The hidden cost of speed in enterprise AI

By Johnny Sheehan, AI Practice Lead at CWSI

AI is helping organisations move faster. That much is clear.

It can summarise, draft, compare, analyse, generate, recommend and automate. It can support security teams, developers, analysts, architects, consultants, compliance specialists, operations teams and business leaders.

Used well, it is genuinely useful. No argument there.

But in my role as AI Practice Lead at CWSI, and through the conversations we are having with clients every week, I am seeing another side of the story. It’s something I also spoke about during my CyberSec Europe presentation: AI is not just changing what people produce. It’s changing how people learn, check, challenge and take ownership of their work.

That matters for every organisation using AI. It matters even more when security, compliance, data and business risk are involved. Speed is helpful, but speed without understanding is where the interesting problems start.

The friction we used to complain about

Before AI became part of everyday enterprise work, most outputs had a slower path behind them. You had to find the information, read it, understand it, build the thing, test it, break it, fix it, explain it.

Nobody’s pretending this was always a joyful experience. Some of us have spent too many late evenings arguing with demo environments, documentation, policies, queries, reports and systems. Character building, as people tend to call it when they’re not the ones doing it.

But that friction did something useful. It built context and forced attention. It created hesitation. And hesitation, used properly, is not the enemy of progress. It’s often the small pause that stops a bad assumption becoming a confident mistake.

Early in my career, I worked extensively with Microsoft Purview, using searches, reports and data classification capabilities to help customers identify stale content and understand where sensitive information was stored. It took time. I tested, broke things, second-guessed myself and sometimes asked my line manager to join calls because I was not fully sure I had it right.

When I eventually presented the work, I understood it. I could explain the assumptions, the limits, the decisions and the risks. The process made the thinking visible.

In security, that matters. If you’re identifying sensitive data, reviewing access, investigating exposure or advising a client on risk, you need to understand the path behind the answer. Not just the answer itself. The same applies well beyond security.

It matters when an engineer reviews code. When a consultant writes a recommendation. When a compliance team interprets a requirement. When an analyst builds a report. When a leader makes a decision. Any time someone puts their name to a piece of work, ownership matters.

What we gain, and what we risk losing

AI changes the shape of work. Instead of working through every step, we can prompt, receive, approve and move on. That can remove unnecessary effort, speed up routine tasks and help people focus on better questions. That’s real progress.

But often, a neat answer arrives before the understanding does. This is not only an end-user problem. It is a professional one. It affects anyone whose work depends on judgement, expertise, interpretation or technical accuracy.

A security analyst might use a query they cannot explain. A developer might accept code they have not properly tested. A consultant might include a recommendation without checking the reasoning behind it. A business user might upload sensitive data into a tool without knowing where that data goes.

The issue is not that AI is bad. The issue is that speed can make shallow understanding look like progress. And because AI outputs often look polished, structured and confident, they can feel more reliable than they are.

That is where security teams need to pay attention. AI can help people work better, but it can also create new routes for data exposure, poor decision-making, over-permissioned access, untested automation and unclear accountability. Not because people are careless, but because the tools make it very easy to move quickly. Usually faster than the governance around them.

The ownership problem

Here is the question AI keeps bringing us back to: who owns the work?

If a person writes a report, builds a query, changes a configuration, designs an architecture, drafts a policy, reviews evidence or presents a recommendation, we know where accountability sits. But what happens when AI has created most of the output and a person has simply approved it?

Approval is not the same as understanding. That distinction matters across every sector where decisions have consequences. If people cannot explain what they are approving, trust starts to thin out. From a security perspective, this becomes even more important when AI tools are connected to business systems, sensitive data, collaboration platforms, identity environments and automated workflows.

If an AI assistant can retrieve, summarise or act on information, then organisations need to understand what it can access, who it is acting for, what data it is using and where human review is still needed. In other words, AI should not sit outside the same security thinking we apply everywhere else.

AI-enabled services need appropriate access controls, data governance, monitoring and human oversight. Agents that authenticate, access systems or take actions also need clearly governed identities and permissions.

The pause still has a job to do

The pause is what used to happen when you got stuck.

You opened the documentation. Asked a colleague, tested again, checked the logs, read the standard properly. You took the longer route because the shorter one was not available.

Nobody loved the pause, but it built judgement.

It helped people learn the shape of the work, not just the final answer. It taught them what good looked like, what wrong looked like and what deserved a second look. That is what we risk losing if AI removes too much friction from too many workflows without anything replacing it.

The answer is not to slow everything down for the sake of it. That would be a strange way to welcome progress. The answer is to know where friction still matters. Keep enough of the pause to make sure expertise is still being built, not just borrowed. Keep enough review to make sure people can explain the decisions they are making. Keep enough governance to make sure AI is helping the organisation move forward without quietly increasing risk in the background.

This is where secure AI adoption needs to be practical, not theoretical. It’s not about blocking tools. It’s about making sure they are introduced with the right foundations in place.

What organisations should ask before moving faster

The right question is not simply, “How quickly can we roll this out?”

A better question is, “What needs to be true before we can trust it?”

That applies across the whole organisation, not just the IT team.

  • Identify where AI is already being used.
  • Understand which decisions or outputs now depend on it.
  • Review what data, systems and permissions AI tools can access.
  • Define which workflows need human review.
  • Check where speed could create hidden risk.
  • Assess whether users can validate, explain and take responsibility for AI-assisted outputs.
  • Confirm whether specialists can explain what they have approved.
  • Show leaders where accountability sits.
  • Govern agents, automations and AI-enabled tools with the same care as other identities and systems.
  • Build a secure baseline before scaling AI into more sensitive areas of the business.

These are not abstract governance questions. They are practical questions about trust, ownership, resilience and control. They also sit at the heart of secure AI adoption.

If organisations do not understand their data, permissions, identities and workflows, AI can expose and amplify those gaps quickly.

Secure AI starts with the basics

At CWSI, we help organisations adopt AI in a way that is useful, secure and manageable. That starts with understanding the environment AI is entering. Where is sensitive data stored? Who has access to it? Which tools are already in use? What policies exist? What is being logged? Where are the blind spots?

These are not glamorous questions. Conveniently, they are the ones that matter.

Through our Secure AI Practice, we help organisations build the right foundations before AI is scaled across the business. We help organisations understand where they are, where the risks sit, what needs to be governed, and how people can use AI safely and effectively in real work.

Not as a blocker. Not as a policy document that gets admired briefly and then forgotten. But as a practical way to move forward without losing control.

Because the organisations that benefit most from AI will not simply be the ones using it fastest. They will be the ones using it with enough clarity, security and judgement to trust what comes next.

Assess your AI readiness

Understanding how AI is being used across your organisation is the first step towards adopting it with confidence. Through our AI readiness assessment, we help organisations identify where AI is being used, what it can access, and where governance, security or compliance gaps may need attention before they become larger challenges.

About the author

Johnny Sheehan is the Secure AI Practice Lead at CWSI, specialising in technical AI security, agentic system safeguards, and secure adoption of Copilot for Microsoft 365. With a strong background in cloud security architecture, Johnny focuses on advanced data protection, Microsoft Purview, adaptive DLP, insider risk mitigation, and secure enablement of AI‑driven and agentic capabilities.

Holding Microsoft Cyber Security Architect Expert (SC‑100), Information Protection Administrator (SC‑401), and Azure AI Engineer (AI‑102) certifications, he brings deep experience in securing AI platforms and enabling organisations to deploy Copilot and agentic AI capabilities with confidence while maintaining strong security and compliance postures.