Categories
Events

Report: Who Owns AI Accountability? Security, Legal, Compliance, or the Boardroom?

Open Innovator, on May 21, 2026, hosted a virtual session that brought together four senior leaders across cybersecurity, technology, finance, and compliance to answer one of the defining questions of the AI era: When AI fails inside an enterprise, who picks up the phone? The discussion was moderated by Agrima Sharma and co-hosted by Ananya Gulati.

Open Innovator is a thought leadership platform that convenes cross-functional leaders from technology, security, legal, compliance, and the C-suite to tackle the most pressing challenges at the intersection of innovation and accountability. Through live panel discussions, recorded sessions, and community-driven conversations, OI creates a space where practitioners speak plainly about what governance, risk, and responsible deployment really look like on the ground.

Speaker Profiles

Josh Scarpino — Cybersecurity & AI Governance Leader

Josh Scarpino brought a cybersecurity-first lens to AI accountability. He referenced the ARISE framework, which advocates unifying governance across ethics, legal, security, and AI oversight functions into a single operational model. He drew parallels between AI governance failures and longstanding cybersecurity lapses, arguing that organisations are measuring the wrong things — treating governance as a documentation exercise when it must be a demonstrable, measurable practice.

Will Lassalle — CTO & CISO

Will Lassalle spoke from the dual perspective of a technology and security executive, arguing that poorly engineered AI solutions — not just poor governance — are at the root of failures like the Rite Aid case. He emphasised the importance of AI operating committees, controlled deployment, and accountability at the C-suite level. He pushed back firmly against placing sole responsibility on the CISO, calling it both unfair and structurally flawed.

Olivia Phillips — Cybersecurity & Compliance Leader

Olivia Phillips brought the lens of structured, military-grade accountability to the discussion. Drawing on her government background, she advocated for explicit ownership at every layer of the enterprise, from the code level to the board, with clear structures that eliminate ambiguity when something goes wrong. She made the important point that a deployed AI system should be treated as a potential insider threat: like any privileged account, it needs ongoing monitoring, periodic re-evaluation, and governance of what it is allowed to access.

JC Spierer — Finance, Investment & AI Strategy Advisor

JC Spierer introduced the often-overlooked role of finance and investment committees in AI governance, coining the term “prosumer paradox” to describe how business users across organisations — including board members — are adopting AI tools informally, outside of IT oversight. He used BlackRock as an example of an organisation that successfully aligns risk with reward at scale, and raised thought-provoking questions about how accountability for agentic AI systems can be enforced.

Key Insights from the Discussion

1. The Rite Aid Case: A Leadership Failure, Not a Technology Failure

The session opened with the story of Rite Aid Pharmacy — a Fortune 200 company that installed facial recognition cameras in hundreds of stores, built the system using tens of thousands of low-quality images, and deployed it without rigorous testing. The result: innocent customers were flagged as shoplifters, followed through stores, searched, and in some cases had police called on them.

The key insight from the panel: this happened not because the technology was exotic or the company was reckless, but because no one in the leadership pipeline asked who owned the decision. Engineers assumed legal reviewed it. Legal assumed security had audited it. Security assumed compliance signed off. Compliance assumed the board had authorised it. No one had.

2. Accountability Is a Board-Level Obligation — But Responsibility Is Shared

All four speakers converged on a nuanced view: ultimate accountability must sit at the board or CEO level, but every function — engineering, security, legal, compliance, product — carries responsibility for its part of the pipeline.

The cybersecurity governance leader drew the analogy with established security practice: just as “security is everybody’s responsibility” is the accepted norm for protecting against phishing and human error, so too must AI risk be owned across functions. But when it comes to technology deployed at organisational scale, there must be a distinct, senior-level accountability holder, not a committee that diffuses blame.

3. The CISO Is Being Unfairly Scapegoated

A recurring theme was the industry’s troubling tendency to land all AI accountability on the CISO. Speakers agreed this is both structurally wrong and operationally dangerous.

The cybersecurity and compliance leader noted that the CISO has historically been the “scapegoat” in security failures, and AI is following the same pattern. The CTO & CISO referenced peers who now joke that CISO stands for “Career Is Soon Over” — a reflection of unrealistic expectations placed on a single executive.

The panel’s consensus: the CISO is well-positioned to manage security risk and compliance best practices, but should not be the sole owner of AI governance. A cross-functional AI Operating Committee or AI Governance Committee, with representation from all business units and accountability at the C-suite level, is the right structure.

