Beyond Observability: Securing the Non-Deterministic Enterprise

944981pwpadmin

July 3, 2026
Beyond Observability: Securing the Non-Deterministic Enterprise

Insight

Beyond Observability: Securing the Non-Deterministic Enterprise

𝗪𝗵𝘆 𝗔𝗜 𝗶𝘀 𝗳𝗼𝗿𝗰𝗶𝗻𝗴 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗹𝗲𝗮𝗱𝗲𝗿𝘀 𝘁𝗼 𝗿𝗲𝘁𝗵𝗶𝗻𝗸 𝘃𝗶𝘀𝗶𝗯𝗶𝗹𝗶𝘁𝘆, 𝗴𝗼𝘃𝗲𝗿𝗻𝗮𝗻𝗰𝗲 𝗮𝗻𝗱 𝗰𝗼𝗻𝘁𝗿𝗼𝗹

A few weeks ago, I was sitting at an AI conference listening to a discussion about AI Zero Trust. The speaker was talking about autonomous agents, dynamic trust scoring, continuous verification and policy-driven AI interactions.

Everyone around me seemed fascinated. I was smiling to myself.

Not because I disagreed. Because it reminded me of a problem I was wrestling with nearly twenty years ago.

Back then, I was a CISO in a large telecommunications environment. We were seeing a new wave of malware spread across enterprise networks.

The behaviour looked almost worm-like. One compromised system became five. Five became fifty. Fifty became a very long night for everyone involved.

At the time, our visibility was terrible.

• I had firewalls.

• I had routers.

• I had IDS signatures.

What I didn’t have was evidence. I couldn’t easily answer:

• What changed?

• Where did it start?

• How was it moving?

• Which systems were likely next?

The network was effectively a black box. That frustration led me down a path that many younger practitioners may never have experienced.

I became fascinated with technologies such as Lancope and Skybox.

Some readers may remember terms like NBAD and NBDPA.

Back then, these technologies felt almost futuristic. Instead of capturing every packet, which was technically difficult and painfully expensive, they analysed flow telemetry.

• SFlow.

• JFlow.

• NetFlow.

The idea was simple.

Look for behaviour rather than individual events.

At the same time, Skybox allowed us to ingest routing and firewall configurations and identify what we called “Red Paths” – potential exploitation paths through the environment.

For the first time, I could see relationships. Not perfect relationships. Not complete relationships. But enough to stop flying blind.

Suddenly, the network was no longer a mystery. It wasn’t perfect. It required a lot of manual effort. A lot of tuning. A lot of assumptions. Yet it changed the way I thought about security forever, because I realised something important.

You don’t need perfect visibility. You need enough visibility to make good decisions.

𝗙𝗮𝘀𝘁 𝗙𝗼𝗿𝘄𝗮𝗿𝗱 𝗧𝘄𝗲𝗻𝘁𝘆 𝗬𝗲𝗮𝗿𝘀

Fast forward to today and I find myself thinking about those experiences more often than I expected.

Except this time the problem is bigger. Much bigger.

Cloud changed infrastructure. SaaS changed ownership. Digital transformation accelerated complexity and AI introduced something we have never had to deal with at scale before: non-deterministic behaviour.

The difference is subtle, but profound. The environments we were trying to understand twenty years ago were complicated, but largely deterministic.

Traffic entered through known pathways. Applications lived in predictable locations. Ingress and egress points were tightly controlled. Identities changed slowly. Relationships between systems evolved over months and years, not hours and days.

Even when things were messy, they were still understandable.

• You could build models.

• You could establish baselines.

• You could identify anomalies.

Most importantly, you could reasonably predict how the environment would behave tomorrow.

AI changes that equation entirely. The same prompt can generate different outcomes. The same agent can make different decisions based on context.

The same workflow can evolve over time as models, data and integrations change around it. That isn’t a bug. That is precisely why AI is valuable.

Yet it creates a challenge security teams have never faced before at this scale.

For decades, we have built security programs around understanding patterns. Now we are being asked to secure systems that are intentionally designed to behave differently.

Think about that for a moment.

Traditional behavioural analytics assumes stable behaviour. Traditional anomaly detection assumes known baselines. Traditional deep packet inspection assumes observable traffic.

AI challenges all three assumptions simultaneously.

This is one of the reasons I smile when I hear discussions about AI Zero Trust. Not because the concept is wrong. Far from it.

Identity-centric security, continuous verification and granular policy controls will all play an important role in the future. The problem is that many organisations are still trying to answer much simpler questions.

• What AI systems are we actually using?

• Who owns them?

• What data are they accessing?

• What decisions are they making?

• Which identities are they operating under?

• Can we explain why an action occurred?

Before we talk about Zero Trust for AI, we first need to understand what we are trusting and that brings us to what I believe is the most important lesson for security leaders in the next few years.

The future is not perfect visibility. The future is auditability.

