The CISO role is changing as AI reshapes the cybersecurity landscape. At the same time, security leaders must deal with more complex cyber threats, increasingly distributed IT environments, and the continued shift to cloud computing.
CISOs have been dealt a mixed bag: the position is rising into the executive ranks and the pay packages are growing, but they are under increased pressure and at risk of burnout.
Two such reports were released this week, with agentic AI platform maker Seemplicity noting that AI is changing the nature of the role of CISOs, many of whom now are working the equivalent of a six-day work week. Meanwhile, security consultancy IANS Research, in conjunction with executive recruiting firm Artico Search and executive advisory company The CAP Group, said that while 95% of CISOs provide regular security updates to boards of directors, only 25% of them get extended airtime and just 10% influence financial decisions.
“What we’re seeing is that while boards are consistently informed, many are still working to translate cyber reporting into strategic decision-making,” Nick Kakolowski, senior director of CISO research at IANS, said in a statement. “Directors want clearer insight into what’s coming next, particularly as AI reshapes both the threat landscape and enterprise risk.”
From Building to Governance
AI is a common thread running through most of these reports about CISOs. In its 2026 State of the Cybersecurity Workforce Report, Seemplicity found that as the rapidly evolving technology assumes more of the technical execution tasks, security leaders are seeing their roles transitioning to governance, such as oversight, decision-making, and accountability.
“For a long time, the CISO’s job was to build and run the security stack,” Ravid Circus, co-founder and chief product officer for Seemplicity, told MSSP Alert. “You bought the gear, you set the rules, and you managed the people who used it. But as AI moves into the driver’s seat for things like detection and response, that is changing. The role is shifting from building the infrastructure to governing the results. You are now the person accountable for the decisions an automated system makes when no one is watching.”
In the survey of 300 U.S.-based cybersecurity leaders, 73% reported AI oversight and governance is the most important future capability, and 89% said the position now requires significant cross-functional collaboration and business alignment. In addition, 85% stated AI is increasing the pressure they feel to strengthen their communication and business skills, while for 82%, people skills are more key to security leadership than five years ago.
A Disconnect About Headcount
Circus also said that during a recent executive dinner Seemplicity hosted, there was a “major disconnect” between CISOs and others in the organization in how AI will affect headcount. Many executives see AI as a way to cut jobs and save money.
“The CISOs in the room were unanimous that this shouldn’t be the main driver,” he said. “When you treat AI purely as a way to cut staff, you are trading human intuition for algorithmic speed without the proper safety nets in place.”
That’s seen in the huge number of weekly hours CISOs are working. For 45% of them, this translates to an average of more than 11 extra hours worked every week, with 20% hitting more than 16 hours. Much of this is happening because few are comfortable letting AI systems make major decisions without human oversight, Circus said.
CISOs are responding by “moving away from the autopilot panacea and toward a more realistic co-pilot model,” he said. “They are setting up guardrails where AI does the grunt work, but a human still has the final ‘yes’ or ‘no’ on anything that could break the business. They are also retooling their teams so junior analysts handle the AI-driven alerts, while the senior folks focus on the big-picture governance.”
Boards Seek More Detail About AI
AI was also part of the How Boards are Partnering with CISOs report by IANS, Artico, and The Cap Group. Multiple directors and CISOs at various companies were asked about the updates presented by the cybersecurity leaders, with the frequency and length of reporting as a focus. Most CISOs report to the board – and 60% to the full board – but the time is short, coming in at about 30 minutes.
A key message coming out of the report is that what’s important in these meetings is less about the cadence and more about the dialogue itself and the clarity around decision rights, the report’s authors wrote. In this respect, 82% of directors said their CISOs’ reports about regulatory trends are at least satisfactory, but only 47% said the same about the security leaders’ ability to clearly talk about the impact of evolving threats.
Those evolving threats include AI. Directors need to be sure they understand what is happening with the technology, according to The Cap Group CEO Brian Walker.
‘The Primary Driver of Cyber Risk’
“AI is now a primary driver of cyber risk – both enabling more sophisticated attacks and introducing new forms of loss as AI models become high-value assets,” Walker said in the report. “AI and cybersecurity are inextricably linked, and boards must understand the business risks of both.”
As AI continues to evolve, the pressure on CISOs will only grow, according to Seemplicity’s Circus, noting that the shift to agentic AI – systems that autonomously execute tasks and make changes – will introduce major questions around trust.
“When an agentic system makes a million-dollar error in a millisecond, the board isn’t going to call the head of AI,” he said. “They are going to call the CISO to ask why the guardrails didn’t catch it. That makes the CISO the ultimate backstop for enterprise AI performance.”
