When You Turn On AI, Who Owns the New Signals?

Turning on generative and agentic AI floods the enterprise with alerts, logs, and telemetry. Here's how to decide what's cybersecurity's job — and what isn't.

Cybersecurity owns whether AI can safely act; product owns whether it acts correctly.

Turn on AI, and the signals start pouring in.

The moment an enterprise activates generative and agentic AI — ChatGPT, Copilot, internal agents, MCP servers — it starts generating a flood of new alerts, logs, and telemetry. Some of it is unmistakably cybersecurity's problem: prompt injection, credential abuse, over-permissioned tools, rogue agent behavior. But a lot of it isn't. Hallucinations, model misfires, answer quality, workflow accuracy — those are real problems that belong to product and AI governance, not the SOC.

The question I keep hearing from security leaders is where that line sits. Most aren't looking to stand up a separate "AI security" team — they want to embed the security of AI into the cybersecurity organization they already have. But that only works if everyone agrees on what cyber owns, what product owns, and what governance owns, before the signal volume becomes unmanageable.

These slides are how I think through it: from where most enterprises actually are today, to a clean ownership boundary, to the enforcement point that makes AI activity visible (the AI gateway), to the hard problem of detecting rogue agents, and finally to the vocabulary and MCP architecture decisions that quietly determine your blast radius.

One line I keep coming back to: cybersecurity owns whether AI can safely act; product owns whether it acts correctly.

This deck works through five questions I hear constantly:

  • Is securing AI wholly cyber's job, or only where cyber risk lives?
  • Should cyber build its own AI gateways and guardrails, or partner with product teams?
  • Can anything actually detect rogue agentic activity today?
  • Do we share a common taxonomy — agent, sub-agent, orchestrator, tool?
  • What's leading practice for spinning up and isolating MCP environments?

1 · Maturity — Most enterprises sit in one of three buckets, and the security work changes completely depending on which one you're in.
2 · Ownership — The honest answer to "is this cyber's job?" is mostly yes for security risk, mostly no for AI quality — and here's where I draw the line.
3 · Gateway — Instead of every user and agent talking straight to every model, route it through one control point that can see and enforce.
4 · Gateway flows — Concretely, that's where "don't send that" and "don't hardcode that" stop being rules people remember and start being enforced automatically.
5 · Audit trail — The biggest payoff today is boring but decisive: every AI action finally leaves evidence the SOC can query.
6 · Rogue scenarios — "Rogue" rarely means malware — it's an over-permissioned, hijacked, or buggy agent drifting from its normal baseline.
7 · Detection — There's no "AI EDR" yet; the signals exist but sit scattered across identity, cloud, SIEM, and gateway logs.
8 · Agent stack — "We have 300 agents" tells you nothing until you name the layer — and identity and accountability wrap all of them.
9 · MCP — MCP servers are privileged middleware, not plugins: start narrow, one job and one identity each, or you're building a blast radius.
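The gateway flows in slides 3 to 5 and the baseline-drift idea in slides 6 and 7 are easier to reason about with something concrete in hand. The following is an added illustration, not code from the deck or from any product it mentions: a toy AI gateway that sits between callers and models, refuses prompts that carry hardcoded secrets or tool calls outside an agent's allow list, writes one audit record per action (hashing the prompt so the log never stores the secret itself), and then a small detector that compares an agent's current tool-usage profile against its earlier baseline. The agent names, tool names, traffic and the fake access key are all constructed for the example; the secret patterns are deliberately minimal stand-ins for an organisation's own DLP rules.

```python
import hashlib
import json
import re
from collections import Counter
from dataclasses import dataclass, asdict

# "Don't send that" / "don't hardcode that": patterns the gateway refuses to
# forward. Constructed for illustration; a real deployment would plug in the
# organisation's own DLP rule set.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9\-._~+/]{20,}=*"),
}


def inspect_prompt(text):
    """Return the names of every secret pattern found in an outbound prompt."""
    return [name for name, rx in SECRET_PATTERNS.items() if rx.search(text)]


@dataclass
class AuditEvent:
    """One record per AI action: the evidence the SOC can later query."""
    principal: str       # identity that made the call (user or agent identity)
    agent: str           # which agent (or "human") the call came from
    tool: str            # model endpoint or tool requested
    decision: str        # "allow" or "block"
    reasons: list        # policy names that fired; empty on allow
    prompt_sha256: str   # hash only, so the audit trail never stores the secret


class AIGateway:
    """Single control point between callers and models/tools (hypothetical)."""

    def __init__(self, tool_allowlist):
        self.tool_allowlist = tool_allowlist   # agent -> set of permitted tools
        self.audit_log = []

    def handle(self, principal, agent, tool, prompt):
        reasons = []
        if tool not in self.tool_allowlist.get(agent, set()):
            reasons.append(f"tool_not_allowed:{tool}")
        reasons += [f"secret:{n}" for n in inspect_prompt(prompt)]
        event = AuditEvent(principal, agent, tool,
                           "block" if reasons else "allow", reasons,
                           hashlib.sha256(prompt.encode()).hexdigest())
        self.audit_log.append(event)
        return event

    def export_audit(self):
        """JSON lines, ready to ship to a SIEM."""
        return "\n".join(json.dumps(asdict(e)) for e in self.audit_log)


def tool_profile(events, agent):
    """Share of each tool among an agent's attempted calls (allowed or blocked)."""
    counts = Counter(e.tool for e in events if e.agent == agent)
    total = sum(counts.values())
    return {t: c / total for t, c in counts.items()} if total else {}


def detect_drift(baseline, current, share_jump=0.3):
    """Flag tools the agent never used before, or whose share rose sharply."""
    flags = []
    for tool, share in current.items():
        if tool not in baseline:
            flags.append(f"new_tool:{tool}")
        elif share - baseline[tool] > share_jump:
            flags.append(f"share_jump:{tool}")
    return flags


def run_demo():
    """Constructed traffic: a quiet baseline window, then a window in which the
    ticket-triage agent drifts and a user pastes a credential into a prompt."""
    gw = AIGateway({"ticket-triage": {"search_tickets", "post_comment"},
                    "human": {"chat"}})
    # Baseline window: mostly reads, a few writes.
    for _ in range(8):
        gw.handle("svc-triage", "ticket-triage", "search_tickets", "find open login tickets")
    for _ in range(2):
        gw.handle("svc-triage", "ticket-triage", "post_comment", "acknowledge ticket")
    baseline = tool_profile(gw.audit_log, "ticket-triage")

    # Current window: writes dominate and the agent reaches for a tool it was never granted.
    start = len(gw.audit_log)
    for _ in range(2):
        gw.handle("svc-triage", "ticket-triage", "search_tickets", "find open tickets")
    for _ in range(6):
        gw.handle("svc-triage", "ticket-triage", "post_comment", "close ticket")
    for _ in range(2):
        gw.handle("svc-triage", "ticket-triage", "export_customers", "export all customers")
    current = tool_profile(gw.audit_log[start:], "ticket-triage")

    # A human pasting a constructed, non-functional access key into a chat prompt.
    human = gw.handle("alice", "human", "chat",
                      "why does AKIAABCDEFGHIJKLMNOP fail to auth?")
    blocked_calls = sum(1 for e in gw.audit_log if e.decision == "block")
    return {"baseline": baseline, "current": current,
            "drift_flags": detect_drift(baseline, current),
            "human_reasons": human.reasons, "blocked_calls": blocked_calls}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two design points worth noticing. The gateway and the drift detector are complementary, not redundant: the allow list stops what policy already forbids (the `export_customers` calls), while the profile comparison surfaces what policy permits but looks unlike the agent's history (the jump in `post_comment`), which is the "buggy or hijacked agent drifting from its baseline" case rather than the malware case. And the audit record carries the principal and agent separately, because a single event from a shared service identity is useless for accountability once sub-agents and orchestrators share credentials; that is the identity layer the agent-stack slide says must wrap every layer.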