For years, resilience and data security operated in separate organizational silos. The resilience team focused on keeping systems running, while the security team focused on keeping data safe. They attended different briefings, reported through different chains of command, and, in most enterprises, barely spoke to each other. AI is making that model no longer viable.
Steve MacIntyre, SVP and product lead for data security and analytics, and cloud security at Fidelity Investments, and Wim Geurden, EY’s chief architect of enterprise technology, are two IT executives who manage some of the most complex data environments. Both recently spoke at the VeeamON event in New York and put great emphasis on how the convergence of resilience and data security is no longer a future trend but an immediate operational necessity, driven, accelerated, and exposed by AI.
AI didn’t create the problem — it revealed it
AI isn’t introducing new security vulnerabilities so much as it’s making long-ignored ones glaringly visible. “We gave out a few licenses for Copilot, and two days in, someone from the legal team I work with said we have an AI problem,” said MacIntyre about Fidelity’s early Microsoft 365 Copilot pilot. Another member of his team did a search and said AI found all the PowerPoints that were on SharePoint he used about four jobs ago. So it wasn’t an AI problem. “AI just searches everything you have access to and surfaces it in a meaningful way,” said MacIntyre. “Everybody thinks they have an AI problem, but what it shows is areas that must improve.”
Geurden encountered the same phenomenon at EY. “We found it about six months before Copilot was launched,” he said. “All kinds of data started surfacing in every location.” EY’s first response was to shut down unlicensed AI access entirely. “There was no lifecycle management and we didn’t know when sites were last accessed,” he added. The next phase involved using AI to label and classify the vast repositories of unstructured data EY had accumulated over decades, because, he said, it’s unfathomable that humans do it. “Especially with turnover every four years, you can’t keep training people at a 400,000-employee scale,” he continued.
The implication for CIOs is if you haven’t audited your unstructured data, you already have an AI security problem. You just need to turn on the tool that will expose it.
The threat is moving at AI speed
The urgency isn’t a hypothetical one. A recent BCG CISO survey found that half of cyberattacks over the past six months involved non-human identities, meaning adversaries are already deploying AI agents to conduct attacks. The same survey found that nearly half of business-sponsored AI projects resulted in unintended data leakage. These aren’t shadow IT experiments but sanctioned and approved deployments that leaked data because the underlying governance and access controls weren’t in place before the AI was turned on.
The problem is likely to worsen before it improves. Another study, this time by ZK Research, found that 65% of respondents believe AI adoption is outpacing their ability to govern it. Additionally, 89% of decision makers expressed concern about AI agents inheriting excessive access, underscoring a critical risk to data integrity and security. All these data point to a world where AI creates a fundamentally new operating model, where companies need to rethink how they address the risks and why the traditional separation between resilience and security must end.
Resilience without data governance means you can recover your systems, but not trust the data within them. Security without resilience planning means your controls may be sound on Tuesday, but nonexistent after a Wednesday incident. The organizations getting this right treat data as a first-class asset with its own governance lifecycle, rather than an afterthought attached to applications.
Three governing principles
Based on what MacIntyre and Geurden say, here are three concrete principles for CIOs to build integrated resilience and a strong security posture for the AI era.
Know what you have before you deploy what you want. “Get a handle on what’s actually important for the business and the use cases, and then get a handle on your data,” said MacIntyre. “If you can marry those two, you can make risk-based decisions on where to apply the work.” This means completing a data asset inventory — not just a list of systems, but a clear understanding of where data resides, who owns it, who has access, and whether that access has been reviewed. At Fidelity, this means tying AI use cases to approved projects so every agent or model deployment is matched to a registered business need. This is easier said than done, however, as the data within most organizations is messy. But getting a handle on data is a mandatory step toward AI success.
Build governance that moves at the speed of the threat. MacIntyre also acknowledged that GRC has historically been a slow, human-driven process, and AI is breaking that model. “They’re trying to figure out how to build automation, how to use AI to help the GRC function get aligned to this, because it’s moving at light speed,” he said. The answer isn’t simply to hire more compliance staff, but automate the monitoring, labeling, and control verification functions that humans can’t perform at AI scale.
Solve the agent identity problem now before regulators force you to. Both MacIntyre and Geurden flagged AI agent identity as one of the most unresolved and most consequential challenges in enterprise AI governance. Geurden described agents triggering unexpected SAP licensing costs as a first signal. MacIntyre raised the regulatory stakes in that he needs to be able to go backward. “I need to be able to say an agent took that action on that data set because a customer asked it to do it,” he said. That audit trail, from human intent to agent action to data record, doesn’t yet exist cleanly in most enterprises. And building it isn’t optional. In financial services and regulated industries, it’s a matter of when not if regulators demand it.
The cloud journey was a preview
MacIntyre offered a useful frame for the CIO community in that the AI governance challenge is structurally similar to the cloud transition, and enterprises that went through that migration have hard-won lessons that apply now. “When the explosion of AI happened, it didn’t just affect security and the attackers,” he said. “It also impacted the business, increasing velocity, and the ability to innovate and move faster. So we have to be there and be able to safely enable that for them.”
The instinct to block AI entirely will fail, just as blocking cloud adoption failed a decade ago. Business units will find workarounds. The job of the CIO and CISO, therefore, is to channel that velocity through governed, instrumented, and recoverable infrastructure.
Geurden’s framing from EY’s audit practice added a useful warning about overconfidence. Three years ago, the firm tested whether AI could pass the CPA exam. It could, easily, but the team quickly discovered that for complex professional judgment questions, the model assigned roughly equal probability to multiple answers. “At which point, you can’t build a control structure because you have to check everything it does,” he said. That discovery slowed EY’s AI rollout in the audit practice and arguably saved them from a much larger exposure. The lesson is that capability and trustworthiness aren’t the same thing, and closing that gap requires exactly the kind of integrated data governance and resilience architecture that most enterprises have yet to build.
AI has knocked down the wall between resilience and security, and CIOs who rebuild it will spend the next three years reacting to incidents. But those who build a unified data trust architecture will be the ones empowering the business to move fast with confidence, and that’s a position all CIOs should strive to be in.
Read More from This Article: CIOs: tear down the wall between resilience and data security
Source: News