AI offers hockey stick business growth opportunities, but comes with a side salad of hockey stick risks.

How do you take the wins and avoid the losses?

I’ve been in the trenches for the last three months doing just that. This is what I’ve learned.

Number one lesson: Everything is same same but different. All the problems and lessons of enterprise security repeat themselves. Shadow IT? Shadow AI. Cost controls? Want those. API security? DLP? Software supply chain security? You betcha.

Same same but different.

So what’s different?

AIs need access to stuff. And if you don’t grant them access to stuff, they can’t do stuff. You know, the stuff that you want them to do. Which is the whole point!

So guardrails, but designed to constrain not human accidents and adversaries but AI accidents and adversaries.

Access: There is read and there is write. AI needs to read all the data to get context. Do not die on this hill. You will die.

Write access: Where is gets tricky. Do you really want AI standing up cloud infrastructure? In prod? With write access to your Google Workspace? Ability to send email from your inbox as you?

An AI is a disobedient, lazy, dishonest junior employee that happens to be autistically good at their job if managed well. That means you can never trust an AI=-that’s dangerous. This turns your job into: Verify, verify verify.

In fact proper use of AI comes down to specifications. The prompt and the verification after. You are now the director, the auditor, the band leader, the general.

When humans no longer do the grunt work itself, the acceptance criteria become the sine qua non.

Here’s an unsolved problem: How do you secure agentic AI? API keys sprawl, where are they running, what are they doing, how much are they spending?

I dunno.

That’s the answer for most folks today in March 2026. I see three emerging solutions: network layer (Cloudflare), API layer (Kong, etc), and identity layer (Okta, etc).

I’m bullish on the network layer. But no matter what you do, you must chokepoint your AI API access to govern it for both security and cost reasons.

Agentic AI in Modal goes off the rails? Kill the API key. Randoms shadow AI agent connections? Kill the API key and see what developer squawks. Developers taking API keys home for their weekend project? Naught naughty. Blocked.

AI makes me faster and better at my job, and reduces the size of the security team I need to be effective. Security is a broad field. As a human I can’t literally know everything--one lifetime is not long enough. But as a cyborg CISO, I am faster, stronger, and better at my job, and at a lower cost to my employer.

The future is cyborg.