A CISO’s take: Enterprise copilot risks with Jim Alkove and Ramy Houssaini

What are the biggest “watchouts” and overlooked risks of deploying AI copilots in an enterprise? And what emerging best practices are we seeing from successful examples? These were some of the big questions tackled by Oleria CEO Jim Alkove and Ramy Houssaini, Chief Cyber Solution Officer at Cloudflare, in a recent LinkedIn Live event. Their conversation went beyond the surface-level tips, identifying some crucial considerations for organizations navigating this rapidly evolving landscape.

Here are three key takeaways from the conversation:

Beyond automation into a new phase of workforce automation

Organizations have moved far beyond simple automation in their applications of AI copilots. These tools are being deployed across enterprises to shape decisions, assist with coding, surface organizational insights, improve productivity, and create unique customer experiences. Moreover, Jim and Ramy discussed how we’re in a phase of exploring what AI copilots are capable of — but haven’t fully developed an understanding of their competence.  

"The headline for me is that we introduced co-pilots without fully vetting their license to fly."
- Ramy Houssaini

For example, the orchestration capabilities between agents are opening unprecedented opportunities. But this also creates constant risks of bias drift and hallucination that require continuous monitoring. 

For regulated industries like financial services and healthcare, establishing clear operational boundaries for copilots is essential. Organizations need to define precisely what an AI copilot can and cannot do — and implement proper segregation of duties to prevent single points of failure in critical processes. 

Conventional identity management can’t keep up in the AI era 

Jim and Ramy talked about what they see as a systemic failure in identity management across multiple environments: Despite massive technological changes, identity governance models and tooling have remained stagnant for years.  

We are now in the middle of the transition from the cloud era to the AI era — and that transition demands a complete rethinking of security governance models. Organizations must move beyond siloed approaches where development, data management, and security operate as separate functions. This outdated model fails to address the interconnected nature of AI systems, which demand integrated security approaches that evolve as rapidly as the technology itself. 

“That model is a static model that just no longer resonates with the construct of the AI era."
- Ramy Houssaini 

Stop throwing more money at a flawed approach 

The paradox of enterprise security is that spend keeps on increasing (more tools, more staff, more time), but it’s not slowing the increase in either the frequency or costs of breaches. Jim and Ramy traded anecdotes that showed how spending money to add more layers to the identity security stack doesn’t guarantee better identity security outcomes. Despite substantial investments by even large enterprises, many organizations lack effective identity programs. 

 Rather than just adding more layers around a fundamentally outdated core approach, organizations need to rethink their approach to identity management to adapt to the rapid evolution of AI tools like ChatGPT and enterprise copilots.  

This means organizations must step back, thoroughly assess their current identity programs, and implement modern tools that provide deep understanding of access patterns across systems.

"Investment doesn't equal outcome. And so just because you've been spending money on identity doesn't mean that you have a great identity program."
- Jim Alkove

Where do CISOs go from here?

It’s (past) time for a significant "uplift" in capabilities. What's needed isn't incremental change but a comprehensive transformation: rethinking infrastructure, tooling, and governance structures to prepare for the AI-driven future. 

As Jim noted, organizations need to understand "who has access to what, how they got it, and what they're doing with it" to eliminate the estimated 90-95% of access that exists in most organizations today that no one is really using and just adds risk.  

Ready to learn more?

Watch the complete recording of this discussion to gain deeper insights into securing your organization's AI copilot deployments. 

Watch the replay