Here is a pattern we see over and over again. A company is smart. The engineering team is strong. AI adoption is moving fast. And leadership is confident they have it under control.

Then someone looks under the hood.

That is what happened when we ran an AI Security and Risk Assessment for a fintech firm in a regulated market. The company had strong instincts — early AI adoption, skilled teams, and a growing set of use cases. What they lacked was a way to see, govern, or defend how AI was really being used.

They are not alone. After walking the show floor at RSA Conference 2026, one thing is clear: the industry knows this is a problem. ’s post-RSAC vendor report found that 37% of booths mentioned AI. Identity, governance, and security operations led the way. But here is the hard truth behind the buzz — most firms are still figuring out how to close the gap between AI power and AI control.

That gap is where the real risk lives.

What We Found

The assessment covered eight domains and included interviews across leadership, engineering, and business teams. The results told a clear story.

• Upwards of 100 risks identified across governance, security, data, and infrastructure

• The heaviest concentration was in governance and compliance — with over a dozen rated high or critical

• Security and trust risks followed close behind, with the majority rated high severity

• Data and AI platform risks rounded out the picture, including several high-priority findings

The risks were not scattered. They were concentrated in three areas: governance, security, and data. That pattern points to structural gaps, not one-off problems.

Three challenges stood out above the rest.

Governance without enforcement. Policies existed. Intent was there. But there was no defined ownership, no enforcement mechanism, and no audit trail. Governance was informal and hard to defend.

Identity and access gaps in AI systems. AI agents and services had no steady identity. Access was too broad. Nothing was centrally managed. This is the kind of risk that builds quietly — until it does not.

Uncontrolled AI use case growth. AI was being developed across business units, deployed without formal approval, and extended into customer-facing workflows. Governance simply could not keep pace with adoption.

Why This Matters Right Now

FINRA’s 2026 guidance makes the stakes clear. AI is no longer treated as a test. It is part of the firm’s control environment. That means oversight of AI-driven processes, data quality and tracing, logging of AI outputs, and close attention to the risks of agentic AI — autonomy, scope, and the ability to audit.

The shift is simple but significant. If AI touches decisions that affect customers, markets, or compliance, it must be governed like any other control.

Ellis’s RSA report backs this up from the vendor side. The categories with the most booths — identity, app security, and security operations — are the same areas where this assessment found the deepest gaps. The market is building answers. But most firms have not yet mapped the problems those answers are meant to solve.

What Changed

After the assessment, the organization had something it did not have before: clarity.

• A full view of AI-related risks and where they are concentrated

• A prioritized list of what matters most — and what can wait

• Leadership aligned around AI as a governance challenge, not just a growth play

• A structured path from experimentation to governed execution

Identient also delivered a digital twin of the assessment itself. Instead of leaving findings locked in a static report, a conversational agent makes risk insights easy to query, explore, and apply in real time. Leaders can ask questions, revisit findings, and act on insights as things change.

This is the shift we described in our earlier post on Verified Digital Twins. Risk management cannot be a point-in-time exercise. It has to become a continuous, intelligence-driven function.

The Bottom Line

This firm is not behind. They are at a turning point — and they had the sense to act before the gap became a crisis.

The firms that win with AI will not be the fastest to deploy. They will be the ones that can trust, control, and defend the choices AI makes on their behalf.

That requires three things: structured governance, verified data, and disciplined execution.

Ready to See What You’re Missing?

Experience how Identient reveals the signals behind your strategy — from real-time insight to board-level clarity. Move beyond assumptions, align execution to what matters, and lead with confidence.

Schedule a Discovery Call →

In this episode of The Strategy Layer Live, Steve sits down with Richard Bird—multi-time CISO, former Chief Customer Information Officer at Ping Identity, author, and current Chief Security Officer at Singulr—for a conversation that pushes beyond conventional cybersecurity narratives.

For the first time on the podcast, an AI digital twin takes an active speaking role, opening the episode with a blunt assessment of where cybersecurity thinking has already fallen behind. From there, the discussion moves into the strategic implications of AI across cybercrime, governance, leadership, and careers.

This episode explores how AI is reshaping the threat landscape faster than most organizations are prepared for, why governance failures are increasingly systemic rather than technical, and what leadership looks like when machines operate at scale and speed. The conversation also turns personal, with reflections on Richard’s book Famous With 12 People and the legacy he hopes to leave behind.

Prefer to listen?

Apple Podcasts

Spotify

Key Topics Discussed

AI Digital Twins in Leadership Conversations
What it means when AI systems don’t just assist—but actively participate in strategic dialogue.

AI and the Acceleration of Cybercrime
How attackers are using AI as force multiplication while many organizations reduce human defenders.

Shadow AI and Unfinished Security Work
Why decades of unfinished IT and security projects created the conditions for today’s AI risk.

Governance Failures Are Systemic, Not Technical
How leadership blind spots—not tooling—are driving AI governance gaps.

Identity, Access, and Ownership in an AI World
Why diffuse responsibility leads to no accountability when AI systems act at scale.

The Future of Consulting and Verified Intelligence
How AI is reshaping advisory work and exposing performative expertise.

Career Strategy and Influence
Insights from Famous With 12 People on building impact through depth, clarity, and relevance.

Legacy and Leadership
Richard’s reflections on service, contribution, and what comes next beyond titles and roles.

Insightful Takeaways

AI rewards preparedness, not optimism.
Attackers are using AI to move faster and more efficiently; organizations that fail to adapt governance and defenses will see the results in loss curves.

Shadow AI is a leadership problem before it’s a technology problem.
Uncontrolled AI use is the predictable outcome of years of tolerated sprawl and unfinished security work.

Cutting people while attackers scale with AI is a dangerous asymmetry.
AI augments those who use it strategically—and penalizes those who remove human judgment from critical systems.

Governance must evolve from policy to ownership.
When everyone owns identity, risk, or AI outcomes, accountability disappears.

Impact comes from depth, not scale.
Leadership, influence, and career growth are built by being meaningful to a few—not visible to everyone.

Legacy is defined by service, not status.
The most durable contribution comes from helping others move forward—especially in moments of uncertainty and change.

Quote of the show:

“Has it been proven to you that you don’t suck at security?” —Richard Bird

Links:

Richard Bird on LinkedIn: https://www.linkedin.com/in/rbird/

Digital twins aren’t a concept—they’re already being used.
Try Richard Bird’s digital twin or learn how to create one for the marketplace at Identient.com.

As the year comes to a close, many leaders are taking stock of what AI has changed inside their organizations. The gains are real. Work moves faster. Information is easier to digest. Communication feels smoother. For many teams, AI has become part of the daily rhythm of getting things done.

But beneath these visible improvements, something quieter and more consequential is happening. AI is beginning to shape how leaders see their organizations, how they interpret signals, and how they decide where to focus next. Those effects are harder to measure, but they will matter far more in the long run.

Earlier this year, MIT Sloan Review made the case that “philosophy is eating AI,” arguing that beneath the models and metrics, AI increasingly reflects how we define knowledge, reality, and purpose (MIT Sloan Review, 2025)1. That framing may sound abstract, but the implication for leaders is very practical. AI systems inevitably reflect how we think the system works. Over time, they reinforce that view, whether it remains accurate or not.

This is why AI’s greatest impact will not be on output volume. It will be on leadership impact.

AI Reflects How Leaders See the World

AI does not start with data alone. It starts with choices about what data matters, which signals are trusted, and what outcomes are worth optimizing. Those choices are often implicit. They live inside models, dashboards, prompts, and workflows that feel neutral because they are technical.

Yet these systems shape what feels clear and what feels urgent. They influence which risks rise to the surface and which fade into the background. In subtle ways, they guide attention, and attention drives action.

When leaders say AI helps them “see the business more clearly,” that clarity is always relative to the assumptions encoded in the system. What gets measured is what gets discussed. What gets summarized is what gets remembered. What gets optimized is what gets rewarded.

None of this is malicious or careless. It is simply how systems work. Over time, AI becomes a reflection of how leaders understand the organization and what they believe is important.

Why Trust in AI Is Complicated, and Rightly So

Given this dynamic, it should not be surprising that many organizations struggle with trust when it comes to AI. A recent Fast Company article noted that mistrust in AI is often well placed, especially when systems feel disconnected from the realities leaders care about most (Fast Company, 2025)2. Trust does not come from transparency alone. It comes from alignment.

Leaders are right to be cautious when AI confidently produces answers without making clear which assumptions are driving those answers. When systems feel generic or detached from domain expertise, skepticism is a rational response.

Trust grows when AI is purpose-built, grounded in expertise, and designed to reflect the real tensions leaders face. In other words, when AI helps leaders reason better, not just faster.

When Assumptions Begin to Compound

The stakes rise as AI systems become more autonomous and self-reinforcing. Researchers and practitioners have begun to ask hard questions about what happens when AI increasingly trains itself, refining its behavior through feedback loops that may drift from original intent (The Guardian, 2025)3.

From a leadership perspective, this is less about losing control and more about losing intentionality. Systems that continuously reinforce existing patterns can quietly lock in outdated assumptions. Decisions feel easier. Outputs feel confident. Meanwhile, misalignment grows harder to detect.

This is how complexity compounds. Not through sudden failure, but through small, accumulated shifts that go unnoticed because everything still appears to be working.

In these moments, AI functions as a mirror. It reflects how leaders believe the organization operates. Over time, it may reveal gaps between that belief and lived reality.

Disagreement Is a Feature, Not a Bug

One of the more interesting developments in AI this year has been the rise of multi-agent systems. As observers have noted, AI agents are increasingly interacting with one another, and they do not always agree (Wondering About AI, 2025)4. That disagreement can feel uncomfortable, especially in environments that prize alignment and consistency.

But disagreement is often where insight emerges.

Research on multi-agent debate shows that structured disagreement, particularly when identity signals are reduced or anonymized, can improve outcomes and reduce bias (Zhang et al., 2025)5. In organizational terms, this mirrors what strong leadership teams already know. Healthy systems surface tension early. Weak systems suppress it until it becomes unavoidable.

AI that merely reinforces consensus may feel reassuring, but it rarely improves judgment. AI that surfaces competing perspectives, patterns, and tradeoffs helps leaders see the system more fully.

From Productivity to Leadership Impact

None of this diminishes the value of everyday AI use cases. Tools that summarize meetings, draft communications, and speed up analysis are genuinely useful. They reduce friction and free up time.

The difference is that productivity gains alone do not guarantee better leadership outcomes.

Leadership impact comes from making better decisions under complexity. It comes from seeing patterns before they become problems. It comes from distinguishing signal from noise and momentum from progress.

AI that improves leadership impact does not simply accelerate existing narratives. It helps leaders test them. It introduces productive tension. It highlights where confidence may be outrunning evidence.

This is where the strategic choice of which AI to deploy becomes critical. Generic tools optimize for convenience and volume. Purpose-built systems, grounded in verified intelligence, optimize for clarity and judgment. In short, Generic AI accelerates activity; verified intelligence amplifies leadership.

Rethinking AI Governance

These dynamics have important implications for AI governance. Much of today’s governance conversation focuses on guardrails, policies, and model risk. Those are necessary foundations. But they are not sufficient.

Effective AI governance must also protect leadership effectiveness over time. It must account for drift, compounding effects, and the way AI-informed decisions accumulate across the organization. Governance should help leaders understand not just what AI is allowed to do, but how it is shaping priorities, incentives, and attention.

When governance focuses only on deployment, it misses the harder question of impact. When it focuses only on control, it risks constraining learning.

Do you agree?

The most effective governance frameworks treat AI as part of the leadership system itself. They emphasize evidence, feedback loops, and the ability to course-correct as conditions change.

Verified Intelligence and Strategic Clarity

This is where verified intelligence becomes a meaningful differentiator. Systems designed to observe trends over time, grounded in domain expertise, help leaders cut through complexity rather than add to it.

At Identient, this perspective informs how we approach AI-enabled analysis across identity and cybersecurity. Tools like SPI 360 focus on trend analysis across strategy, governance, people, and technology, helping leaders distinguish isolated issues from systemic patterns and short-term noise from meaningful change.

The goal is not more dashboards or more activity. It is clearer insight that supports better prioritization and more confident leadership decisions.

Digital Models as Tools for Clarity

Digital models and digital twins amplify both the promise and the risk of AI. By formalizing how an organization understands itself, they make assumptions visible. That visibility is powerful.

But models are not oracles. They do not eliminate uncertainty. They shape how uncertainty is perceived.

Used well, digital models help leaders see complexity more clearly and ask better questions. Used poorly, they can create a false sense of certainty that obscures emerging risks.

The difference lies in how intentionally they are designed and governed, and whether they are treated as tools for inquiry rather than answers in themselves.

Choosing Leadership Impact Over Activity

As leaders look ahead to the next planning cycle, the temptation will be to measure AI success by scale. More deployments. More use cases. More output.

A better measure is impact.

AI will either sharpen leadership impact or multiply activity without direction. The difference lies in which intelligence leaders choose to deploy and which they choose not to.

The quiet choices made today about trust, assumptions, and governance will shape how leaders see their organizations tomorrow. In a world of increasing complexity, clarity is not a nice-to-have. It is the foundation of meaningful performance.

And that is where AI’s real value will be found.

