Last week I had the pleasure of sitting down with John Yeoh (CSO, Cloud Security Alliance) and Steve Tran (VP of Global Security, Iyuno) for the first ever Fable Fireside – an unscripted conversation about what AI is actually doing to the security function.
The conversation started with a great insight from Steve: “when a team can adopt an AI tool before lunch, security isn’t managing the risk anymore. It’s documenting it from last place.” His recent white paper, Governance first: AI, building trust through transparency in media localization, gets into what it actually looks like to build decision architecture for teams so they’re not starting from zero every time an AI question comes up.
John put it plainly: AI moves at a pace that makes the old procurement and assessment processes feel like they were built for a different century. Because they were. His work with the CSA CISO Community, The “AI vulnerability storm”: building a “Mythos-ready” security program, makes the stakes clear. The time between a vulnerability existing and being exploited is now down to hours, and governance processes that add friction to defensive AI adoption are now a liability, not a safeguard.
The shift security teams need to make isn’t necessarily increasing risk tolerance or saying yes more; it’s developing a modernized program.
Materially this means:
- Leaning into using AI to assess vendor risk
- Using third-party risk practices as a tool to understand what needs to be done to support the business, not as “low, medium, high” ratings and yes/no gating
- Talking to business units about what they need and helping find solutions
A big part of what that looks like in practice is owning the human layer. When employees are adopting tools (AI or otherwise) on their own, we have a broken enablement process and technology stack, not a security problem. In other words, leaders are failing to enable employees to work efficiently and effectively. In security, we own that problem just as much as the CIO or CTO offices do.
To bring this to a quick close, I can summarize the conversation as this: bureaucracy isn’t the only answer to managing risk. Let’s, as an industry, focus on changing our perception, behavior, and processes to be fast and responsive.
We covered a lot of ground: governance redesign, agentic AI accountability, shadow AI as the new shadow IT, and what the CISO role looks like once the shift takes hold. I don’t think we got to say everything we wanted to, so I am looking forward to continuing these conversations with Steve, John, and everyone in our industry.
If you missed the discussion, you can check out the recording here:
Want more of this? We’re turning Fable Firesides into a regular series. Subscribe to our newsletter to get the next one in your inbox before it goes anywhere else.
Even better, come find us in person. I meant it at the end when I said beer to beer is better. If you’re at an upcoming event and want to have this conversation properly, come say hi. We’ll be at the following places real soon, and we’d love to see you there:
- Gartner Security & Risk Management Summit — Reach out if you want to schedule time to meet. Register for our dinner. We’re bringing the discussions from this series right to the dinner table.
- Cyber Leadership Summit — We will be there, so DM me if you’d like to find a time to meet there.
- Black Hat — Seems far away, but it will be here before we know it. We’ll have a suite, and we’d love to meet up with anyone who wants to discuss these topics. DM me, and we’ll get some time on the calendar.
- Cognitive Security Conference – Use code Fable2026 for $100 off your registration, and let’s connect.