Report: Who Owns AI Accountability? Security, Legal, Compliance, or the Boardroom?

Open Innovator, on May 21, 2026, hosted a virtual session that brought together four senior leaders across cybersecurity, technology, finance, and compliance to answer one of the defining questions of the AI era: When AI fails inside an enterprise, who picks up the phone? The discussion was moderated by Agrima Sharma and co-hosted by Ananya Gulati.

Open Innovator is a thought leadership platform that convenes cross-functional leaders from technology, security, legal, compliance, and the C-suite to tackle the most pressing challenges at the intersection of innovation and accountability. Through live panel discussions, recorded sessions, and community-driven conversations, OI creates a space where practitioners speak plainly about what governance, risk, and responsible deployment really look like on the ground.

Speaker Profiles

Josh Scarpino — Cybersecurity & AI Governance Leader

Josh Scarpino brought a cybersecurity-first lens to AI accountability. He referenced the ARISE framework, which advocates unifying governance across ethics, legal, security, and AI oversight functions into a single operational model. He drew parallels between AI governance failures and longstanding cybersecurity lapses, arguing that organisations are measuring the wrong things — treating governance as a documentation exercise when it must be a demonstrable, measurable practice.

Will Lassalle — CTO & CISO

Will Lassalle spoke from the dual perspective of a technology and security executive, arguing that poorly engineered AI solutions — not just poor governance — are at the root of failures like the Rite Aid case. He emphasised the importance of AI operating committees, controlled deployment, and accountability at the C-suite level. He pushed back firmly against placing sole responsibility on the CISO, calling it both unfair and structurally flawed.

Olivia Phillips — Cybersecurity & Compliance Leader

Olivia Phillips brought the lens of structured, military-grade accountability to the discussion. Drawing on her government background, she advocated for explicit ownership at every layer of the enterprise — from the code level to the board — with clear structures that eliminate ambiguity when something goes wrong. She raised an important point about AI as an insider threat once deployed, requiring ongoing monitoring, re-evaluation, and access governance.

JC Spierer — Finance, Investment & AI Strategy Advisor

JC Spierer introduced the often-overlooked role of finance and investment committees in AI governance, coining the term “prosumer paradox” to describe how business users across organisations — including board members — are adopting AI tools informally, outside of IT oversight. He used BlackRock as an example of an organisation that successfully aligns risk with reward at scale, and raised thought-provoking questions about how accountability for agentic AI systems can be enforced.

Key Insights from the Discussion

1. The Rite Aid Case: A Leadership Failure, Not a Technology Failure

The session opened with the story of Rite Aid Pharmacy — a Fortune 200 company that installed facial recognition cameras in hundreds of stores, built the system using tens of thousands of low-quality images, and deployed it without rigorous testing. The result: innocent customers were flagged as shoplifters, followed through stores, searched, and in some cases had police called on them.

The key insight from the panel: this happened not because the technology was exotic or the company was reckless, but because no one in the leadership pipeline asked who owned the decision. Engineers assumed legal reviewed it. Legal assumed security had audited it. Security assumed compliance signed off. Compliance assumed the board had authorised it. No one had.

2. Accountability Is a Board-Level Obligation — But Responsibility Is Shared

All four speakers converged on a nuanced view: ultimate accountability must sit at the board or CEO level, but every function — engineering, security, legal, compliance, product — carries responsibility for its part of the pipeline.

The cybersecurity governance leader drew an analogy to cybersecurity practice: just as “security is everybody’s responsibility” is the accepted norm for protecting against phishing and human error, so too must AI risk be owned across functions. But when it comes to technology deployed at organisational scale, there must be a distinct, senior-level accountability holder, not a committee that diffuses blame.

3. The CISO Is Being Unfairly Scapegoated

A recurring theme was the industry’s troubling tendency to land all AI accountability on the CISO. Speakers agreed this is both structurally wrong and operationally dangerous.

The cybersecurity and compliance leader noted that the CISO has historically been the “scapegoat” in security failures, and AI is following the same pattern. The CTO & CISO referenced peers who now joke that CISO stands for “Career Is Soon Over” — a reflection of unrealistic expectations placed on a single executive.