Leave a comment

Footnotes

4

Wondering About AI. (2025). AI agents are talking to each other…and they don’t always agree.

Wondering About AI

AI agents are talking to each other...and they don't always agree

Disclosure: This post is based on the results of a topical analysis conducted in Future Scan, a trend discovery tool for AI/ML research. I wrote the initial draft, but used Claude Sonnet 4.5 to help me translate scientific jargon and (mostly) eradicate awkwardness…

Read more

6 months ago · 56 likes · 26 comments · Karen Spinner

He shares how running and coaching informed his approach to developing people, why modernization must be incremental and human-centered, and what it really looks like when a CIO steps fully into cybersecurity accountability alongside their CISO.

Bill’s insights offer a grounded, practical masterclass in leading with purpose, navigating complexity, and building public trust in the digital age.

Prefer to listen?

Apple Podcasts

Spotify

What We Cover in This Episode

• Bill’s early path into public service and what has kept him committed for decades

• The turning-point projects that shaped his leadership philosophy

• Lessons from running and coaching — discipline, strategy, and individual development

• The bold vision behind digital equity and the Resident Portal

• Modernization without fear: incremental change, customer experience, and agile delivery

• The Resident Portal Challenge and the future of procurement innovation

• Multi-vendor collaboration and why competition can create better outcomes

• The CIO–CISO partnership and shared responsibility for cybersecurity

• Leading through complexity with calm, clarity, and trust

• Bill’s reflections on legacy, public service, and the next generation of leaders

• How AI is reshaping responsibility, decision-making, and efficiency in government

Quote of the Show:

• “I’m the front lines for everything that happens — good or bad — and I consider myself accountable and responsible for everything that goes on in my agency and in technology in the state.” - Bill Kehoe

Links:

• https://watech.wa.gov/

• https://www.linkedin.com/in/william-kehoe-a37a0714b/

#CybersecurityLeadership #CIO #CISOPartnership #GovernmentTechnology #PublicSectorLeadership #DigitalGovernment #StrategyLayerLive

That distinction matters for one simple reason: the future will not be defined by “bigger models.” It will be defined by transparent, verifiable, provenance-rich intelligence that leaders can trust — and defend.

This shift isn’t theoretical. It’s happening right now.
And the smartest public and private sector organizations are already aligning with it.

Opaque Intelligence Is the Real Risk — Not AI Itself

I’ve spent years working across cybersecurity, IAM, and now AI and verified intelligence. And one pattern is becoming clear: as organizations begin laying the foundations of their AI strategy, the choices they make in 2026 will have long-term consequences. Many are exploring GenAI and LLM tools without fully understanding the short- and long-term risks these systems can introduce to their P&L, operational resilience, and decision quality.

This is the moment where leaders must decide whether to build on opaque, probabilistic tools—or on transparent, verifiable intelligence they can trust, audit, and defend. The organizations who pause to consider provenance, lineage, and accountability now will avoid painful redesign later and position themselves for durable, compounding productivity gains.

A human in the loop doesn’t fix this.
You can’t “review” what you can’t see.

If the system cannot show:

• Its reasoning path

• Its underlying sources

• Its version footprint

• Its inference chain

• Or whether it hallucinated

…then you own the outcome but you don’t own the evidence.

Opaque AI becomes a governance liability.
And regulators are beginning to say so out loud.

The Regulatory Wave Has Begun — Transparency Is Becoming Law

A growing set of U.S. states are taking decisive steps toward transparency, documentation, and proof of AI influence.

Washington’s HB 1170 — A Major Leap Forward in Transparency

As I wrote in AI Transparency 2.0: Why Washington Must Go Beyond Deepfakes to Decision Provenance, Washington State’s HB 1170 puts real stakes in the ground: citizens must be informed when AI influences decisions, and organizations must maintain records of how that intelligence was used.

This mirrors the same foundation seen in California’s early AI Transparency Act — and signals where nationwide policy is headed.

Colorado’s SB 24-205 — The Strongest AI Governance Law to Date

Colorado’s SB 24-205, enacted in 2024, establishes mandatory risk assessments, notices, governance controls, and documentation requirements for “high-risk” AI systems.2

This is the most comprehensive state-level AI law in the country, and it’s already influencing other states’ drafts.

Illinois HB 3773 — You Can’t Hide AI in Hiring Decisions

Illinois took a direct aim at algorithmic opacity by requiring disclosures and fairness documentation for any AI used in employment decisions starting in 2026.3

Illinois’ HB 3773 amends the state’s Human Rights Act to regulate the use of AI in employment decisions, prohibiting its use if it has a discriminatory effect based on protected classes and requiring employers to notify employees when AI is used in hiring, promotion, or other employment decisions. The law takes effect January 1, 2026, and also prohibits the use of zip codes as a proxy for protected classes in employment contexts.

The era of black-box algorithmic hiring is ending.

California’s AI Transparency Act — A Modern Benchmark for Disclosure

California’s new AI Transparency Act4 sets one of the clearest expectations in the country: organizations must disclose when AI is used in customer-facing or citizen-facing interactions, and they must maintain documentation that explains how automated decisions are generated. The Act goes beyond simple labeling—it requires organizations to preserve evidence of AI influence, enabling regulators and affected individuals to understand how and why an automated outcome occurred.

It signals a broader trend: transparency is no longer optional. It is fast becoming the baseline requirement for any organization deploying AI in high-impact contexts.

New York, Connecticut, and Massachusetts are following similar paths with draft frameworks focused on transparency and algorithmic accountability.

The direction is unified:

AI cannot be used for autonomous decision-making unless it operates with full transparency, provenance, and explainability.

This is no longer an abstract ethical debate.
It is becoming a regulatory and operational reality.

There Is No AI Bubble — The LLM Bubble Is What’s Bursting

The market is now recognizing what many of us working on verified intelligence have known for years:

• The bigger the model, the bigger the opacity

• The bigger the opacity, the bigger the liability

• And the bigger the liability, the smaller the strategic value

Look across industries: leaders are no longer asking “How do we get more AI?”
They’re asking:
“How do we trust what we’re using?”

Large language models aren’t dying — but their unverifiable use cases are.

As the Hugging Face CEO noted, the bubble is around LLMs specifically — not the broader field of AI innovation where transparency, interpretability, and provenance are core requirements.

That’s where the future is heading.
Quickly.

Verified Intelligence: What Comes After the LLM Bubble

I believe the next decade of AI will be defined by a new standard:

AI systems must be able to answer four questions with absolute clarity:

1. Where did this intelligence come from?

2. Whose expertise, data, and boundaries informed it?

3. What reasoning steps produced the answer?

4. Can we recreate the decision and prove its integrity?

Generic LLMs can answer none of these.
Verified intelligence systems can answer all of them.

This is why we built Identient’s marketplace around provenance, data lineage, identity-attached digital twins, and full auditability.
Because trust doesn’t come from bigger models — it comes from verifiable ones.

And it turns out that when you remove ambiguity, a second benefit emerges:

The Strategic Advantage:

10X Faster Alignment With 1/10th the Effort

Once you eliminate the ambiguity created by black-box systems, something remarkable happens:

• Alignment accelerates

• Decision cycles shrink

• Rework disappears

• Shadow expertise consolidates

• Dependency on expensive consultants is minimized

• And the organization begins operating with shared clarity

Verified intelligence doesn’t just reduce risk — it creates leverage.
It allows leaders to move faster because they can prove the integrity of their decisions.

This is what separates the companies that are merely adopting AI from those that will define the next decade.

Next Steps

If you’re interested in provenance, lineage, and transparency — Let’s Talk

At Identient, we love partnering with organizations who understand where the world is heading.
Companies building AI with:

• Traceability

• Transparency

• Verifiable expertise

• Auditability

• And human-owned intelligence

Those are the leaders who will outperform the rest of the market — not because they “used more AI,” but because they used trusted AI.

If that’s you, let’s chat.
We’d love to build the future with you.

But as I argued recently in AI is Cheap. Trust is Expensive., transparency for content is only half of the equation. What residents need is trust in the systems that inform decisions about them. And today’s Washington Digital Government Summit made that clearer than ever.

AI in government is no longer primarily about generating images or text. It is augmenting decisions, routing cases, prioritizing inspections, assisting in contracting, and shaping how residents interact with the state. Deepfakes aren’t the only risk. Opaque intelligence is, too.

Washington now needs AI Transparency 2.0: a model that provides provenance not just for synthetic media, but for AI-assisted decisions.

What HB 1170 Gets Right

HB 1170 focuses on media transparency:

• Clear labeling of AI-generated or AI-altered content

• Latent and manifest disclosures

• Publicly accessible detection tools with APIs

• Limits on retention of user-submitted content

• Alignment with C2PA-style provenance principles and NIST AI RMF concepts of traceability

This is the right foundation. Synthetic media harms are real. Election security, misinformation prevention, and public trust all benefit from strong provenance requirements.

But the bill only addresses outputs that look like media. It does not address AI systems used for decision support, which is where the public sector is already moving.

Today’s Summit demonstrated that gap clearly.

What Washington’s Leaders Said Today

At the Washington Digital Government Summit, three themes emerged across the closing panel on “AI Governance and Digital Equity in Washington Government.”

Bill Kehoe, State CIO

“AI innovation must be risk-averse and transparent.”
Kehoe emphasized strong data foundations, privacy, security, and clear disclosures. He highlighted the modern wa.gov resident portal as an example of how structured data and personalization can enhance services, while noting that transparency and opt-outs are mandatory for public trust.

Jake Hammock, CISO, City of Seattle

“Seattle is adopting human-centered AI with humans in the loop — not displacement, but augmentation.”
Seattle is hiring a City AI Officer and implementing its Responsible AI plan across public safety, permitting, and customer-service operations. Hammock stressed equity, accessibility, language translation, and correct labeling of AI outputs.

Stephen Hurd, Acting CIO, King County

“Generative AI for decision-making remains tricky — human oversight is essential.”
Hurd emphasized productivity and capacity gains, but made it clear: any decision that affects residents must retain human review. King County’s upcoming AI policy is grounded in oversight, transparency, and digital equity.

Across all three leaders, one message was consistent:
Government needs innovation, but it must remain cautious, transparent, and accountable.

That requires more than content labeling.
It requires decision provenance.

The Gap in HB 1170: Transparency for Media but Not Decisions

HB 1170 does not apply to:

• Case prioritization

• Eligibility determination

• Contract routing

• Public safety triage

• Fraud detection

• Resource allocation

• Workforce augmentation

• Constituent-service recommendations

None of these produce synthetic media.
All of them influence residents’ lives.

As the National Conference of State Legislatures puts it, governments nationwide are expanding their use of AI to “improve efficiency, decision-making, and the delivery of government services.”1 Today’s Summit speakers described the same reality in Washington.

We need transparency for more than images and content.
We need transparency for how AI contributes to decisions.

A Three-Layer Provenance Model for Washington

Drawing from both HB 1170 and the guidance of Washington’s technology leaders, Washington can adopt a forward-looking model of AI provenance:

1. Content Provenance

This is the domain of HB 1170:
Labeling, watermarking, and detection of AI-generated or altered media.

2. System Provenance

Which model generated the output?
What version?
What training, tuning, and guardrails?
What data quality and risks were known?

This aligns with Kehoe’s emphasis on data foundations, Hammock’s focus on governance, and Hurd’s insistence on transparency.

3. Decision Provenance

When AI informs or influences a decision, residents deserve to know:

• Who or what made the recommendation

• What signals, data, or models informed it

• How the reasoning chain was constructed

• Which human reviewed or approved it

• What alternatives were considered

This is where policy needs to evolve.
If content provenance protects residents from deception, decision provenance protects them from misgovernance, AI hallucinations, or worse.

How Washington Can Lead Nationally

To build on HB 1170 and match the future of public-sector AI use, Washington policymakers can consider the following:

1. Clarify provenance in legislative intent

Acknowledge content, system, and decision provenance even if only the first is mandated today.

2. Align with government-grade standards

NIST AI RMF
NIST Data Lifecycle guidance
C2PA for content provenance
OCIO Policy 188 updates
Seattle’s Responsible AI Framework

3. Require disclosures for AI-assisted decisions

Not bans. Not burdens.
Just clear notification, human review, and documented reasoning.

4. Support innovation funding

Kehoe’s call for agile modernization funds is critical for safe experimentation.

5. Encourage public-private collaboration

Seattle and King County are building their own frameworks.
The state can accelerate their progress by providing structure without over-prescription.

Washington can become a national leader by expanding transparency from media to the decisions that shape public outcomes.

Toward Trusted Intelligence in Government

The conversations at the Summit revealed something important:
Public-sector leaders aren’t asking for more automation. They’re asking for clarity, consistency, and confidence in the intelligence they rely on.

They want to know who — or what — they’re listening to.
They want to understand why a recommendation was made.
They want a traceable line from advice to authentic expertise.

They want AI that behaves less like a black box and more like a trusted colleague.

This is where the next generation of AI will evolve: toward systems that don’t just generate content, but embody verifiable expertise, maintain consistent reasoning, and operate with provenance by design. Systems where the source of insight is clear, the chain-of-custody is intact, and decision-makers can see why a certain answer was produced.

Because ultimately, as I wrote in AI is Cheap. Trust is Expensive., the future of AI isn’t about scaling intelligence — it’s about scaling trustworthy intelligence. And trust doesn’t come from speed or capacity. It comes from knowing what — and who — is behind the answers.

