Do you need to stop treating AI like magic?

by Black Hat Middle East and Africa

There was a period when every cybersecurity vendor added the word ‘encryption’ to their product messaging whether it made sense or not. According to Trina Ford (CISO at iHeartMedia), AI is at risk of heading down the same path.

“Many mention AI like we used to mention encryption – just throw it out there,” she said during a recent interview for the BHMEA podcast.

AI has rapidly become the default language of modern cybersecurity – so every platform promises automation, every tool claims intelligence, and every roadmap includes AI agents. But if we put the hype to one side for a moment, there’s a practical question that lots of organisations still can’t answer properly: 

How exactly should security leaders manage AI systems responsibly?

Ford’s answer is grounded in years of experience. 

“I look at it from the human aspect all the time,” she says.

AI agents are not magic – they’re managed systems

One of our favourite moments in the interview was when Ford compared AI governance to onboarding a junior employee. It’s a mental model that instantly makes AI governance feel less abstract. 

Speaking of those new employees, Ford notes that “you don’t just turn them loose.” 

Instead, organisations should approach AI systems the same way they approach new staff members:

  • restricted access
  • controlled environments
  • staged trust
  • oversight
  • policy alignment
  • monitored outputs

“You give them certain access, a set of tasks, and you see what they can do.” 

And that sounds a lot like sandboxing, doesn’t it? Or as Ford describes it, “a test environment, or an isolated environment.” 

AI adoption is well underway 

As Ford points out, many organisations are already using AI whether they realise it or not – because a growing number of new tools have AI built in. 

This is increasingly true across detection engineering, endpoint security, SIEM platforms, email filtering, threat intelligence, and identity protection.

“The way many of the vendors are staying relevant is to make sure they’re building it in.” And this creates a strange new reality for CISOs. Organisations are debating AI policy while simultaneously deploying AI-enabled tools across their environment through third-party vendors – and the result is fragmented governance. 

CISOs need control (but not perfection) 

Ford’s comments also highlight the fact that most organisations don’t have unlimited resources for security. 

“We’re not building Fort Knox,” she says. “We don’t get that type of budget or investment.”

So security leaders increasingly rely on automation and AI to offset staffing pressures and operational overload.

“We have to be smart about our approach to protecting our companies. Technology will allow us to leverage and position resources elsewhere while the technology does work for us.”

But Ford repeatedly returns to the same point: AI still requires management. You can’t just leave it to be this automated thing that does its job while you ignore it – you have to engage with it every day. 

And you have to make sure the AI tools you’re using are working in line with your policies. Because AI systems reflect the controls, guardrails, permissions, and governance structures that organisations build around them.

The future CISO may become an AI behaviour manager

AI governance is not fundamentally a new discipline.

“AI is new for all of us but it’s really no different,” Ford says.

That may ultimately become one of the defining lessons of enterprise AI adoption. The technologies are changing rapidly – but the leadership principles are not.

Security leaders already understand access control, risk management, monitoring, policy enforcement, and staged trust. AI simply extends those responsibilities into a new operational layer.

The challenge now is making sure organisations treat AI with the same discipline they apply to human employees – especially before those systems are trusted with critical decisions. Because in cybersecurity, the dangerous systems are the ones everyone assumes will manage themselves.
