
The AI CISO Provides Trust and Assurance, Not Just System Protection: Forrester Names the CISO Operating-Model Shift


See also (wiki): wiki/ai-cybersecurity.md, wiki/agentic-ai-governance.md, wiki/assistive-to-agentic-shift.md


Executive Summary

  • Forrester’s The AI CISO (Amy DeMartine, VP Senior Research Director, Apr 9, 2026) names the CISO role redefinition the same week Mark Moccia named the CIO’s: the job shifts from “protector of systems” to “provider of trust and assurance” over autonomous AI outcomes. The unit of CISO accountability moves from preventing unauthorized access to proving that AI decisions are correct, explainable, and protected from corruption.
  • Three drivers force the shift. First, traditional security controls cannot scale to oversee hundreds of autonomous agents and do not evaluate whether a decision had the right intent. Second, 56% of generative AI decision-makers already call agentic sprawl a current challenge (Forrester Q4 2025 AI Pulse Survey) — a number that rises as employees and third parties deploy more agents across supply chains. Third, regulatory accountability for AI-caused incidents is converging on the CISO personally.
  • DeMartine prescribes three immediate moves: (1) map how the business actually delivers value end-to-end so guardrails have something to attach to; (2) define the future security org — the “trust and assurance” function — and start reskilling through AI experimentation now; (3) the CISO leads by example, personally using AI to build the governance instincts that cannot be delegated.
  • The April 9, 2026 Forrester CISO/CIO pairing (DeMartine + Moccia) is the operating-model half of a broader analyst convergence. Gartner (Apr 2, 2026, assistive-AI abandonment), McKinsey (Apr 7, 2026, AI Transformation Manifesto), IBM IBV + Palo Alto Networks (Mar 22, 2026, n=1,000 C-level executives), and Anthropic (Apr 9, 2026, Trustworthy Agents in Practice) all published in a six-week window. They agree: the security function’s center of gravity is moving from perimeter defense to outcome assurance.
  • The practical exposure for a 200- to 2,000-person company is that the CISO job description most firms wrote in 2023 is now a structural gap. If the CISO’s 2026 plan is still “deploy more tools and tighten IAM,” the next agentic incident has no owner with the authority or telemetry to contain it.

What Forrester Is Actually Saying

DeMartine’s argument is narrower than a generic “CISOs must adopt AI” thesis. Three moves anchor it.

First, the unit of CISO accountability moves from systems to outcomes. The CISO who “secured the endpoints, network, and applications” is being replaced by the CISO who proves that AI-driven decisions are correct, explainable, and protected from corruption. DeMartine is direct: “AI creates outcomes that must be trusted, not just systems that must be protected.” Translation: the control environment must now cover the reasoning and decisions of the AI, not only the infrastructure it runs on. A perfectly secured agent that makes a policy-violating decision is still a CISO failure.

Second, scale breaks human-in-the-loop defaults. Traditional security controls assume a human is in the approval path somewhere. As enterprises deploy “hundreds of autonomous agents” — DeMartine’s phrase — the approval-per-action pattern collapses, and policy-enforcement tooling was not built to evaluate intent. The Forrester Q4 2025 AI Pulse Survey finding that 56% of generative AI decision-makers already call agentic sprawl a current challenge is the leading indicator: the problem is present-tense, not forecast.

Third, regulatory accountability is converging on the CISO personally. When an autonomous agent causes an incident, breach, or financial harm, organizations must prove documented guardrails, continuous assurance, and auditable behavior — including across third-party AI supply chains. DeMartine’s key phrase: “In many enterprises, that accountability will land squarely with the CISO, making trust and assurance not just a capability gap but a personal risk.” This echoes the Delaware Caremark fiduciary exposure that boards face for unchecked AI deployment; the CISO is now inside that same liability envelope.

DeMartine is explicit that CISOs “cannot outrun this shift by changing jobs or waiting to get started.” The operating model is evolving. The accountability is not waiting for the operating model to settle.

Source Credibility

MEDIUM-HIGH. Forrester is a top-tier analyst firm with direct CISO-audience research distribution. This artifact is a blog post previewing a larger research note (The AI CISO), not the full study — the analytical frame is visible but underlying survey methodology, interview count, and role-definition detail are not disclosed in the public summary. Read it as an authoritative framing document from a firm with deep security-leader access, not as a primary-data study.

The one quantitative data point that is disclosed — 56% agentic sprawl as a current challenge — comes from the Forrester Q4 2025 AI Pulse Survey, an established recurring Forrester instrument. The triangulation with IBM IBV + Palo Alto Networks (n=1,000, Mar 22, 2026) showing 61% of organizations compromised in the past 12 months and Anthropic’s layered-defense framing gives the directional claim independent corroboration.