𝗔𝘂𝗱𝗶𝘁𝗮𝗯𝗶𝗹𝗶𝘁𝘆 𝗜𝘀 𝘁𝗵𝗲 𝗡𝗲𝘄 𝗩𝗶𝘀𝗶𝗯𝗶𝗹𝗶𝘁𝘆

If the future is not perfect visibility, then what should we optimise for?

My answer is surprisingly simple. Auditability.

For years, security teams focused on prevention. Then we shifted towards detection. The AI era introduces a third requirement. Accountability.

When an AI system takes an action, organisations need to be able to answer a few fundamental questions:

• What happened?

• Why did it happen?

• Which identity performed the action?

• What data was involved?

• Which systems were touched?

• Can we reconstruct the decision path?

Those questions may sound simple.

In practice, they are becoming some of the hardest questions in modern technology environments. The good news is that we do not need to solve every AI problem tomorrow.

The answer is not another panic-driven technology project. The answer is bringing AI considerations into our design thinking from the start.

𝗙𝗿𝗼𝗺 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗖𝗼𝗻𝘁𝗿𝗼𝗹𝘀 𝘁𝗼 𝗗𝗲𝘀𝗶𝗴𝗻 𝗣𝗿𝗶𝗻𝗰𝗶𝗽𝗹𝗲𝘀

One of the biggest mistakes I see organisations making is treating AI governance as a compliance exercise. The conversation often starts with:

• “What does the regulator require?”

• That is a reasonable question.

• It just shouldn’t be the first question.

• The first question should be:

• “What could go wrong and how would we know?”

Once you understand that, regulatory requirements become much easier to map into architecture. In reality, most emerging AI regulations are asking for variations of the same thing:

• Accountability

• Transparency

• Explainability

• Appropriate controls

• Human oversight

• Risk management

Those principles are not new. We have been dealing with them for decades.

The implementation is what changes. Rather than treating governance as a separate workstream, leading organisations are starting to embed these requirements directly into architecture patterns.

Before an AI solution goes into production, they are asking:

• Who owns it?

• What data does it use?

• What decisions can it make?

• What systems can it access?

• What level of human review is required?

• How do we audit its actions?

Those questions are rapidly becoming as important as availability, performance and resilience.

𝗧𝗵𝗲 𝗥𝗶𝘀𝗲 𝗼𝗳 𝗔𝗰𝗰𝗼𝘂𝗻𝘁𝗮𝗯𝗶𝗹𝗶𝘁𝘆 𝗯𝘆 𝗗𝗲𝘀𝗶𝗴𝗻

The phrase “secure by design” has become popular in recent years. I suspect we are about to see another concept emerge.

Accountable by design.

Not because regulators demand it. Because organisations need it.

The future AI estate will include:

• Models

• Agents

• Agentic workflows

• Copilots

• MCP integrations

• Autonomous decision engines

The complexity will continue to increase. Trying to inspect every action will become impossible. Trying to understand every prompt will become impossible. Trying to predict every outcome will become impossible.

What remains possible is ensuring every significant action can be traced, understood and explained. That becomes the foundation of trust.

𝗧𝗵𝗶𝘀 𝗜𝘀 𝗡𝗼𝘁 𝗮 𝗖𝗜𝗦𝗢 𝗣𝗿𝗼𝗯𝗹𝗲𝗺

There is another shift happening that I believe is equally important. Historically, security teams often positioned themselves as the owners of cyber risk. That model is becoming increasingly difficult to sustain.

AI is not just changing technology. It is changing business processes. It is changing customer engagement. It is changing product development. It is changing decision making.

The implications extend far beyond the security function. Which means responsibility must extend as well. The most mature organisations I am seeing are not creating AI security programmes. They are creating AI operating models.

Security is one participant. Legal is another. Risk is another. Technology is another.

The business itself becomes accountable. That is a very different mindset and I suspect it will become one of the defining characteristics of successful organisations over the next decade.

𝗧𝗮𝗸𝗶𝗻𝗴 𝗕𝗮𝗯𝘆 𝗦𝘁𝗲𝗽𝘀

Whenever a major technology shift arrives, our industry has a tendency to jump straight to the destination. AI Zero Trust. Autonomous governance. Self-defending systems. Autonomous SOC.

Interesting concepts. Potentially important concepts. But many organisations are still trying to establish the basics.

That is perfectly okay.

• Start with inventory.

• Understand your data.

• Map your identities.

• Establish ownership.

• Create audit trails.

• Build governance.

• Develop repeatable patterns.

Then evolve. Pragmatism has always been one of the most underrated skills in cybersecurity.

The AI era does not change that. If anything, it makes it more important than ever.ting here…

Article by Your Name

Pretium lorem primis lectus donec tortor fusce morbi risus curae. Dignissim lacus massa mauris enim mattis magnis senectus montes mollis taciti accumsan semper nullam dapibus netus blandit nibh aliquam metus morbi cras magna vivamus per risus.

Leave a Comment