The panel’s consensus: the CISO is well-positioned to manage security risk and compliance best practices, but should not be the sole owner of AI governance. A cross-functional AI Operating Committee or AI Governance Committee, with representation from all business units and accountability at the C-suite level, is the right structure.

4. Governance Must Be Operational, Not Just Documented

The cybersecurity governance leader challenged the common enterprise approach of treating AI governance as a documentation problem — policies, frameworks, audit checklists. His argument: documentation governs human behaviour, but autonomous systems behave differently.

When an AI model drifts from its original parameters, or when a deployment decision was made based on policies that have since become outdated, point-in-time audits will not catch the issue. Governance must be continuous, measurable, and tied to demonstrable system behaviour.

A recent statistic cited during the session: 78% of organisations cannot confidently submit an independent AI governance audit within 90 days. That means roughly 4 out of 5 companies do not fully know what they have built and deployed.

5. The Prosumer Paradox: AI Is Already Inside the Boardroom

The finance and AI strategy advisor introduced one of the session’s most distinctive concepts: the prosumer paradox. Half the people in any boardroom are likely already using AI tools — on their laptops, on their phones — without formal IT oversight. These prosumers are not doing anything malicious; they are simply trying to be productive. But they are taking on risk the organisation has not accounted for on its balance sheet.

His point: the finance and investment committee is often the first to know about AI adoption at scale, because at some point, money must be allocated or approved. Bringing this committee into AI governance structures earlier is an underutilised lever.

6. Speed vs. Safety: The Hot Take Debate

The panel debated a pointed hot take: “Companies that move fast on AI and skip governance will win by 2028. The cautious ones will be acquired or irrelevant.”

The responses reflected the complexity of the real landscape:

  • Finance & AI Strategy Advisor (nuanced yes/no): If you move fast and move right, you will win. But velocity without direction leads to crashes, not victories.
  • Cybersecurity & AI Governance Leader (disagrees): Recent legal precedents — including a judge ruling that a venture capital firm could be held liable for advising a portfolio company to cut cybersecurity budgets — signal a coming shift. Organisations that ignore foundational governance will become uninvestable.
  • CTO & CISO (it depends): The jury is out. If everyone rushes in without governance, the most cautious organisations may end up being the only ones still standing.
  • Cybersecurity & Compliance Leader (history repeats itself): The COVID-era remote work rush created BYOD governance failures that took years to resolve. AI is following the same arc. Governance cannot chase deployment; it must run alongside it.

The panel’s collective conclusion: you can build boldly and govern well at the same time. The two are not in opposition.

7. Agentic AI Raises Accountability Questions No One Has Answered Yet

The finance and AI strategy advisor raised the session’s most forward-looking concern: agentic AI — systems that not only execute tasks but train themselves and exercise a degree of independent agency — creates accountability structures that existing governance models are not equipped to handle.

If an agentic AI goes awry, with good intention but bad outcomes, how do you hold it accountable in any meaningful sense? How do you assign consequences? The panel acknowledged there are theoretical answers — including proxy accountability assigned to the human responsible for the system — but noted that no enterprise governance framework has operationalised this yet.

The cybersecurity governance leader added a technical concern: a shared knowledge layer across agentic systems — often proposed as a governance solution — also creates a single, high-value attack vector. If compromised, it could bias an entire agentic workflow.

Conclusion

The session closed with the moderator drawing together the central thread: AI does not fail because technology is broken. It fails because no one in the room raises their hand and says, “That’s my responsibility.”

The Rite Aid case was not an outlier. It was a preview. Across industries, organisations are deploying AI systems with unclear ownership, untested assumptions, and governance frameworks that exist on paper but not in practice.

The panel’s unified message to every leader in attendance: go back to your organisation tomorrow and find the person who is supposed to raise that hand. If you cannot name them, that is not a technology problem. That is your problem. A Part 2 of this conversation is planned, given the depth of interest and the volume of questions that could not be addressed in the session.

This report is based on the recorded panel discussion hosted by Open Innovator on May 21, 2026. All insights are attributed to the respective speakers.