Cyber CEO: AI governance should not repeat cybersecurity’s accountability mistakes
Walter Haydock, founder of AI security and governance company StackAware, says the rush to govern artificial intelligence risks repeating a familiar cybersecurity mistake: treating business risk as a compliance problem owned by the wrong people.
Speaking on the Cyber Focus podcast with McCrary Institute Director Frank Cilluffo, Haydock said companies deploying AI systems — especially AI agents — need clearer lines of accountability for how those systems act, what risks organizations accept and who is responsible when something goes wrong.
“The question of who is accountable for a given outcome is a critically important one,” Haydock said.
That question is becoming more urgent as organizations move beyond AI experimentation and begin embedding autonomous systems into business processes. Haydock said AI agents intensify long-running cybersecurity and IT problems, including the use of automated accounts or systems that act without a clearly identified human owner.
“I think it’s a bad practice to have these types of things where no one’s name is associated with it because it creates those type of accountability problems,” Haydock said.
As AI agents gain more authority inside organizations, Haydock said companies will need systems that can trace what they did, why they did it and whether the action stayed within acceptable risk.
“We are going to need to treat artificial intelligence agents as an unpredictable actor,” Haydock said. “We’ll need to have audit trails, of course, for agent actions. We’ll need to have reasoning traces where an agent will document why it took a certain action.”
But Haydock’s central argument is not that cybersecurity teams should own AI risk. “The framework I use is that business leaders are risk and system owners,” Haydock said. “They are ultimately accountable. They make the final decisions.”
Cybersecurity, privacy, legal and ethics teams still have a critical role, he said, but as advisors and implementers — not as the ultimate owners of business risk. “Where companies really tie themselves in knots is when they merge the risk advisor and risk owner role,” Haydock said.
He pointed to cybersecurity as a cautionary example, arguing that chief information security officers can be placed in untenable positions when they are treated as accountable for enterprise-level decisions or public filings they do not control.
“The CISO is not the Chief Financial Officer. He’s not the CEO,” Haydock said. “He should not be approving or disapproving SEC filings.”
Haydock said policymakers face a related risk: writing AI rules that reward compliance activity rather than better outcomes.
“When the government hard codes in supposed best practices, they end up creating perverse incentives where companies are focused very closely on checking the box and not necessarily on getting the good outcome,” Haydock said.
For Haydock, the lesson for AI governance is to make accountability explicit: executives should own risk decisions, advisors should help manage them and policy should focus on harms avoided — not boxes checked.
For more on this and other important cyber topics, check out the full catalog of Cyber Focus podcasts