Michael Montoya, Chief Technology Operations Officer, F5, warns that AI is reshaping security at machine speed, pushing CISOs to gain visibility into AI traffic, secure inference paths, and simplify sprawling infrastructure to stay ahead of accelerating AI‑driven threats.
There is a “state change” in motion across security. With advances in AI and frontier models, the ways we protect and defend our applications are evolving at machine speed—and CISOs, along with their respective security organisations, are under tremendous pressure to keep up.
To thrive in the current climate, CISOs need to accelerate their use of AI to detect and remediate risks faster than AI-powered attacks can occur. And they must employ AI to perform vulnerability management, security operations, resiliency circuit breaking, among other tasks key to defending their organisations.
Our recently released 2026 State of Application Strategy Report explores some of the emerging application, API, and AI trends reshaping CISO responsibilities.
Here are three priorities CISOs can’t afford to delay based on our survey of IT decision makers from around the globe:
1. Know how AI and automation are impacting your infrastructure.
The majority of application portfolios (55%) are now AI-enabled, according to F5 research, with AI experiments finding their way into production. Moreover, 67% of organisations use AI to accelerate automation. In fact, the volume of machine-generated traffic will soon exceed human traffic.
The move to AI and AI-supported automation is happening quickly. Yet most IT environments aren’t designed for agility amidst these rapid changes—presenting a huge challenge for security leaders.
AI systems introduce new types of runtime behaviour inside the environment. Applications call models. Agents invoke tools. Automation systems generate continuous API activity. Models interact with other services to retrieve data, trigger workflows, or execute operational actions. These interactions create entirely new communication paths inside enterprise infrastructure, which CISOs must address.
As a first step, CISOs must know where AI and automation live in their infrastructure. And once AI app and automation traffic, routings, and endpoints are known, they need to be analysed for vulnerabilities so the right preventive and policy controls can be applied.
2. Manage AI models and inference as a core part of your infrastructure.
Inference is now the dominant AI activity for most organisations, according to our research, with the average enterprise now using seven AI models to power their inference engines.
As enterprises reap the incredible predictive capabilities that AI inference offers, the underlying infrastructure has gotten a lot more complicated.
Our research found that 52% of organisations are chaining or orchestrating multiple AI models. This, in turn, brings new security risks such as routing manipulation, data exfiltration through model chains, and inconsistent policy enforcement across models.
In addition, 90% of organisations will soon route inference through shared infrastructure. While shared infrastructure has its economic advantages, it increases security and performance risks.
All of this is adding to the complexity CISOs are already grappling with. To obtain the visibility and discovery they need, security teams must treat model routing and the inference layer as integral parts of their infrastructure, applying the same observability and controls as they currently do with application routing and security.
Similarly, they must realise that the security boundary has moved from the models themselves to the inference path. As a result, inference traffic must be delivered, inspected, authenticated, and governed like any other critical app interaction.
3. Find ways to simplify management of your infrastructure.
Amid these rapid changes, 35% of organisations say their infrastructure is not ready to support AI workloads, according to our research. Discussions about AI readiness often focus on performance: access to GPUs, adequate compute capacity, storage throughput, and networking bandwidth. While those concerns are real, it’s not all about capacity. For CISOs, it’s also a security architecture issue and the ability to efficiently implement and enforce controls as AI adds another layer of complexity.
AI workloads increase the potential blind spots. To improve their AI readiness, security leaders must simplify their sprawling environments—and that requires a unified approach.
Without a unified platform that can observe and manage these connections, CISOs will lack the controls to respond in an efficient and strategic manner. The result will be a reactive cycle in which they struggle to implement the right policies, detect fraud and attacks, and remediate vulnerabilities as they’re discovered.
Navigating AI security challenges
The rapid rise of AI and automation demands that CISOs adapt by prioritising visibility, control, and simplicity across their increasingly complex hybrid multicloud infrastructures.
With AI security as an additional layer that’s fully integrated with existing application and API operational security workflows, CISOs will have the flexibility and agility they need to protect their organisations, while leveraging AI as a strategic business advantage.