The Security Foundation

Earlier this month, The Security Foundation, OSAC, and DSAC partnered to convene members in Arlington, Virginia for a private Topical Forum focused on one of the most pressing issues facing the security profession today: artificial intelligence.

Security leaders, intelligence practitioners, risk professionals, and technology experts gathered for candid discussions about how AI is already reshaping security operations. Across sessions, the conversation centered on implementation challenges, workforce readiness, governance concerns, and the operational risks emerging alongside rapid AI adoption.

Much of the day focused on a practical challenge facing security teams now: separating AI hype from operational reality.

Building a Shared Understanding of AI

One of the day’s earliest discussions focused on a deceptively simple question: what exactly do organizations mean when they say “AI”?

Sessions explored foundational models, generative AI, and emerging agentic systems capable of autonomous action. Conversations also addressed the probabilistic nature of AI systems and the reality that models can produce outputs that sound authoritative while still being inaccurate or incomplete.

Attendees repeatedly returned to the importance of human oversight and operational judgment when integrating AI into security workflows. Discussions also touched on the practical challenges organizations are facing internally, from unclear use cases to overreliance on automation and pressure to commit too quickly to specific vendors or platforms.

The forum also made clear that AI literacy is quickly becoming a professional requirement across the security industry.

AI as Both Operational Tool and Threat Vector

AI is already helping organizations accelerate intelligence workflows and process large volumes of information more efficiently. At the same time, it is making fraud, impersonation, and social engineering efforts faster, cheaper, and more convincing.

Conversations throughout the forum highlighted several rapidly evolving threat areas, including:

• deepfake-enabled impersonation,
• manipulated resumes and fraudulent hiring schemes,
• synthetic communications designed to bypass trust mechanisms,
• and disinformation campaigns capable of influencing operational decisions.

Attendees also examined how online deception can quickly create physical-world consequences, particularly when executive impersonation or fraudulent communications trigger real-world action.

Another consistent theme was that AI risk no longer sits solely with cybersecurity teams. Human resources, finance, legal, communications, and executive leadership all have a role in detection, validation, escalation, and response.

Preserving Human Judgment

Security leaders repeatedly returned to the question of where automation should stop and human judgment must remain.

AI can provide meaningful efficiency gains in areas like summarization, drafting, and analytical support work. Still, discussions consistently reinforced that accountability and critical thinking cannot be delegated to a model.

Conversations also explored the long-term workforce implications of AI adoption. Attendees raised concerns about skill atrophy and the potential erosion of foundational analyst development if organizations fail to continue investing in workforce training and upskilling.

Even with those concerns, the tone throughout the forum remained practical and forward-looking. The future workforce will depend on professionals who combine foundational security expertise with the ability to use AI tools effectively and responsibly.

Governance and Accountability

As organizations accelerate AI adoption, governance questions are becoming harder to postpone.

Sessions focused on practical approaches to risk-based governance, oversight, auditability, accountability, and organizational guardrails for AI-enabled systems. Participants also discussed the challenge of deploying AI responsibly while both the technology and associated risks continue evolving rapidly.

Throughout the day, governance was consistently framed as an operational enabler rather than a barrier to innovation. Strong governance frameworks help reduce unmanaged risk, limit unsanctioned “shadow AI” usage, and create clearer accountability as AI systems become more autonomous.

Discussions also reinforced that organizations do not need to eliminate all AI-related risk before moving forward. They do, however, need realistic guardrails, defined ownership, and repeatable processes that align AI use with operational priorities.

Looking Ahead

The conversations throughout the forum reflected an industry actively working through a period of rapid change.

Attendees shared practical lessons, operational concerns, and emerging approaches to integrating AI into security environments responsibly. While perspectives varied across sectors and organizations, there was broad agreement that AI is already influencing how organizations assess threats, process intelligence, manage risk, and make operational decisions.

The challenge now is ensuring that adoption keeps pace with governance, workforce readiness, and the human judgment required to operate effectively in high-consequence environments.

The Security Foundation thanks all OSAC and DSAC members who participated in this important discussion and contributed to the trusted exchange of ideas that made the forum possible.

This Topical Forum was conducted under Chatham House Rules to encourage open and candid discussion among participants.