You don’t need a title to lead on AI risk

Four things IT professionals can do right now, no matter where they sit in the org chart.

When your organization adopts a new AI tool, who do you expect to manage the risk? If your answer is “the security team” or “the CISO,” you may be giving up more influence than you realize.

I spent several years researching how technology leaders integrate generative AI into cybersecurity operations. One of the clearest findings surprised me with its simplicity: the organizations that managed AI risk well were not the ones with the most sophisticated tools. They were the ones where the most people were in the conversation.

What the research actually found

Across the organizations I studied, the leaders who navigated AI implementation successfully did not treat it as a purely technical problem. They built what some called an “AI leadership community” — a cross-functional group that included legal, HR, compliance, risk management, and IT. Every new AI use case ran through that group before it touched production.

The reasoning was practical, not political. AI tools create risks that cut across organizational boundaries. When an AI system ingests data, the question of where that data goes is not just an IT question — it is a legal question, a privacy question, and an HR question. When an AI tool produces an output used in a business decision, validating that output requires domain knowledge the security team may not have.

One leader I interviewed put it plainly: bringing together stakeholders from every part of the organization made their team more agile, not less. Decisions that might otherwise take weeks could be made quickly because the right people were already in the room.

The risks everyone should understand

You do not need to be a cybersecurity expert to have a meaningful voice in AI risk conversations. What you do need is a basic understanding of what can go wrong. Research consistently surfaced three concerns that non-technical team members are well-positioned to spot and raise:

  1. Data exposure. AI tools process the data you give them. If that data includes personal information, client records, or proprietary details, you need to know where it is going. Asking “what data will this tool access, and who else can see it?” is a question anyone can ask — and one that organizations often fail to ask early enough.
  2. Unvalidated outputs. AI tools can produce confident-sounding answers that are simply wrong. In cybersecurity contexts, a false positive flagged by an AI system still requires a human to investigate it. In any context, decisions made on AI-generated information should be verified before anyone acts on them. If your team is using AI to draft communications, summarize data, or inform decisions, someone needs to check the work.
  3. Unauthorized use. Research identified “shadow AI” — employees using AI tools that the organization has not approved — as a significant and growing risk. If people on your team are using AI tools to do their jobs faster, that is worth knowing. It is also an opportunity: the right response is not to ban the tools but to understand how they are being used and build appropriate guardrails around them.

Four things you can do right now

Leadership on AI risk does not require authority over AI decisions. It requires curiosity, clear communication, and a willingness to raise the questions others are not asking. Here is where to start:

  1. Ask about the data. The next time your team considers a new AI tool, ask what data it will use and where that data will be stored or processed. You do not need to know the technical answer yourself — you just need to make sure someone does.
  2. Advocate for cross-functional input. If AI decisions in your organization are being made entirely within the IT department, say something. Legal, HR, and compliance colleagues bring perspectives that IT teams genuinely need. Suggest a broader conversation — even informally.
  3. Model good habits with AI tools. If you use AI tools in your own work, demonstrate what responsible use looks like: verify outputs before sharing them, do not input sensitive information into tools that have not been cleared for it, and be transparent with your team about what AI assisted you with and what it did not.
  4. Create space for honest conversation. People who are using AI tools outside of official channels are often doing it because they are trying to do their jobs well, not because they want to create risk. If you are a manager or team lead, make it safe for people to tell you what tools they are using. You cannot manage risks you do not know about.

AI risk management is not a role reserved for security professionals with specialized credentials. It is a shared responsibility — and the research is clear that organizations perform better when they treat it that way.

You already have what it takes to contribute: domain knowledge, relationships across the organization, and the ability to ask a good question at the right time. The question is whether you will use it.

Try it this week: Identify one AI tool your team uses — or is considering. Ask these three questions: What data does it access? Who has reviewed it for risk? Is everyone using it doing so in a consistent, approved way? You may find the answers are clear. You may find they are not. Either way, asking is the first step.