CISOs Are Becoming Enterprise Risk Strategists, Whether They're Ready or Not

This week: Amazon locks in Anthropic, CISOs absorb AI governance, and your Teams helpdesk is being impersonated.

Powered by Single Fin

Welcome to this week’s edition of CIOsurge!

This week:

  • Guest Expert Insights: Alex Tuck of Tuck Consulting

  • CISOs Are Becoming Enterprise Risk Strategists, Whether They're Ready or Not

  • The CIO Is the Only Executive Who Can Close the AI Execution Gap

Let’s make this week a game-changer.

Stay sharp. Stay ahead.

💡 Guest Expert Insights: Alex Tuck of Tuck Consulting

I was recently on the Project Zero podcast with Alex Tuck, CEO of Tuck Consulting Group, and we got into a real back-and-forth about how we're each deploying AI agents — and more importantly, how we're keeping them secure.

At SingleFin, we give our agents names, emails, and scoped access to Microsoft Teams. The onboarding logic is intentional: people who've never worked with agents just think they're emailing a colleague. But behind that familiar interface is a tightly controlled identity. Each agent is issued a named identity with least-privilege access — scoped to a single function: account management, security, legal review, marketing, or scheduling. No agent touches systems or data outside its lane. Full stop.

Security isn't just a configuration — it's an ongoing discipline. I hold weekly development sessions with each agent the same way I'd coach a new hire. When something's off, I address it directly: "Why did you take this action? Change your language." That human-in-the-loop review isn't optional. It's how you catch behavioral drift before it becomes a risk.

Alex Tuck built something complementary. His focus agent pulls from personal notes and calendar to surface his top five priorities every morning. His observation was sharp: "It's more accurate than my own memory." That's your green light to deploy — when an agent consistently outperforms you on a specific task, you build it, secure it, and trust it.

The piece I want every CIO to internalize: there is no set-it-and-forget-it deployment. When an agent does something unexpected, that moment of "why did it make that call?" is the work. It's also your security signal. Unexplained behavior is an audit event, not just a curiosity.

Agents need identities, permissions, monitoring, and management — just like any other user on your network. Build them that way from day one.

Zack Tembi, CEO, SingleFin

CISOs Are Becoming Enterprise Risk Strategists, Whether They're Ready or Not

The CISO role has been restructured. According to Splunk's 2026 CISO Report, 96% of CISOs are now responsible for AI governance and risk management, a mandate that didn't exist in most job descriptions two years ago. 78% share security risk accountability with other C-suite leaders. 56% report joint accountability with the CEO. Governance, risk, and compliance has surpassed all technical priorities to become the number one focus for CISOs today, according to the CyberRisk Alliance's Q1 2026 report.

This is an org design story. The security leader is increasingly functioning as the enterprise's primary risk translator: converting threat exposure into financial terms the board can act on. For CIOs, that shift has direct implications. AI governance doesn't live cleanly in either the CIO or CISO lane anymore. Organizations that haven't explicitly defined who owns AI risk accountability, and at what level, are already behind. The window for proactive alignment is now. Waiting for an incident to force the conversation is not a strategy.

- Zack Tembi

The CIO Is the Only Executive Who Can Close the AI Execution Gap

The numbers on enterprise AI are humbling: only 12% of CEOs report higher revenues from AI adoption. Just 25% of AI initiatives delivered expected ROI. Only 16% scaled enterprise-wide. Yet workforce access to sanctioned AI tools jumped from under 40% to around 60% in a single year. The tools are proliferating. The results aren't. Anthropic's Claude Opus 4.7 recently posted a 14% gain on complex workflows. OpenAI's GPT-5.4 outperformed industry professionals in 83% of comparisons across 44 occupations. The capability ceiling keeps rising. The organizational gap isn't closing.

The article's core argument is worth sitting with: the CIO is uniquely positioned to close this gap because it's fundamentally an execution problem, not a technology problem. The distance between what AI can do and what the enterprise actually realizes is exactly where IT leadership has always operated. But it requires a new measurement framework, tracking cost per accepted outcome, cycle time, error and rework rates, not the vague adoption metrics most AI dashboards are still reporting. CIOs who build that accountability layer now will be the ones whose organizations actually scale.

- Zack Tembi

💡 CIO Spotlights

Cross Country Healthcare has appointed Chris Tyrell as its new Chief Information Officer.

  • 20+ years of technology leadership across workforce solutions, staffing, software, and supply chain sectors

  • Previously CTO at Eclipse Advantage, where he directed enterprise platform strategy, large-scale systems transformation, and automation initiatives

  • Mandate includes infrastructure and systems modernization, platform integration, cybersecurity, and expanding the company's Intellify AI workforce intelligence platform

  • Reports to CEO Kevin Clark, who called technology "a growth lever, an operating lever, and a competitive advantage"
