In the penultimate episode of our podcast series, we shift focus to the CISO’s office to explore how to guardrail innovation without stifling it.
The AI era has arrived, but success is far from guaranteed. With industry estimates suggesting that 70% to 95% of AI pilots fail to launch , the real challenge for leadership is moving beyond prototypes to measurable business outcomes.
In Episode 4 of The AI Advantage: Navigating Risk, Reward, and Real-World Deployment, host Barbara Call sits down with two veteran financial industry CISOs—Allen Wilson and Brian Fricke—to discuss the "quiet and fast" risks of AI and how to build a secure, compliant operating model.
Common AI security risks: shadow AI and data exfiltration
AI risk doesn’t always announce itself with a loud breach. Often, it’s already inside the enterprise via "shadow AI". What is shadow AI? In the enterprise, it refers to employees using unapproved AI tools like public browser extensions that can leak sensitive data.
- Invisible data exfiltration: AI creates new, often unlogged paths for corporate data to leave the building.
- The breakdown of identity: Traditional security models were built for people and devices. AI introduces autonomous agents that can reason and act, requiring an entirely new approach to authentication and authorization.
- The lethal trifecta: Guest, Brian Fricke, warns of a "toxic combination" where an agent has access to private data, exposure to untrusted content, and the ability to communicate externally.
Designing around the attack: prompt injection
Malicious prompt injection is a primary concern, but Allen Wilson notes that you don’t defend against it like a traditional exploit—you design around it.
- Never trust prompts as boundaries: System prompts and policies are advisory, not enforcement.
- Hard authorization: Keep data access controls and business logic outside of the AI model.
- Broker layers: Isolate Large Language Models (LLMs) from sensitive APIs and databases using a broker to enforce rate limits and intent.
Scaling enterprise AI: evaluating buy vs. build strategies
When scaling AI, a major question is whether to use a single enterprise platform or multiple niche vendors.
- The case for consolidation: A single platform can reduce "chaos" and security overhead by limiting the number of data flows and integrations.
- The risk of monoculture: However, relying on one vendor for everything—reasoning, workflows, and data—creates a single point of failure.
- Usability as security: If the approved corporate LLM is harder to use than public alternatives, employees will bypass it. Security adoption follows usability, not just policy.
Security as a business accelerator
The consensus from our experts is clear: Security must be a "business enabler" rather than a hurdle. By providing pre-approved models, templates, and "safe defaults," security teams actually help developers move faster by eliminating late-stage rework.
"Ultimately, we're all here to support the business and their strategic objectives... if we can't translate the ones and zeros into dollars and cents, we're not doing our jobs." — Brian Fricke
Stay tuned for Episode 5, where we’ll explore how to get AI projects started, even after they’ve stalled.