Conclusion

HB 1170 is the right starting point.
Transparency for synthetic media is essential.

But today’s Washington Digital Government Summit made clear that the real frontier is AI-informed decisions, not just AI-generated images.

Washington has an opportunity to lead the nation by expanding transparency to content, systems, and decisions — building a governance model that supports innovation while protecting residents.

AI transparency must move past detecting deepfakes.
It must ensure accountability for the intelligence we rely on.

This piece explores why provenance, verified expertise, and digital twins will define the next decade of AI—and why organizations that ignore trust will pay for it twice.

The Illusion of Cheap AI

Anyone can buy ChatGPT Plus for $20. But you can’t buy trust.

That’s the quiet truth behind today’s AI gold rush. Models get cheaper, faster, and more accessible by the month. Yet the leaders who can actually trust the intelligence they’re building their strategies on—that’s still a rare privilege.

We’ve entered an era where the price of information is plummeting, but the cost of certainty is rising.

The question is no longer Can AI think? It’s Can we trust what it thinks for us?

Because while AI may help us go faster, it often sends us racing confidently in the wrong direction.

“You can’t automate trust—but you can model it.”

The Problem with Cheap AI

Why “good enough” AI isn’t good enough for enterprise strategy.

Generative AI, for all its brilliance, is a master of mimicry. It’s a regurgitation engine—reshaping the web’s collective past into a polished, probabilistic reflection of the present. Ask it for a strategy, and it will give you the average of a thousand other strategies. Ask it for insight, and it will offer what sounds smart, not what is smart.

That’s fine for brainstorming. But it’s a liability for leadership.

When you rely on GenAI to solve strategic problems, you often become a context engineer—constantly rewriting prompts, rewording queries, and correcting hallucinations to chase precision that never quite arrives.

Meanwhile, hours disappear. Teams feel productive because words appear. But the signal-to-noise ratio drops. Leaders spend 2–10x more time iterating on outputs that lead to dead ends—or worse, elegant nonsense.

And then there’s the hidden cost: AI laundering.

Like money laundering, it’s the process of taking someone else’s intellectual capital, washing it through a model, and reissuing it as your own. Except this time, the currency being diluted isn’t cash—it’s credibility.

Authenticity becomes a liability on your balance sheet. Original thinking erodes. And in a world now governed by emerging AI transparency laws—like California’s AI Transparency Act 2.01, which mandates provenance and labeling—what was once clever repurposing is becoming a compliance and reputation risk.

The bottom line: cheap AI produces expensive confusion.

“Generative AI creates content. Verified expertise creates conviction.”

The Trust Crisis in Enterprise AI

When everyone’s AI looks the same, trust becomes your competitive advantage.

Trust has always been the currency of business. But in an AI-saturated world, it’s becoming the exchange rate for strategy itself.

Yes, you can buy a $20 chatbot. But it won’t buy you executive alignment, investor confidence, or measurable impact on your P&L.

At the enterprise level, the real question isn’t “How do we use AI?” but “How do we trust what it tells us enough to act on it?”

Because enterprise-scale trust—the kind that drives seven- and eight-figure impact—requires more than model performance metrics. It requires verified expertise. A lineage of knowledge that can be traced, cited, and believed.

When AI outputs come from nowhere, trust goes nowhere.

That creates a new class of corporate risk: strategic opacity.

Decisions built on synthetic knowledge—unverified, unattributed, context-free—create cracks in the foundation of leadership. You don’t just risk making bad calls; you risk eroding the confidence that fuels innovation.

When you can’t trace the origin of your insights, you’ve already lost control of the narrative.

“The real moat in AI isn’t data. It’s provenance.”

Leadership Without Trust Is Just Noise

Why the C-suite alignment problem is human, not technical.

Getting the C-suite on the same page has never been easy. Ego, politics, and miscommunication quietly drain millions in strategic waste every quarter. The most brilliant minds in the room often talk past each other, armed with their own truths.

And while AI was supposed to fix this, it often amplifies it.

When every executive can generate their own “strategic analysis” from a model trained on the internet, alignment doesn’t improve—it fractures. Each leader arrives armed with a different AI narrative, polished by different prompts, reflecting different biases.

You can’t automate alignment.

You have to build it—through trust, shared context, and a common source of truth.

That’s where verified digital twins enter the picture. Not fictional avatars, but faithful digital representations of executives, domain experts, and peer networks—trained on verified expertise, not scraped data.

These twins don’t replace leaders; they reflect them. They create a space where collaboration can happen without ego, where ideas can be tested, refined, and aligned before they ever reach production.

Imagine your leadership team rehearsing decisions with their digital counterparts—testing scenarios, surfacing blind spots, and converging on clarity without the friction of personality or politics.

That’s not science fiction. It’s a new kind of organizational psychology powered by verified intelligence.

From Generative to Verified

The rise of digital twins and the return of provenance.

The next era of AI isn’t about generating more content. It’s about verifying the intelligence that drives decisions.

Large Language Models (LLMs) are broad but shallow—they know something about everything, but not enough about you.
Small Language Models (SLMs)—trained on specific, verified data—are the inverse. They know less, but what they know is true, trusted, and contextual.

It’s the difference between reading Wikipedia and calling a mentor who’s been there.

Verified digital twins combine these SLMs with authenticated sources of expertise—creating a chain of provenance from human knowledge → verified data → explainable output.

This mirrors what’s happened in supply chains, finance, and media: provenance is the new quality.

For organizations, this is more than technical evolution. It’s philosophical.

When you can trust your intelligence, you no longer need to over-engineer control. You can move faster with less oversight because the system itself embeds integrity.

That’s what it means to execute 10x faster with 1/10th the effort.

Speed doesn’t come from automation—it comes from alignment.
And alignment starts with trust.

The Real Cost of Trust

Now is the time to put trust back at the center of AI.

AI is cheap. Trust is expensive.

But if you think trust is expensive, try operating without it.

The cost shows up in misaligned strategy meetings, delayed decisions, duplicated work, and stalled innovation. It’s the silent tax of distrust—paid daily by organizations that confuse speed with progress.

The companies that will win the next decade aren’t the ones deploying the most AI. They’re the ones deploying the most trusted intelligence—systems that integrate verified expertise, ethical provenance, and transparent reasoning.

Trust is not a soft concept. It’s a hard asset. It determines whether a CISO can sign off on a risk model, whether a CEO can act on a market signal, whether an investor believes your AI has defensible value.

As California’s AI Transparency Act signals, the market is demanding proof, not promises.

And that’s where the opportunity lies.

The leaders who invest now in verified digital twins—who create AI systems rooted in authenticity, attribution, and trust—won’t just comply with the future. They’ll define it.

Because the next phase of AI isn’t about bigger models. It’s about better mirrors—digital counterparts that reflect what’s real, credible, and uniquely yours.

The question isn’t whether you’ll build one.
The question is when.

Final Reflection

AI is no longer the differentiator. Everyone has it.
What will separate tomorrow’s market leaders is whether anyone believes what their AI says.

The companies that invest in verified expertise, transparency, and trust won’t just build better technology—they’ll build the credibility to lead.

And in a world where everyone’s shouting through machines, credibility might just be the last human advantage.

As we head into budget planning season for the next calendar year, one theme keeps showing up in every conversation: ROI.

Executives love certainty. Boards demand it. Vendors try to simulate it.
And somewhere in that tension lives the great illusion of modern enterprise finance—the illusion of pre-proven ROI.

ROI isn’t an oracle. It’s a model. It doesn’t predict the future; it helps you price it.
And in that sense, it functions much like Net Present Value (NPV) or the time value of money: both are forecasts that rely on real data, reasonable assumptions, and continuous refinement.

When leaders expect “proven ROI” before an engagement begins, what they’re really asking for is a forecast without inputs.
That’s not rigor—it’s wishful thinking dressed as discipline.

ROI as Forecast, Not Faith

ROI forecasting is not a sales tactic; it’s a financial instrument.
In finance, investors don’t demand proof of return before deploying capital. They model expected return using known variables: capital costs, cash flows, discount rates, and risk-adjusted assumptions.

Cybersecurity investments should be treated the same way.
Potential ROI is calculated through financial modeling, not conjecture. The process applies economic principles to project the present value of future benefits relative to the present value of future costs.

The key distinction is that ROI modeling is forecastable, not hypothetical.
It’s a legitimate form of decision analysis that provides directional confidence—not false precision.

The Discipline of Cost-Benefit Analysis

A well-constructed Cost-Benefit Analysis (CBA) is the backbone of ROI modeling.
It’s not about storytelling—it’s an exercise in economics.

The data required isn’t secret; it’s just often unavailable to external partners. It includes:

• Capital costs

• Operational costs

• Cost reductions

• Reduction of manual effort

• Efficiency gains

• Financial impact on the P&L

Each of these inputs connects directly to real financial systems—your ledger, your labor data, your operational reports. Without those inputs, external ROI projections are like calculating NPV with blank cells.

As shown in the example:

Alternative Total Costs Total Benefits Benefit-Cost Ratio A $100,000 $120,000 1.20 B $150,000 $190,000 1.27 C $200,000 $230,000 1.15

The Benefit-Cost Ratio (BCR) is calculated as:

BCR = Σ Present Value of Total Future Benefits / Σ Present Value of Total Future Costs

A ratio above 1.0 means benefits outweigh costs; the higher the number, the greater the return on investment.
But the value of the analysis isn’t in the number—it’s in the inputs.

Everything in cost-benefit analysis is measurable, but nothing is meaningful until the data reflects the realities of your environment.

The Time Value of Money: ROI’s Silent Variable

Every executive understands the time value of money—a dollar today is worth more than a dollar next year.
But in cybersecurity and operations, this truth is often forgotten.

When projects stall in pursuit of pre-proven ROI, the organization quietly accrues what economists call the Cost of Delay.
Security risks persist. Operational inefficiencies linger. Opportunity costs compound.

Time is a variable in every ROI equation.
Real ROI, therefore, is a function of time, money, and resources—not just savings. It recognizes that the longer a system remains inefficient, the smaller the present value of future benefits becomes.

Waiting for proof before acting is, in financial terms, a negative-yield strategy.

Forecasting with Real Data

To transform ROI from abstraction into strategy, organizations must model it like they would any other investment—using financial data grounded in reality.

The process typically includes:

1. Establishing Baselines – Gather financial and operational metrics that describe the current state: time spent, headcount, system costs, and performance indicators.

2. Modeling Scenarios – Use those baselines to model potential future states under different investment scenarios.

3. Applying Discount Rates – Adjust for the time value of money to calculate the present value of future benefits.

4. Analyzing Sensitivity – Identify which variables most affect outcomes; this drives smarter decisions and better risk management.

This process isn’t theoretical—it’s how mature organizations make capital budgeting decisions every day.

ROI as a Strategic Instrument

Once leaders accept that ROI is forecastable, not provable, the question shifts from “What’s the number?” to “What’s the model?”

A credible ROI model is a strategic instrument for prioritization. It helps leaders allocate capital across competing priorities based on expected value creation, not gut feel.

For example:

• An IAM modernization initiative might reduce operational cost and incident response time, improving both financial efficiency and enterprise resilience.

• A workflow automation platform might reduce manual effort, reallocating skilled labor to higher-value work.

• A governance dashboard might shorten reporting cycles, directly improving decision velocity and cost of coordination.

In each case, ROI isn’t proven in advance—it’s priced in advance and measured afterward.
That’s the discipline of real finance.

The Misunderstanding of “Proof”

Executives sometimes conflate forecasting with guaranteeing, but they’re fundamentally different.

Forecasting acknowledges uncertainty and quantifies it.
Guaranteeing denies it.

Demanding proof of ROI before engagement collapses the learning cycle that real innovation depends on.
The goal isn’t to eliminate uncertainty—it’s to make uncertainty investable.

That’s what separates a finance function from a procurement function.

Finance models potential return across a time horizon, adjusting for risk and delay.
Procurement demands certainty in a system that, by design, never offers it.

The strategic leader understands that you can’t measure ROI before you create the conditions for it to exist.

The Benefit of Shared Measurement

When both sides—provider and customer—commit to shared data, baselines, and transparency, ROI becomes not a point of contention but a system of continuous learning.

That’s why at Identient, our Strategic Performance Intelligence (SPI 360) framework builds ROI tracking into the engagement itself.
We don’t claim hypothetical returns. We create the environment to measure them—continuously, in real time.

This allows leadership teams to track Benefit-Cost Ratios dynamically, as projects mature and efficiency gains are realized. It replaces “proof” with visibility.

Beyond ROI: Real Options and Adaptive Value

Sophisticated financial modeling doesn’t stop at ROI or NPV—it extends into real options analysis, a method for valuing flexibility under uncertainty.

In cybersecurity, every investment creates future optionality—the ability to pivot faster, integrate more effectively, or scale without friction.
These are tangible financial benefits, even if they’re not reflected on a quarterly report.

Real options thinking transforms ROI from a static retrospective metric into a strategic forecast of adaptability.
It asks: “What is the value of keeping our options open?”
That’s a far more powerful question than, “What’s the ROI today?”

From Reporting to Strategy

When ROI is treated as proof, it becomes a rearview mirror.
When it’s treated as a forecast, it becomes a steering wheel.