Triangulation: The April 2026 Analyst Convergence on the Security Operating Model

Five institutional artifacts published within a six-week window all describe the same shift.

| Firm | Publication | Date | Core claim relevant to the CISO shift |
| --- | --- | --- | --- |
| Forrester | The AI CISO (DeMartine) | Apr 9, 2026 | CISO role shifts from system protection to trust and assurance; 56% cite agentic sprawl |
| Forrester | The AI CIO (Moccia) | Apr 9, 2026 | CIO shifts to outcome governance; four 2030 accountabilities including autonomous supervision and board assurance |
| Gartner | Assistive-AI abandonment prediction | Apr 2, 2026 | >50% of enterprises stop paying for assistive AI by 2028; “Agent Steward” role supervises outcomes |
| McKinsey/QuantumBlack | AI Transformation Manifesto | Apr 7, 2026 | Agentic engineering as next capability frontier; 12 themes separate AI-transformers from peers |
| IBM IBV + Palo Alto Networks | Agentic AI Cybersecurity | Mar 22, 2026 | 61% of organizations compromised in prior 12 months; 67% targeted by AI-enabled attacks; 27 AI tools × 10 vendors × 73 cyber tools × 22 vendors (n=1,000 C-level) |
| Anthropic | Trustworthy Agents in Practice | Apr 9, 2026 | Four-component agent decomposition (model/harness/tools/environment); “no single line of defense” against prompt injection |

Three analyst firms, two vendor-adjacent providers, and two primary surveys converging in a single window is unusual. The underlying claim they share: the control environment mid-market companies built for assistive AI (Copilot seats, IAM for humans, perimeter-based detection) does not scale to agentic AI. The CISO who treats the 2026 plan as “continuous improvement” of the 2024 plan is misreading the shift.

It does not follow that every 300-person company must run a 2027 operating-model redesign. Forrester’s arc is multi-year. IBM IBV’s data shows only 8% of organizations have deployed agentic AI at scale; 5% are running multi-agent orchestration. The framing is real. The timeline is long enough to do the mapping, reskilling, and tabletop work before the incident — and short enough that waiting until 2028 is not an option.

The Three Actions DeMartine Prescribes, Operationalized

1. Map how the business actually delivers value today.

DeMartine’s first action is “mapping how their business actually delivers value today … which customer and employee services truly matter and how they are delivered end to end through technology.” Her recommended starting point is the existing Business Continuity and Operational Resilience program.

This is the most easily underestimated move. A CISO cannot design guardrails for future agents without knowing which services are revenue-critical, where data flows, which systems the agents will act on, and what the blast radius looks like if an autonomous decision is wrong. The existing BCP documentation is the closest thing most companies have to a service-flow map — and in most mid-market firms it is out of date by 12–36 months.

Practical translation for a 200- to 2,000-person company: a four-week exercise, led by the CISO with the COO and CIO as co-sponsors, that produces a one-page service-flow map for the top five revenue-generating or customer-facing services. For each, document which systems, data stores, and decision points are involved. This is the substrate for every agent policy, every prompt-injection test, and every incident playbook that follows.

2. Define the future security org and start training for it immediately.

DeMartine’s second action: “CISOs must clearly articulate what a trust and assurance function looks like, which roles will evolve or disappear, and what new skills are required. Start reskilling now through AI experimentation so that fear and inertia don’t slow the organization down.”

The Anthropic Trustworthy Agents in Practice four-component decomposition (model, harness, tools, environment) gives a practical org-design scaffold for this. Each component needs an owner. In most mid-market organizations today, the model is owned by vendor management, the harness by the AI/platform team, the tools by application owners, and the environment by the CISO. Nobody owns the agent as a system. The trust and assurance function is the role DeMartine is describing — the single accountable party for the end-to-end behavior of the agent.

The reskilling point is important. DeMartine is explicit that experimentation beats training content: the team that has personally built and broken agents develops governance instincts that no certification curriculum produces. For a mid-market CISO, this looks like a 90-day internal project — pick one narrow agentic use case (vendor due diligence, customer support triage, contract red-lining) and have the security team build, red-team, and instrument it themselves before any business unit deploys one.

3. CISO leads the transition by personally using AI.

DeMartine’s third action is both practical and political: “CISOs who personally use AI to automate reporting, analysis, and decision support build the instincts needed to govern AI at scale. Firsthand experience helps leaders understand where automation adds value, where it fails, and what must be controlled.”

The instinct development is real. The political dimension matters more in mid-market companies where the CISO’s authority over AI is contested — AI may sit under the CIO, CTO, Chief Data Officer, or a new Chief AI Officer role. A CISO who is personally hands-on with the technology earns standing in governance debates that a CISO who delegates to the team does not.

