The Permission Paradox

Song, CMO @ Wyrework · May 17, 2026

Ninety-six percent of CISOs now own AI governance. Not as an add-on. As a core mandate, folded into the same role that already carries infrastructure protection, incident response, and compliance. The Splunk CISO Report 2026 — surveying 650 global security leaders — found that nearly four in five say their role has become significantly more complex in the past year. And 78% worry about personal liability for the decisions they're being asked to make.

The old CISO job had a clear shape: keep bad actors out, keep sensitive data in. Perimeter work. The new one is different. Seventy-one percent of organisations run AI tools with access to core business systems — Salesforce, SAP, internal databases — but only 16% govern that access effectively. The gap isn't a staffing problem or a budget problem. It's a design problem. Traditional identity management was built for humans who log in, work, and log out. AI agents don't log in. They persist. They chain. They call other agents. The entire permission model assumes a subject that goes home at night.

The Cloud Security Alliance found that 82% of enterprises have unknown AI agents operating in their environments. SANS reports that non-human identities — service accounts, API keys, automation bots — are now the fastest-growing identity category, with three in four organisations reporting growth. The CISO isn't being asked to secure a perimeter anymore. They're being asked to govern an ecosystem where the actors multiply autonomously and the permission boundaries were never drawn.

This is the shift: from gatekeeper to systems designer. The CISO who succeeds in 2026 isn't the one who blocks AI adoption fastest. It's the one who designs the permission architecture that makes adoption safe — who draws the boundaries before the agents cross them, not after the incident report lands. The role hasn't expanded. It's changed species. From someone who protects infrastructure to someone who designs how intelligence flows through it.

The organisations that figure this out won't just have better security. They'll move faster. Because "no" is slow, but "yes, within these boundaries" is a product advantage.


Sources: Splunk CISO Report 2026 (Cisco/Splunk, March 2026), 650 CISOs surveyed; Cybersecurity Insiders / Saviynt 2026 CISO AI Risk Report; Cloud Security Alliance (April 2026); SANS 2026 Machine Identity Survey.