Executives who understand this use ROI to inform where to steer next, not to justify where they’ve been.

This is where cybersecurity leaders can elevate their role—from cost managers to strategic investors in enterprise resilience.
By adopting cost-benefit analysis, time-value modeling, and real options frameworks, they move beyond budget defense into capital strategy.

Closing Thought

ROI isn’t something to prove; it’s something to build.

The discipline lies not in the pitch deck or the spreadsheet, but in the partnership that enables access to real data, shared baselines, and measurable outcomes over time.

In finance, as in cybersecurity, the most valuable returns compound quietly—through systems that learn, models that evolve, and leaders who understand that proving value starts by creating the conditions for it.

Closing Call to Action:
If you found this valuable and want to go deeper into how leaders make ROI real—balancing foresight, proof, and strategic execution—pick up my book, The CISO on the Razor’s Edge, available now on Amazon and Barnes & Noble.

If you’ve already purchased the book and want the companion Guide to Building a Business Case, just message me with a copy of your receipt—I’ll send you a private link to access it.

I love how she connects neuroscience, learning, and leadership in this piece. I hope you enjoy it as much as I did — and be sure to follow her on LinkedIn (links below).

— Steve

In the Fall of 2019, the supply chain and logistics firm I’d worked at adopted a new proprietary system across the entire worldwide firm. Fast-forward to Spring of 2020 and I’m a subject matter expert converting my branch to the new system; designing and delivering trainings to enable learning of the new system, skill development and behavioral change. While determining what level of support and guidance each member of my branch required to successfully adopt the new system, I considered factors like exposure to the system, length of tenure and each employee’s duty to their book of business. I considered the employee’s relationship to the business. Hindsight is 2020, so in retrospect I would have considered the sheer impact of change—not just on the functional or emotional capacities of my colleagues—but the physiological impact that change has on the brain and our learning capabilities.

At this year’s Association of Chang Management Professionals (ACMP) Chicago conference co-author of Neuroscience for Change at Work, Tibisay Vera, introduced many of us to a neural experience called maladaptive plasticity. It’s the phenomenon of our brains’ protective adaptation to constant change which left unsupported can show up as burnout, cynicism, withdrawal, disengagement and resistance to the change at hand. Vera presented on the PEPE model, a supportive framework for handling change that considers the natural reactions of our brains under transition duress. Woven throughout Vera’s PEPE methodology is not just an understanding but an acceptance of our natural brain functionality under change. Understanding maladaptive plasticity and its symptoms is paramount for change practitioners—particularly adult learning enablers.

Learning a new skill or behavior is one of the most vulnerable experiences consistent across all of humanity. I’m not sure if there’s a person reading this that hasn’t felt the anxiety of absorbing new information—the hesitancy in one’s mind and body that manifests as mental rigidity and physical stiffness as we practice new ways of thinking and new movements. As a change practitioner, think critically about the pressure of change on top of the vulnerability of learning. Think about the symptoms of burnout, cynicism, withdrawal and consider the sheer amount of might and dedication a learner must apply to absorb new information despite their disengagement.

Last year, the Society for Human Resource Management (SHRM) reported that 44% percent of their 1000+ surveyed American employees are experiencing burnout. SHRM cited that workers experiencing burnout are three times more likely to be actively job searching and are significantly less likely to go above and beyond in the role where they’re experiencing the burnout symptoms. The repulsion from the environment that causes symptoms of maladaptive plasticity on top of the drive toward relief is enough to stifle any business’ growth and innovation. The insight that burnout is nearly half the workforce’s experience should be enough to alarm any executive leader into action. Afterall, organizations’ greatest assets are its people. Time and time again, I’ve heard and said that change management focuses on the people side of innovation. If we don’t consider the whole human, we are not doing our jobs.

Here’s what it looks like to lead learning while considering maladaptive plasticity through a transition:

• Breaks in lessons are not spared.

• Self-care during the transition, such as taking breaks for walks, are required and taken into consideration of employee performance.

• Methodologies that incorporate support for individuals with ADHD, Autism, chronic anxiety and other neurodivergent experiences.

As a change practitioner, adult learning enabler, and, at my core, a person who learns differently, I think about accessibility of education through transitions. I apply a plethora of tactics to engage various learners and learning styles at once. My goals are simple: to be successful in the full realization of the benefits of the change. When we consider the impact of transitions on the brain and imbed specific support into lesson planning and strategic behavioral change, we approach learning enablement with equity. This is critical. It shouldn’t be an option to leave behind folks who are experiencing maladaptive plasticity or who learn differently. After all, that would be a willing submission to a subpar return on change investment. That simply won’t do.

Learning enablement isn’t whole without equity. We facilitate an equitable learning experience by:

• Assessing how enterprise transitions uniquely impact various job functions.

• Monitoring the symptoms of maladaptive plasticity in people and implementing symptom alleviation strategies.

As change practitioners and adult learning enablers, we must consider the whole human both internally (neurologically) and externally (how they experience the world.) This is how we approach learning enablement with equity in mind under the stress of ever-present change. In a world where change is rapidly increasing; where unlimited growth is pined after and ultimately unsustainable, we need to take care of one another. As business leaders and chief executives, the holistic wellness of your business’ greatest asset (its people) cannot be overstated. Failure to administer preventative burnout care is an acceptance of subpar returns on innovations investments. Secure your investments by:

• Factoring in maladaptive plasticity to enterprise change return and adoption rates

• Level-setting shareholders’ expectations of investment returns considering the statistical facts of neurological impact of change on the brain

Resources

Are you ready to envision a growth strategy that not only accepts but makes the most of the human condition?

Learn more about maladaptive plasticity and the PEPE model.

Learn more about Tibisay Vera, MBA, MSc.

See the SHRM article Here’s How Bad Burnout Has Become at Work.

About Nicolette

Tomilola “Nic” Sulaiman is a Prosci Certified Change Practitioner that hails from Houston, TX who has spent the last eight years living and working in Chicago, IL. Nic earned her stripes doing change work across both public and private industries such as Mergers + Acquisitions, ERP implementations, Health Care IT, Financial Technology, Supply Chain/3PL Freight forwarding, and Food + Beverage. She’s cut her teeth as a change manager, adult learning enabler and communications strategist embedding diversity, equity and inclusion practices in her delivery. Nic is an active member of her small midwestern community, lover and proprietor of local art, and champion of radical self-love and community care.

Follow Nic on LinkedIn HERE

That’s why the current fascination with AI is more than a passing trend, it’s a strategic risk. Too many leaders are mistaking faster answers for smarter execution. But IAM is not solved by access to information. It is solved by leadership, alignment, and judgment.

And those are things no algorithm can provide.

The Architect and the Algorithm (credit: my GPT:)

The Temptation of AI in IAM

Artificial Intelligence—particularly Large Language Models (LLMs) like ChatGPT, Claude, and Gemini—has captivated the business world. From the boardroom to the data center, leaders are asking: If AI can write code, generate board reports, and summarize 300-page analyst studies in seconds, why can’t it run Identity and Access Management (IAM)?

The question is understandable. IAM has always been a discipline flooded with information—white papers, analyst notes, vendor briefs, and implementation guides. The dream of instant expertise at the push of a button is alluring. Faster access to insights feels like it should unlock progress.

But it doesn’t. Having carried the responsibility for enterprise IAM across industries and sectors for over a decade, I can tell you this: access to information has never been the problem. Fifteen years ago, I had Gartner, KuppingerCole, and Forrester at my disposal. More recently, I’ve spearheaded CIAM modernization for Washington State with both the benefit of an IT degree, MBA toolkit, and GPT-4 at my side. None of it replaces the judgment, creativity, and leadership of a seasoned consultant or architect.

Because IAM is not just about knowing—it is about deciding, aligning, and executing. And that is where AI fails to deliver.

Information Isn’t Execution

Think back to the early 2010s. If I needed to know the recommended maturity model for privileged access management, I could find it in a research note. I could highlight the right quadrant and present it to a steering committee with confidence.

Today, I can prompt ChatGPT: “Outline the pillars of a successful IAM program.” In seconds, I’ll have a polished summary—structured, logical, and familiar. Yet the strategic value is unchanged. Faster delivery doesn’t mean better results.

Information—even when attractively packaged—cannot:

• Build a compelling business case for your CFO.

• Secure executive sponsorship when politics are stacked against you.

• Balance IAM investments with competing business priorities.

• Recognize cultural blockers that silently stall adoption.

• Be accountable at 2:00 AM when SSL certificates expire and customer portals go dark.

In other words, the hard part of IAM has never been the content—it’s the context. The art is in navigating people, priorities, and pressure. And context is where AI shows its limitations most clearly.

The Illusion of Stochastic Certainty

One reason AI is seductive is the fluency of its answers. An LLM can make even shaky reasoning sound confident. But behind the curtain lies stochasticity—the probabilistic process by which models generate responses.

Try this simple experiment: prompt your favorite AI chatbot with the request, “Outline the key pillars and success factors for an enterprise IAM program.” Do it four times in a row. Each time, you’ll get a slightly different list. Sometimes “governance” comes first, sometimes “technology.” One draft emphasizes user experience, another compliance. All are plausible. None are definitive.

This variability is not a bug; it’s the design of the system. LLMs are prediction engines, not reasoning engines. They excel at recombining patterns from training data, but they cannot guarantee consistency—or validity—over multiple runs.

For IAM leaders, this presents a serious risk. You cannot build board strategy or security policy on probabilistic outputs that shift with every prompt. This is why skilled professionals are indispensable. Leaders must oversee AI, interpret its outputs, and apply sound judgment. AI can accelerate tasks, but outsourcing critical thinking, strategy, and design work to it is an abdication of responsibility.

Share The Strategy Layer

What AI Still Can’t Do

Even with GPT-5 at my fingertips and the best academic and professional training behind me, I’ve seen the same recurring limits. AI doesn’t do the truly human parts of IAM.

• Strategic Alignment: AI can list best practices, but it doesn’t know whether your organization needs to move fast, cut costs, or restore customer trust first. Alignment is contextual.

• Business Case Creation: LLMs generate words, not conviction. Only a human partner can reframe IAM as business protection, growth enablement, or compliance cost avoidance in a way that resonates at the executive table.

• Stakeholder Engagement: IAM succeeds only when HR, legal, operations, and IT are on the same page. That’s not a prompt—it’s a negotiation, built on credibility and trust.

• Gap Analysis in Context: Every organization has gaps. The question is: which ones matter most right now? That’s prioritization—a skill born of judgment, not probability.

• Hands-On Firefighting: AI doesn’t triage outages. It doesn’t hold the pager. It doesn’t walk into the executive war room when customers are locked out.

At best, AI gives you a faster baseline. At worst, it convinces you that you don’t need a baseline built by professionals in the first place.

The Missing Human Dimensions

Beyond execution, there are higher-order functions that only people perform well. This is where the real gap lies.

• Asking Interesting Questions: Consultants and architects don’t just answer questions—they ask the ones nobody else is bold enough to pose. Why do we grant access this way at all? What if the barrier isn’t technical but cultural? AI can summarize knowledge, but it rarely provokes insight.

• Second-Order Effects: IAM decisions ripple outward. A tighter MFA policy may harden defenses but could also frustrate customers, leading to revenue loss. Humans are better at spotting those unintended consequences.

• Trade-Offs and Opportunity Cost: Budgets are finite. Should you invest in CIAM modernization or privileged access management this year? AI can list benefits, but it won’t balance them against organizational opportunity costs.

• Political Capital: IAM is as much politics as it is technology. Timing matters. Allies matter. Sometimes the right answer today is “not yet.” AI has no political capital to spend, no favors to call in, no trust to draw on.

These human dimensions are often the difference between a program that survives and one that fails.

Analyst Reports vs. AI: Same Song, Faster Tempo

In many ways, AI is simply the next iteration of what analyst firms have long provided. When I compare ChatGPT’s IAM advice to the templates and frameworks I pulled from Forrester or Gartner 15 years ago, the substance is strikingly similar. The difference? It arrives in seconds, not days.

That speed matters—but speed without strategy is just faster noise.

As Forrester puts it: “The paradox encapsulates one of the most pressing challenges facing enterprises today: the disconnect between ubiquitous AI adoption at the individual level and the absence of transformational business impact at the organizational level.” (Forrester, 2025)

Faster doesn’t mean wiser. And wisdom, not information, is what IAM requires most.

The Role of Human Expertise

This is why experienced consultants and architects remain irreplaceable. They bring qualities no AI can emulate:

• Contextual Understanding: Recognizing what “good IAM” means in your sector, culture, and maturity stage.

• Cultural Intelligence: Pacing change so adoption keeps pace with ambition.

• Pattern Recognition: Drawing lessons from dozens of prior implementations to spot risks early.

• Accountability: Owning outcomes with you—not just generating words but delivering results.

This fusion of technical skill, cultural sensitivity, and political acumen is what turns IAM from a perpetual struggle into a program that delivers measurable business value.

Design Thinking: Where AI Fits, Where It Doesn’t

The right question isn’t whether to use AI but where. Put your design thinking hat on:

• Use AI to accelerate: drafting RFPs, summarizing vendor documentation, sketching workflows.

• Don’t use AI to decide: choosing priorities, weighing risks, allocating scarce capital.

