AI Can Help If You Can Trust It.

When we work through cybersecurity maturity assessments with CISOs, the biggest challenges we help them confront are often not technical. They know their environments. They have a long wish list. What they benefit from is business-specific prioritization and identification of ‘quick wins’ that validates the best use of (inevitably scarce) resources.

This hasn’t changed. Yet lately, we’ve found ourselves helping CISOs use enterprise AI tools to redefine ‘quick wins’: Projects that would have been too resource-intensive, that now become conceivable with AI-enabled tools.

However, even within officially sanctioned tools, adopting AI tools introduces a whole new set of risks. In the process of supporting tool adoption for specific use cases, we are evolving new ways to identify the “right” balance between efficiency, innovation, and risk mitigation.

How CISOs Can Evaluate AI Tradeoffs

When fine-tuning SIEM alerts, there is a constant tension between “receiving too many alerts to triage” and “missing something critical.” A similar tension between signal and noise applies when evaluating AI tools for risk and compliance workflows. Tuning to the appropriate level of “false negatives” and “false positives” requires an understanding of both the risk and the context in which the tool is being used.

Consider the risks of AI as analogous to the real problems the SOC team wants to surface through the SIEM. For AI, a non-exhaustive selection of these risks includes: 

• Agentic overreach - When AI tools exceed intended boundaries or make autonomous decisions beyond their scope
• Hallucinations - False or fabricated information presented as fact
• Black box decisions - Outputs that cannot be traced or explained
• Model drift - Degradation in accuracy or performance over time

Take the example of hallucinations. In some scenarios, a ‘false negative’ for hallucination (where baseless claims go undetected) would be disastrous. Consider the well-publicized news articles about lawyers embedding cases that do not exist into their court filings. Or, similar to examples we’ve seen in practice, consider an AI tool reviewing logs. Every month, a database scan runs and returns the same satisfactory result. Even when the log for the result does not materialize one month, the tool fills in the expected pattern and reports that the database scan completed, rather than alerting on a potential concern.

On the flip side, ‘false positives’ for hallucination may prompt human intervention, validating information where the tool was accurate in the first place. Just like a SOC analyst overwhelmed with alerts, tuning the AI tool to require constant validation risks eliminating the efficiency gains that justified the use of AI in the first place.

Navigating this tradeoff requires the same pragmatic, context-driven approach we use when prioritizing cybersecurity pillars in maturity assessments. For each AI use case in security and compliance, assess:

• False negatives (undetected risks) – What is the business impact if the AI misses a critical issue? Consider regulatory penalties, security breaches, or audit failures.
• False positives (excessive alerts) – What is the minimum time savings needed to justify implementation? If validation takes 80% of the original process time, is it really worth it?

How One CISO Used AI to Prioritize Audit Resources

One CISO identified a backlog project: External auditors had expanded the scope of their audit over time, to include hundreds of hours expended on systems that the CISO’s team considered low risk. Yet the team did not have a defined rationale or approach to justify excluding the system from scope. They also did not have resources available to fully audit the systems internally.

Could their newly-adopted enterprise AI system help?

Coalfire worked with the team to mindfully approach the project and balance the CISO’s desire to innovate with a conservative stance on risk.

We started by identifying the risk of ‘false negatives’, or in other words, what could go wrong because of using an AI tool for the assessment? Examples included:

• Agentic overreach: The risks outweighed the benefits. Connecting to critical systems would introduce risks that themselves would need to be assessed and audited.
• Hallucinations: Significant risks. If the tool misrepresented evidence, risk increased either by inviting additional scrutiny by external auditors noticing discrepancies, or by reducing needed scrutiny of critical systems.

Then we considered the risk of ‘false positives.’ What considerations constrained the amount of oversight to build into the tool?

• The potential to trim excessive costs from external audits created a bound on the appropriate investment.
• The team’s competing critical deadlines, typically with higher priorities, limited the availability of resources to perform any validation.

Coalfire’s recommended approach to balancing the risks included:

• Address the risk of hallucinations through traceability logs and checkpoints. This improves the efficiency of oversight checks, but requires human validation to be effective.
• Assign a confidence level that accounts for missing, conflicting, or incomplete artifacts.  Ensure the traceability log documents how artifacts influence this confidence score.
• Define thresholds where a system’s inherent risk is high enough to justify maintaining the current level of auditing regardless of control maturity. For these systems, no reduction in oversight should occur. And for systems where AI recommends no changes and the risk is low, add minimal human-in-the-loop validation at least for the initial project.
• Frame the tool as strictly supporting the team, not creating standalone decisions. This use case supports audit functions, so every decision must have accountability, with documented sign-off. To the extent that the risk of the decision justifies further review, leverage the traceability tools to ensure the risk assessment and recommendation aligns with risk tolerance and actual system characteristics.

This example shows how AI can help teams tackle labor-intensive priorities that were previously out of reach. A project once seen as too resource-consuming became a quick win with the right AI support.

Responsible AI Adoption through Risk-Aware Exploration

Artificial intelligence offers new ways to augment these teams and help move work forward. But as with any new technology, AI comes with new challenges to overcome. By thinking through the known risks and how they may interact with the specific task at hand, CISOs can identify the right tools and the right risk mitigations.

CISOs need their teams to work through pilot projects to explore both the capability of the tools and to understand how AI-related risks materialize in practice. Just as a SIEM requires tuning over time, based on the actual alert frequency and risk tolerance, teams need to begin adopting AI tools to gain data points that will inform decisions on appropriate levels of oversight.

Over time, this approach enables teams to adopt AI in a way that’s defensible, efficient, and tailored to their unique risk landscape. And in the process, redefine “quick wins” to include a wider variety of backlog projects.

At Coalfire, we design AI workflows that balance speed with accountability. Just as our maturity assessments help CISOs prioritize what matters most, we advise our clients on systems that make sense for your business model and align with your risk tolerance. Whether you are piloting a small process or exploring a more systemic AI integration, these principles remain the same. 

If you are exploring how to integrate AI into your risk or compliance functions, we can help you build the right foundation. Let’s talk.