The Security Org Redesign: What Moves Where

Synthesizing DeMartine’s framing with the Anthropic four-component model and the IBM IBV + Palo Alto Networks attack-surface data:

| Layer | 2024 CISO Control | 2026–2028 CISO Accountability |
| --- | --- | --- |
| Perimeter | Firewalls, network segmentation, endpoint protection | Same — still necessary; no longer sufficient |
| Identity | Human IAM; service-account hygiene | Non-human identity governance at 82-to-1 ratio; agent identity lifecycle |
| Application | Vulnerability management; secure SDLC | AI model supply-chain review; harness security (system prompts, tool defs) |
| Data | DLP; classification; encryption | Training data provenance; inference-time data exposure; output review |
| Detection & response | SIEM; EDR; IR playbooks | AI-specific IR playbook; agent tool-abuse detection; continuous assurance |
| Outcomes (new) | (new layer) | Decision correctness, explainability, policy adherence; board-level trust reporting |

The “Outcomes” row is the new CISO accountability DeMartine is naming. None of the rows above disappear — the traditional security program is still the floor. The trust and assurance function sits on top, operating across all five traditional layers plus a new reporting obligation to the board about AI-decision integrity.

Key Data Points

| Metric | Value | Source | Date |
| --- | --- | --- | --- |
| GenAI decision-makers calling agentic sprawl a current challenge | 56% | Forrester Q4 2025 AI Pulse Survey | Q4 2025 |
| Three immediate CISO actions Forrester prescribes | Map value delivery; redesign security org; lead by personal AI use | Forrester The AI CISO (DeMartine) | Apr 9, 2026 |
| CISO role shift named by Forrester | “Protector of systems” → “provider of trust and assurance” | Forrester The AI CISO (DeMartine) | Apr 9, 2026 |
| Organizations reporting AI assets compromised in prior 12 months | 61% | IBM IBV + Palo Alto Networks (n=1,000 C-level, 17 countries) | Mar 22, 2026 |
| Organizations targeted by AI-enabled cyberattacks | 67% | IBM IBV + Palo Alto Networks (n=1,000) | Mar 22, 2026 |
| Average enterprise AI solutions / vendors | 27 AI solutions from 10 vendors | IBM IBV + Palo Alto Networks (n=1,000) | Mar 22, 2026 |
| Average enterprise cybersecurity solutions / vendors | 73 cyber solutions from 22 vendors | IBM IBV + Palo Alto Networks (n=1,000) | Mar 22, 2026 |
| Organizations with agentic AI at scale | 8% | IBM IBV + Palo Alto Networks (n=1,000) | Mar 22, 2026 |
| CISOs leading their organization’s AI adoption program | 58% | Gartner, Evolution of the Cybersecurity Leader | 2025 |
| Non-human identities vs. human users (enterprise networks) | 82-to-1 | CyberArk | 2026 |
| CISOs lacking confidence legacy IAM can govern non-human AI identities | 92% | Saviynt/Cybersecurity Insiders (n=235) | 2026 |
| Production AI deployments with prompt-injection exposure | 73% | OWASP / Prompt Security | 2025 |
| Breach-cost reduction with AI-specific security controls | $1.9M; 80 fewer days in lifecycle | IBM Cost of a Data Breach (n=600) | 2025 |
| Enterprises predicted to stop paying for assistive AI by 2028 | >50% | Gartner assistive-AI abandonment | Apr 2, 2026 |

What This Means for Your Organization

DeMartine’s argument, read against the IBM IBV data, lands on an uncomfortable point: the attack surface a mid-market CISO inherited from 2024 — managed endpoints, a known IAM population, a bounded vendor list — has already been replaced, whether or not the CISO has updated the org chart. Non-human identities at 82-to-1 and agentic sprawl at 56% of the market are not forecasts; they are the current state. The companies where the CISO is still running a 2023 operating model are not holding the line — they are running blind on an expanded attack surface.

For a 200- to 2,000-person company, the three-move sequence is sharp enough to act on this quarter. Move one: spend four weeks with the COO and CIO producing the service-flow map for the top five revenue-critical workflows. This is the cheapest move and the one that unblocks every other decision. Move two: pick one narrow agentic use case and have the security team personally build, red-team, and instrument it before any business unit launches its own agents. The instinct that builds is the only thing that closes the governance-policy gap Anthropic is warning about. Move three: the CISO spends four hours a week personally using AI for their own reporting and analysis work. That is not a tool deployment; it is the political and cognitive foundation for the trust-and-assurance role DeMartine describes.

