Shadow AI and V‑CISO push

Enterprise security leaders flagged Shadow AI, deepfakes and data‑hoarding risks under new regulation and promoted Virtual CISO (V‑CISO) models as a resilience strategy. The discussion links emerging AI risks with the need for scalable governance and external advisory capacity. (x.com)

Security leaders are treating unsanctioned artificial intelligence use inside companies as a governance problem, not just an information technology problem, and many are turning to virtual chief information security officer advisers to fill gaps in oversight. (csoonline.com) “Shadow artificial intelligence” means employees use chatbots, copilots, or built-in artificial intelligence features without security review, often through a browser or a software update that the security team never approved. Andrew Walls of Gartner told CSO Online on March 26, 2026, that “every CISO I talk to has discovered some form of shadow AI.” (csoonline.com)

Security teams are focusing on the data inside those tools: what workers paste in, where it is stored, and whether the provider uses it to train models. Proofpoint said on August 26, 2025, that it surveyed 1,600 chief information security officers in 16 countries and found 80% of United States respondents worried about customer data loss through public generative artificial intelligence platforms. (proofpoint.com)

Deepfakes are part of the same shift because they let attackers fake a voice, face, or message cheaply enough to scale. InformationWeek reported on February 25, 2026, that Gartner found 62% of organizations had faced a deepfake social-engineering attack in the prior 12 months. (informationweek.com)

European rules are tightening at the same time. The Network and Information Security 2 Directive requires covered entities to send an early warning within 24 hours of becoming aware of a significant incident and a fuller incident notification within 72 hours. (eur-lex.europa.eu) The European Union’s Artificial Intelligence Act is also building new disclosure rules for synthetic media. The European Commission says Article 50 requires providers and deployers of some artificial intelligence systems to mark artificial intelligence-generated or artificial intelligence-manipulated content, including deepfakes, in a clear and accessible way. (digital-strategy.ec.europa.eu)

That mix of faster reporting deadlines and wider artificial intelligence use is pushing companies to look for outside executive help. A virtual chief information security officer is an external security leader who advises on risk, policy, compliance, and incident planning without the cost of a full-time in-house chief. (marketresearch.com) The model also fits a staffing market under strain. Proofpoint said 76% of chief information security officers expected a material cyberattack within a year, 58% said they were unprepared to respond, and 66% said they would consider paying a ransom to stop data leaks or restore systems. (proofpoint.com)

Companies are not trying to ban every artificial intelligence tool. Security advisers told CSO Online that the job is to inventory use, rank the risk, decide what data can and cannot be shared, and fold artificial intelligence incidents into the same response plans used for other breaches. (csoonline.com) The thread running through the current debate is visibility: if a company cannot see which tools employees use, what data those tools receive, or whether a video or voice is real, it cannot prove control to regulators or its board. (csoonline.com)

Shared from Scout - Be the smartest in the room.