How CISOs Enable Enterprise 'Builder' Culture By Embedding Security Into Every AI Workflow

As powerful models from the major AI players become more accessible, a growing number of employees across the enterprise are becoming builders, creating novel solutions for their teams and shaking up what it means to make software. But this decentralized innovation creates a visibility and governance gap stemming from unmanaged shadow AI usage, and traditional security models designed for a different era are struggling to keep pace.

It’s a strategic transformation that Rinki Sethi, Chief Security and Strategy Officer at Upwind Security, knows well. Sethi has a long career as a CISO and security advisor, developing security infrastructures at Fortune 500 companies and major technology firms, including Twitter, IBM, BILL, and eBay, where she managed budgets in excess of $100 million and led international teams. Sethi sees these decentralized builders reshaping the enterprise, but also introducing risks organizations aren’t fully prepared to manage. “Everybody’s turning into a builder right now, which is exciting, but it’s also generating a level of risk we’re not fully prepared for," she says.

As employees learn to build around roadblocks, the CISO’s role is changing the "department of no" to that of a business enabler and chief educator. The change is reflected in a new dynamic in which business leaders initiate the conversation, asking their CISOs to help them securely leverage AI. It's a direct response to a top-down strategic realignment, reflecting how executives are thinking about AI as a competitive necessity.

• The new mission: CISOs, according to Sethi, now inhabit an educational space where it's up to them to teach about AI, and its safe use. "The mission of the CISO and CIO has now broadened. We're going to have to sit down with leaders to show them the kinds of tech out there and what can be done with it. Part of that will have to be security training, while security teams figure out how to build the platform securely. The goal is to turn everybody into a builder."

The business case for this transformation is illustrated by the growing divide between hyper-productive, AI-native startups and the legacy giants they now challenge. The previous "wait and see" caution from many CEOs is giving way to a clear mandate to figure it out, driven by the understanding that in the current climate, many now see inaction as a greater risk than imperfect action. For large enterprises, this pressure has turned AI adoption from an option into a competitive necessity, even if it means navigating a challenging top-down deployment.

• Doing more with less: On the innovation side, Sethi is clear that AI is levelling the playing field. AI-driven startups are becoming ultra-efficient, reshaping entire markets. "Look at Cursor, how they got to their initial ARR with so few people because it's AI everywhere. You think about a company like that and compare it to companies that have 10,000 people, and what a shift it's going to take. These companies are 10xers or 100xers because they're able to do a lot with very little."

• No more sidelines: Because AI is such a disruptive tech, business and security leaders aren't interested in waiting. They are, as Sethi points out, ready to put AI into practice now. "Last year, the attitude I saw from security leaders and other CEOs was one of hesitation and waiting to see. Now, that sentiment has completely shifted to a mandate to figure this out. When you think about a 10,000-person company, if you can make everybody 10 to 20% better, that's how you're going to compete. The 'one foot in, one foot out' approach is going to start disappearing."

• A new kind of phishing: As adoption accelerates, the nature of security risk is also evolving. That acceleration has given rise to new AI security threats, including sophisticated phishing campaigns. The core challenge facing security now involves understanding the agentic AI capabilities gap and the risk of real humans' data being exposed by autonomous systems, which has already led to security incidents. "I've been seeing some of the most sophisticated phishing I've ever seen. Before, phishing attacks were resource-intensive, so attackers relied on a sense of urgency. With AI, you can do it at scale, but you can do it slowly. There's no rush; the sense of urgency is gone. It's a completely different way of operating. And for an attacker, even if you only hit a few targets, it's a win."

Sethi insists that the response to this is to include human agency and intuition wherever agents are deployed, and to decide where agents are suitable and where they are not. "As attackers use AI in different ways, human intuition is going to come into play. That's something technology can't replace. Even with autonomous agents, you're going to need people. Our role is simply going to change." For Sethi, this means visibility, guardrails, and ongoing training. In other words, organizations should be able to move smart, not just fast. The most successful strategies pair a relentless "builder mentality" with strong foundational security practices, recognizing that reckless innovation and poor hygiene can lead to serious consequences.

• A familiar forecast: In many ways, we're facing a familiar technological shift, one that Rethi believes offers insight into how to address the rapid transition to AI. "The security landscape is going to evolve to a point where we've figured it out, just as we did with the cloud. We didn't have robust security vendors in the beginning; we were all figuring it out and relying on the big cloud providers. Then vendors emerged to help, and now they're so robust that it's standard practice. At some point, AI security will become like that. But people do have to have a builder mentality right now."

Sethi notes that the industry may be underestimating the scale of new threats and the remaining gaps in enterprise visibility. While she observes that the security community will be heavily focused on these emerging threats, her final outlook is on opportunity rather than risk. She compares this new builder culture to the discovery of new energy sources, which render other industries obsolete. "Jobs didn't go away; in fact, more jobs were created because we found more creative ways to use that energy. It's the same with AI. I'm an optimist. This is going to be an incredible time for people, and I don't believe jobs are at risk if we embrace this technology in the right way."