The one structural shift CISOs must make before AI outpaces their security strategy

With a federated approach, CISOs can set enterprise-wide policy and risk strategy, while data owners own security implementation.
Feb 5th, 2026 12:40pm by

Enterprise CISOs are stuck at a crossroads.

Their budgets aren’t growing fast enough, AI systems are consuming ever more enterprise data, and the software environments for which chief information security officers are responsible have become increasingly diverse and dynamic.

Here’s more bad news: These problems can’t be solved by hiring more people, buying more tools, or working longer hours. The traditional centralized security model no longer scales. Instead, CISOs must now distribute those security models to business owners, who are closest to where risks emerge. In short, CISOs need to adopt a federated model of security governance.

The good news is that with a federated approach, CISOs can set enterprise-wide policy and risk strategy, while data owners and technical teams own security implementation within their business units. This enables centralized governance while ensuring the efficient implementation of policies.

Federation delivers agility and scale

Traditional security models require CISOs to be experts across a wide variety of business units and functions, each with its own set of challenges. Data protection requirements, local regulations, and industry-specific compliance can all vary widely across business units and operating entities.

By contrast, the federated model assumes that business unit leaders have the best understanding of their unit’s nuances. With the right frameworks in place, their specialized knowledge helps them implement security strategies appropriate to their contexts.

With a federated approach, organizations can immediately realize three powerful benefits:

  1. Context-aware security minimizes friction. In a federated model, security decisions happen faster because they’re made closer to the action. When a product team wants to deploy a new customer-facing API, they don’t have to wait three weeks for a security review. The team’s security owner, who already understands the data model and compliance requirements, can approve it in 48 hours.
  2. Flexible policies speed up technology adoption. When governance is federated, a CISO can establish broad organizational standards for a technology’s adoption, while their technical partners in the business own the implementation. Today, a centralized approach might mean banning Claude Code outright because it could expose proprietary data. In a federated model, the CISO establishes a policy that AI tools must not transmit code containing customer or regulated data, and then business units can implement appropriate controls.
  3. Scalable security accommodates organizational growth. Acquisitions, new product launches, and geographic expansions all increase strain on centralized security teams. For example, expanding into Europe means they must become experts in GDPR, local data laws, and regional cloud infrastructure. In a federated model, the CISO would establish global data classification and protection standards, while regional IT leaders implement controls appropriate to their locales. This allows business units to move much more quickly while maintaining a consistent security posture.

When federation is a challenge

I’ve seen organizations struggle with this more distributed approach to security. If an enterprise already has a proliferation of silos, rigidity, and a top-down, command-and-control culture, federation won’t be easy.

The shift requires a new mindset of shared ownership. Security leaders must work as peers with their counterparts in business units to ensure the smooth adoption of new policies and frameworks. Standards and policies should account for the realities of modern technology stacks, not just try to force them into compliance.

In practice, that might look a lot like what Netflix’s security team has done with its “Paved Roads” philosophy. The team achieved policy adoption success by making the secure options the easiest for developers to adopt.

Outside of engineering, organization-wide standards need to offer flexibility. Avoid making standards overly specific to help them remain relevant to each business unit. Business unit partners can ensure that control structures are appropriate for their data classifications and for the organization’s overall policies. Establishing a self-service risk exception process can also simplify how units address special circumstances while still considering risk and impact.

Do all this, and security won’t hinder business unit function unnecessarily. To the contrary, it will accelerate technology adoption and help units meet their business goals faster and more effectively.

The ROI of federation

The C-suite and boards will continue to evaluate security investments based on their ability to reduce risk while advancing the organization’s business objectives. The pressure on CISOs to deliver ROI and mitigate risk will remain intense in 2026 and beyond. Federation enables them to deliver business results more effectively while taking a more expansive view of organizational risk.

The need for a new approach is urgent. AI systems are becoming increasingly autonomous and interconnected, creating a vast and growing attack surface. Many of these AI systems are already beyond what any centralized team can govern effectively. In this environment, federation is a cybersecurity necessity.

Federation will also change how enterprises organize, budget, and execute security programs. For large, complex organizations, strategic advantage will depend on how quickly they adopt a federated approach and embrace a more collaborative, distributed security culture. Without it, their security teams will remain a bottleneck. With federation, they will thrive in this complex, diversified landscape.
