
The Elephants in the Technology Room - Part 2

Source: Data Breach Today. Archived May 05, 2026.

Why Technical Leaders Are Walking Away and What We Can Do to Fix It Leaders are expected to deliver results, yet often lack the authority to make key decisions. The article examines how this imbalance creates friction, undermines performance and turns accountability without authority into a persistent leadership challenge.



Krishna Bagla • May 4, 2026

Chuck Norton was only a few months into his role as CISO at a major state university when he realized he'd made a terrible mistake, not because the job was difficult but because he'd just watched another security leader face criminal prosecution and understood that he had absolutely no legal protection if the same thing happened to him.

When he asked his employer to put indemnification protections in his contract, they gave him verbal assurances but refused to put anything in writing, which led to a stark realization that he later described as "being stuck at the confluence of being accountable for everything and having authority over nothing." Norton left in April 2025 and now works as a senior technical security adviser for a risk management firm, which represents exactly the kind of talent drain organizations can't afford but have created through impossible role design.

A January analysis captured the concern, noting that the biggest cyber risk in 2026 won't be ransomware but rather the personal liability imposed on technology executives by regulatory regimes, and a February 2026 CIO analysis found that accountability boundaries remain blurred because "CIOs own platforms and data, CISOs own cyber defense, but business leaders own outcomes," which creates situations where technical leaders are accountable for enterprise risks without authority to control the business decisions that create those risks.

When Regulators Targeted Individual Execs

The regulatory environment fundamentally changed when the U.S. Securities and Exchange Commission charged SolarWinds and its CISO in October 2023 with fraud for allegedly misleading investors about cybersecurity risks, which represented the first time regulators sought to hold a CISO personally accountable not just for breach response but for how security posture was communicated to stakeholders. Most charges were subsequently dismissed, and the SEC dropped remaining litigation in November 2025, but technical leaders across all disciplines suddenly understood that their communications about risk could expose them to federal scrutiny regardless of good-faith belief in accuracy.

A December 2025 analysis found that "liability is widening and it is no longer just about the CISO," with accountability spreading to CIOs, CTOs and other technical executives who make decisions about artificial intelligence deployment, data governance, cloud architecture and technology strategy that can create enterprise-level risks. Lexology reported in February that regulators moved from policy-based expectations to outcome-based accountability, which means boards are now directly responsible for cyber incidents and failed recovery, and this accountability flows downstream to technical leaders who must deliver outcomes while operating within constraints they didn't set and can't change.

CIOs, CTOs and the New CAIO Role

A February 2026 CIO analysis found that technology is no longer evaluated as an enabler or cost center but assessed as a direct driver of enterprise outcomes with explicit accountability for value realization, risk, resilience and speed of execution, which means CIOs face personal accountability for business results that depend on factors they don't fully control. Just as infrastructure and security leaders were grappling with unprecedented liability, organizations created a new C-suite role facing remarkably similar challenges.

According to IBM's 2025 global study, 26% of organizations now have a chief AI officer, up from 11% two years earlier, but the role often comes with enterprisewide accountability for AI strategy and risk while actual decision-making authority remains fragmented across existing C-suite leaders and business units. Organizations creating CAIO positions struggle to define decision rights that determine whether the CAIO has authority to stop AI projects that fail governance reviews or simply advise and hope people listen.

Three Practical Frameworks to Fix This

Organizations serious about fixing the accountability-authority mismatch need to implement three specific frameworks that align responsibility with power while protecting individuals from unreasonable personal liability.

Framework 1: Implement Technology Leadership RACI Matrices

A September 2025 analysis from Cyber Sierra found that the solution lies in implementing a distributed risk ownership model using RACI matrices that define responsible, accountable, consulted and informed roles for every technology decision, under which multiple people can be responsible for doing work, but only one person should be accountable for each activity. This approach prevents the diffusion of accountability that currently plagues most organizations and creates documentary evidence of who owned which decisions when regulators or plaintiffs come asking questions.

For a CISO facing personal liability, the RACI matrix must clearly specify which activities the CISO is accountable for versus activities where the CISO is merely consulted, because if a business unit decides to deploy a new AI tool after the CISO provides guidance but isn't given authority to approve or reject, the RACI matrix documents that the business unit leader is accountable for that decision and its consequences. The same principle applies across all technical leadership roles: CIOs need clarity about which infrastructure decisions they're accountable for versus which business units own; CTOs need documentation of which product architecture decisions fall within their authority versus what product managers decide; and CAIOs need explicit boundaries around which AI deployments they can approve, reject or merely advise on without enforcement power.

Framework 2: Negotiate Personal Indemnification Agreements in Writing

Woodruff Sawyer's analysis for 2025-2026 makes clear that technical leaders can be held personally liable for actions affecting their company, which means executives across CIO, CISO, CTO and CAIO roles need indemnification agreements in place to protect personal assets in the event of third-party suits or regulatory actions. The indemnification agreement must specify several key provisions: first, the organization agrees to indemnify the executive for claims arising from actions taken within the scope of professional duties; second, the organization will advance defense costs immediately rather than requiring the executive to pay and seek reimbursement; third, the organization can't terminate or modify the indemnification without the executive's consent even if the executive leaves the company; and fourth, the indemnification survives any merger, acquisition or change of control that might otherwise eliminate the protection. Looking at actual indemnification agreements filed with the SEC, we see language establishing clear contractual protections that apply regardless of changes in corporate structure, which provides the written guarantees that verbal assurances never deliver.

Framework 3: Align Insurance Coverage Across Multiple Policies

Woodruff Sawyer's guidance emphasizes the importance of understanding both D&O and cyber coverage, making sure brokers are aware of what is and is not covered in each policy so there are no gaps. A 2026 Global CISO Leadership Report recommends that organizations "mandate combined D&O plus indemnification policies and consider personal liability insurance for technical leaders managing high-risk domains," noting that "increasing regulatory scrutiny and personal liability exposure make this an existential requirement," but the same logic applies to CIOs managing enterprise technology strategy, CTOs making product architecture decisions, and CAIOs governing AI deployment. The practical implementation requires requesting written confirmation from insurers specifying which policy responds to specific scenarios, including SEC investigations, shareholder derivative suits, regulatory fines and third-party liability claims, because many policies contain exclusions that shift coverage responsibility between policies in ways that leave gaps and expose individual executives to personal financial risk.

The Bottom Line

Technical leaders across CIO, CISO, CTO and CAIO roles are walking away because organizations have designed jobs in which failure is inevitable and personal liability is concentrated on individuals who lack authority to prevent the problems they're accountable for solving. Organizations that implement these frameworks won't just protect their current technical leaders but will position themselves to attract the experienced professionals they desperately need, because talented people with options increasingly refuse positions where accountability exceeds authority and personal liability exists without corresponding protection.

This article is part of "The Elephants in the Technology Room," a seven-part series examining unspoken organizational crises destroying IT and cybersecurity teams in 2026. Part 1 covered the cost of organizational silos. Part 3 will cover vendor lock-in and the risk of a single point of failure.