The CISO role keeps getting heavier
Personal liability is becoming a routine part of the CISO job. In Splunk’s 2026 CISO Report, titled From Risk to Resilience in the AI Era, 78% of CISOs said they are concerned about their own liability for security incidents, up from 56% last year. The role carries personal exposure alongside operational accountability, and that shift is influencing how security leaders approach risk, documentation, and board communication.

The mandate continues to grow. Nearly all respondents said AI governance and risk management fall under their responsibility. Oversight of generative and other AI systems has joined established duties in detection, response, compliance, and reporting. Many CISOs are responsible for setting internal guardrails around how AI tools are used, what data they can access, and how outputs are reviewed before use in production environments.
“CISOs operate in the eye of the storm, at the center of constant transformation. Role responsibilities expand, threats evolve, and AI accelerates everything. This expanded mandate brings an exceptional level of pressure and personal accountability. We are not just managing technology. We are managing risk, talent, and the digital resilience that drives critical business outcomes,” said Michael Fanning, CISO, Splunk.
This expansion is unfolding in a demanding threat environment. Most CISOs described attacker sophistication as a significant challenge, reinforcing the need to sustain strong detection and response programs as responsibilities broaden. Security leaders prioritize visibility across cloud and on-premises systems, disciplined investigation cycles, and coordination among security, IT, and engineering teams.
Detection priorities meet AI adoption
Detection and response functions remain central to strategy. Programs focus on broad monitoring coverage, structured investigation workflows, and automation that reduces manual review steps. Threat monitoring and incident response anchor security operations planning.
AI is entering production workflows in defined ways. 40% of CISOs said they are already using generative AI within their security functions. In many organizations, these tools assist analysts with reviewing large volumes of events, summarizing findings, and identifying patterns across data sources. AI is integrated into existing processes with defined oversight and review practices.
Risk management expands alongside adoption. Data leakage and unsanctioned use of AI tools rank among the primary concerns tied to generative systems. Security teams are extending policies to address internal experimentation and third-party AI services, and they are clarifying how sensitive information can be used in prompts and model interactions. Governance frameworks are developing in parallel with technical implementation.
Workforce strain and executive expectations add pressure
Operational expansion continues under staffing pressure. 45% of CISOs sensed moderate burnout among their employees. Sustained alert volumes, investigation demands, and ongoing architectural change contribute to workload intensity across security operations centers.
High alert volumes and false positives require significant analyst time for triage and validation. Automation initiatives support analysts by handling repetitive tasks and standardizing portions of the review process. Security leaders aim to improve signal quality and maintain analyst focus on complex investigations.
CISOs anticipate ongoing gaps in key roles. Current teams are taking on additional responsibilities related to AI governance and regulatory requirements.
Executive alignment and ROI remain difficult to quantify
Executive expectations introduce additional complexity. 85% cited “Low cybersecurity fluency among non-technical executives” as an obstacle to collaboration. Security leaders translate technical findings into business language that informs funding decisions, remediation timelines, and risk acceptance discussions.
Measurement of return on investment remains constrained. 41% said they cannot correlate ROI directly to risk mitigation and remediation activities. Security leaders rely on operational indicators such as incident reduction and detection speed when communicating program value to boards and senior leadership.
Leadership expectations influence remediation planning and impact modeling. Security teams report pressure around vulnerability remediation timelines and projections tied to potential revenue impact from an attack. These dynamics shape prioritization, budgeting, and communication across departments.