4. Governance Must Be Operational, Not Just Documented

The cybersecurity governance leader challenged the common enterprise approach of treating AI governance as a documentation problem — policies, frameworks, audit checklists. His argument: documentation governs human behaviour, but autonomous systems behave differently.

When a deployed model’s behaviour drifts from what was validated at release, or when a deployment decision rests on policies that have since become outdated, a point-in-time audit will not catch the issue. Governance must be continuous, measurable, and tied to demonstrable system behaviour rather than to the paperwork that described the system when it shipped.

A recent statistic cited during the session: 78% of organisations cannot confidently submit an independent AI governance audit within 90 days. That means roughly 4 out of 5 companies do not fully know what they have built and deployed.

5. The Prosumer Paradox: AI Is Already Inside the Boardroom

The finance and AI strategy advisor introduced one of the session’s most distinctive concepts: the prosumer paradox. Half the people in any boardroom are likely already using AI tools — on their laptops, on their phones — without formal IT oversight. These prosumers are not doing anything malicious; they are simply trying to be productive. But they are taking on risk the organisation has not accounted for on its balance sheet.

His point: the finance and investment committee is often the first to know about AI adoption at scale, because at some point, money must be allocated or approved. Bringing this committee into AI governance structures earlier is an underutilised lever.

6. Speed vs. Safety: The Hot Take Debate

The panel debated a pointed hot take: “Companies that move fast on AI and skip governance will win by 2028. The cautious ones will be acquired or irrelevant.”

The responses reflected the complexity of the real landscape:

  • Finance & AI Strategy Advisor (nuanced yes/no): If you move fast and move right, you will win. But velocity without direction leads to crashes, not victories.
  • Cybersecurity & AI Governance Leader (disagrees): Recent legal precedents — including a judge ruling that a venture capital firm could be held liable for advising a portfolio company to cut cybersecurity budgets — signal a coming shift. Organisations that ignore foundational governance will become uninvestable.
  • CTO & CISO (it depends): The jury is out. If everyone rushes in without governance, the most cautious organisations may end up being the only ones still standing.
  • Cybersecurity & Compliance Leader (history repeats itself): The COVID-era remote work rush created BYOD governance failures that took years to resolve. AI is following the same arc. Governance cannot chase deployment; it must run alongside it.

The panel’s collective conclusion: you can build boldly and govern well at the same time. The two are not in opposition.

7. Agentic AI Raises Accountability Questions No One Has Answered Yet

The finance and AI strategy advisor raised the session’s most forward-looking concern: agentic AI, meaning systems that do not merely execute a task but plan, act on tools and data, and adapt with a degree of independent agency, creates accountability questions that existing governance models are not equipped to handle.

If an agentic AI goes awry, with good intention but bad outcomes, how do you hold it accountable in any meaningful sense? How do you assign consequences? The panel acknowledged there are theoretical answers — including proxy accountability assigned to the human responsible for the system — but noted that no enterprise governance framework has operationalised this yet.

The cybersecurity governance leader added a technical concern: a shared knowledge layer across agentic systems, often proposed as a governance solution, is also a single, high-value target. In security terms it is a single point of compromise: poisoning the shared store is enough to bias every agent that reads from it, so such a layer needs the same integrity controls, access governance, and monitoring as any other system on which the whole workflow depends.

Conclusion

The session closed with the moderator drawing together the central thread: AI does not fail because technology is broken. It fails because no one in the room raises their hand and says, “That’s my responsibility.”

The Rite Aid case was not an outlier. It was a preview. Across industries, organisations are deploying AI systems with unclear ownership, untested assumptions, and governance frameworks that exist on paper but not in practice.

The panel’s unified message to every leader in attendance: go back to your organisation tomorrow and find the person who is supposed to raise that hand. If you cannot name them, that is not a technology problem. That is your problem. A Part 2 of this conversation is planned, given the depth of interest and the volume of questions that could not be addressed in the session.


This report is based on the recorded panel discussion hosted by Open Innovator on May 21, 2026. All insights are attributed to the respective speakers.