AI can help your team move faster, but it cannot decide what direction to run. That choice remains squarely in human hands.

What’s Really at Stake

IAM is not a playground for experimentation. It’s the connective tissue of digital business.

• Revenue: Frictionless, secure customer access drives loyalty and retention.

• Resilience: Outages tied to identity can grind operations to a halt.

• Reputation: Breaches stemming from identity failures can permanently erode trust.

This is too important to entrust to stochastic algorithms or generic templates. IAM is existential—and existential risks demand human leadership.

Why Now Is the Time to Invest in Consulting

If your IAM program feels stuck—or worse, if it feels “fine” but unprovable—this is the moment to bring in outside expertise. A skilled consulting partner can:

• Uncover hidden gaps before they metastasize.

• Translate IAM outcomes into board-level ROI.

• Build coalitions across siloed business functions.

• Architect AI systems of action that empower, rather than distract, your team.

Done right, this investment more than pays for itself in avoided rework, reduced audit exposure, and programs that actually stick.

Closing Reflection

The future will absolutely include AI in IAM products, processes, and programs—but as an amplifier, not a replacement. The leaders who win won’t be those who blindly outsource to machines. They’ll be the ones who integrate AI wisely, with judgment and strategy intact.

At the end of the day, IAM leadership requires more than access to information. It requires the courage to ask better questions, the foresight to weigh trade-offs, and the political capital to make change stick. These are human skills—and they always will be.

That’s why the call you make to a seasoned consultant at 2:00 AM will always matter more than the prompt you type into ChatGPT at 2:00 PM.

Let’s Talk!

If you need help spotting the gaps in your IAM program or designing and implementing AI systems of action for your team, let’s talk. There’s never been a more important time to balance speed with strategy. The work I do with clients consistently drives seven- and eight-figure impact—unlocking measurable ROI through stronger governance, reduced risk, and IAM programs that finally deliver on their promise.

Reference
Giron, Frederic. Forrester, Why AI ROI Remains Elusive Despite Widespread Adoption, July 2025. Retrieved from: https://www.forrester.com/blogs/why-ai-roi-remains-elusive-despite-widespread-adoption/

Cybersecurity leadership is starting to look like an unwinnable game. The average CISO tenure of 1.5–2 years tells us something isn’t working. Leaders are handed budgets where 75% of spend is locked into technical debt or mandatory controls, leaving only a sliver of discretionary funding to maneuver. Expectations continue to rise while resources stay flat—or even decline.

In game theory terms, cybersecurity leaders are being asked to play with fewer moves on the board while the stakes keep climbing.

The outdated “people, process, technology” model doesn’t help much in this new environment. Nor does the familiar cost-avoidance narrative: “we stopped bad things from happening.” That might have worked a decade ago. Today, boards and CFOs expect security leaders to frame their work in terms of options, trade-offs, and business value. In short, to play a game they can actually win.

The Economics of Cybersecurity Leadership

If the opening feels like a game rigged against CISOs, the numbers confirm it. The financial headwinds facing security leaders are undeniable. A recent IANS and Artico Search survey of nearly 600 CISOs found that only 47% reported a budget increase in 2025, down from 62% the year prior (IANS Research & Artico Search, 2025). Meanwhile, 54% are dealing with flat or shrinking budgets. And for the first time in five years, security’s slice of IT spending actually declined—from 11.9% to 10.9%—as dollars were redirected toward AI, cloud, and digital growth priorities (SecureWorld, 2025).

For many CISOs, these numbers translate into a game where most of the moves are already taken off the board. Fixed costs like technical debt, compliance requirements, and mandatory controls can consume three-quarters of a typical budget, leaving little discretionary funding for innovation or strategic bets. In this environment, cost avoidance alone isn’t enough to justify spend—or to ensure career survivability.

What leaders need instead is a new way to reframe and navigate financial constraints. Three starting points:

• Map fixed vs. discretionary spend: know exactly how much of the budget is locked in vs. how much can be maneuvered, and make that visible to the board.

• Translate dollars into Run / Grow / Transform categories: adopt a model the CFO already understands, showing whether spend is maintaining the baseline, enabling incremental growth, or transforming the business.

• Present investments as options and trade-offs: instead of “we need this much money,” offer “here are three paths forward—here’s what we gain, and here’s what we accept if we don’t.”

Each of these reframes gives CISOs more credibility in executive discussions and begins to shift perception—from tactical risk manager to strategic partner.

Why the Current Playbook Fails

For decades, the dominant framework for cybersecurity management has been the familiar trio of people, process, and technology. It served its purpose in an era when the biggest challenge was building controls and maturing basic practices. But in today’s economic climate, that model feels outdated.

Boards and CFOs are no longer impressed by a laundry list of controls or by the language of cost avoidance—“we stopped bad things from happening.” That narrative, while true, doesn’t hold up against competing investments in AI, digital expansion, or customer experience, where executives can see direct returns.

Worse, the old playbook locks CISOs into reactive cycles—always responding to the next regulation, audit, or incident—without a framework for shaping strategy. This undermines their ability to survive in roles where the average tenure is less than two years.

Three reasons the old playbook is breaking down:

• Cost avoidance isn’t strategy: Preventing losses matters, but it doesn’t prove value or growth potential.

• Controls ≠ credibility: Boards expect clarity on business impact, not just technical soundness.

• Reactive posture shortens careers: CISOs who only defend and comply rarely get the chance to innovate, which accelerates burnout and turnover.

The implication is clear: continuing to play by yesterday’s rules is a losing game. The question is whether CISOs can adopt a new playbook—one rooted in finance, strategy, and value creation—that allows them to compete on equal footing with other executives.

Reframing the Role: From Cost Center to Value Creator

If the old playbook is failing, what replaces it? The answer lies in shifting the frame—from security as an unavoidable cost to security as a portfolio of strategic options the business can choose to invest in.

This is more than semantics. In The CISO On The Razor’s Edge, I argued in Chapter 7 (Security Leadership as a Series of Real Options) that CISOs must think less like operators and more like financial strategists. Every initiative—whether it’s a new control, a modernization effort, or a cloud migration—can be presented as an option with trade-offs: invest and gain future flexibility, delay and accept defined risks, or decline and carry the exposure. This approach allows the board to see security decisions in the same way they evaluate other capital investments.

Industry leaders echo this. Mark Settle advises CISOs to “follow the money” through budgeting frameworks like Run / Grow / Transform, which reveal whether dollars are being used simply to keep the lights on or to unlock growth and transformation. Steve Zalewski, drawing on his time as CISO at Levi Strauss & Co., pushes CISOs to ensure that cybersecurity isn’t just about protection—it must directly support the mission of the business. As he often says, security has to “help sell more jeans.”

Taken together, these perspectives form a new leadership model: the financially literate, strategically minded CISO who frames security not as an overhead cost but as an investment portfolio. And it’s a model that boards are more likely to respect—and fund.

Tools for Playing a Winnable Game

Shifting from cost center to value creator isn’t just about mindset—it’s about using practical tools that reshape how security is discussed in executive conversations. CISOs don’t need to become CFOs, but they do need to adopt financial frameworks that make their work legible and valuable in business terms.

Here are four tools that create leverage and credibility:

• Budget Mapping: Break down spend into fixed vs. discretionary categories. Show explicitly how much of the budget is consumed by technical debt and mandatory controls versus what’s available for strategic investment. Boards respond to clarity.

• Run / Grow / Transform: Reclassify spend using a model familiar to CFOs. Demonstrate which investments simply keep operations running, which enable incremental improvements, and which unlock real transformation.

• Options & Trade-Offs: Frame every major initiative as a set of choices: If we invest, here’s the upside. If we don’t, here’s the risk we’re carrying. Boards don’t want ultimatums—they want structured options.

• Value Creation Scenarios: Move beyond cost avoidance by modeling how security investments can generate value—faster time to market, higher customer trust, stronger brand resilience, or lower cost of capital through risk reduction.

Each of these tools has the same effect: they reposition security decisions from technical necessities to strategic investments. They give CISOs a way to demonstrate alignment with business goals—and to survive, and even thrive, in a budget-constrained environment.

The Payoff: Confidence, Impact, and Career Resilience

Mastering strategic finance is not just about surviving another budget cycle—it’s about changing the way the game is played. CISOs who frame investments as options and trade-offs, who can translate dollars into growth and resilience, and who model value creation are no longer trapped in a defensive posture. They step into the role of strategist, gain confidence in boardrooms, and extend their career runway.

A winnable game is one where:

• The board sees clarity, not confusion.

• The CFO sees alignment, not overhead.

• The CISO sees a path forward, not burnout.

That’s the future of cybersecurity leadership—and it’s within reach.

The urgency is real: only 47% of CISOs reported budget increases in 2025, while security’s share of IT spending actually fell for the first time in five years. The game is tightening. Now is the moment to master the skills that make it winnable.

If you want to sharpen these skills and apply them in your own organization, join us on Tuesday, September 16th for the webinar Strategic Finance for Cybersecurity Leaders. We’ll dive deeper into how CISOs can reframe budgets, speak the language of the business, and make smarter strategic bets in the year ahead.

And if you’d like a companion to guide you even further, pick up a copy of The CISO On The Razor’s Edge, especially Chapter 7: Security Leadership as a Series of Real Options. It will help you increase your odds of surviving—and thriving—in the game you’re already playing.

References

IANS Research & Artico Search. (2025, August 5). Security budgets under pressure: How CISOs can navigate tight budget constraints. IANS Research. Retrieved from https://www.iansresearch.com/resources/all-blogs/post/security-blog/2025/08/05/security-budgets-under-pressure--how-cisos-can-navigate-tight-budget-constraints

SecureWorld. (2025, July 24). CISO budget squeeze: Security growth slows as IT priorities shift. SecureWorld. Retrieved from https://www.secureworld.io/industry-news/cisos-budget-squeeze-security-growth-slows

Fast forward a few years, and the landscape looks very different. What began as a fight to control developer pipelines has evolved into a much larger, more urgent problem: safeguarding data privacy, security, and governance in the age of generative AI. Today, that evolution is crystallizing into a new strategic discipline: AI Security Posture Management (AI-SPM).

The Inflection Point for CxOs

The adoption of generative AI and large language models (LLMs) is not optional anymore. McKinsey estimates that generative AI could deliver up to $4.4 trillion annually in economic value across industries. A Salesforce study shows that 61% of employees are eager to leverage generative AI, yet most lack the knowledge or skills to use it securely.

That tension—between enthusiasm and operational readiness—is where risk breeds. On one hand, boards and executive teams see AI as a lever for efficiency and competitive advantage. On the other, CISOs and CIOs are already grappling with a new class of threats, from data leakage to adversarial attacks, without the benefit of well-worn playbooks.

The next 18 months will determine whether enterprises harness AI’s potential responsibly or stumble into costly missteps. And the stakes are high: regulators are moving quickly, consumers are hyper-aware of privacy risks, and adversaries—both criminal and nation-state—are actively probing weaknesses in AI systems today, not tomorrow.

From Governance Gaps to Strategic Imperatives

One of the biggest lessons I’ve seen firsthand is that the governance gaps inside enterprises are often more dangerous than the technology itself.

• Security vs. Data Teams: Too often, the security organization and the data organization operate in silos. Without a shared governance framework, critical questions—Who owns the data? Who sets the policies? Who enforces them?—go unanswered. This disconnect is where vulnerabilities flourish.

• Super Users Without Guardrails: Generative AI has effectively turned non-technical employees into “super users.” With the right (or wrong) prompt, an employee could trigger a destructive query like drop table, leading to catastrophic data loss. Traditional access controls weren’t built for this.

• Model Integrity Risks: Nearly every LLM today is vulnerable to prompt injection and manipulation. What looks like an innocent request for analysis can be hijacked to exfiltrate sensitive data or generate biased, harmful, or even malicious outputs.

The result? An urgent need for proactive, executive-level strategies—not just tactical fixes.

The Three Pillars of AI Security Posture Management

At TrustLogix, I’ve watched the thinking around governance evolve into what we now call AI-SPM: AI Security Posture Management. It’s a high-level discipline designed to give enterprises the same kind of control, resilience, and visibility for AI that they’ve long pursued in cloud and DevOps.

The framework rests on three pillars:

1. Proactive Data Protection

   • Automatic discovery and classification of sensitive data across AI training and inference pipelines.

   • Data lineage tracking to ensure auditability and reproducibility.

   • Granular access controls (RBAC, ABAC) tailored for AI workloads.

2. Secure Model Lifecycle Management

   • Model registries with strict access controls and full audit trails.

   • Integrity verification using digital signatures and cryptographic checks.

   • Real-time monitoring to detect adversarial attacks and anomalous behavior.

3. Continuous Posture Monitoring

   • Centralized visibility into who has access to what data and models.

   • Automated, template-driven policy enforcement.

   • Continuous risk detection against benchmarks like NIST and CIS.

This isn’t theory—it’s the pragmatic blueprint enterprises need to operationalize today. Just as cloud security posture management (CSPM) became indispensable for cloud adoption, AI-SPM is fast becoming the non-negotiable foundation for AI.

Why the Next 18 Months Matter

CxOs can’t afford to wait. Here’s why:

• Regulatory Momentum: The EU AI Act, U.S. executive orders, and state-level privacy regulations are converging to place heavy accountability on AI use. Compliance won’t be optional.

