
AI Is Not the Risk – Your Decision-Making Is

Why the biggest threat in the AI era isn’t the technology, it’s what we stop doing when we trust it.

Picture this: a security team runs its weekly alert triage. The AI-powered SIEM has already categorized, prioritized, and color-coded everything. Green means safe. Red means urgent. The analyst glances at the dashboard, confirms what the AI suggests, closes the tickets, and moves on. Fast. Efficient. Clean.

Three months later, a breach. Not through some exotic zero-day. Through a series of alerts that were flagged green. The AI wasn’t broken. It did exactly what it was designed to do: pattern-match based on historical data. But the threat was new. It didn’t match the old patterns. And nobody questioned the green light, because why would you? The machine said it was fine.

Here’s the uncomfortable truth: the AI didn’t fail. The decision-making did. Or rather, the absence of decision-making did. Because somewhere along the way, we stopped deciding and started accepting.

I’ve spent years helping organizations navigate compliance frameworks, from ISO/IEC 27001 to DORA and beyond, and here’s what I keep seeing: the tools get smarter, but the decisions don’t. We upgrade our technology and downgrade our judgment. We automate the process and forget to engage the brain. And now, with AI becoming embedded in everything we do, this gap between capability and critical thinking is wider than ever.

This article isn’t anti-AI. Far from it. AI is one of the most powerful tools we’ve ever had. But a tool is only as good as the person wielding it. And right now, too many of us are letting the tool wield us.

We’ve Always Blamed the Tool

Let’s be honest with ourselves for a moment. Blaming technology for security failures is not new. We’ve been doing it for decades. When firewalls were the hot thing, every breach was a “firewall problem.” When cloud adoption exploded, it was the cloud’s fault. When remote work became the norm, we pointed at VPNs and home routers. And now? Now it’s AI.

The pattern is always the same: a new technology arrives, we adopt it enthusiastically, something goes wrong, and we blame the technology. We rarely stop to ask whether the real issue was how we used it, or more precisely, how we decided to use it.

I remember a project early in my career where an organization had invested heavily in a state-of-the-art intrusion detection system. The technology was solid. But nobody had defined clear escalation procedures. Nobody had trained the team on what to do when the system flagged something ambiguous. So when a real incident occurred, the alert sat in a queue for 72 hours because it didn’t look “urgent enough” to the person glancing at the dashboard. The tool worked perfectly. The decision-making around it was nonexistent.

We love to say that humans are the weakest link in cybersecurity. And the numbers back it up: roughly 95% of incidents trace back to human error. But here’s what’s interesting: AI doesn’t change that statistic; it just adds a new flavor to it. Instead of clicking on a phishing link, now the error is trusting an AI output without verification. Instead of misconfiguring a firewall, now it’s accepting an AI-generated policy without reading it. The mechanism is different; the root cause is the same: a human who didn’t engage their judgment.

And that’s actually good news, because if the problem is human, the solution is human too. We don’t need better AI; we need better decisions.

The Cognitive Shortcuts AI Exploits

Here’s where it gets interesting, and a little uncomfortable. AI doesn’t just sit there waiting for us to make mistakes. It actively makes certain mistakes easier to make. Not deliberately, of course, but by design. Because AI is fast, confident, and polished, it triggers cognitive shortcuts that we’re already prone to.

I like to think of AI as a mirror with a megaphone. It reflects us, but louder. It amplifies our strengths (speed, synthesis, creativity), but it also amplifies our weaknesses: overconfidence, laziness, confirmation bias, and the tendency to simplify what should remain complex.

Let me walk you through the traps I see most often in cybersecurity contexts.

Automation Bias: “The Machine Said So”

This is the big one. Automation bias is our tendency to favor suggestions from automated systems over our own judgment, even when we have evidence to the contrary. In a security operations center, this looks like an analyst who stops questioning alerts because the AI has been right 99 times out of 100. But that 100th time? That’s the breach, and the analyst didn’t catch it because they’d stopped looking.

Think about it in everyday terms. You’re driving with GPS, and the GPS tells you to turn left into what is clearly a dead-end street. Most people hesitate; some even follow the GPS anyway. Now imagine that dynamic playing out with security decisions that affect an entire organization. That’s automation bias in action.

Delegation Without Accountability

AI makes it incredibly easy to delegate without realizing you’ve done it. You ask the AI to draft a risk assessment. It produces something that looks professional, reads well, and covers the right topics, so you submit it. But did you actually assess the risk? Or did you outsource your judgment to a language model and put your name on it?

This is the compliance trap I warned about in my previous work: you can be “compliant” on paper and completely vulnerable in operations. AI makes this gap even wider because the paper looks even better now. The policy is well-written. The assessment is thorough. The documentation is impeccable. And none of it reflects reality, because nobody actually thought about it. They just accepted what the machine produced.

Speed Over Depth

AI gives answers in seconds, and that speed is intoxicating. But speed and depth are often in tension. When you get an instant answer, your brain registers it as “done.” You move on. You don’t sit with the question. You don’t explore the edges. You don’t ask “what if?”

In cybersecurity, “what if?” is everything. What if this low-risk verdict is a false negative? What if this vendor’s risk profile has changed? What if this policy doesn’t account for a scenario we haven’t seen yet? These are the questions that prevent breaches. And they’re exactly the questions that AI’s speed encourages us to skip.

Here’s a real-world parallel: you wouldn’t let a junior analyst sign off on your risk register alone. You’d review their work, challenge their assumptions, and ask hard questions. So why do we give AI a free pass? Is it because the output looks more polished than what a junior analyst would produce? Probably. But looking polished and being correct are two very different things.

From Accepting to Deciding

So what do we actually do about this? The answer isn’t to stop using AI. That ship has sailed, and besides, AI is genuinely useful. The answer is to shift from a posture of acceptance to a posture of decision. It’s a subtle but critical distinction.

Accepting means taking what the AI gives you and moving on. Deciding means taking what the AI gives you, questioning it, stress-testing it, and then making a conscious choice about what to do with it. The output is the starting point, not the conclusion.

Here are the habits I’ve found most effective, both for myself and for the teams I work with.

The Challenge Reflex

Every AI output gets at least one hard question before acceptance. Not a rubber-stamp review. A real question. “What did you not consider?”, “What assumption is this based on?”, “What would change if this input were different?” It sounds simple, but it’s surprisingly hard to maintain when the AI’s answer looks clean and confident. Building this reflex takes practice. It’s like learning to brake before a curve instead of during it: counterintuitive at first, essential once it becomes habit.

The “So What?” Test

Before acting on any AI output, ask: “So what?” What does this actually change in our risk posture? What decision does this enable? If you can’t answer that clearly, the output is noise, not signal. I’ve seen teams generate beautifully formatted AI reports that nobody acts on. The report exists. The risk remains. That’s not security. That’s theater.

Ownership Loops

Someone signs off: a human, with a name, not “the AI recommended it.” Every AI-assisted decision should have a clear owner who takes responsibility for the outcome. This isn’t about blame; it’s about accountability. When you know your name is on a decision, you pay attention, you think twice, you engage your judgment. The moment we allow “the AI said so” to become an acceptable justification, we’ve abdicated the very thing that makes us valuable.

Compliance Is Not a Substitute for Thinking

I’ve spent my career in compliance, and I’ll be the first to tell you: passing an audit does not mean you’re secure. Frameworks like ISO/IEC 27001, DORA, the AI Act, and ISO/IEC 42001 are essential. They give structure. They create a common language. But structure without judgment is a filing cabinet, not a defense. You can check every box and still get breached if nobody is actually thinking about the risks behind the checkboxes.

The same principle applies to AI governance. Yes, adopt frameworks. Yes, document your AI usage. Yes, conduct risk assessments. But don’t let the process replace the thinking. Governance should be alive, iterative, and grounded in reality, not a static binder that collects dust between audits.

Building a Decision-Making Culture, Not an AI Culture

Individual habits matter, but if the organization around you rewards speed over scrutiny, those habits won’t survive long. The real transformation has to happen at the cultural level.

As a CISO, your job in the AI era isn’t to become an AI expert. It’s to protect the quality of human decision-making across the organization. That’s the mission. Everything else is a supporting act.

What does that look like in practice?

  1. Reward the people who challenge AI outputs, not just the people who produce the fastest deliverables. If someone on your team slows down to question an AI-generated risk assessment and catches a flaw, that’s the behavior you celebrate. That’s the behavior you want to replicate.
  2. Make “the AI said so” an unacceptable justification in post-incident reviews. When something goes wrong, the conversation should center on human decisions: who reviewed it, what questions were asked, where the judgment gap was. The AI is a tool. The human is the decision-maker. Keep that distinction sharp.
  3. Rethink your training programs. Most organizations are investing heavily in “how to use AI tools.” That’s necessary but insufficient. The bigger investment should be in “how to think critically when AI is in the room.” Teach your teams to spot automation bias. Train them to question confident-sounding outputs. Help them understand that the polish of an AI response is not evidence of its accuracy.
  4. Build governance that breathes. AI evolves too fast for annual reviews. You need short feedback loops: test, control, review incidents, measure drift, and update rules. Iterative, traceable, accountable. A governance framework that sits in a binder and gets reviewed once a year is not governance; it’s wishful thinking.
  5. Lead by example. If you’re a CISO or a security leader, your team watches how you interact with AI. If you accept AI outputs without question, they will too. If you challenge, verify, and own your decisions, they’ll learn to do the same. Culture flows from behavior, and behavior flows from the top.

The Question That Changes Everything

Let’s go back to our opening scenario. Same team. Same AI-powered SIEM. Same weekly triage. But this time, the analyst doesn’t just glance at the dashboard. She pauses. She picks three green-flagged alerts at random and digs in. She asks the AI why it classified them as low risk. She compares the reasoning against what she knows about the current threat landscape. One of the three doesn’t add up. She escalates. It turns out to be the early signal of a coordinated attack.

The AI didn’t catch it. But the human did, because she was deciding, not just accepting.
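The two controls in this scenario and in habit 4 above (a mandatory human spot-check of a random sample of “green” alerts, and a measured disagreement rate that feeds the governance loop) can be made concrete. The script below is an added example and is not code from the article; the alert queue, the analyst’s verdicts, the field names and the drift thresholds are all constructed for illustration.

```python
"""Sampling audit for AI-triaged alerts (added example, not from the article).

Three ideas from the text, implemented as small functions:
  * select_for_review: everything the model marked amber/red is reviewed, plus a
    seeded random sample of "green" alerts, so green is never accepted unexamined.
  * record_decision: the ownership loop, a decision must be owned by a named human.
  * green_override_rate / drift_exceeded: how often the human overrides a green
    verdict, used as a drift signal for the short governance feedback loop.
All data below is constructed; field names and thresholds are assumptions.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Alert:
    alert_id: str
    source: str
    ai_verdict: str                 # "green" (low risk), "amber", or "red"
    ai_rationale: str               # what the model says the verdict is based on
    human_verdict: Optional[str] = None
    reviewer: Optional[str] = None  # named owner of the decision (ownership loop)


VERDICTS = {"green", "amber", "red"}
NON_HUMAN_REVIEWERS = {"ai", "the ai", "model", "siem", "auto"}

# Constructed weekly queue for the example; not real telemetry.
WEEKLY_QUEUE: List[Alert] = [
    Alert("A-001", "edr", "red", "matches known malware signature"),
    Alert("A-002", "proxy", "amber", "rarely seen domain, low reputation"),
    Alert("A-003", "edr", "green", "matches historical benign admin activity"),
    Alert("A-004", "firewall", "green", "low volume, within 90-day baseline"),
    Alert("A-005", "idp", "green", "successful login from known device"),
    Alert("A-006", "firewall", "green", "destination range seen before"),
    Alert("A-007", "idp", "green", "MFA passed"),
    Alert("A-008", "proxy", "green", "category: software update"),
]


def select_for_review(alerts: List[Alert], green_sample_size: int, seed: int) -> List[Alert]:
    """Amber/red alerts are always reviewed; on top of that, a reproducible
    random sample of green alerts is pulled. The seed keeps the sample auditable."""
    mandatory = [a for a in alerts if a.ai_verdict != "green"]
    greens = [a for a in alerts if a.ai_verdict == "green"]
    rng = random.Random(seed)
    sampled = rng.sample(greens, min(green_sample_size, len(greens)))
    return mandatory + sampled


def record_decision(alert: Alert, human_verdict: str, reviewer: str) -> Alert:
    """Ownership loop: refuse any decision not owned by a named person."""
    if not reviewer or reviewer.strip().lower() in NON_HUMAN_REVIEWERS:
        raise ValueError(f"{alert.alert_id}: decision must be owned by a named human")
    if human_verdict not in VERDICTS:
        raise ValueError(f"{alert.alert_id}: unknown verdict {human_verdict!r}")
    alert.human_verdict = human_verdict
    alert.reviewer = reviewer
    return alert


def disagreement_rate(alerts: List[Alert]) -> float:
    """Share of reviewed alerts where the human overrode the model's verdict."""
    reviewed = [a for a in alerts if a.human_verdict is not None]
    if not reviewed:
        return 0.0
    return sum(a.human_verdict != a.ai_verdict for a in reviewed) / len(reviewed)


def green_override_rate(alerts: List[Alert]) -> float:
    """Share of reviewed green alerts the human escalated: the quantity the
    article's breach scenario is about (real threats hidden behind a green flag)."""
    greens = [a for a in alerts if a.ai_verdict == "green" and a.human_verdict is not None]
    if not greens:
        return 0.0
    return sum(a.human_verdict != "green" for a in greens) / len(greens)


def drift_exceeded(rate: float, baseline: float, tolerance: float) -> bool:
    """Governance loop: True when the override rate moves past the accepted
    baseline, which means the model's rules need review rather than more trust."""
    return rate > baseline + tolerance


def run_weekly_triage(seed: int = 7, green_sample_size: int = 3,
                      baseline: float = 0.05, tolerance: float = 0.05) -> Dict[str, object]:
    """Stand-alone run: sample the queue, apply constructed analyst verdicts,
    and report whether the green-override rate has drifted past baseline."""
    queue = [Alert(**vars(a)) for a in WEEKLY_QUEUE]  # fresh copies per run
    # Constructed verdicts: the analyst escalates A-004 after questioning its rationale.
    analyst_verdicts = {"A-001": "red", "A-002": "amber", "A-004": "red"}
    reviewed = select_for_review(queue, green_sample_size, seed)
    for alert in reviewed:
        verdict = analyst_verdicts.get(alert.alert_id, alert.ai_verdict)
        record_decision(alert, verdict, reviewer="j.doe")  # placeholder reviewer name
    rate = green_override_rate(queue)
    return {
        "reviewed": [a.alert_id for a in reviewed],
        "overall_disagreement": disagreement_rate(queue),
        "green_override_rate": rate,
        "drift_exceeded": drift_exceeded(rate, baseline, tolerance),
    }


if __name__ == "__main__":
    for key, value in run_weekly_triage().items():
        print(f"{key}: {value}")
```

Whether A-004 lands in a given week’s sample depends on the seed; that is the point of sampling rather than reviewing everything. What the loop gives you over time is the override rate per week, and a rising rate is the signal that the model’s “green” no longer means what it used to.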

That’s the shift. Not away from AI. Toward better judgment alongside AI. The technology will keep getting more powerful. The models will keep getting more capable. The outputs will keep getting more polished. And that’s precisely why the human element matters more than ever, not less. Because the better the tool looks, the harder it is to question. And the harder it is to question, the more important it is that we do.

AI is not the risk. Your decision-making is. And the good news? That’s the one thing you can actually control.

So, here’s my challenge to you. The next time AI gives you an answer, before you accept it, before you forward it, before you build on it, ask yourself one question:

“Am I deciding, or am I just accepting?”

That single question is worth more than any tool you’ll ever deploy.
