Neviar Rawlinson
Cyber Risk & IT Governance Leader | Founder, GRC Explained | Speaker on Cyber Risk, Governance, and Security Leadership
Columbia, South Carolina, United States
Neviar Rawlinson is a Cyber Risk and IT Governance leader focused on helping organizations translate complex cybersecurity challenges into practical governance and risk management strategies. She designs governance programs that align security, compliance, and engineering operations while enabling organizations to scale securely. Her work spans change management, incident governance, enterprise risk assessment, and security program maturity in fast-paced technology environments. She has experience supporting ISO 27001 readiness, SOC 2 audit preparation, and implementing governance frameworks that strengthen security while enabling innovation. Neviar is also the founder of GRC Explained, an initiative dedicated to making governance, risk, and cybersecurity concepts accessible to technologists and emerging professionals through educational content, community engagement, and practical frameworks. She holds an MBA in IT Management, a B.S. in Computer Science, and is currently pursuing a PhD in Artificial Intelligence. She frequently speaks on topics including cyber risk leadership, governance program design, bridging the gap between engineering and security teams, and the future of enterprise risk management in modern technology environments.
Who Owns AI Risk? Rethinking Governance in the Age of Autonomous Systems
As organizations increasingly adopt AI agents, digital workers, and tools like Microsoft 365 Copilot, traditional models of ownership and accountability are breaking down. When AI systems generate content, make recommendations, or take action, it becomes unclear who is responsible for the outcomes.
This session explores how AI is reshaping governance, risk ownership, and decision accountability in modern workplace environments. It examines the growing gap between technical implementation and organizational responsibility, where engineering teams build systems, security teams identify risks, and business leaders rely on AI-driven outputs without clear ownership models.
Drawing on real-world experience in cyber risk and IT governance, this session provides practical approaches for defining ownership, assigning accountability, and establishing governance structures that support AI adoption without introducing unmanaged risk.
Attendees will leave with actionable strategies to clarify ownership, improve accountability across teams, and govern AI-driven systems in a way that enables both innovation and responsible use.
From Copilot to Control: Building Governance for AI-Driven Workplaces
As organizations rapidly adopt tools like Microsoft 365 Copilot, AI agents, and digital workers, many are discovering that traditional governance models are not equipped to manage AI-driven environments.
This session explores how organizations can establish governance frameworks that provide control, accountability, and visibility across AI-enabled workflows without slowing innovation. It examines key challenges such as data access, prompt-based interactions, decision accountability, and the rapid expansion of AI capabilities across business functions.
Drawing on practical experience in governance and cyber risk, the session outlines how to implement governance structures that align with Microsoft AI ecosystems while supporting secure and scalable adoption. Attendees will gain insight into how to move from reactive controls to proactive governance that enables organizations to confidently deploy AI technologies.
AI Is “Working as Designed”: Governing Risk in the AI-Native Workplace
As organizations rapidly adopt AI technologies such as Microsoft 365 Copilot, AI agents, and digital workers, a new challenge is emerging: systems are often “working as designed,” yet still introducing significant risk.
In the AI-native workplace, traditional governance and risk management approaches struggle to keep pace with autonomous decision-making, evolving data usage, and increasing reliance on AI-driven workflows. Security teams identify risk, engineering teams confirm functionality, and governance teams are left without clear frameworks to bridge the gap.
This session explores how organizations can effectively govern AI in modern workplace environments without slowing innovation. Drawing on real-world governance and cyber risk experience, it examines how AI systems introduce new categories of risk, including data exposure, decision accountability, and operational dependency.
Attendees will learn how to design governance frameworks that align with AI-driven technologies such as Microsoft 365 Copilot and AI agents, improve collaboration between security, engineering, and business teams, and establish practical controls that enable safe and scalable AI adoption.
