CISOs Debate Human Role in AI-Powered Security

APPLICATION SECURITY СLOUD SECURITY CYBERSECURITY OPERATIONS CYBER RISK NEWS CISOs Debate Human Role in AI-Powered Security The idea of a "human in the loop" in AI deployment was challenged during a security executive panel at the RSAC 2026 Conference this week. Alexander Culafi,Senior News Writer,Dark Reading March 23, 2026 5 Min Read SOURCE: ROBERT HYRONS VIA ALAMY STOCK PHOTO RSAC 2026 CONFERENCE – San Francisco – Do AI deployments need a "human in the loop" or will people merely slow things down? That was a key question during an RSAC 2026 Conference panel in which security executives from Google Cloud, Vodafone, and PayPal discussed evolving AI use cases and how to safely deploy it in one's environment. In the panel titled "From Threat to Strategy: The CISO's Playbook for the AI Revolution," The Wall Street Journal's James Rundle asked Google Cloud chief operating officer (COO) and president of security products Francis deSouza, Vodafone global chief information security officer (CISO) Emma Smith, and PayPal senior VP and CISO Shaun Khalfan how security leaders can best adapt to the new AI landscape. The trio also discussed the role of humans in AI-powered security. For as many problems as the "AI revolution" hopes to solve, the introduction of LLM-powered security products has introduced and/or exacerbated other issues in the security landscape.  Related:Trivy Supply Chain Attack Targets CI/CD Secrets Thanks to the high security standard needed to secure AI tools (lest they leak sensitive corporate documents and the like, thanks to a prompt injection), the shared data security model between AI vendor and customer remains something of a mess. AI advances outside the security organization, such as vibe coding, have also created challenges; an organization may lean too hard onto AI generated code without the right humans in the loop, making the CISO's job more complex. It must also be noted that many organizations have yet to find success in their AI security deployments, according to studies. Google's AI presence speaks for itself, as 50% of its code is AI generated with developer assistance. Vodafone security analysts are using it to automate various workflows and conduct other tasks, like making board executive summaries of technical subject matter — and Khalfan said PayPal is using AI to help detect fraud in its billion transactions per month.  Loading... Smith said Vodafone began implementing AI when the company realized it was moving slower than AI would enable, and concluded that it would take a top-down approach from leadership to integrate it correctly. As in, everyone needs to be on the same page for how to implement AI technology in a safe, ethical, responsible way.  Vodafone's solution has been AI Booster, a centralized machine learning platform leveraging Google's technology that's designed to help deploy AI and ML models at scale. It includes a central, reusable codebase that allows it to deploy established use cases quickly via pre-trained models and custom tools, and tracks how successful these processes have been, business-wise.  Related:AI Conundrum: Why MCP Security Can't Be Patched Away Smith said Vodafone did that for business reasons, in part to track the value of different initiatives, but it also gives her privacy engineering team a framework to do interventions on each use case and ensure the proper guardrails are in place.  Humans on vs. in the Loop One surprising note came in discussing the idea of placing a "human in the loop" — the concept that AI tools should include humans at some steps or even every step in order to ensure accuracy of an LLM's output. Although humans are part of the process, deSouza said that human-led defenses are often too slow to stop things like agent-led cyberattacks, and, as such, Google is moving toward agent-led defense.  Smith agreed. "I totally agree that a human in the loop is not scalable if we think about our traditional security controls, the ones that rely on human behaviors are the ones that we don't rely on the most," she said. "Let's face it, we rely on the ones that are technical and automated and that we can prove over time. A human in the loop is not the solution for the long term, certainly on scaled operations, and I also worry that it will give a boring job to the human in the loop."  Related:GlassWorm Malware Evolves to Hide in Dependencies Instead, organizations should think about ways to get a human "on the loop" to get insights from AI, rather than controlling or overseeing the tools, because "it's just not going to scale," Smith said. She added that Vodafone has built a heat map that looks at the confidence in an AI's outcome and potential risk outcome. For very high risk impact use cases, Vodafone likely wouldn't pursue such an approach unless there was a big business benefit, "and then it would absolutely have a human in the loop." The Importance of Data Security and Collaboration Khalfan followed Smith by emphasizing the importance of putting everything one does in a data security wrapper. While PayPal is a proponent of the engineering and technological benefits of AI tooling, he added that "it's just as important to have a risk and compliance wrapper around it." "When we think about our key AI principles, it's data and security. It's privacy, it's transparency, it's explainability," he said. "As we wrap everything we're doing in these principles, it helps us keep this anchor of all of the efforts that we're making." An example of this is that PayPal's AI model teams rank them in tiers based on data sensitivity, establishing use cases, and then establishing what controls need to be in place to protect any sensitive data stored within. These controls are intended to protect the models against tampering and prompt injections. It means accounting for the many identities that AI agents will need.  Part of this too, Khalfan said, involves collaborating with the larger ecosystem, such as the Coalition for Secure AI (CoSAI), an industry-wide initiative that aims to facilitate collaboration between stakeholders and ensure more secure AI deployments. It offers a wide range of white papers and documentation based on multiple different workstreams.  Alexandra Rose, director of government partnerships and the Counter Threat Unit at Sophos, tells Dark Reading that safe AI deployment is about encouraging curiosity and innovation while ensuring security.  "I think it's important that security is not the world of no," she says. "It's how do we get to yes, and how do we get to a yes in a way that that we're protected?" RSAC Conference MAR 23, 2026 TO MAR 26, 2026 Join thousands of your peers at RSAC™ 2026 Conference in San Francisco from March 23–26. Discover new strategies, explore bold technologies, and connect with peers who share your challenges and ambitions. Don’t just attend the Conference—be part of the community that defines what’s next. SECURE YOUR SPOT About the Author Alexander Culafi Senior News Writer, Dark Reading Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report The ROI of AI in Security Cybersecurity Forecast 2026 ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars You May Also Like APPLICATION SECURITY Trump Administration Rescinds Biden-Era Software Guidance by Alexander Culafi JAN 29, 2026 CYBERATTACKS & DATA BREACHES DeepSeek Breach Opens Floodgates to Dark Web by Emma Zaballos APR 22, 2025 APPLICATION SECURITY Oracle Cloud Users Urged to Take Action by Jai Vijayan, Contributing Writer MAR 31, 2025 APPLICATION SECURITY 'IngressNightmare' Vulns Imperil Kubernetes Environments by Jai Vijayan, Contributing Writer MAR 24, 2025 Editor's Choice CYBERSECURITY OPERATIONS Why Stryker's Outage Is a Disaster Recovery Wake-Up Call byJai Vijayan MAR 12, 2026 5 MIN READ CYBER RISK What Orgs Can Learn From Olympics, World Cup IR Plans byTara Seals MAR 12, 2026 THREAT INTELLIGENCE Commercial Spyware Opponents Fear US Policy Shifting byRob Wright MAR 12, 2026 9 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Building a Robust SOC in a Post-AI World THURS, MARCH 19, 2026 AT 1PM EST Retail Security: Protecting Customer Data and Payment Systems THURS, APRIL 2, 2026 AT 1PM EST Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need WED, APRIL 1, 2026 AT 1PM EST Securing Remote and Hybrid Work Forecast: Beyond the VPN TUES, MARCH 10, 2026 AT 1PM EST AI-Powered Threat Detection: Beyond Traditional Security Models WED, MARCH 25, 2026 AT 1PM EST More Webinars White Papers Autonomous Pentesting at Machine Speed, Without False Positives Fixing Organizations' Identity Security Posture Best practices for incident response planning Industry Report: AI, SOC, and Modernizing Cybersecurity The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Explore More White Papers GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE