AI Expands the Cyber Risk Surface, and Governance is Crucial
Agencies can no longer treat cybersecurity and AI adoption as separate initiatives. AI introduces new dependencies on data, software, infrastructure and third-party providers, making governance a critical consideration from the outset rather than an afterthought. Studies consistently show that organizations that have been aggressive at embracing AI in the workplace but whose AI governance structures and practices have failed to keep pace suffer more AI-related breaches than those with clear governance processes, and that these breaches also tend to be more damaging.
One of AI governance’s biggest challenges is organizational rather than technical. AI initiatives are often driven by teams focused on model performance, data quality and mission outcomes, while cybersecurity teams prioritize risk management, access controls and continuous monitoring. When those efforts operate independently, visibility gaps and accountability challenges can emerge. At its heart, AI governance is about assigning clear ownership for AI outcomes and for ensuring that key stakeholders — not security professionals alone — are responsible for the performance of AI, including its security.
AI systems also create new attack surfaces. Sensitive data may be exposed through training, queries and increasingly through agentic AI. Third-party models and AI services introduce supply chain risks. Automated decision-making systems can create operational and security concerns when agencies lack transparency into how models function, what data they rely on and who is responsible for oversight.
Integrating security, governance and operational oversight throughout the AI lifecycle will be essential to managing risk while realizing AI’s potential.
ACCOMPLISH THE MISSION: Modernize your agency’s IT infrastructure.
Identity and Access Management Meets Agentic AI
At many organizations, the number of nonhuman identities greatly exceeds the number of IDs and passwords for human employees, sometimes by a factor of 100 or more. While this trend began with Internet of Things devices, it accelerated dramatically with the adoption of agentic AI, and data shows that nearly 70% of organizations give NHI’s more access privileges than they would a human performing the same role. Many of these NHIs receive static access credentials that aren’t updated like a human user’s password, and few organizations ‘retire’ obsolete AI agents when new agents are created or the need for the agent is fulfilled.
In short, we lack the equivalent of a “digital HR process” for handling agentic AI. Coupled with the nondeterministic nature of generative AI and the propensity of agents to do things their creators didn’t intend and would prohibit, this places an even greater premium on adopting strong AI governance practices.
Do Not Create Another Governance Silo
Agencies should also resist the urge to build separate governance structures for every AI initiative. Complexity is already one of the biggest challenges facing federal technology teams. New technologies often arrive with new tools, review boards and management processes. While we currently lack a standardized model or framework for AI governance, the National Institute of Standards and Technology AI Risk Management Framework provides agencies with sound guidance and best practices, and if adopted by multiple agencies, it can facilitate identifying common problems and successful solutions.
The goal should be a consistent framework that supports innovation while maintaining security and accountability. The strongest approach is to integrate AI governance into existing cybersecurity, risk management and procurement processes.
Visibility Is the Foundation of AI oversight
For agency CIOs and CISOs, AI governance is ultimately an operational challenge. Success depends less on creating entirely new oversight structures and more on ensuring AI systems can be monitored, secured and managed within existing technology environments.
Effective governance starts with visibility. Agencies need to know what AI systems are in use, where sensitive data is flowing, who owns those systems and how risk is being monitored over time.
GET SECURE: Learn how federal agencies can boost security against threats.
AI Governance Requires Continuous Risk Management
Federal cybersecurity initiatives such as the Cybersecurity and Infrastructure Security Agency’s Secure by Design effort have increasingly emphasized security, accountability and confidence in the technologies supporting government missions. AI introduces many of the same considerations.
Organizations need to know where models originate, how they were trained, who maintains them and whether the surrounding technology ecosystem meets security requirements. As AI adoption grows, understanding the supply chain behind a model may matter as much as evaluating its output.
Build AI Into the Broader Modernization Strategy
AI adoption should be evaluated as part of broader modernization efforts. Agencies need to understand how AI capabilities fit within existing technology strategies and whether they simplify operations or create new management burdens.
Ultimately, AI governance is less about creating new oversight structures and more about extending proven cybersecurity disciplines to a new class of technology. Agencies that build visibility, accountability and continuous risk management into AI programs today will be best positioned to scale adoption securely and effectively in the years ahead.
