
AI is now a board-level risk in cyber security. Most organisations still treat it as IT.

The industry already agrees on the diagnosis. The hard part is not deciding that AI belongs on the board agenda. It is reasoning well once it gets there.

In short

Ask the people who lead security and they will tell you: AI in the enterprise is a whole-organisation governance question, not a tool to be bought and delegated to IT. That view is now the consensus across cyber-security vendors, analyst houses and governance bodies. The trouble is that consensus stops at the diagnosis. Knowing AI is a board-level risk does not tell a leadership team how to reason through an AI-shaped decision, and a confident, unchallenged answer is exactly what they tend to get. Gildoni installs the Havruta Methodology (formerly the Think Partner Methodology) into how leadership teams reason with AI, so the governance they already know they need becomes something they can actually do. This is not a security tool. It is the reasoning discipline underneath the oversight.

01 · The consensus

The industry already agrees: AI is a board-level risk

This is not a contrarian claim. It is the settled view of the people closest to the problem.

Deneen DeFiore, Chief Information Security Officer of United Airlines and herself a public-company board director, puts it plainly: "Some people tend to say that AI is just another piece of software. It is not." She argues that accountability and ownership are the heart of responsible AI, and that security leaders have to look at it through a far broader lens than cyber alone.

The governance bodies say the same. The UK's National Cyber Security Centre is explicit that cyber risk, and now AI, demands board-level attention: directors do not need to be technical experts, but they own the governance, because "a cyber security incident will affect the whole organisation, not just the IT department."

And the numbers show how far the practice still lags the principle.

72% vs 12%: 72% of boards engage their CIO on AI, but only 12% engage their Chief Risk Officer. AI is still routed through technology, not enterprise risk.

97% / 63%: 97% of organisations with an AI-related breach had no AI access controls in place, and 63% had no AI governance policy at all.

94%: 94% of leaders now name AI the most significant driver of change in cyber security.

World Economic Forum, Global Cybersecurity Outlook 2026

The diagnosis is not in doubt.

02 · The diagnosis

Why the blind spot persists

If everyone agrees, why is the gap so wide? Three reasons.

Ownership is not missing so much as diffuse and contested. AI risk spans legal, compliance, risk, IT and the business, and no single function holds it end to end, until an incident compresses it onto one point of failure. "No one owns it" is really "everyone owns a piece and no one owns the decision."

Adoption is outpacing governance. EY's research found that 52% of department-level AI initiatives run without formal oversight, and 78% of leaders say adoption is outpacing their ability to manage the risk, a velocity paradox in which the speed that makes AI valuable is the same speed that outruns control.

And AI keeps being sent to the CIO because that is where technology has always gone. But the risk it creates does not stay in the technology function. It lands on the whole organisation, and on the board that answers for it.

It is worth being honest about the other side of this. The disciplines of good governance (knowing your exposure, assigning accountability, deciding under uncertainty) are old. AI has not rewritten them. It has stress-tested them, and found most organisations governing at committee speed while deploying at production speed.

03 · The turn

Agreeing it is a board-level risk is the easy part

Here is the part the consensus leaves out. Every vendor, analyst and governance body now says the same thing: govern AI as enterprise risk, put it on the board agenda, assign ownership. Almost none of them say how a leadership team actually reasons through an AI-shaped decision once it is there.

That is the real gap, and it is not a tooling gap. Put a board-level risk question to a commodity AI and it will hand back a fluent, confident answer without ever asking what you have missed. At the altitude where the decisions are largest, that is the Mirror Principle at its most expensive: if the reasoning going in was generic, the risk position coming out is generic, however polished it reads. A governance framework can tell you that AI risk must be owned. It cannot make the thinking that goes into an AI-assisted board decision any good. That is a different discipline.

[Diagram: Altitude. Board level owns the accountability; executive owns the governance; IT / procurement is where the AI decision enters, where AI is bought and delegated and where most organisations stop. The real exposure rises to the board: the blind spot.]
The gap

AI enters low, bought and delegated at the IT and procurement desk, which is where most organisations stop. Its real exposure rises to the boardroom that answers for it. The red is the distance between where AI is bought and where its risk lands: owned, but not governed.

