Over the last few years, Vaishali Mutalik, CISSP has watched cybersecurity teams quietly undergo one of the most significant role shifts of their careers – not because of a new regulation or a major breach, but because AI quietly entered the operational core of security work. Few have correctly anticipated how deeply it would reshape accountability, audits and workforce roles.

AI Month: The Impact Of AI-Driven Cybersecurity Tools on Workforce Roles, Regulatory Accountability and Resilience - Vaishali Mutalik, CISSPDisclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.

In my role working closely with highly regulated organizations and emerging AI governance requirements, I’ve seen firsthand how AI-driven cybersecurity tools are changing not just how we defend systems, but also who is accountable when things go wrong.

Early on, many teams considered AI as a means to reduce workload. For example, phishing simulations became automated, vendor risk assessments moved to AI scoring models and anomaly detection engines began flagging issues faster than human analysts ever could. On paper, this looked like progress. In practice, it introduced a new kind of risk that wasn’t immediately obvious: the erosion of human ownership.

When Oversight Was Lacking

I was party to one incident during a regulatory readiness assessment, when a client proudly demonstrated their AI-based human risk-scoring dashboard. The numbers looked impressive: risk trending down, completion rates up. But, when we asked why certain employees were repeatedly flagged as high risk, no one on the security team could explain the behavioral or contextual drivers behind the scores. The model knew something was wrong, but the people responsible for governance didn’t. The moment was a turning point for me. It reinforced a pattern I now see repeatedly: AI increases speed and scale, but it also widens the accountability gap if teams don’t adapt their roles alongside the technology.

As AI became embedded across security operations, the real shift wasn’t technological but human, the same accountability gap surfaced in vendor risk management. Security teams found themselves moving beyond running tools to actively interpret, question and own AI-driven decisions. In audits, regulators showed little interest in how advanced the models were; instead, they asked who understood the logic behind the decisions and who was accountable for them.

That same challenge surfaced in vendor risk management, with continuous AI-based risk scoring replacing annual checklists. When vendor risk scores suddenly spiked due to external intelligence, confusion spread: Procurement panicked, business owners doubted the data and security teams struggled to explain signals they hadn’t fully contextualized. The lesson was clear: without clear human ownership and narrative, AI creates noise, not confidence.

AI and the Regulated World

This is especially critical in regulated environments, where “the system decided” is not an acceptable answer. AI doesn’t sign compliance declarations. People do. What works and what I now strongly advocate, is embedding human checkpoints into AI workflows – not to slow things down, but to make decisions defensible. My teams that paired AI insights with documented analyst review, contextual notes and escalation logic were far more resilient during audits and incidents. They didn’t just detect risk; they could also explain it.

Resilience is no longer about preventing every incident. It’s about demonstrating control, intent and informed decision-making, even when AI is deeply embedded in operations. The most mature teams I work with treat AI as a powerful junior analyst: fast, tireless, but never permitted to work unsupervised.

Advice to Others

If there’s one takeaway I’d share with peers, it’s this: adopting AI in cybersecurity isn’t a tooling decision, it’s a governance decision. Our workforce roles, accountability structures and regulatory narratives must evolve alongside the technology. Otherwise, we risk building systems that are intelligent but untrustworthy.

AI will continue to reshape cybersecurity. The professionals who thrive will be those of us who don’t just deploy it, but own its outcomes.

Vaishali Mutalik, CISSP, has over 30 years’ experience across cybersecurity, information security governance, compliance, risk management and enterprise technology. She has led strategic security initiatives for organizations across multiple sectors and developed AI-enabled cybersecurity platforms focused on human risk management and vendor ecosystem security.

For You, By You: Join Us and Build ISC2's AI Security Certification

As cybersecurity professionals evolve and adapt their skillset and job functions because of AI, ISC2 has announced the development of a new AI security certification to recognize and benchmark AI skills and competence within the cybersecurity workforce.

The AI security certification development process presents an opportunity for cybersecurity professionals to input into the process and help define parameters for the certification.

This is your moment to play a defining role at the foundation of this new certification:

  • Contribute to identifying the knowledge, skills and abilities necessary to securely design, implement and manage AI systems
  • Creating questions for a pilot exam
  • Participate in publicly available pilot exams to help ensure it accurately validates a candidate capabilities

For more information about the ISC2 AI security certification program and how to contribute to the various development activities taking place, go to https://www.isc2.org/new-ai-certification.

Related Insights