Categories
DTQ Data Trust Quotients

Report: Redefining Cybersecurity Accountability in the Age of AI

DTQ recently organized an online event, “Time To Accountability – Why 2026 is the year the blame game ends”, focusing on a critical challenge facing businesses today: who is responsible when cybersecurity fails. As companies rely more heavily on digital infrastructure, cloud services, and AI systems, the risks have evolved dramatically. Cybersecurity is no longer just an IT problem; it is now a strategic priority demanding leadership attention.

The discussion kicked off with an insightful observation: organizations typically react to security incidents in one of two ways—either scrambling to fix the problem or pointing fingers. This defensive posture has characterized cybersecurity approaches for years. But speakers argued this mentality falls short in an era of sophisticated cyber threats, high-profile data breaches, and devastating business impacts.

The dialogue proposed a radical rethink—shifting from reactive blame games to continuous, proactive ownership. Under this model, companies must do more than respond swiftly to breaches. They need to explicitly assign responsibilities, integrate security into every layer of operations, and foster collective accountability throughout the organization.

Speakers

  • Dr. Rajeev Jha – Chief Information Security Officer (CISO), Comviva
  • Sunil Sharma – Deputy Chief Information Security Officer (Deputy CISO), Hitachi Digital
  • Sudhanshu Pandey – Cybersecurity Professional, UNISON Insurance Broking Services Pvt Ltd
  • Sanjay Kaushal – Global Chief Information Security Officer (Global CISO), Orbit Techsol

Moderator:

  • Fabrizio Degni – Global Council for Responsible AI (Expert in AI Ethics and Data Governance)

Key Insights and Discussion

  • Cybersecurity Failures Begin Long Before Breaches

A central idea that emerged early in the discussion was that cybersecurity incidents do not originate at the moment of attack. Instead, they are the result of decisions made much earlier within the organization. Breaches are often the final outcome of accumulated risks, ignored warnings, and delayed actions.

The conversation made it clear that focusing only on incident response overlooks the deeper issue. The real problem lies in how risks are identified, prioritized, and addressed before an incident occurs. By the time a breach becomes visible, it is already too late—the failure has already happened at a systemic level.

  • Accountability is Misunderstood as Blame

A recurring theme throughout the session was the misunderstanding of accountability. In many organizations, accountability is treated as a post-incident exercise focused on identifying who is at fault.

However, the discussion challenged this notion by emphasizing that accountability is not about punishment. It is about preparedness and system design. When an incident occurs, the question should not be “Who made the mistake?” but rather “What structures allowed this to happen?”

This shift in perspective moves the focus from individuals to systems, highlighting the importance of building resilient architectures and processes.

  • The Gap Between Compliance and Real Security

The session strongly highlighted the difference between compliance and actual security. Many organizations operate under the assumption that meeting regulatory requirements ensures protection. In reality, compliance often represents only the minimum standard.

Participants discussed how compliance is frequently treated as a checklist activity. Organizations complete required steps, generate reports, and assume they are secure. However, this approach fails to account for real-world threats, evolving attack methods, and internal vulnerabilities.

As a result, organizations may appear compliant while remaining exposed to significant risks. This creates a dangerous illusion of safety that can lead to complacency.

  • Execution and Ownership as Points of Failure

While most organizations intend to implement strong security practices, the breakdown typically occurs during execution. Security frameworks and controls may be defined, but they are not always effectively implemented.

A major contributing factor is the lack of clear ownership. When responsibilities are not clearly assigned, risks tend to remain unaddressed. Teams may assume that someone else is responsible, leading to delays and gaps in action.

The discussion emphasized that while accountability can be shared across teams, ownership must always be clearly defined. Without ownership, there is no follow-through, and without follow-through, security measures fail.

  • Organizational Silos and Misaligned Priorities

Another key issue discussed was the disconnect between different departments. Business teams often focus on growth and revenue, while security teams prioritize risk reduction. This creates a natural tension between speed and protection.

In many cases, business units request exceptions to security controls in order to meet targets or deadlines. These exceptions, while seemingly minor, can accumulate and create significant vulnerabilities.

The session highlighted the need for better alignment between departments. Security should not be seen as a barrier to business but as an enabler of sustainable growth.

  • Leadership as the Driver of Security Culture

Leadership plays a critical role in shaping how cybersecurity is perceived and practiced within an organization. The discussion made it clear that accountability must start at the top.

When leadership treats cybersecurity as a secondary concern, it influences the behavior of the entire organization. Employees are less likely to take security seriously, and compliance becomes a formality rather than a priority.