04 · The discipline

What the Havruta Methodology installs at leadership level

The Havruta Methodology is that discipline. It changes the default behaviour of the machine from agreeing with you to reasoning with you, which is precisely what a board-level decision needs.

Move 01

The Flip

The Flip puts the machine on the other side of the question. Instead of confirming the risk position, it argues against it: where is this exposure understated, what is the board not asking, what would have to be true for this to be wrong. The leadership team gets challenged before the incident does the challenging.

Move 02

Ground Truth

Ground Truth keeps the reasoning anchored in the organisation's real exposure, its actual estate, controls and obligations, rather than in the generic risk language an AI produces by default. A board decision built on a plausible average is worse than no AI at all.

Move 03

Decision Velocity

And Decision Velocity lets the team decide at the speed AI is changing the threat, compressing the path from question to defensible position without surrendering the judgement to the machine.

The fuller account of how all of this works is on the methodology page.

05 · The boundary

What this is not

This is not a security product and it is not a governance platform. It is not GRC software, AI-governance tooling, compliance automation, or a risk register. It is not AI training or general AI literacy. The tooling and the frameworks are a separate market. This is the thinking underneath them.


It changes how the leadership team reasons about the AI risk it already owns: the board position, the risk-appetite call, the oversight question, the decision after an incident.

06 · Where to begin

Where a leadership team starts

The methodology is installed along a ladder, and a leadership team enters at the rung that fits.

01. Most begin with the Eye-Opener Workshop, a half-day in which the team sees the shift on its own real work.

02. A leadership group embeds the practice through the Havruta programme, taking the discipline across the team.

03. A single high-stakes question (a board AI-risk position, an oversight model, a post-incident decision) can be worked through Advisory Havruta.

The next altitude down

How a CISO and security leadership reason with AI

For security leaders specifically, the role page takes the same discipline to the role that owns the risk day to day. A Strategic Briefing is how to decide where to begin.

Frequently asked questions

Board-level questions about AI risk

Is AI a board-level risk or an IT issue in cyber security?

Both the people who lead security and the governance bodies that oversee them now treat it as a board-level risk. AI changes an organisation's exposure, accountability and decision-making, which are board responsibilities, not technology-function tasks. It is bought and run with help from IT, but the risk it creates belongs to the whole organisation, and the board answers for it. Treating it as a purely technical or procurement matter is the mistake the evidence keeps surfacing.

Who owns AI risk in an organisation?

In most organisations, ownership is diffuse: it spans legal, compliance, risk, IT and the business, and no single function holds the decision until an incident forces the question. The healthier answer is that the board owns the oversight and accountability, the executive owns the governance, and the reasoning that goes into each AI-assisted decision is a discipline the leadership team has to actually practise, not a box a tool ticks.

Why do boards still treat AI as an IT decision?

Because technology has always been routed to the technology function. Deloitte's data shows boards engaging the CIO on AI far more than the Chief Risk Officer. The habit is understandable and increasingly costly: the risk AI creates does not stay in IT, so governing it from there leaves the accountability sitting with a board that has not been brought into the reasoning.

Is this AI governance software or a security tool?

No. It is not GRC or AI-governance tooling, not compliance software, not a security product, and it does not touch your stack. Those address the framework and the controls. This addresses the thinking: how a leadership team reasons through an AI-assisted risk decision so the answer is genuinely theirs, anchored in their real exposure, and stress-tested before an incident does it for them.

How should a leadership team govern AI risk well?

Start by treating it as an organisation-level decision, not a tool rollout. Assign clear accountability above the technology function. Then install the reasoning discipline underneath the oversight: make the AI argue the risk case rather than confirm it, anchor it in your real exposure rather than generic risk language, and decide at the speed the threat is changing without handing the judgement to the machine. The frameworks tell you what to govern; this is how you reason while you do.

Where should we start?

With a Strategic Briefing, or with the Eye-Opener Workshop, where a leadership team sees the difference between instructing AI and reasoning with it on its own real work. From there the path depends on whether you are setting board-level oversight, embedding the practice across a leadership group, or working a single high-stakes question.

The board agrees AI is a risk it owns. We install the reasoning underneath the oversight.