The second audit is the vendor-contract one. If the security team’s 2026 posture still relies on “the vendor’s guardrails will protect us,” that assumption does not survive the shift to autonomous decisions across third-party supply chains. DeMartine is explicit that accountability crosses supply-chain boundaries. Reading the top-five AI vendor contracts for breach notification, indemnity on AI-caused harm, model supply-chain representations, and exit clauses for model weight transfer is a 2026 task, not a renewal-cycle task. The insurance overlay — WR Berkley, AIG, Great American, Hiscox, AXA XL have all added AI-specific questionnaire sections for 2026 renewals — is the forcing function that makes the contract audit unavoidable.

If this framing raised questions specific to your security operating model — how to sequence the trust-and-assurance redesign against existing program commitments, how to reskill a small security team without adding headcount, or how to brief the board on AI-decision assurance without overcommitting the CISO personally — I’d welcome the conversation at brandon@brandonsneider.com.

Sources

  • Forrester, “CISOs Have Plenty Of Work To Do In An AI-Driven Future” — Amy DeMartine, VP, Senior Research Director, Forrester. Published April 9, 2026. Blog summary of full research note The AI CISO. URL: https://www.forrester.com/blogs/cisos-have-plenty-of-work-to-do-in-an-ai-driven-future/. Credibility: MEDIUM-HIGH — top-tier analyst firm, direct CISO-audience distribution; blog summary, so underlying research note methodology and interview counts not publicly disclosed.
  • Forrester Q4 2025 AI Pulse Survey — Source of the 56% agentic-sprawl data point; Forrester recurring analyst survey. Referenced in DeMartine, April 9, 2026. Credibility: MEDIUM-HIGH — established analyst survey instrument.
  • Forrester, “The AI CIO Will Govern Outcomes At Scale” — Mark Moccia, VP, Research Director, Forrester. Published April 9, 2026. Paired CIO operating-model piece; see research/04-consulting-firms/forrester-ai-cio-outcome-governance-2026.md. Credibility: MEDIUM-HIGH.
  • IBM Institute for Business Value + Palo Alto Networks, Agentic AI Cybersecurity Study — n=1,000 C-level executives, 17 countries, Q4 2025–Q1 2026. Published March 22, 2026. Primary source for 61% compromised / 67% targeted / 27+10 AI tools / 73+22 cyber tools / 8% agentic scale. See research/06-security-frontier/ibm-ibv-agentic-ai-cybersecurity-2026.md. Credibility: HIGH — large-sample C-level primary survey; IBM + Palo Alto vendor caveat applies for the framing, not the data.
  • Anthropic, “Trustworthy Agents in Practice” — Published April 9, 2026. Four-component agent decomposition (model/harness/tools/environment); layered-defense framing for prompt injection. See research/06-security-frontier/anthropic-trustworthy-agents-in-practice-2026.md. Credibility: MEDIUM — vendor-published governance framework; primary-source artifact from the model maker.
  • Gartner, “Gartner Predicts Over 50% of Enterprises Will Stop Paying for Assistive AI by 2028” — Published April 2, 2026. See research/05-analyst-firms/gartner-assistive-ai-abandonment-2026.md. Credibility: MEDIUM-HIGH — Gartner prediction, not survey data.
  • McKinsey/QuantumBlack, “The AI Transformation Manifesto” — Singla, Sukharevsky, Lamarre, Smaje, Levin. Published April 7, 2026. See research/04-consulting-firms/mckinsey-ai-transformation-manifesto-2026.md. Credibility: MEDIUM — consulting-firm framing document.
  • MIT CISR, “Mapping the Generative AI Risk Space” — van der Meulen, Lefebvre, Wixom, Legner, based on 62 executive interviews. Published January 15, 2026. GenAI risk taxonomy (embedded vs. enacted). See research/06-security-frontier/mit-cisr-genai-risk-space-2026.md. Credibility: HIGH — academic research briefing.
  • “What the CISO Needs to Know About AI Risk That Traditional Software Risk Models Miss” — Internal synthesis file with 58% CISOs leading AI, 82:1 non-human identity ratio, 92% legacy IAM confidence gap, $1.9M breach-cost reduction. See research/06-security-frontier/ciso-ai-risk-briefing-framework.md. Credibility: HIGH — synthesis of CyberArk, Saviynt, IBM, OWASP, Gartner primary sources.
  • IBM Cost of a Data Breach 2025 — n=600 organizations. $1.9M reduction and 80-day shorter lifecycle with AI-specific controls. Credibility: HIGH — large-sample annual IBM/Ponemon study.
  • Saviynt/Cybersecurity Insiders CISO AI Risk Report — n=235, 2026. 92% confidence gap on legacy IAM for non-human identities. Credibility: MEDIUM — vendor-sponsored but primary survey with disclosed methodology.

Brandon Sneider | brandon@brandonsneider.com April 2026