• Adversary Sophistication: Organized crime and nation-state actors are already targeting LLMs and AI-enabled applications. Unlike early-stage technologies, this isn’t “wait and see.” The battlefield is live.

• Market Expectations: Customers and investors are paying close attention. A single AI-driven data leak could undo years of trust-building and destroy competitive positioning.

The organizations that will thrive are those that move deliberately—implementing governance frameworks now, before AI adoption scales beyond their ability to control it.

A Real-World Wake-Up Call: The Salesloft Breach

In September 2025, the industry saw just how fast trust can unravel when AI security posture isn’t managed proactively. A breach at Salesloft, an AI-driven chatbot provider, exposed the fragility of enterprise integrations at global scale.

Attackers from the UNC6395 group stole OAuth tokens from Salesloft’s Drift platform, using them to pivot into hundreds of downstream integrations. This wasn’t just a contained incident—it spread into enterprise systems like Slack, Google Workspace, AWS, Microsoft Azure, and even OpenAI environments. Along the way, attackers harvested AWS keys, VPN credentials, and Snowflake tokens, and then deleted logs to cover their tracks (KrebsOnSecurity, ITPro).

The impact was sweeping. Security leaders at firms like Palo Alto Networks and Zscaler confirmed their organizations were affected, reminding us that even cybersecurity vendors aren’t immune (TechRadar, ITPro).

Why it matters: This was a classic case of authorization sprawl—unchecked AI-integrated tokens giving adversaries the keys to the kingdom. For executives, the lesson is crystal clear: AI governance cannot lag adoption. A single data leak or compromised token can wipe out years of trust-building and competitive advantage in a matter of days.

A Call to Action for Leaders

As I look back on my journey with TrustLogix, the throughline is clear: security and governance are not blockers to innovation; they are the enablers of sustainable, responsible AI adoption.

CxOs need to think differently. This isn’t about securing yesterday’s systems. It’s about preparing your enterprise to navigate the next wave of disruption with confidence. That requires new disciplines, new governance models, and new partnerships.

If you’re a CIO, CISO, or senior executive wrestling with these questions, I’d encourage you to take action now:

• Schedule a private briefing or demo. I’m happy to arrange a session where you can see firsthand how TrustLogix is helping enterprises operationalize AI-SPM.

• Connect directly. Reach out to me if you’d like to discuss your specific challenges, roadmap, or board-level concerns.

• Learn more. Visit TrustLogix’s website for additional resources and insights.

Final Word

AI adoption is moving faster than most governance structures can keep up with. The temptation is to prioritize speed and deal with governance later. That’s a mistake.

What I’ve learned as an early advisor to TrustLogix is that governance isn’t the brake—it’s the steering wheel. Without it, you may move fast, but you’ll end up in a ditch. With it, you can accelerate into the future of AI confidently, knowing your enterprise is secure, compliant, and ready for what’s next.

The question isn’t whether AI-SPM will become a strategic priority for enterprises. It’s how quickly your organization will adopt it—and whether you’ll be ahead of the curve or playing catch-up.

👉 Call to Action: Contact me directly if you’d like to arrange a private briefing, demo, or meeting with a representative from TrustLogix. Or visit trustlogix.io to explore more.

References

McKinsey & Company. (2023, June). The economic potential of generative AI: The next productivity frontier. McKinsey Digital. Retrieved from https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/the-economic-potential-of-generative-ai-the-next-productivity-frontier

McKinsey Global Institute. (2023, June). Generative AI could add up to $4.4 trillion annually to the global economy. Retrieved from https://www.mckinsey.com/mgi/media-center/ai-could-increase-corporate-profits-by-4-trillion-a-year-according-to-new-research

Salesforce Research. (2023, August). Generative AI Snapshot Series: AI Ethics. Salesforce Newsroom. Retrieved from https://www.salesforce.com/news/stories/generative-ai-ethics-survey/

Salesforce Research. (2023, October). Generative AI Snapshot Series: AI Skills. Salesforce Newsroom. Retrieved from https://www.salesforce.com/news/stories/generative-ai-skills-research/

Forbes India Staff. (2023, July 14). Generative AI could add up to $4.4 trillion a year to global economy: McKinsey. Forbes India. Retrieved from https://www.forbesindia.com/article/news/generative-ai-could-add-up-to-44-trillion-a-year-to-global-economy-mckinsey/86157/1

This is the paradox of modern cybersecurity. Organizations are checking all the boxes but failing to protect the very thing that matters most: the humans behind the data. When security is reduced to compliance theater, breaches stop being treated as existential failures. They become routine. And in that routine, leadership normalizes the erosion of privacy and dignity.

Sidelining CISOs Normalizes Breaches

The sidelined or weakened CISO is the hallmark of this dysfunction. Instead of acting as strategic multipliers, CISOs are too often cast as compliance managers. Their remit is narrowed to passing audits rather than preserving trust.

The result? A culture that tolerates breaches as the “cost of doing business.” This isn’t just bad governance. It’s organizational surrender. When boards minimize the CISO’s voice, they signal to the enterprise that protecting dignity is optional.

Recent research underscores this gap. In a 2025 Harvard Business Review study, 71% of executives believed their cybersecurity funding was adequate or strong. Yet only 39% rated their board’s understanding of cyber risk as proactive, and just 31% considered their organization an innovator or early adopter in cyber readiness[^1]. The illusion of readiness masks the normalization of failure.

The People/Process/Technology Prison

Why does this dynamic persist? Because CIOs and CISOs are often trapped in what I call the people/process/technology prison.

Legacy frameworks treat people as risks to be managed, processes as boxes to check, and technology as the silver bullet. Humans are reduced to “actors,” “insiders,” or “threat vectors.” Leadership is forced to view the enterprise through a compliance lens, not a human lens.

This prison strips cybersecurity of its real purpose: enabling people to thrive with dignity in a digital-first world.

The Stakes: Privacy and Dignity

Breaches aren’t just technical failures. They are human failures. They rob customers, employees, and citizens of their dignity. They leave people feeling exposed, powerless, and undervalued.

HBR research shows that dignity violations are common in organizations, and that treating people with dignity significantly improves motivation, satisfaction, and overall flourishing[^2]. Cybersecurity is no different. Each time leadership accepts compliance theater, it chooses to normalize dignity violations at scale.

The Golden Rule has long reminded us: treat others as you would like to be treated. Today, leadership demands an even sharper ethic: treat others as they want to be treated[^3]. That requires designing systems of trust, not systems of control.

The Escape Route: SPIRE as Human-Centered Leadership OS

How do CIOs and CISOs escape the prison? By reframing security leadership through SPIRE: a human-centered operating system for leadership .

• Signal – Upgrade the signal. Replace noisy dashboards and vanity metrics with board-relevant telemetry: drag, control effectiveness, velocity friction, trust signals.

• Performance Intelligence – See the real system. Surface blind spots, entropy, and misaligned incentives that undermine execution.

• Insight – Understand what system you’re truly running. The CISO is not a translator but a Strategic Multiplier, co-designing systems of trust, speed, and resilience.

• Reframe – Stop reporting problems. Start commanding the system. Position security not as liability management but as enterprise execution.

• Execution – Close the loop. Translate insight into prioritized action with financial discipline, governance, and feedback.

SPIRE is not abstract philosophy. It is a leadership design system. It restores agency to CIOs and CISOs. It elevates the role from compliance enforcer to guardian of dignity.

Why Symbolic Leadership Matters

MIT Sloan Management Review warns that simply adding more senior cybersecurity roles can actually increase collective overconfidence, leading leaders to overestimate capabilities compared to peers[^4]. In other words, title inflation doesn’t fix the problem—it makes it worse.

The solution isn’t more hierarchy. It’s more symbolism. An empowered CISO isn’t just a functional leader; they are a signal to the enterprise that dignity, trust, and momentum matter. Weakening that signal weakens the system.

Actionable Moves for CIOs and CISOs

1. Reframe Board Discussions

   • Don’t settle for “Are we compliant?” Ask: “How does this strategy preserve dignity and trust?”

2. Elevate the Symbolic Role of Security

   • Communicate not only risk reduction but also human empowerment.

3. Challenge the Prison Mindset

   • Reject frameworks that treat people as liabilities. Treat them as voices with potential.

4. Measure What Matters

   • Replace red-yellow-green dashboards with metrics tied to performance, friction, and trust.

These aren’t theoretical exercises. They’re boardroom moves CIOs and CISOs can make today.

Closing Call-to-Action

Compliance theater might pass audits. But it fails people. And in failing people, it fails the enterprise. Normalized breaches don’t just erode data—they erode dignity.

CIOs and CISOs who want to break free from the people/process/technology prison need a new operating system for leadership. That system is SPIRE.

Learn how to apply SPIRE as a leader, and inside your organization: identient.ai/spire

Footnotes

[^1]: “Boards Need a More Active Approach to Cybersecurity.” Harvard Business Review, May 20, 2025.

[^2]: “The Dignity Mindset: How to Build Organizations Where People Flourish.” Harvard Business Review, Oct 30, 2024.

[^3]: “The New Golden Rule of Leadership.” Harvard Business Review, Aug 2022.

[^4]: “The Case for Lean Cybersecurity Leadership.” MIT Sloan Management Review, Feb 10, 2025.

In my recent piece, “Identity is Moving Faster Than Your Roadmap”, I argued that technology outpaces governance if equity and transparency aren’t engineered in. This post builds on that experience by sharing how we approached digital equity as the driver of Washington State’s CIAM modernization.

Identity modernization is often pitched as a technology upgrade: stronger authentication, smoother login, lower fraud. But for us, it was about something deeper: making sure every resident, regardless of income, ability, or access to technology, could interact with the state on equal footing. That meant designing for the blind and disabled, the elderly, the unbanked, and the digitally underserved. It meant not just doing no harm, but actively lowering barriers that had excluded people for years.

Today, many vendors are talking about bias in AI and digital equity. It’s become the language of the moment. But unless a company can show independent test results and demonstrate a commitment to equity by design — from the product spec to the demo to the customer references — then talk and philosophy alone are not enough.

This is the story of how we set the bar, how we evaluated vendors, and the lessons others can draw as AI and biometrics rush into the identity ecosystem.

Why Digital Equity Had to Lead

Washington State’s services touch millions of people — renewing a driver’s license, applying for unemployment, accessing healthcare. Yet for too many, access had become a barrier in itself.

• 45 million Americans lack credit histories, disproportionately young, low-income, and minority. Traditional knowledge-based authentication excluded them before they even started.

• Multi-factor authentication, often lauded as secure, was inaccessible to the visually impaired or those without multiple devices.

• Biometric systems introduced risks of racial and gender bias, not to mention concerns about surveillance creep.

The reality was simple: if modernization didn’t expand equity, it wasn’t modernization at all.

So from day one, equity wasn’t a requirement buried in an RFP — it was the lens through which every option would be judged.

Setting the Evaluation Criteria

The first step was translating values into hard criteria. We built a transparent, data-driven evaluation framework that measured vendors across bias, privacy, and transparency:

• Bias & Inclusion

  • Independent third-party bias testing across gender, race, and age groups.

  • Usability for visually and cognitively impaired populations.

  • Support for residents without smartphones or broadband.

  • Explainable AI — no black boxes making automated access decisions.

• Privacy & Consent

  • Explicit proof of consent for biometric use.

  • User control to view how their data is used and revoke consent at any time.

  • Permanent deletion of stored data, including selfies used for verification.

  • No tolerance for vendors selling data or contracting with federal enforcement agencies.

• Compliance & Governance

  • Teams supporting engineering, operations, and customer support had to be U.S.-based.

  • Full adherence to RCW 40.26.020 (biometric identifiers) and RCW 43.386 (facial recognition accountability).

  • Documented incident response and breach notification plans.

Every vendor knew the rules upfront. Equity, privacy, and transparency were not philosophical aspirations — they were measurable requirements.

Beyond Pedestrian Commitments

Here’s where most vendors stumble.

It’s one thing to mention bias or accessibility in a presentation. It’s another to show enterprise-wide commitment. The vendors who passed evaluation didn’t just tack on fairness as a feature. They could demonstrate that equity shaped decisions in engineering, legal, operations, and customer-facing design.

In other words: privacy and equity by design, not as an afterthought.

One vendor, for example, was disqualified outright because of their use of 1:many biometric face matching and the controversy that followed around transparency and user rights.* This was more than a red flag — it was a reminder that identity systems live and die on trust. The lesson was clear: without a stellar track record, you cannot credibly claim to serve all residents.

The Nash Equilibrium of Stakeholders

The deeper lesson is that equity in identity isn’t one-dimensional. It’s a balancing act across multiple stakeholders:

• Residents who need access without barriers.

• Agencies that must meet service delivery mandates.

• Regulators demanding compliance.

• Vendors seeking to grow responsibly.

I often described this as finding a Nash Equilibrium — a state where no single stakeholder’s needs could be met by disadvantaging another. Achieving this balance came at real cost. Some vendors simply weren’t able to bear it. Those who did earned credibility that philosophy alone could never buy.

My Approach as an Advisor: The Playbook

When people hear “vendor evaluation,” they picture an RFP, a demo, and a scoring sheet. In practice, what I led was closer to an archaeological and sociological excavation.

