
The End of the Road for the CISO?


Agentic AI is not just transforming cybersecurity. It is collapsing it into a broader function. The Chief Information Security Officer (CISO) role will soon cease to exist as we know it today.

The CISO occupies an unenviable and arguably untenable role. In theory it is indispensable and central to organisations, but in practice it is marginalised. I increasingly hear from boards and from CISOs themselves that the role, as currently constructed, is not working. Cybersecurity is treated as expensive insurance, structurally disconnected from the real engines of growth. Even after a ransomware plague, sustained regulatory pressure, and an unbroken decade of high-profile breaches, the CISO remains neglected, underfunded, and measured largely by nothing bad happening.

Security is converging into the broader issue of whether autonomous operations can be trusted, governed, and controlled.

Many CISOs have already made the shift toward strategic governance. But even that elevated version of the role is now being absorbed into a broader function.


Security on the Wrong Side of Transformation


Boards are no longer primarily focused on protecting the business. They are focused on reinventing it before competitors do. Across every sector, investment is flowing aggressively toward AI-driven transformation, automation, and operational acceleration.

Cybersecurity, in its traditional form, increasingly finds itself perceived as a hindrance. The function is widely considered to be too slow, too siloed, and too tethered to a defensive mindset which is designed for a world that is rapidly disappearing. Agentic AI is seen by most business decision makers as offering unprecedented opportunities to gain competitive advantage through speed, agility and innovation. Security professionals rightly see risk at a time when their businesses are chomping at the bit to let agentic AI rip through their organisations. Where leadership sees opportunity, the CISO’s function too often sees exposure. This tension is becoming structurally unmanageable, and the organisations I speak with know it.


AI Is Absorbing Cybersecurity From Within


The disruption is not only external. AI is beginning to consume large parts of cybersecurity itself. Vulnerability discovery, threat detection, triage, policy analysis, and security analytics, workflows that once required substantial operational teams, are being accelerated or partially automated by AI agents.

The most compelling evidence of where this is heading comes from Anthropic’s Claude Mythos. Revealed in early April 2026, Mythos is not a dedicated security tool. It is a general-purpose frontier model whose cybersecurity capabilities emerged, in Anthropic’s own words, as a downstream consequence of general improvements in code, reasoning, and autonomy. That is a significant admission. Nobody designed Mythos to do this. It arrived at these capabilities on its own.

In testing, Mythos identified thousands of high-severity zero-day vulnerabilities across every major operating system and web browser. The scale of what it found exposed something the industry has long preferred not to confront directly, which is the appalling underlying state of global cybersecurity infrastructure. Decades of accumulated technical debt, under-investment, and reactive security practice laid bare by a single model in a matter of weeks.

Anthropic considered the risks of public release significant enough that it declined to make Mythos generally available, instead launching Project Glasswing. This controlled initiative gives early access to several organisations including AWS, Apple, Google, Microsoft, JPMorgan Chase and Nvidia, with the explicit goal of patching critical vulnerabilities before hostile actors could exploit the same capabilities.

But Mythos also points toward where defensive security is heading. Tools with these capabilities will not remain the preserve of a handful of technology giants. They will plug into agentic frameworks that can identify vulnerabilities and remediate them in real time, autonomously and continuously, without waiting for a human analyst to triage a ticket. The time between detection and response, historically measured in hours or days, collapses to seconds. That is a structural shift in how security operates.

This represents the dissolution of cybersecurity as a clearly bounded operational domain. Some key functions that once defined the CISO’s remit are being absorbed into wider enterprise platforms, embedded in AI-assisted layers that operate continuously and at a scale no human team can match.


The New Battlefield: Operational Trust


As autonomous systems begin to interact with infrastructure, applications, customers, employees, suppliers, and other AI agents with limited human intervention, the nature of risk transforms fundamentally. Identity is rapidly becoming the control plane for both humans and machines.

This shift is already visible in the regulatory landscape. In financial services, DORA in Europe and CPS 230 in Australia are pushing organisations away from narrow security thinking toward broader operational resilience models covering third-party risk, business continuity, governance, and identity. In the United States, the SEC and Federal Reserve are increasingly focused on systemic risk, operational accountability, and continuity. Responsibility for governing autonomous systems is spreading across operations, legal, risk, data, and architecture teams. It is not sitting inside a single security function.

From an enterprise risk perspective, board attention is shifting quickly toward a central question. How can autonomous operations be trusted, governed, and controlled without leadership losing visibility over its own decision-making and operational behaviour?


The CISO Role Will Collapse into Governance


It is important to be clear that AI transformation will not eliminate the concerns that cybersecurity addresses. Those concerns become more acute, not less, and the focus will shift to the speed with which we address them.

The residual CISO function will be much more centred around governance and risk management. It will further converge with other enterprise risk roles to set parameters, deploy governance frameworks, and determine risk appetite. This function will decide which autonomous decisions require human authorisation and which can be delegated entirely to machine judgment. It will establish accountability frameworks for agent-to-agent interactions, govern machine identities at scale, and ensure that enterprise AI operates within ethical, legal, and operational boundaries that boards and regulators can understand and defend.

Increasingly, this governance mandate is extending into organisational resilience. Boards have largely accepted that breaches and disruptions are inevitable. They want to know how quickly the organisation can recover and keep functioning. This issue pulls the evolving CISO role deeper into business continuity, supply chain risk, and operational recovery, areas that were once considered outside the security leader's remit.

The hands-on operational security leader who manages SOC teams, directs threat-hunting, and runs incident response is a figure whose function is being automated away in real time. The security leaders that excel will be those who understand that their value lies not in operational execution but in defining the rules of engagement for systems that will increasingly govern themselves.

The residual CISO role is one of governance, setting the parameters within which machines are permitted to act autonomously.


The End of the Standalone Function


The boundaries between cybersecurity, IT operations, resilience, governance, risk, and AI management are already collapsing.

Cybersecurity will not disappear. The discipline of protecting organisations from adversarial action, system failure, and operational risk remains as important as ever. But it will stop existing as a standalone function with its own budget, its own reporting line, and its own seat at the table defined by operational security work. Residual cybersecurity activities will fall into a broader discipline centred on governance, resilience, identity, and machine oversight.

Several organisations I have spoken with already understand this and are restructuring accordingly, seeking competitive advantage by moving faster into the agentic world and positioning themselves to govern an increasingly machine-led environment.

The end of the road for the CISO, as we know the role today, is not theoretical. For most organisations, it is already underway.

 
 
 



© 2026 by Veqtor8
