{"slug": "cios-tear-down-the-wall-between-resilience-and-data-security", "title": "CIOs: tear down the wall between resilience and data security", "summary": "CIOs must break down organizational silos between resilience and data security as AI exposes long-ignored vulnerabilities, according to IT executives from Fidelity Investments and EY. Surveys show half of cyberattacks involve non-human identities and nearly half of business-sponsored AI projects leak data, underscoring the need for convergence.", "body_md": "For years, resilience and data security operated in separate [organizational silos](https://www.cio.com/article/4176051/8-it-modernization-traps-cios-must-avoid.html?utm=hybrid_search). The resilience team focused on keeping systems running, while the security team focused on keeping data safe. They attended different briefings, reported through different chains of command, and, in most enterprises, barely spoke to each other. AI is making that model no longer viable.\n\nSteve MacIntyre, SVP and product lead for data security and analytics, and cloud security at Fidelity Investments, and Wim Geurden, EY’s chief architect of enterprise technology, are two IT executives who manage some of the most complex data environments. Both recently spoke at the VeeamON event in New York and put great emphasis on how the convergence of resilience and data security is no longer a future trend but an immediate operational necessity, driven, accelerated, and exposed by AI.\n\nAI isn’t introducing new security vulnerabilities so much as it’s making long-ignored ones glaringly visible. “We gave out a few licenses for Copilot, and two days in, someone from the legal team I work with said we have an AI problem,” said MacIntyre about Fidelity’s early Microsoft 365 Copilot pilot. Another member of his team did a search and said AI found all the PowerPoints that were on SharePoint he used about four jobs ago. So it wasn’t an AI problem. 
“AI just searches everything you have access to and surfaces it in a meaningful way,” said MacIntyre. “Everybody thinks they have an AI problem, but what it shows is areas that must improve.”\n\nGeurden encountered the same phenomenon at EY. “We found it about six months before Copilot was launched,” he said. “All kinds of data started surfacing in every location.” EY’s first response was to shut down unlicensed AI access entirely. “There was no lifecycle management and we didn’t know when sites were last accessed,” he added. The next phase involved using AI to label and classify the vast repositories of unstructured data EY had accumulated over decades, because, he said, it’s unfathomable that humans do it. “Especially with turnover every four years, you can’t keep training people at a 400,000-employee scale,” he continued.\n\nThe implication for CIOs is if you haven’t audited your unstructured data, you already have an AI security problem. You just need to turn on the tool that will expose it.\n\nThe urgency isn’t a hypothetical one. A recent [BCG CISO survey](https://www.bcg.com/publications/2025/ai-creates-cyber-risks-can-resolve-them) found that half of cyberattacks over the past six months involved non-human identities, meaning adversaries are already deploying AI agents to conduct attacks. The same survey found that nearly half of business-sponsored AI projects resulted in unintended data leakage. These aren’t shadow IT experiments but sanctioned and approved deployments that leaked data because the [underlying governance](https://www.cio.com/article/4128980/the-struggle-for-good-ai-governance-is-real.html?utm=hybrid_search) and access controls weren’t in place before the AI was turned on.\n\nThe problem is likely to worsen before it improves. 
Another study, this time by [ZK Research](https://zkresearch.com/), found that 65% of respondents believe [AI adoption](https://www.cio.com/article/4146658/autonomous-ai-adoption-is-on-the-rise-but-its-risky.html?utm=hybrid_search) is outpacing their ability to govern it. Additionally, 89% of decision makers expressed concern about AI agents inheriting excessive access, underscoring a critical risk to data integrity and security. All these data point to a world where AI creates a fundamentally new operating model, where companies need to rethink how they address the risks and why the traditional separation between resilience and security must end.\n\nResilience without data governance means you can recover your systems, but not trust the data within them. Security without resilience planning means your controls may be sound on Tuesday, but nonexistent after a Wednesday incident. The organizations getting this right treat data as a first-class asset with its own governance lifecycle, rather than an afterthought attached to applications.\n\nBased on what MacIntyre and Geurden say, here are three concrete principles for CIOs to build integrated resilience and a strong security posture for the AI era.\n\n**Know what you have before you deploy what you want.** “Get a handle on what’s actually important for the business and the use cases, and then get a handle on your data,” said MacIntyre. “If you can marry those two, you can make risk-based decisions on where to apply the work.” This means completing a data asset inventory — not just a list of systems, but a clear understanding of where data resides, who owns it, who has access, and whether that access has been reviewed. At Fidelity, this means tying AI use cases to approved projects so every agent or model deployment is matched to a registered business need. This is easier said than done, however, as the data within most organizations is messy. 
