Executives are losing confidence in their ability to protect their businesses. The Risk and security outlook report from ServiceNow found that nearly half of leaders in organizations surveyed report very low to moderate confidence in their security and risk posture.
Against this backdrop, we sat down with ServiceNow Chief Information Security Officer Ben de Bont to get his take on the state of AI security and how organizations can defend their businesses from dangers ahead.
AI is collapsing the distance between risk and response. When systems, identities, and workflows are deeply interconnected, disruption doesn’t stay contained; it cascades across the business at machine speed. That means leaders have less margin for error—and less time to respond.
Social engineering—especially deepfakes. It’s the easiest way in. You can have excellent controls on the back end, but if someone can convince a human to give up credentials or access, those controls don’t matter. Deepfakes and AI-driven impersonation are making that front door easier to open, and I still think many organizations underestimate just how big that risk is.
It usually comes down to misaligned visibility. CISOs and security teams see AI-driven risk escalating very quickly. Boards and CFOs often see something different—[they’re] either underestimating exposure or overestimating readiness. When leaders aren’t operating from a shared view of risk, decisions diverge. A common framework, shared metrics, and workflow-level insight help close that gap.
Because every new identity is a new access point. It’s no longer just employees and customers. It’s AI agents, bots, service accounts, and nonhuman identities—and they’re multiplying fast. Each one needs to be governed with the same rigor as a human user. Without centralized identity governance, organizations lose their ability to contain risk as AI adoption accelerates.
They introduce a new class of risk. Agents can act continuously, make decisions, and access data at scale. So the CISO role shifts from just managing access to governing behavior. AI agents need clear permissions, defined intent, and continuous oversight. Treat them as high-privilege identities from day 1. Identity becomes the control plane that lets organizations innovate without losing control.
Because human-only response models can’t keep up with AI-speed threats. Autonomous security allows organizations to detect, prioritize, and respond in real time. When done right—grounded in strong governance and clear guardrails—autonomy doesn’t replace human judgment; it amplifies it. The future of resilience is platform-led, not tool-led.
First, acknowledge that uneven AI adoption is a risk in itself. As AI becomes embedded across the enterprise, risk management becomes a leadership discipline, not just a technical one. Visibility and governance determine whether organizations absorb disruption or amplify it.
Second, align executives around a shared, real-time view of AI risk. And third, move from static controls to workflow-based governance—making risk visible, measurable, and actionable across the business. Focus on resilience, not perfection.
We’re just getting started with what AI can do for defense. Yes, attackers tend to adopt new technology first—but those same tools give organizations the ability to move faster, see more clearly, and respond at scale. When AI is used thoughtfully, with the right governance, it can turn risk from a source of uncertainty into a competitive advantage.