As artificial intelligence (AI) continues to permeate into every corner of the enterprise and essential services, organizations face a startling reality: theย threatย landscape is changing much faster than manyย anticipated. AIโs integration into business operations has the potential to generate immense value, but it also widens the attack surface. It challenges long-held assumptions about security, and, without careful planning, risks exposing the very data these initiatives are built on. In a world where speed to market often overrules caution, security leaders must reconsider their own approach to cybersecurity if they want to protect their data and systems appropriately.ย ย
Zeroย trustย isnโtย new, but its role as an operating discipline is more critical than ever across todayโs complex technology environments. Its practical implementation, rooted in discipline rather than hype, guides organizations to resilience, whether faced with AI, cloud, or other unforeseen threats.ย
The Data Threat Surfaceย
Itโsย not an exaggeration to say that data is now everywhere: in transit between cloud services, resting on endpoints and servers, feeding analytics and automation, and, of course, training AI models. Each time data is moved or used, it creates value, but it also expands the range of potential exposures,ย whether toย external adversaries or internal risks.ย
While some organizations are alreadyย very cautiousย about data use and access, the reality is that many organizations continue to struggle to balance agility with caution. Unsurprisingly, rapid technology adoption is often prioritized over careful risk management. Sensitive, proprietary, and regulated data can easily find itself outside the visibility or protection of established security measures if leaders do notย maintainย (and prioritize) clear oversight.ย
Zero Trustย Isnโtย a Slogan,ย Itโsย an Operating Principleย
Itโsย been a long time sinceย trust but verifyย was sufficient to protect data, if indeed it ever was.ย Zero trustย principlesย demand continuous validation, denying default faith in users, applications, devices, or data sources, regardless of where they sit in the network. This philosophy is neither new nor linked solely to cybersecurityโs latest trends; indeed,ย itโsย been the backbone for sustainable risk reduction for many years.ย
Before applying access controls or other defenses, organizations must map and classify data assets across all environments.ย Itโsย also important to regularly update inventories as new systems and cloud services come online. Security teams can tailor controls, such as labeling, encryption, and access restrictions, to the sensitivity, regulatory requirements, and business value of each classification.ย
Zero trust, asย many practitioners emphasize,ย isย a discipline rooted in visibility, control, and continuous verification. If youย donโtย know where data is, who is accessing it, and when,ย thereโsย no way to be certain thatย itโsย truly secure.ย ย
Defense-in-Depth Is Part of the Equationย
Modern threats, including those posed by emerging AI capabilities, exploit gaps that canย emergeย anywhere: in endpoints, cloud environments, and even through well-meaning staff members. Firewalls and single-point solutions are not adequate to protect organizations from these threats; they must be layered with policies, identity controls, encryption, and constant oversight to address an evolving attack surface.ย ย
Defense-in-depth comes from an old infantry tactic thatย allowedย you to delay your adversary from coming in, putting objects in the way to slow their advance andย allowย you to launch a counterattack. In terms of cybersecurity, there are a lot of tools that can help youย slowย the advancement of a cyber adversary. Over a decade ago, attackers stole and leaked vast amounts of data fromย Sony.ย While Sony surely had tools to deter access, there was no lawful or effective way to launch a counterattack.ย Defense-in-depth in cybersecurity slows adversaries down, but, understandably, organizations only do the first half of the tactic.ย Thatโsย why it really must be augmented by zero trust principles. In addition to defensive tools, organizations mustย establishย persistent, repeatable practices, such as:ย
- Authenticating and enforcing least privilege access across all systems and dataย
- Scheduling regular audits of permissionsย
- Conducting robust data inventory and classificationย
- Encrypting all sensitive data at rest and in transit by default, including backups and databasesย
- Monitoring proactively, enabling anomaly detection, and logging every transactionย
- Automating identity and access management (whenever possible) to quickly revoke unused or risky privilegesย
As threats evolve,ย in quality and quantity, the discipline of layered and verifiable controls is what holds the line.ย
Policy, Governance, and Shadow IT/AIย
One of the most persistent organizational risks has always been the proliferation of unsanctioned technology โ shadow IT. Increasingly, shadow AI isย emergingย as a new area of risk. It refers to AI tools, models, or projects deployed outside formal IT or security oversight. Those risks are serious, and include:ย
- Sensitive organizational data may be fed into unapproved, unmonitored external toolsย
- Models trained on such data often lack proper governance, introducing bias, compliance risks, and legal exposureย
- Undocumented AI services significantly expand the organization’s unknown attack surface
Mitigating shadow AI requires more than technical fixes. It demands relentless education, policy clarity, and the extension of zero trust principles to experimental or unofficial projects. To effectively enforce these policies, organizations must implement practical mechanisms, such as mandatory employee training programs on responsible AI and technology usage, automated processes for onboarding and offboarding users, and technical monitoring solutions to detect unsanctioned applications or services. For example, deploying network discovery tools to reveal shadow technology and conducting regular reviews or refresher sessions on acceptable use and the consequences of non-compliance.ย
Simplicity and Zero Trustย
Security is not a one-time initiative, but an ongoing discipline.ย Ultimately, sustainable, adaptable security hinges on simplicity and repeated, well-understood processes. Organizations that weave zero trust principles into their daily operations, from the tech stack to cultural mindset, are far better prepared to meet both present and future threats, including those driven by AI. Innovation in AI will continue (quickly, as the last few yearsย demonstrate) and cyber adversaries will grow more sophisticated as they learn how toย use new AI capabilitiesย more effectively.ย
By embedding these fundamentals into daily operations across every stage of AI transformation, organizations can defend against todayโs threats and position themselves to adapt, endure, and lead in the face of whatever tomorrowโs adversaries may bring.ย