On the other hand, when leadership actively engages with cybersecurity issues, asks informed questions, and takes ownership of risks, it creates a culture of responsibility. This cultural shift is essential for building a resilient organization.

  • Communication Challenges with Non-Technical Stakeholders

One of the practical challenges highlighted was the difficulty of communicating cybersecurity risks to non-technical stakeholders. Technical teams often struggle to translate complex issues into language that business leaders can understand.

This communication gap leads to poor decision-making. Risks may be underestimated, misunderstood, or ignored altogether. As a result, critical security measures may not receive the support they need.

The discussion emphasized the importance of bridging this gap through education, awareness, and simplified communication. Stakeholders must understand not just the technical details, but the business implications of cybersecurity risks.

  • Low Engagement in Security Awareness

Even when organizations invest in training and awareness programs, engagement remains a challenge. The session highlighted that many employees participate in these sessions only to meet compliance requirements, without actively engaging with the content.

This lack of engagement reduces the effectiveness of training programs and leaves organizations vulnerable to human-related threats such as phishing and social engineering.

Building a strong security culture requires more than just mandatory training—it requires continuous effort, relevance, and active participation.

  • Data Visibility as the Foundation of Security

A fundamental principle discussed during the session was that organizations cannot protect what they cannot see. Data is at the core of cybersecurity, yet many organizations lack a clear understanding of where their data resides and how it is used.

Without proper visibility, security measures become ineffective. Organizations may implement controls, but they cannot ensure protection if they do not know what they are protecting.

Data discovery and mapping were identified as critical first steps in building a strong security framework.

  • Frameworks vs Real-World Preparedness

While frameworks and policies provide structure and guidance, they do not guarantee success. The session emphasized that real-world preparedness requires more than documentation.

Organizations must be ready to respond to incidents in real time. This includes defining roles, conducting drills, and ensuring coordination across teams. Without practice, even well-designed frameworks fail under pressure.

Preparedness is not theoretical—it is operational.

  • AI as Both an Opportunity and a Threat

Artificial intelligence emerged as one of the most significant factors influencing cybersecurity today. The discussion highlighted both its benefits and its risks.

On one hand, AI enhances productivity, automates processes, and improves threat detection. On the other hand, it introduces new exposures, including more convincing AI-assisted phishing and the risk of sensitive data leaking into AI tools that sit outside the organization’s control.

The concept of “AI versus AI” reflects the evolving landscape, where both attackers and defenders use AI to gain an advantage. This dynamic creates a continuous cycle of innovation and adaptation.

  • The Challenge of Black Box AI and Accountability

A particularly complex issue discussed was the use of AI systems that are not fully explainable. These “black box” systems make decisions that are difficult to interpret, raising questions about accountability.

If an AI system fails or behaves unpredictably, it becomes unclear who is responsible. This challenges traditional models of governance and risk management.

Organizations must develop strategies to manage these uncertainties, including monitoring AI behavior, setting clear boundaries, and ensuring transparency wherever possible.

  • Balancing Speed with Security

In a fast-paced business environment, organizations are under pressure to innovate quickly. However, this often leads to compromises in security.

The session emphasized that security should not slow down progress. Instead, it should be integrated into processes from the beginning. By embedding security into development and operations, organizations can achieve both speed and protection.

This balance is essential for long-term success in a competitive and risk-prone environment.

Conclusion

The session provided a comprehensive exploration of cybersecurity accountability, highlighting the need for a shift from reactive practices to proactive, system-driven approaches. It emphasized that accountability is not about assigning blame after an incident but about building resilient systems and cultures that prevent failures.

Key themes included the importance of leadership involvement, the limitations of compliance, the need for clear ownership, and the growing impact of artificial intelligence. The discussion also underscored the importance of communication, collaboration, and continuous preparedness.

Ultimately, the session reinforced that accountability is a shared responsibility. Organizations that embrace this mindset will be better equipped to navigate the complexities of modern cybersecurity and build lasting resilience in an increasingly uncertain digital landscape.

DTQ is a global platform that brings together professionals from diverse industries to share best practices, discuss challenges, and exchange innovative ideas and solutions. It fosters meaningful conversations aimed at strengthening trust in today’s rapidly evolving digital ecosystem. By encouraging collaboration and knowledge sharing, DTQ helps organizations and individuals build more secure, resilient, and accountable systems.