But getting a handle on data is a mandatory step toward AI success.\n\n**Build governance that moves at the speed of the threat.** MacIntyre also acknowledged that [GRC](https://www.cio.com/article/3984527/how-to-establish-an-effective-ai-grc-framework.html?utm=hybrid_search) has historically been a slow, human-driven process, and AI is breaking that model. “They’re trying to figure out how to build automation, how to use AI to help the GRC function get aligned to this, because it’s moving at light speed,” he said. The answer isn’t simply to hire more compliance staff, but to automate the monitoring, labeling, and control verification functions that humans can’t perform at AI scale.\n\n**Solve the agent identity problem now before regulators force you to.** Both MacIntyre and Geurden flagged AI agent identity as one of the most unresolved and most consequential challenges in enterprise AI governance. Geurden described agents triggering [unexpected SAP licensing costs](https://www.cio.com/article/4143424/what-happens-if-saps-s-4hana-roadmap-doesnt-suit.html?utm=hybrid_search) as a first signal. MacIntyre raised the regulatory stakes in that he needs to be able to go backward. “I need to be able to say an agent took that action on that data set because a customer asked it to do it,” he said. That audit trail, from human intent to agent action to data record, doesn’t yet exist cleanly in most enterprises. And building it isn’t optional. In financial services and regulated industries, it’s a matter of when, not if, regulators demand it.\n\nMacIntyre offered a useful frame for the CIO community in that the AI governance challenge is structurally similar to the cloud transition, and enterprises that went through that migration have hard-won lessons that apply now. “When the explosion of AI happened, it didn’t just affect security and the attackers,” he said. “It also impacted the business, increasing velocity, and the ability to innovate and move faster. 
So we have to be there and be able to safely enable that for them.”\n\nThe instinct to block AI entirely will fail, just as blocking cloud adoption failed a decade ago. Business units will find workarounds. The job of the CIO and CISO, therefore, is to channel that velocity through governed, instrumented, and recoverable infrastructure.\n\nGeurden’s framing from EY’s audit practice added a useful warning about overconfidence. Three years ago, the firm tested whether AI could pass the CPA exam. It could, easily, but the team quickly discovered that for complex professional judgment questions, the model assigned roughly equal probability to multiple answers. “At which point, you can’t build a control structure because you have to check everything it does,” he said. That discovery slowed EY’s AI rollout in the audit practice and arguably saved them from a much larger exposure. The lesson is that capability and trustworthiness aren’t the same thing, and closing that gap requires exactly the kind of integrated data governance and resilience architecture that most enterprises have yet to build.\n\nAI has knocked down the wall between resilience and security, and CIOs who rebuild it will spend the next three years reacting to incidents. 
But those who build a unified data trust architecture will be the ones empowering the business to move fast with confidence, and that’s a position all CIOs should strive to be in.", "url": "https://wpnews.pro/news/cios-tear-down-the-wall-between-resilience-and-data-security", "canonical_source": "https://www.cio.com/article/4179381/cios-tear-down-the-wall-between-resilience-and-data-security.html", "published_at": "2026-06-19 10:00:00+00:00", "updated_at": "2026-06-19 10:12:08.895147+00:00", "lang": "en", "topics": ["ai-safety", "ai-policy", "ai-infrastructure", "artificial-intelligence", "ai-ethics"], "entities": ["Fidelity Investments", "EY", "Microsoft 365 Copilot", "VeeamON", "BCG", "ZK Research", "Steve MacIntyre", "Wim Geurden"], "alternates": {"html": "https://wpnews.pro/news/cios-tear-down-the-wall-between-resilience-and-data-security", "markdown": "https://wpnews.pro/news/cios-tear-down-the-wall-between-resilience-and-data-security.md", "text": "https://wpnews.pro/news/cios-tear-down-the-wall-between-resilience-and-data-security.txt", "jsonld": "https://wpnews.pro/news/cios-tear-down-the-wall-between-resilience-and-data-security.jsonld"}}