Grayson Milbourne is a security intelligence director at OpenText Cybersecurity.
Across enterprises, AI adoption has moved from the goal to the baseline. Research we conducted in partnership with the Ponemon Institute found that more than half of organizations worldwide have already deployed GenAI in some form, and its growing role in operations means it’s interacting with more sensitive data and reshaping workflows across systems.
The bigger question now isn’t whether AI’s being used but whether it’s adopted responsibly and at scale. We found that only one in five enterprises has reached a level of AI maturity where systems are fully deployed with security risks assessed.
This gap is already creating risk. Many enterprises have moved forward with AI in practice, but they’re doing so without clearly defined approaches to privacy, security or governance. In many cases, innovation has moved faster than safeguards, a gap that will undermine long-term AI outcomes if left unaddressed.
In this environment, sustained success with AI depends on enterprises strengthening governance and security by implementing both from the outset.
Where AI Is Coming Up Short
As enterprises push AI deeper into operations, many are finding that it’s making security and compliance more complex, not less.
Our findings highlight a clear disconnect; while a majority of companies report increased difficulty managing privacy and security requirements resulting from AI, far fewer have established the policies and controls needed to manage those risks effectively. As a result, trust in these systems remains limited. While AI is exposing gaps in existing security and governance models, it’s also creating an opportunity for organizations to rethink how these systems are built and managed from the start.
Closing The Gap: What Secure AI Actually Requires
To safely and reliably implement enterprise-scale AI systems, organizations need to treat security and governance as foundational, not reactive. Achieving AI maturity ultimately comes down to a few core priorities:
Establishing Visibility And Control Over AI Systems And Access
Securing AI systems starts with understanding which models, services and agents are operating in your environment and controlling what they can access. Without clear oversight, companies run the risk of deploying AI capabilities that operate independent of security governances, creating blind spots that make it difficult to identify risk or enforce policy. As AI adoption accelerates across business units, maintaining a clear inventory of AI systems becomes increasingly important.
Organizations should leverage an identity-first approach that extends access management to include non-human identities such as AI agents. Each agent should be identifiable, assigned a defined role and governed by clear access permissions. The teams closest to an agent’s operational workflow should initially set the controls. To ensure several levels of governance, both identity and access management (IAM) and legal teams should approve those settings.
With that foundation in place, organizations can track agent activity, identify anomalous actions and ensure AI systems only have access to the resources required to perform their intended functions.
Protecting Sensitive Data Across AI Interactions
When AI interacts with sensitive data across systems, organizations need to enforce clear controls over what data can be accessed and how it’s used. Without proper safeguards, unintended access or misuse can expose sensitive information. Strong data security practices help ensure critical information remains protected.
The best solution begins with identification and least-privilege access control. Organizations should define which agents can access specific datasets, what actions they may take and whether those permissions include the ability to view, send or modify sensitive information. When agents are identifiable and trackable, deviations from their expected actions are easy to flag.
Encryption, personally identifiable information (PII) protections and oversight controls add another layer of security, but they’re most effective when paired with clear access boundaries from the start.
Maintaining Real-Time Visibility Into AI Behavior And Risk
Traditional security measures aren’t sufficient for AI-driven operations. With limited visibility into how AI systems operate and interact, continuous monitoring is critical to identify anomalous behavior and respond in real time. As AI-driven threats evolve, AI-driven security measures must too. Without continuous oversight, emerging risks can go undetected until significant damage has already occurred.
Organizations should incorporate AI activity into their existing security monitoring and response processes. This includes tracking system interactions, monitoring access to sensitive resources and identifying behavior that strays from established baselines. Teams should also be able to distinguish between approved agents operating within policy and unapproved or rogue agents acting outside expected boundaries.
When anomalous behavior is detected, organizations need a defined response path to investigate the activity and stop the agent from interacting with sensitive systems until it is validated.
End-To-End Security Across The AI Life Cycle
Security needs to be built into AI systems, not layered on after deployment. It should extend across the full life cycle, from development and training to deployment and integration within applications.
A ground-up approach to security and governance is important to lower vulnerabilities across systems. To reduce risk, organizations should incorporate security reviews, testing, governance and monitoring throughout the AI life cycle, from design and training through deployment and ongoing use.
This full-circle step requires collaboration between teams to ensure risks are identified and addressed before they become operational challenges. When security is embedded early, risk exposure is significantly reduced.
AI adoption will continue to accelerate, but adoption alone won’t determine success. As AI becomes more deeply embedded in enterprise operations, the organizations that succeed will be those that build security, governance and accountability into these systems as a foundation. Closing the gap between adoption and maturity is what will ultimately enable enterprises to deliver consistent, trusted AI outcomes at scale.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
