CIOs Outrank CISOs as AI Security Leaders

Enterprises’ spending is shifting markedly, trending toward AI supply chain security. 

In fact, that’s now their No. 1 investment priority (at 31%), according to Acuvity’s 2025 State of AI Security report, making for one of the biggest changes in spending patterns in decades.

The move is being led overwhelmingly by CIOs, who have taken first place in security ownership (29%), well above company CISOs, who now rank fourth (14.5%). 

“The CIO generally, in an enterprise, holds a bigger responsibility across multiple different facets,” said Acuvity CEO Satyam Sinha, and the chief security officer is evaluating risks from application use and security attacks.

So why this positioning for who handles AI security? Mostly because it’s still so new. 

“The adoption is ahead of the strategy,” he said. “We’ve seen disruptive technologies in the past. We’ve seen cloud come out, we’ve seen SaaS [software as a service] come out, but there was a slight bit of a difference there.”  

A company would adopt cloud technology as a team decision, Sinha said, but AI is more of a prosumer approach: “Your friend told you about a tool, you go try out that tool, you get instant gratification.” 

“If you look at the adoption of AI itself, it comes under the purview of CIO,” Sinha said. “There are two facets almost every time we adopt a new technology: One is that of governance, and the other one is of security.” 

Companies have to ask themselves how they want to adopt AI, their safety policies, and all the other governance questions; usually, security implementations come later. That, Sinha said, is why CIOs are typically helming AI at the beginning of adoption. 

“I still do believe that as the organizations mature, as they understand these risks better, the security implementation will end up residing with the CISOs,” said Sinha. “Right now, there’s a lot of research going on: What AI are we using? How are we going to do this? What are the policies around it? That’s why it’s finding a place with the CIO at the moment, from an ownership standpoint, but we do expect that to transition in the future.” 

But no matter where a company puts its AI ownership, Sinha pointed out, it’s important to note that AI poses more risks than ever. And enterprises aren’t necessarily ready to handle that: Only 30% of companies have optimized AI governance, and almost 40% don’t have any managed or optimized governance at all.

At the same time, 50% expect to lose data through their AI tools. 

“Even when there’s a lot of adoption happening with AI and there are risks associated with it, it’s not very clear to people: What are these new risks?’” Sinha said. “There’s a massive gap between the adoption and having the right guardrails in place … Out of the top five security priorities, we believe AI security will start rising up and become one of the more important things in the years to come.”