
Why Zero Trust Must Guide the Future of Security As AI Adoption Grows

By Stephen Gorham, Chief Strategy Officer at OPSWAT

As artificial intelligence (AI) continues to permeate every corner of the enterprise and essential services, organizations face a startling reality: the threat landscape is changing much faster than many anticipated. AI’s integration into business operations has the potential to generate immense value, but it also widens the attack surface. It challenges long-held assumptions about security and, without careful planning, risks exposing the very data these initiatives are built on. In a world where speed to market often overrules caution, security leaders must reconsider their approach to cybersecurity if they want to protect their data and systems appropriately.

Zero trust isn’t new, but its role as an operating discipline is more critical than ever across today’s complex technology environments. Its practical implementation, rooted in discipline rather than hype, guides organizations to resilience, whether faced with AI, cloud, or other unforeseen threats. 

The Data Threat Surface 

It’s not an exaggeration to say that data is now everywhere: in transit between cloud services, resting on endpoints and servers, feeding analytics and automation, and, of course, training AI models. Each time data is moved or used, it creates value, but it also expands the range of potential exposures, whether to external adversaries or internal risks. 

While some organizations are already very cautious about data use and access, the reality is that many organizations continue to struggle to balance agility with caution. Unsurprisingly, rapid technology adoption is often prioritized over careful risk management. Sensitive, proprietary, and regulated data can easily find itself outside the visibility or protection of established security measures if leaders do not maintain (and prioritize) clear oversight. 

Zero Trust Isn’t a Slogan, It’s an Operating Principle 

It’s been a long time since “trust but verify” was sufficient to protect data, if indeed it ever was. Zero trust principles demand continuous validation, denying default faith in users, applications, devices, or data sources, regardless of where they sit in the network. This philosophy is neither new nor linked solely to cybersecurity’s latest trends; indeed, it’s been the backbone of sustainable risk reduction for many years.

Before applying access controls or other defenses, organizations must map and classify data assets across all environments. It’s also important to regularly update inventories as new systems and cloud services come online. Security teams can tailor controls, such as labeling, encryption, and access restrictions, to the sensitivity, regulatory requirements, and business value of each classification. 

Zero trust, as many practitioners emphasize, is a discipline rooted in visibility, control, and continuous verification. If you don’t know where data is, who is accessing it, and when, there’s no way to be certain that it’s truly secure.  

Defense-in-Depth Is Part of the Equation 

Modern threats, including those posed by emerging AI capabilities, exploit gaps that can emerge anywhere: in endpoints, cloud environments, and even through well-meaning staff members. Firewalls and single-point solutions are not adequate to protect organizations from these threats; they must be layered with policies, identity controls, encryption, and constant oversight to address an evolving attack surface.  

Defense-in-depth comes from an old infantry tactic: putting objects in the adversary’s way to delay their entry and slow their advance, giving you time to launch a counterattack. In cybersecurity, there are many tools that can help you slow the advance of a cyber adversary. Over a decade ago, attackers stole and leaked vast amounts of data from Sony. While Sony surely had tools to deter access, there was no lawful or effective way to launch a counterattack. Defense-in-depth in cybersecurity slows adversaries down, but, understandably, organizations carry out only the first half of the tactic. That’s why it really must be augmented by zero trust principles. In addition to defensive tools, organizations must establish persistent, repeatable practices, such as:

  • Authenticating and enforcing least privilege access across all systems and data 
  • Scheduling regular audits of permissions 
  • Conducting robust data inventory and classification 
  • Encrypting all sensitive data at rest and in transit by default, including backups and databases 
  • Monitoring proactively, enabling anomaly detection, and logging every transaction 
  • Automating identity and access management (whenever possible) to quickly revoke unused or risky privileges 

As threats evolve, in quality and quantity, the discipline of layered and verifiable controls is what holds the line. 

Policy, Governance, and Shadow IT/AI 

One of the most persistent organizational risks has always been the proliferation of unsanctioned technology — shadow IT. Increasingly, shadow AI is emerging as a new area of risk. It refers to AI tools, models, or projects deployed outside formal IT or security oversight. Those risks are serious, and include: 

  • Sensitive organizational data may be fed into unapproved, unmonitored external tools 
  • Models trained on such data often lack proper governance, introducing bias, compliance risks, and legal exposure 
  • Undocumented AI services significantly expand the organization’s unknown attack surface

Mitigating shadow AI requires more than technical fixes. It demands relentless education, policy clarity, and the extension of zero trust principles to experimental or unofficial projects. To effectively enforce these policies, organizations must implement practical mechanisms, such as mandatory employee training programs on responsible AI and technology usage, automated processes for onboarding and offboarding users, and technical monitoring solutions to detect unsanctioned applications or services. For example, organizations can deploy network discovery tools to reveal shadow technology and conduct regular reviews or refresher sessions on acceptable use and the consequences of non-compliance.

Simplicity and Zero Trust 

Security is not a one-time initiative, but an ongoing discipline. Ultimately, sustainable, adaptable security hinges on simplicity and repeated, well-understood processes. Organizations that weave zero trust principles into their daily operations, from the tech stack to cultural mindset, are far better prepared to meet both present and future threats, including those driven by AI. Innovation in AI will continue (quickly, as the last few years demonstrate) and cyber adversaries will grow more sophisticated as they learn how to use new AI capabilities more effectively. 

By embedding these fundamentals into daily operations across every stage of AI transformation, organizations can defend against today’s threats and position themselves to adapt, endure, and lead in the face of whatever tomorrow’s adversaries may bring. 