The Governance Program Your Board Thinks You Have vs. The One You Actually Need
There's a gap in most organizations that nobody talks about openly: the governance program that gets presented to the board and the one that actually exists. On the surface there are polished dashboards, green metrics, and clean audit reports; underneath, controls are manual, risk visibility is limited, and the program is one incident away from exposure.
This session is a candid look at why that gap exists and how to close it. Drawing on experience designing and rebuilding governance programs across healthcare and financial services, we'll examine the structural reasons GRC programs stall at compliance theater — and what it takes to build programs that generate real risk intelligence, not just audit artifacts.
We'll cover the three shifts every maturing governance program must make: from reactive to predictive, from compliance-led to risk-led, and from siloed to operationally integrated. Attendees will walk through a practical maturity model, learn which KRIs and KPIs actually signal risk versus vanity metrics that look good in a slide deck, and see how to bring engineering, security, and compliance teams into a unified governance operating model.
Whether you're building a program from scratch or inheriting one that needs an overhaul, this session gives you the language, the framework, and the roadmap to close the gap — and make your governance program as strong as the one your board believes you already have.
You Vetted the Vendor. Did You Vet the Model?
Organizations have spent years building third-party risk management programs — vendor questionnaires, SOC 2 reviews, contract reviews, annual reassessments. But those programs were built for a world where the third party was a company. Today, the third party is also a model.
When your organization integrates an LLM API, deploys an AI-powered SaaS tool, or connects an agentic workflow to a vendor's AI backend, you're not just onboarding software. You're inheriting risk from training data you can't audit, model updates you won't be notified about, and prompt injection vulnerabilities your questionnaire has never asked about.
This session delivers a practical AI vendor assessment framework that GRC teams can use today. Using examples from manufacturing and healthcare environments, we'll walk through the questions your vendor questionnaires are missing, how to map AI supply chain risk to NIST SP 800-161 and ISO 27001, and what a mature AI vendor risk program actually looks like.
Attendees will leave with five questions to add to every AI vendor assessment immediately — and a framework for building a repeatable AI supply chain risk process from the ground up.
Governing the Ungovernable: Building Risk Frameworks for Agentic AI in the Enterprise
Agentic AI systems — autonomous models that browse the web, execute code, and take independent action — are already inside enterprise environments. But the governance programs designed to manage AI risk were built for a simpler era: models that respond, not models that act.
This session exposes the five critical governance gaps that emerge when agentic AI enters your environment: agent identity, action scope, auditability, third-party agent risk, and change velocity. Using real-world scenarios drawn from healthcare and financial services, attendees will see exactly where traditional GRC frameworks fall short — and what a modern control overlay looks like in practice.
We'll map the gaps to existing frameworks (NIST AI RMF, NIST CSF 2.0, ISO 27001) and show practitioners and security leaders alike which controls transfer, which need updating, and which you'll need to build from scratch.
Attendees will leave with a practical governance framework they can apply immediately — whether they're building a new AI risk program or retrofitting an existing one for the agentic reality ahead.
What Engineers Should Know About Audit Season
Security audits and compliance reviews are often seen by engineering teams as disruptive events that slow development and introduce additional process requirements. At the same time, governance and security leaders are responsible for demonstrating accountability, risk management, and regulatory alignment.
This session explores how engineering teams can better prepare for audit and compliance activities while maintaining development velocity. Rather than approaching audits as last-minute events, organizations can build governance practices that integrate naturally into engineering workflows.
Drawing on practical governance and risk management experience, the session examines common gaps that appear during audits, why these gaps occur, and how engineering and governance teams can collaborate to address them before they become findings.
Attendees will gain practical strategies for preparing systems, documentation, and processes for security and compliance reviews without disrupting modern development practices.
Target Audience:
Software engineers, DevOps teams, security professionals, and governance practitioners.
Session Level:
Beginner to intermediate.
Preferred Duration:
30–45 minutes with optional Q&A.
Prior Delivery:
New session available for conference delivery.