We weren’t just comparing features. We were interrogating culture, governance, and commitment to equity under pressure.

Here’s how I structured the process:

1. Market Analysis
We began by mapping the CIAM, IDM, and IDV landscape. It wasn’t about who was trending in analyst quadrants, but who had demonstrated credibility in public-sector contexts — without scandal, without hidden tradeoffs. Doing no harm and preserving trust was non-negotiable.

2. Workshops with Agencies
Each administrative agency had its own reality. Some served urban populations with smartphones; others reached rural communities with limited broadband. We convened workshops to capture these needs directly. Equity wasn’t abstract — it was grounded in personas and barriers that residents faced daily.

3. A Data-Driven Evaluation Framework
I developed a transparent, weighted model that scored vendors across functionality, privacy, transparency, and usability. Everyone saw the rules. No vendor could hide behind glossy decks or vague assurances.

4. Privacy Reviews with Counsel
We put attorneys from both sides in the room. That meant parsing terms of service, breach obligations, and data residency policies line by line. Privacy wasn’t allowed to be a compliance afterthought.

5. Deep Dives and UX Assessments
Beyond demos, vendors faced scenario testing and independent accessibility reviews. Could a visually impaired resident reset their password without calling a help desk? Could someone without a smartphone verify their identity? These weren’t edge cases — they were essential.

6. Customer References
We validated with customers — not just curated references, but independent sources who could speak candidly. Did commitments hold up in production? Did the vendor respond to real-world challenges with transparency and speed?

This was more than evaluation. It was a playbook for exposing culture and intent. Vendors who treated equity as marketing didn’t survive the process. Those who embedded it into their DNA did.

Lessons Learned

Several insights stand out from this experience:

1. Independent validation is everything. Vendors’ claims mean little without third-party testing and references.

2. Equity is measurable. It can be designed into evaluation frameworks and scored — not just spoken about.

3. Privacy and equity by design separate leaders from laggards. Bolted-on fairness is not fairness at all.

4. Compliance is table stakes. The differentiator is whether equity and transparency are core to the business model.

Call to Action

For CIOs, CISOs, and policymakers evaluating identity platforms today, the lesson is simple: don’t settle for vendor philosophy. Demand proof.

Ask for independent bias testing. Ask to see how consent is captured and revoked. Ask where operations teams are located, and whether customer references validate the promises.

Digital equity in identity is not a philosophy — it’s engineered, tested, and proven. Anything less is just noise.

* Footnote: One vendor (ID.me) was disqualified from consideration in Washington State due to use of 1:many biometric face matching and subsequent controversy. Their case underscored the importance of transparency, consent, and trustworthiness as non-negotiable prerequisites for public identity systems.

Additional Resources

Jimmy is the CISO of Save Mart overseeing more than 200 stores across the West Coast, the former CISO of Netflix DVD, and the current President of ISSA International — giving him a rare, global vantage point on how the role of CISO is being redefined in real time.

But this conversation isn’t just about job titles. It’s about transformation.

Together, Steve and Jimmy dive into how the CISO role is shifting from technician to strategist, why governance frameworks often crumble under real-world politics, and what it takes to lead when budgets are flat, expectations are exponential, and trust is the only currency that matters.

What we cover in this episode:

• Why automation must come before AI — and how to prepare your team for agents

• The hidden costs of being “just the technician” instead of the strategic partner

• The politics of governance and why frameworks often fail without enforcement

• How to measure human-centered risk: burnout, fatigue, and decision friction

• Why trust and presence — not titles — determine whether you get heard at the board level

• The future of the CISO: from risk manager to Chief Trust Officer, or even CIO

• The limitations of “people, process, technology” thinking

And I finally introduced the SPIRE leadership model — my push to move beyond “people, process, technology” into something built for the AI era:

🔹 Signals

🔹 Performance Intelligence

🔹 Insight

🔹 Reframing

🔹 Execution

Whether you’re leading your first security team or steering global strategy, this episode will challenge you to rethink what leadership looks like when the CISO’s true mandate is to create resilience, not just reduce risk…

I’ve seen this play out before. During my work with Washington State on CIAM modernization, we confronted many of the same issues that NIST has now codified in Rev 4 — equity and usability in user journeys, sub-account and account-linking for families and caregivers, independent privacy reviews, and fraud signals embedded even at IAL-1. (E.g., Passive new account onboarding) Those decisions weren’t theoretical; they were the difference between whether citizens could access services fairly and whether fraudsters could exploit weaknesses in our systems.

The lesson then is the lesson now: identity threats evolve continuously. Guidelines like Rev 4 aren’t a checklist to adopt blindly. They’re a compass pointing to where attackers, customers, and regulators are already moving. Leaders who treat them that way will shape their roadmaps with foresight. Those who wait will find themselves reacting under pressure.

Signals That Matter

Revision 4 makes dozens of changes, but not all of them deserve equal weight in the boardroom or in a CIO’s roadmap. The point isn’t to memorize every adjustment; it’s to recognize the signals of direction that will shape identity resilience, customer experience, and risk posture over the next 18–24 months.

Several stand out:

• Sub-accounts and account linking acknowledge the real-world complexity of digital lives — families, caregivers, and delegated authority — moving identity beyond the single-user model.

• Equity, accessibility, and privacy are no longer afterthoughts; they’re explicit expectations. Designing for inclusivity is becoming inseparable from building trust.

• Phishing-resistant authenticators and digital wallets show the shift toward modern, user-controlled trust mechanisms. Passwords and static factors are fading into the background.

• Fraud detection and account recovery get sharper attention, reflecting the reality that attackers exploit the weakest seams in identity flows.

• Continuous evaluation replaces “annual reviews” with a living model of posture — measuring, adapting, and mitigating in near real time.

None of these should surprise seasoned leaders. They mirror challenges already surfacing in enterprise programs. The real value of Rev 4 is in its ability to crystallize these priorities into a shared language — one that CIOs and CISOs can use to rally security, product, and business teams around the same identity horizon.

Lessons from the Field

The signals in Rev 4 aren’t theoretical for me. I saw them firsthand during my work consulting to the State of Washington on CIAM modernization. Long before NIST put these themes into writing, we had to make hard decisions about how to deliver both security and usability at scale.

Several priorities stand out from that experience:

• Account linking and sub-accounts. Citizens don’t interact with government systems as isolated individuals. Families, caregivers, and delegated authorities all need the ability to manage services without breaking trust or security.

• Equity and usability. We had to evaluate how different groups experienced the digital journey — and whether design choices unintentionally excluded or disadvantaged certain users.

• Independent privacy reviews. Transparency wasn’t optional; it was critical for maintaining trust in identity systems that handled sensitive data.

• Fraud and threat intelligence signals. Even at IAL-1, we considered checks like email compromise detection to harden flows that attackers were already probing.

To make these priorities concrete, we developed what we called Dani’s Journey — a user-centered storyline that every vendor in the evaluation process had to deliver against during proof-of-concepts. Instead of simply asking for compliance with standards, we mapped Dani’s end-to-end experience across registration, login, profile updates, and service access. Each vendor was judged on whether they could provide:

• An equitable and inclusive experience that worked across diverse user groups.

• A frictionless journey that reduced unnecessary steps without weakening assurance.

• Security in context, where fraud detection and MFA were woven naturally into the flow, not bolted on as obstacles.

This approach forced vendors to prove that they could connect identity assurance, security posture, and user experience. And it revealed a truth that Rev 4 now reinforces: continuous risk evaluation is essential because threat actors adapt daily, while users expect consistency and fairness.

Why CIOs & CISOs Can’t Wait for 2026

It would be easy to look at NIST Rev 4, note that it isn’t mandatory for the private sector, and push it down the priority list until the next budget cycle. That would be a mistake. The updates in Rev 4 don’t describe a distant future; they reflect realities already shaping the digital identity landscape. By the time 2026 arrives, these practices will be table stakes.

Consider what’s already in motion:

• Phishing-resistant authentication is no longer experimental. Major platforms and consumer ecosystems are moving aggressively toward passkeys and FIDO2.

• Fraud detection isn’t optional. Attackers are already exploiting the seams of account recovery and low-assurance on-boarding.

• Digital wallets and user-controlled credentials are beginning to reshape federation models.

• Equity and accessibility are becoming brand-level trust issues as much as technical requirements.

Waiting until 2026 means scrambling to retrofit systems, retrain teams, and react to mounting fraud and user dissatisfaction. Worse, it means letting competitors define the trust baseline while your organization plays catch-up.

Acting now, on the other hand, provides space to experiment, learn, and evolve without crisis pressure. Leaders who begin assessing their identity posture today — against Rev 4’s signals and their own customer journeys — will enter 2026 with confidence, not anxiety.

Strategic Actions for Executives

One of the most important lessons I learned in Washington State came from briefing the CISO on CIAM modernization. At the time, cybersecurity was treated as a low priority in the project, overshadowed by usability and program delivery. The result? Gaps opened between cybersecurity and usability — gaps that were preventable, but only if security leaders got more engaged.

That’s the risk for CISOs today. I understand how IAM often lands at number five, six, or seven on a priority list — behind cloud transformation, endpoint visibility, or regulatory audits. But that doesn’t mean your influence should be missing. In fact, many of the most consequential changes in NIST Rev 4 are policy-level updates designed to accommodate new technology innovations. And here’s the catch: just because the technology exists doesn’t mean the gaps disappear. You know what they say about assumptions.

This is where proactive leadership matters. CISOs and CIOs need to step forward now — not as owners of every identity project detail, but as shapers of direction and champions of balance between assurance and experience. Consider these actions:

• Get involved early. Establish forums (like the Identity Security Forum I recommended in Washington State) where security has a seat at the table for program design decisions.

• Bridge security and usability. Demand that identity flows be tested through the lens of equity and user experience, not just policy compliance.

• Challenge assumptions. Don’t let your teams or vendors assume that “new tech” equals “no risk.” Push for fraud detection, continuous monitoring, and independent privacy reviews.

• Treat IAM as strategic. Even if it isn’t your top-3 operational fire, identity is now the foundation of digital trust — and when it breaks, everything else is exposed.

This is what Rev 4 makes clear: it’s not about perfect compliance with guidelines, but about proactive, visible leadership from cybersecurity executives. Without it, identity gaps will remain hidden until they become incidents. With it, identity becomes a driver of resilience, trust, and competitive advantage.

Identity as a Trust Advantage

NIST Rev 4 won’t appear on your compliance calendar. It won’t trigger an audit. But it does provide a clear signal of where identity assurance is headed — and by 2026, these practices will be expected baseline. The question for CIOs and CISOs is whether you will arrive there by design or by scramble.

The leaders who move now will have the advantage. They will have already pressure-tested their posture, improved customer journeys, and closed gaps before adversaries exploit them. They will have turned identity from a back-office control into a visible trust advantage for their organizations.

At Identient, we see Rev 4 not as a checklist but as an opportunity for leadership. Our guidance to cybersecurity executives is to begin now by:

• Conducting a thorough gap analysis against the Rev 4 guidelines to identify where posture, equity, and resilience need reinforcement.

• Planning strategic adoption of phishing-resistant authentication methods such as FIDO2 and synced passkeys, ensuring both workforce and customer readiness.

• Reevaluating and modernizing identity proofing and federation processes, with attention to wallets, delegated authority, and accessibility.

Rev 4 is not regulation. It is a compass. And for those who choose to act, it is a chance to lead. The CIOs and CISOs who use it to shape their roadmaps now will define the trust advantage of 2026. The rest will be left reacting.

Earlier this year, I was hired to spearhead a privileged access management (PAM) proof of concept (POC) at a $2.5 billion public cybersecurity company. Scope was clear. Expectations were set. Everyone wanted this to work.

But two weeks in, after a handful of stakeholder interviews, the signals started shifting.

Teams weren’t just hesitant—they were resistant. And not in the passive-aggressive, “we’ll get to it later” way. Some of them had already built high-integrity PAM solutions using HashiCorp Vault, with role-based access managed through Okta. These weren’t hacks or shortcuts. These were engineered, maintained, and trusted.

The more I listened, the clearer it became: this wasn’t a PAM problem. It was a non-human identity (NHI) problem. And the proposed solution didn’t match the shape of the real need.

When the Stakeholders Whisper, You Listen

Most CISOs don’t get the luxury of hindsight in real time. They’re under pressure to act, perform, and show progress—fast.

But in this case, I wasn’t the one under pressure.

The VP of Global Cybersecurity & GRC I was advising had aspirations beyond the current org chart. A successful PAM deployment would’ve been a feather in his cap—a proof point on his way to the C-suite. He was sharp. He was motivated. But his assumptions were brittle.

He wanted a centralized PAM system. The org wasn’t ready.

What the teams actually needed was a lightweight, internal solution that improved NHI hygiene without rewriting the security culture overnight. Centralizing control would’ve sparked more friction than value—politically, technically, and financially.

So I Did What a Consultant Is Supposed to Do. I Told the Truth.

I stepped back, reframed the problem, and presented the VP with a different option:

Pivot from PAM to NHI governance.
Leverage the existing Vault + Okta + Conductor One integrations.
Avoid a disruptive vendor rollout.
Save $2M in year one.

That’s not the kind of advice that protects your billable hours. But it’s the kind of advice that protects the customer from self-inflicted wounds.

