This week's briefing
Boardroom5 min read2026.04.26

The CISO–CAIO operating model

How leading enterprises are structuring shared accountability for AI risk without creating duplicate governance overhead.

The cleanest operating models we've observed give the CAIO accountability for model lifecycle and evaluation, and the CISO accountability for identity, data boundaries, and incident response. A shared council reviews high-risk deployments — and is empowered to block. The structure is simple to describe and difficult to implement, because it requires both functions to surrender some of the territory they would naturally want to own.

The CAIO that insists on owning identity for AI agents reproduces the worst of shadow IT. The CISO that insists on owning model evaluation discovers that the depth of the work is not where their team is strong. The clean division — model behavior to CAIO, principal behavior to CISO, with a shared forum for the interactions — produces the fastest decisions and the lowest duplication.

Avoiding the duplicate-governance trap

When AI risk gets its own parallel committee, work doubles and decisions slow. Every deployment touches two governance forums, every incident touches two response chains, and every policy has to be reconciled across two owners. The organizations that have stumbled into this pattern report the same symptoms: decisions take twice as long, the technical teams complain about governance overhead, and the actual risk reduction is harder to identify than it would be in a more integrated structure.

The remedy is to embed AI-specific review into existing change-management and incident-response forums; add specialist seats rather than new structures. The CAIO's office contributes the AI expertise; the CISO's office contributes the security expertise; the forums that already exist make the decisions, with the specialist seats ensuring that the AI-specific concerns are represented at the moment of decision rather than as a separate sign-off.

The transition from parallel committees to integrated forums is politically harder than the technical change suggests, because the parallel committees usually have constituencies that derive status from their existence. The leadership move is to make the integration explicit, to reassign the affected staff to roles inside the integrated structure, and to communicate the change clearly enough that the constituencies do not reconstitute the parallel structure informally. Organizations that handle this transition well end up with faster decisions and lower overhead; organizations that handle it poorly end up with both the new integrated structure and the old parallel one, which is worse than either alone.

What the council should actually do

The shared council that reviews high-risk AI deployments works when it has a small, named membership, a standing cadence, and explicit authority to block. The membership is typically the CISO, the CAIO, the relevant business owner, the data protection officer, and a rotating engineering lead. The cadence is proportional to the deployment volume; weekly works for most enterprises. The authority to block is the load-bearing element; a council that can only advise produces minutes that nobody reads.

What the council should not do is review every AI deployment. The risk classification has to be explicit, and only the high-risk deployments come to the council. Routine deployments flow through the normal engineering process, with the AI-specific evaluation gates handled by the platform. Confusing the two produces a council that is too slow and too distracted to handle the deployments that actually need its attention.

The risk classification itself needs to be owned by a small group that can apply it consistently across the organization, with appeals to the council for the cases that are genuinely ambiguous. Programs that allow each business unit to classify its own deployments end up with inconsistent application of the criteria and a council that sees too many low-risk deployments and not enough high-risk ones. The centralized classification with the appeal path produces both consistency and a release valve for the genuinely difficult cases.

Reporting lines and accountability

The reporting structure that has worked in mature organizations treats the CAIO and the CISO as peer roles, both reporting to either the CEO or a chief risk officer who has independence from the engineering and business functions whose work they evaluate. The peer structure prevents the implicit subordination that occurs when one function reports to the other, and the independent reporting line preserves the council's authority to block when the business pressure to ship would otherwise overwhelm it. The structure is unglamorous and it works; the alternatives produce decisions that are biased by reporting incentives in ways that the council was designed to prevent.

Shared metrics for shared accountability

The CAIO and CISO functions need a small set of shared metrics that both organizations are measured against, or the natural pull of separate metrics will reproduce the silo behavior the integrated structure was designed to prevent. The metrics that have worked are concrete and short. Time from model-incident detection to containment. Percentage of production AI deployments with current evaluation evidence on file. Number of high-risk deployments reviewed by the council in the period, with the disposition of each. Mean time to revoke an agent identity under incident conditions. Each of these requires both functions to perform, and each of them moves in the right direction only when the coordination is working.

Publishing the metrics to both leadership teams and to the council itself produces accountability that no organizational chart can substitute for. The functions are measured on outcomes that require their cooperation, which makes the cooperation a self-interested behavior rather than a negotiated one. Programs that have wired the metrics in this way report that the council conversations become substantively different — focused on the small set of decisions that materially move the metrics, rather than on the procedural review of every deployment that crosses a low threshold.

Incident response across the two functions

AI-related incidents almost always touch both functions, and the response is fastest when the runbook explicitly names which function owns which step. Containment of the principal — revoking the compromised agent, rotating affected credentials, blocking the affected user — sits with the CISO's organization. Containment of the model behavior — rolling back the prompt, switching to a backup model, isolating the affected retrieval source — sits with the CAIO's organization. The handoff between the two has to be rehearsed, because the incidents move faster than the negotiation about ownership can keep up with.

The post-incident review is the artifact that compounds the cooperation over time. Reviews that are conducted jointly, with both functions in the room, produce corrective actions that span both domains and improve the next response. Reviews that are conducted separately produce two narratives that do not connect, and the next incident reveals the same coordination gaps that the previous one did. The discipline of joint reviews is unglamorous and pays disproportionately, and the leadership move is to insist on it even when calendars and incident fatigue argue against it.

Communicating the model to the rest of the business

The clarity that the CISO–CAIO operating model produces inside the security and AI organizations has to be translated for the rest of the business, or the engineering teams who actually build the AI systems will continue to operate from the assumption that the previous, less coordinated model is still in force. The translation usually takes the form of a short internal document that names the council, the criteria for bringing a deployment to it, the expected turnaround, and the path for the cases that fall outside the standard criteria. The document is not long and the value is not in the prose; the value is in the existence of a single canonical reference that engineers can consult when they are deciding whether their next deployment needs the council's attention.

Organizations that publish the reference and refresh it on a fixed cadence report that the council's workload self-regulates as the engineering teams internalize the criteria. The deployments that arrive at the council are the ones that should arrive, the routine deployments flow through the normal process, and the friction of the coordination is bounded. Organizations that leave the criteria informal find that the council either drowns in routine deployments or misses the high-risk ones, depending on which way the informal expectations have drifted.