From Compliance to Resilience: The Future of Cyber Risk Leadership
For many organizations, cybersecurity governance and risk management are still viewed primarily through the lens of compliance. While regulatory requirements and security frameworks are important, leading organizations are increasingly recognizing that risk management must evolve beyond checklist-driven compliance to support operational resilience.
This session explores how cyber risk leadership is evolving and how organizations can move from reactive compliance programs to proactive governance strategies that strengthen resilience, accountability, and long-term security posture.
Drawing on practical governance experience, the talk examines how risk leaders can align governance frameworks with modern technology environments, support innovation while maintaining strong security controls, and elevate cyber risk conversations to the executive level.
Attendees will gain insight into how organizations can transform governance and compliance programs into strategic capabilities that strengthen both security and business performance.
Target Audience:
Security leaders, GRC professionals, technology executives, and governance practitioners.
Session Level:
Intermediate to advanced.
Preferred Duration:
30–45 minutes with Q&A.
Prior Delivery:
New session developed for upcoming conference submissions.
Building Governance That Actually Works
Many governance and compliance programs fail not because the frameworks are wrong, but because they are implemented in ways that do not align with how modern technology teams actually work.
Organizations often adopt governance models that look strong on paper but struggle to function in fast-moving engineering environments. The result is friction between development teams, security leaders, and governance functions, where compliance requirements are viewed as obstacles rather than operational safeguards.
This session explores why governance initiatives frequently break down in practice and how organizations can design governance programs that support both operational efficiency and risk oversight. Drawing on real-world governance experience, the talk highlights practical approaches for aligning governance with modern engineering workflows, improving accountability across teams, and building governance structures that are sustainable over time.
Attendees will gain insight into how governance leaders can move beyond checklist-driven compliance and build governance programs that genuinely strengthen security, resilience, and organizational trust.
Target Audience:
Technology leaders, security professionals, GRC practitioners, and engineering managers.
Session Level:
Intermediate.
Preferred Duration:
30–45 minutes with optional Q&A.
Prior Delivery:
New session available for upcoming conference submissions.
When Security Says “High Risk” and Developers Say “But That’s How It’s Supposed to Work”
Security teams and developers often share the same goal: building reliable, secure systems. Yet in many organizations these teams frequently find themselves in frustrating conversations about risk.
A security team flags a vulnerability as “high risk,” while the developer who built the system responds with a familiar explanation: “But that’s how it’s supposed to work.”
Both perspectives can be technically correct. Developers are focused on functionality, performance, and delivering features. Security teams evaluate the same system through a completely different lens that considers exploitability, data exposure, threat actors, and potential business impact. When those perspectives collide, communication breaks down and teams struggle to move forward.
This session explores why these conversations happen and why security and engineering teams often interpret the same system behavior in very different ways.
Through practical examples and real-world-inspired scenarios, we will walk through how common development patterns can introduce security concerns even when the system behaves exactly as designed. We will examine how security teams assess risk, why certain issues escalate quickly, and how misunderstandings about threat models and system behavior create friction between teams.
Rather than focusing on tools or frameworks, this talk focuses on the human and organizational side of DevSecOps. Attendees will gain insight into how security teams evaluate risk, why some vulnerabilities become major incidents while others do not, and how developers and security professionals can collaborate earlier in the development lifecycle.
By understanding how both sides approach security challenges, teams can move beyond friction and build stronger partnerships that lead to more resilient software systems.
The Hidden Life of a Security Bug: What Happens After Developers Fix It
Developers fix bugs every day, but very few ever see what happens when a small security issue turns into a company-wide problem.
Inside modern organizations, a vulnerability does not stop at a pull request or a patch. It can trigger incident investigations, security reviews, risk assessments, compliance reporting, and conversations with executive leadership. A single overlooked line of code can cascade into regulatory exposure, service outages, or customer trust issues.