We talk a lot about vendor lock-in and feature gaps. But sometimes the real danger is strategic misalignment—pushing forward because the project is in motion, not because it still makes sense.

You Don’t Always Need More Tools. You Need More Foresight.

How does this happen? In 2026, with all the conferences, research, and chatter on LinkedIn, how does a well-funded cybersecurity firm almost walk straight into a multimillion-dollar misstep?

Simple: the landscape is changing faster than most teams can track. Tools blur. Categories shift. What looked like a clear roadmap three quarters ago might be outdated today.

And even if the VP had perfect market intelligence, he still would’ve faced internal resistance. The engineering teams weren’t bought in. IT had their own ideas. SREs weren’t even in the room.

The risk wasn’t just a failed implementation. It was organizational backlash, political fallout, and lost trust.

The Customer Isn’t Always Right — But They’re Always Worth Protecting

This is one of those moments where I didn’t have all the answers. I wasn’t the most technical person in the room. I didn’t know more about Vault or Okta or NHI architecture than the people building it.

But I did know how to read a room. I knew how to map incentives. I knew what happens when strategy and execution fall out of sync. And I knew when the smartest move was to stop the train before it jumped the track.

That’s the real work of a strategic advisor.

It’s not about selling the scope. It’s about saving the system.

Start with Feasibility, Not Fantasy

If you’re leading a cybersecurity team right now, here’s the uncomfortable truth:

You can execute flawlessly—on the wrong thing.

That’s the story I want to expand from The CISO On The Razor’s Edge—the second CISO from “A Tale of Two CISOs” who had the right vision, but the wrong timing. Not because they were naïve or underprepared. But because they didn’t step back and ask the harder question:

Is this right—for this org, right now?

The temptation to push forward is strong. Especially when budget is secured, headcount is assigned, and the goal is tied to your performance review. But leading on the razor’s edge means something different. It means having the guts to pause. To pivot. To protect your people—even from well-meaning plans.

Saving $2M Wasn’t the Point. Saving Trust Was.

A failed PAM rollout would’ve cost $2 million. But the deeper cost would’ve been internal fragmentation, eroded credibility, and another data point in the “security slows us down” narrative.

Instead, we shipped something leaner. We built momentum. We delivered a win. And we set the stage for bigger change later—when the organization is ready to absorb it.

That’s how transformation really works.

Not by forcing tools into cultures that don’t want them. But by sequencing moves that build trust, reduce noise, and surface insight.

Final Thought: The Consultant’s Real Job Isn’t Delivery. It’s Discernment.

What most companies need isn’t more vendors, more dashboards, or more “strategy in a box.”

What they need is someone who can sit across the table and say, “I hear you. I get it. But I think there’s a better way.”

They need someone who isn’t afraid to ask:

• Is the problem what you think it is?

• Are you solving for optics or outcomes?

• Are you ready for what this solution will really change?

This isn’t theory. This is real leadership, in the real world.

And sometimes, it looks like walking away from a $2 million implementation—because the most valuable thing you can build is trust.

Like this post?
If you’re leading a complex cybersecurity program and wondering if your current path still makes sense, I’m here to help. Let’s talk.

Sometimes, the most critical signal in a security program is the vibe.

That uneasy feeling before a breach. The tension in a cross-functional meeting. The moment when everyone follows the policy—but no one feels responsible.

Call it soft. Call it squishy. Or start listening to what it's telling you.

Because vibe CISOing is real.

And if we’re going to move from the old playbook to the next edge of cybersecurity leadership, we need to get serious about what it means.

What Is Vibe CISOing?

It’s not about intuition in place of data. It’s about recognizing that data isn’t only what you log—it’s what you observe, what you sense, what you create clarity around.

Vibe CISOing is a mindset and practice that takes the invisible parts of organizational life seriously:

• The vibe of a team after a restructure

• The social cues when developers avoid raising security concerns

• The energy in the room when a CISO presents to the board

• The burnout that doesn’t show up in quarterly KPIs

You’re not imagining it. You’re leading in it.

The vibe is not fluff. It’s feedback.

And like all feedback, it’s either listened to—or it becomes something you can’t ignore.

Why It Matters Now

The pressure is rising.

Budgets are tightening. Political and economic uncertainty is expanding. And many cybersecurity leaders are being asked to do more with less—faster, with fewer people, and higher expectations.

In that kind of pressure cooker, traditional risk models break down. Not because the frameworks are wrong, but because they miss what happens in the gray space:

• Where people are confused, overloaded, or incentivized to bypass controls

• Where entropy accumulates in communication, workflows, or incentives

• Where the org quietly drifts out of alignment

When leaders stop listening to those signals, they lose the plot. And eventually, they lose the team.

From Strategic Multiplier to System Builder

In a recent post, I introduced the idea of the CISO as a Strategic Multiplier—someone who doesn’t just reduce risk, but expands organizational capacity.

That’s the shift: from managing controls to multiplying clarity, trust, and performance.

But how?

The best CISOs I know do three things differently:

1. They listen to the system, not just the stakeholders. They pick up weak signals, early warning signs, and contradictions in their environment.

2. They shape the narrative. They give language to what others feel but can’t articulate—and use that to reframe decisions and actions.

3. They move with intent. They don’t just fix problems; they design conditions for better performance, better outcomes, and a better future.

This is what Vibe CISOing enables.

It’s not mystical. It’s managerial courage and cultural awareness, tuned to the signals that metrics miss.

A Better Way to Lead Through Uncertainty

We don’t need more dashboards. We need a different design for leadership.

SPIRE is that design.

It’s not a feel-good framework or rebrand of soft skills. It’s a system—a leadership operating system—for navigating uncertainty with intention and impact.

Each letter in SPIRE points to what matters now:

• Signal — Cut through the noise. Know what’s actually happening across your org, not just what gets reported in the dashboard.

• Performance Intelligence — Understand how identity, governance, and security directly affect execution, delivery, and trust—not just compliance.

• Insight — Expose what’s invisible in static metrics: bottlenecks, misalignment, entropy.

• Reframe — Shift from reactive technician to strategic multiplier. Redefine security as a system of business enablement.

• Execution — Close the loop. Ensure that what you know turns into what gets done—with clarity, cadence, and consequences.

SPIRE is not just a mindset—it’s a method.
And when paired with SPI 360, it gives CISOs and cybersecurity leaders a way to observe, measure, and act in alignment with the system they’re actually running—not just the one they hope they’re running.

This is how we lead differently.
Not by forcing performance, but by creating the conditions where high performance is inevitable.

The Conversation Continues

Join me and Jimmy Sanders tomorrow at Noon PT for a bold conversation about the next generation of cybersecurity leadership.

We’ll talk about:

• What’s really broken in today’s CISO model

• How governance must evolve as a living doctrine

• And why no one can lead the next era alone

🎯 Register here: Strategy Layer Live — Monday, July 28th, Noon PT / 3:00 ET

Let’s bring more clarity, courage, and creativity into how we lead.

Because if we don’t tune into the signals—we’ll be the ones sending the wrong ones.

Andy is the former CSO of Akamai, a CISO Hall of Fame inductee, leadership coach, and the author of How To CISO 1.1 — a sharp, experience-driven guide for navigating the first 91 days and beyond as a security leader.

But this conversation isn’t just about onboarding. It’s about enduring.

Together, Steve and Andy unpack how the CISO role is evolving — not just in scope, but in identity — and what it takes to lead effectively when frameworks fall short, trust is fractured, and security teams are expected to protect systems they don’t fully control.

What we cover in this episode:

• Andy’s vision behind How to CISO and why version 1.1 matters

• The Zero Trust paradox and how it undermines human trust when misapplied

• Why your “first 91 days” might be more telling than your title

• The difference between control, clarity, and presence in the boardroom

• What Andy sees coming next — and why the CIO may outlast the CISO

Whether you're a first-time CISO or a seasoned operator, this episode will challenge how you think, lead, and speak inside the enterprise.

🎙️ Check out Andy’s work: https://www.howtociso.com

📘 Learn more about Steve's book, The CISO On The Razor’s Edge: https://www.stevetout.com/book

Here's a tougher question: how would you even know?

The CCISO Certified Chief Information Security Officer All-in-One Exam Guide (2020) calls governance a "living doctrine"—something that evolves with your organization, adapts to new threats, and aligns with shifting business priorities. But here's what no one says out loud: Most organizations are measuring governance like it's dead. Stuck in last quarter's PowerPoint. Buried in a maturity model that hasn't been updated since 2019. Reduced to a dashboard that shows the same green checkmarks month after month, telling you nothing about what's actually happening beneath the surface.

Governance Is a Living System. Your Measurement Approach Should Be Too.

The CCISO All-in-One Guide gets the philosophy right. It emphasizes that CISOs should define a security charter that evolves with the organization, demonstrates clear alignment with business goals, and shows measurable progress. It even calls for measuring governance ROI and performance—not just controls and compliance.

The spirit of that guidance? Spot on. The tools we use to execute it? Still trapped in 2010.

We're using balanced scorecards designed for manufacturing plants. Maturity models that assume linear progression. Static dashboards that report on the past instead of informing the future. Excel spreadsheets masquerading as strategic intelligence.

Then we wonder why board conversations feel like theater. Why security investments are impossible to justify in business terms. Why the same issues resurface after every incident review, despite our "lessons learned" sessions.

The Dangerous Illusion of Measurement

Here's how most organizations "measure" governance today. They check whether activities happened:

• Did we review the security charter this year? ✅

• Do we track open risk items in a register? ✅

• Did we present metrics to the board quarterly? ✅

• Is our maturity score improving year-over-year? ✅

Congratulations. You've proven that meetings occurred and documents exist.

But these checkbox metrics mask critical realities:

• How quickly governance adapts when business priorities shift

• Whether your security teams have genuine strategic clarity

• Where organizational entropy is building silently

• If the governance model itself creates value or just compliance theater

When real pressure hits—during an M&A, a sophisticated attack, or a strategic pivot—these surface measurements offer no guidance. Governance collapses precisely when leadership needs it most.

What Living Governance Actually Feels Like

At its best, governance isn't a compliance burden or administrative overhead. It's an enterprise capability—a strategic muscle that strengthens with use, flexes under pressure, and builds organizational resilience.

Living governance should:

• Surface strategic misalignments before they become critical failures

• Guide investment decisions with real-time business context

• Connect cybersecurity outcomes directly to enterprise value

• Improve your ability to lead through uncertainty and change

But achieving this requires fundamentally rethinking how we measure and manage governance. Static assessments and backward-looking metrics won't cut it. You need intelligence systems designed for dynamic environments.

Enter Strategic Performance Intelligence: The SPI 360 Approach

This is where Strategic Performance Intelligence changes the game. SPI 360 wasn't built as another dashboard or GRC platform. It's a strategic leadership system designed for the complexity and velocity of modern enterprise security.

1. Continuous Strategic Alignment, Not Annual Reviews

Your security program operates in a dynamic business environment. Market conditions shift. Threats evolve. Priorities change quarterly. SPI 360 maintains live alignment between governance structures and enterprise goals—not through annual reviews, but through continuous intelligence gathering and pattern recognition.

2. Value Creation Metrics That Matter

Forget vanity metrics and meaningless percentages. SPI 360 translates governance effectiveness into business language that resonates in the boardroom. It surfaces the actual impact of governance improvements on risk reduction, operational efficiency, and strategic agility—with data that CFOs and CEOs actually care about.

3. Early Warning Systems for Governance Drift

Where is organizational energy being wasted? Which governance processes are creating friction instead of value? SPI 360 detects weak signals and emerging patterns before they cascade into systematic failures. It's the difference between preventing governance breakdown and explaining it afterward.

4. Adaptive Response to Strategic Shocks

Whether facing an acquisition, responding to a breach, or navigating leadership transitions, SPI 360 provides leaders with a live system for rapid recalibration. No more scrambling to update static documents or create emergency dashboards. The intelligence is already there, ready for strategic decision-making.

5. Enterprise-Wide Visibility Without Information Overload

Governance touches every corner of your organization—security, IT, legal, operations, finance. SPI 360 creates shared visibility across stakeholder groups without drowning them in data. Each leader sees what matters for their decisions, while maintaining enterprise coherence.

From Static Documents to Living Intelligence

Let's face an uncomfortable truth: that beautifully crafted governance framework sitting in SharePoint? The one that took six months to develop and get approved? It became obsolete the day after the board signed off.

What you need isn't better documentation. You need living intelligence that evolves with your organization, learns from your operations, and strengthens your leadership.

That's the transformative gap SPI 360 fills.

Because governance isn't a one-time declaration captured in a PDF. It's a living discipline that requires continuous sensing, adaptation, and evolution. And it's time we started measuring it like one.

Modern enterprises don't need more governance frameworks. They need governance intelligence—systems that transform static policies into dynamic capabilities, converting compliance obligations into competitive advantages.

Ready to Bring Your Governance to Life?

If you're tired of measuring governance like it's a corpse instead of a living system—if you're ready to transform compliance theater into strategic capability—it's time to explore Strategic Performance Intelligence.

Ready to discover what your governance system can really do? Let's map the system and build a stronger foundation for what comes next.

Book a Strategy Call | SPI 360 Demo

Because the best time to evolve your governance measurement was yesterday. The second best time is now.