking whenever possible.
  8. Make security a business enabler. Frame insider risk in terms of revenue retention, customer trust, and compliance.
  9. Leverage AI for defense. Use models trained on lineage and behavior to automate detection and reduce analyst burden.
  10. Foster collaboration and knowledge sharing. Establish blueprints and best practices across peers to avoid reinventing the wheel.

The Future of CISO Leadership

The velocity of AI adoption demands faster answers, deeper visibility, and more proactive controls. Data lineage will be the backbone that makes this possible.

The companies that succeed will be those where the CISO isn’t just blocking threats, but architecting trust. Security becomes a competitive advantage in the age of AI.