This session explores the lifecycle of a security bug after it leaves the developer’s workstation. We will walk through a real-world-inspired scenario that shows how a vulnerability moves through an organization, from detection to investigation to risk evaluation. Along the way we will explore how security teams think about risk, how incidents are analyzed, and how technical issues are translated into business impact.
Rather than focusing on specific tools or programming languages, this talk focuses on the often invisible connection between everyday engineering decisions and enterprise cybersecurity risk.
Attendees will learn how vulnerabilities evolve into incidents, how organizations prioritize and respond to security issues, and how developers can reduce risk earlier in the development process without slowing innovation.
By the end of this session, developers will gain a clearer understanding of how their work impacts the broader security posture of the organizations they build software for.
Governance in the Age of AI: Policies That Protect and Scale
AI tools are now embedded into everyday workflows, yet most organizations lag in governance, privacy, and compliance oversight. This session unpacks the real-world challenges of AI adoption from a governance perspective. Attendees will learn how to establish policies, enforce usage guidelines, and align AI practices with ISO 27001 and NIST frameworks. Drawing from active policy development and governance leadership, the presentation highlights actionable steps to reduce risk, improve compliance posture, and balance innovation with accountability.
Audit Season Is Coming: What Developers Should Know
Most developers rarely think about audits while writing code. Yet in many organizations, the systems engineers build are eventually reviewed by security teams, auditors, regulators, and compliance programs.
When that moment arrives, technical decisions that once seemed minor suddenly become important questions about access control, logging, change management, deployment practices, and operational risk. The systems that work perfectly in production are now evaluated through a completely different lens.
This session explores what actually happens when engineering environments are examined during security and compliance audits.
We will walk through the types of questions auditors ask, the evidence organizations are expected to produce, and how common development practices such as CI/CD pipelines, infrastructure configuration, code repositories, and deployment processes are evaluated during audits. Attendees will gain insight into why certain practices raise red flags and how organizations demonstrate that their systems are secure, well-governed, and operating as intended.
Rather than focusing on specific compliance frameworks, this talk focuses on the real-world intersection between software engineering and governance. Developers will learn how everyday engineering decisions influence audit outcomes and how teams can design systems that are both scalable and audit-ready.
By understanding what auditors actually look for, developers can avoid common pitfalls, reduce friction with security teams, and build systems that stand up to both production demands and compliance scrutiny.
“It’s Working as Designed”: When Security Flags Risk and Engineering Pushes Back
Modern technology organizations move quickly, but speed often exposes friction between engineering teams and security and governance functions. Developers are focused on building reliable systems and shipping features, while security and risk leaders are responsible for identifying vulnerabilities, enforcing controls, and protecting the organization.
This session explores the real-world tension that occurs when security flags something as high risk and engineering teams respond with, “It’s working as designed.” Rather than framing this as a conflict, the discussion focuses on why these misunderstandings happen and how organizations can translate risk into operational context that engineers understand.
Drawing from practical governance and cyber risk experience, the session examines common scenarios where engineering priorities and security concerns collide. It will highlight how governance leaders can design frameworks that align with modern development practices, improve collaboration between security and engineering teams, and create shared accountability for risk.
Attendees will leave with practical strategies for bridging the gap between developers, security teams, and governance leaders while maintaining both innovation and security within modern technology environments.
Target Audience:
Developers, DevOps engineers, security professionals, GRC practitioners, and technology leaders responsible for balancing engineering velocity with security and risk management.
Session Level:
Intermediate. The session is designed to be accessible to technical and non-technical audiences working in engineering, security, or governance roles.
Preferred Session Duration:
30–45 minutes with optional Q&A.
Session Format:
Conference presentation with real-world governance and cyber risk scenarios. The talk focuses on practical strategies for improving collaboration between engineering teams, security functions, and governance leaders.
Technical Requirements:
Standard presentation setup with projector and microphone.
Prior Delivery:
This session is a new talk developed for upcoming conference submissions and has not yet been delivered publicly.