BylinesArtificial IntelligenceCyber Safety

AI-Driven Development Is Coming: Here’s How CISOs Can Prepare Today

The Imperative for Securing AI-Driven Workflows Has Never Been Greater

A GitLab survey of Singapore’s C-level executives (think CISOs and the like) shows that 90% expect agentic AI (Artificial Intelligence) to become the standard in software development within three years. Yet, 89% also recognise that its adoption will introduce unprecedented security challenges.

The survey results underscore the balancing act required by CISOs to enable AI adoption without exposing their organisations to new risks. With 94% of executives in Singapore planning to boost AI investment in software development over the next 18 months, the pressure to secure AI-driven workflows has never been greater.

The Complexity of Agentic AI Governance

Most security leaders in Singapore recognise the key risks associated with agentic, including cybersecurity threats (53%), data privacy and protection (49%), and governance challenges (44%). These risks are constantly evolving, with their boundaries and definitions closely interconnected.

Establishing a governance model for AI is required for organisations to evolve their security strategy alongside emerging AI risks. However, doing so is not straightforward, with AI crossing many technology and security domains from data governance to identity and access management. Nevertheless, almost half of those surveyed admitted their organisation has not implemented regulatory-aligned governance (50%) nor internal policies (46%) for AI.

The lag in AI governance stems from legitimate industry-wide challenges, making it difficult for leaders to identify the most effective places to invest their time and effort. The non-deterministic nature of agents causes them to behave in unexpected ways, which has been proven to disrupt existing security boundaries. Furthermore, security complexity is increasing with the introduction of universal protocols, such as Model Context Protocol and Agent2Agent, which simplify data access and enhance agent interoperability to build ecosystems.

But these challenges cannot stop security leaders and CISOs from prioritising AI governance. If you’re awaiting comprehensive best practices for this dynamic technology, you’ll be playing a perpetual game of catch-up. Any organisation that avoids AI adoption altogether will still be exposed to AI risk through vendors and shadow AI usage in their environment.

Preparing Singapore’s CISOs for Software’s Agentic Future

The time to prepare for AI agents is now, and CISOs can start by establishing AI observability capable of tracking, auditing, and attributing agentic behaviours across environments. Here are a few steps CISOs can take today to reduce AI risk and improve governance:

Establish Identity Policies That Attribute Agent Actions

As AI systems proliferate, tracking and securing these non-human identities becomes just as important as managing human user access. One way to achieve this is through composite identities, which link an AI agent’s identity with that of the human user directing it. So, when an AI agent attempts to access a resource, security can authenticate and authorise the agent and clearly attribute activity to the responsible human user.

Adopt Comprehensive Monitoring Frameworks

Operations, development, and security teams need ways to monitor the activities of AI agents across multiple workflows, processes, and systems. It’s not enough to know what an agent is doing in a codebase. Organisations also need to be able to monitor their activity in both staging and production environments, as well as in the associated databases and any applications they access.

Upskill Technical Teams

A culture of security now requires AI literacy. 41% of survey respondents in Singapore acknowledged a widening AI skills gap. This gap is likely to grow unless technical leaders like CISOs prioritise upskilling teams to understand model behaviour, prompt engineering, and how to critically evaluate model inputs and outputs.

Understanding where models are performant versus where their use is suboptimal helps teams avoid unnecessary security risk and technical debt. For example, a model trained on anti-patterns will perform well at detecting those patterns but will not be effective against logic bugs it has never encountered before. Teams should also recognise that no model can replace human expertise. If the model performs suboptimally in an area a security engineer or developer is less familiar with, they will not be able to identify the security gaps the model has left behind.

CISOs should consider dedicating a portion of learning and development budgets to continuous technical education. This fosters AI security expertise in-house, allowing newly minted AI champions to educate their peers and reinforce best practices.

Balancing AI Risks with Opportunities in Singapore

When AI is monitored and used in the right way, executives confirm that it improves security. In fact, 41% of respondents ranked security as the top area where AI can add value for software development. AI used as an accelerant, not a replacement for expertise, can democratise security knowledge across development teams by automating routine security tasks, providing smart coding recommendations, and offering valuable security context directly within developers’ workflows.

For example, AI can provide explanations for vulnerabilities, allowing developers to fix issues more quickly without waiting for security to provide the same context. The net result of capabilities like these is improved security outcomes, reduced risk, and greater understanding for enhanced collaboration between developers and their security peers.

In Singapore, the organisations best positioned to succeed won’t be those that resist AI, nor those that rush into adoption. Success will depend on embedding security into AI strategies from the outset. Even if these measures are not yet perfect, establishing strong foundational controls now allows teams to adapt as the environment evolves. With most local executives expecting agentic AI to become standard within three years, the countdown has already begun. Leaders who steer their teams toward the right use cases won’t just contain risk; they’ll secure a competitive edge.

Josh Lemos

Chief Information Security Officer at GitLab

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *