AI Risk, Compliance, and the CISO’s Evolving Role at RSA 2025
AI adoption increases risk surfaces and compliance challenges, reshaping CISO roles. Collaboration across teams is key to effective AI governance and business outcomes.

RSA 2025: AI’s Risk Surface and the Role of the CISO
The RSA 2025 conference in San Francisco highlighted how artificial intelligence (AI) is reshaping compliance and security landscapes. Mathieu Gorge, CEO of Vigitrust, shared insights on AI’s growing impact on organisations' risk surfaces, the evolving responsibilities of CISOs, and a fresh approach from vendors focused on business outcomes.
AI and Compliance: An Expanding Risk Surface
AI adoption is spreading rapidly across enterprises, bringing with it a significant increase in potential risk. Much like the early days of cloud services, AI deployments can widen the attack surface and create compliance challenges that companies must address carefully. AI generates vast amounts of new data, often with less control than traditional data sources, which complicates governance and protection efforts.
Despite numerous AI frameworks aimed at managing AI deployments and data classification, awareness remains limited—even among security leaders. This gap underscores the need for clearer guidance and simpler tools to help organisations maintain control and compliance.
Compliance Takes Center Stage
At RSA 2025, compliance was a dominant theme across talks and vendor showcases. Unlike previous years where the focus might have been on a single technology trend, this year the emphasis was on practical compliance innovation. Vendors demonstrated solutions that help organisations track data protection and compliance status with ease, enabling quick identification of issues.
There was a noticeable shift from product-pushing to outcome-driven conversations. Vendors presented case studies and whitepapers illustrating how proper compliance practices benefit businesses, rather than just selling technology for technology’s sake.
The Changing Role of the CISO
The role of the Chief Information Security Officer (CISO) was a key topic, especially in relation to AI governance. With AI introducing new risks and complexities, many questioned whether CISOs should hold sole responsibility for AI adoption and oversight.
Discussions suggested that managing AI risks might require collaboration between CISOs, heads of risk, compliance officers, and possibly new roles like chief AI officers or AI security officers. This team approach could better address the nuances of AI governance, ensuring compliance and security measures keep pace with AI’s evolving challenges.
Vendors Focus on Business Outcomes
Vendors at RSA 2025 took a more consultative stance, focusing on how their solutions drive measurable business results, particularly in compliance and data protection. Their messaging shifted from “you need this product” to “here’s how this solution helps you meet compliance goals and manage AI risks effectively.”
This approach reflects a growing awareness that AI adoption must be balanced with strong governance to avoid increasing vulnerabilities. Vendors are encouraging organisations to adopt AI responsibly, integrating security and compliance into their AI strategies from the start.
Looking Ahead
As AI continues to expand across industries, organisations must address the accompanying risks with clear frameworks and shared responsibility. CISOs will remain central figures, but they won't act alone. Successful AI governance will require coordinated efforts across multiple roles and a focus on business outcomes.
For those interested in deepening their understanding of AI and its practical impacts on security and compliance, exploring specialised training can be valuable. Resources like Complete AI Training’s latest AI courses offer practical insights for IT professionals navigating these new challenges.