AI security vs AI governance: clarifying the hiring decision

As AI moves from pilot projects into core operations, hiring conversations becoming more pointed: Do we need AI security, AI governance, or both?  And can existing teams cover the risk AI introduces?

The reality is that neither discipline is entirely new. Both draw heavily on existing security and privacy capability.  The challenge is that AI behaves differently enough to expose gaps that only become visible once systems are live, embedded and relied upon.
For most organisations, the question is not whether existing teams are capable, but where their limits are.

AI security vs AI governance are extensions, not replacements

AI security and AI governance are not replacements for cyber security and data privacy. They extend them, shaped by how AI systems behave, scale and fail.

Traditional cyber security protects defined systems from known threat categories. AI security, however, deals with a different risk profile. For example, a customer-facing chatbot may be manipulated into disclosing data it should not share. A model may retain sensitive information in ways that are difficult to audit. particularly where machine learning models process large volumes of data, A third-party AI tool may behave unpredictably when exposed to unfamiliar inputs.

Data privacy, meanwhile, ensures personal data is collected, processed, and stored lawfully. AI governance extends this into more complex territory: where personal data may be embedded within trained models, where AI supports automated decision‑making, and where organisations must evidence how systems operate in practice under GDPR and the EU AI Act.

These overlaps explain why many organisations initially assume existing teams can absorb AI risk. In reality, it is the differences that force a rethink.

How organisations are extending existing teams

The market pattern is clear: most are not building new functions from scratch but extending what already exists. Privacy teams, in particular, have become a natural home for early AI governance.  According to the IAPP-EY Professionalizing Organizational AI Governance report, 57% of privacy functions have already taken on AI governance responsibilities. That figure reflects a practical reality.

Privacy teams already manage regulatory relationships, data mapping, and impact assessments, all of which translate directly into AI governance and AI risk management requirements. A DPO conducting Data Protection Impact Assessments under GDPR is already doing work that maps directly onto AI impact assessments under the EU AI Act.

On the security side, the pattern is similar.  ISC2 published guidance in April 2026  integrating AI security concepts across its existing certifications, including CISSP, signalling a shift towards expanding existing capability rather than creating a new discipline.  Strong security leaders are being asked to expand into AI‑specific risk assessment, vendor due diligence and incident response planning.

In practice, this often means redefining roles rather than creating entirely new ones, with existing teams taking on oversight of AI systems and AI-driven workflows.

A scaling fintech, for example, using an off-the-shelf AI tool in its onboarding process does not need a dedicated AI governance team. Instead, it needs its data protection lead to understand the additional AI-specific compliance obligations, and its security function to assess how that tool could fail in practice.

Where new roles become necessary

Not everything can be repurposed.  As AI adoption deepens, certain risks demand specialist focus. The  IAPP AI Governance Profession Report 2025  found that 77% of organisations are actively building AI governance programs, rising to nearly 90% among those already deploying AI. Yet, a third cite a lack of qualified AI governance professionals as a barrier to making those programs work.

This reflects a market where demand is moving faster than supply, particularly as organisations scale AI adoption and introduce more complex AI systems into real-world operations.  Deloitte’s 2026 State of AI in the Enterprise survey  reinforced the point: only one in five companies has a mature governance model for autonomous AI agents. The roles emerging to fill that gap sit between disciplines that have traditionally been separate.

AI governance leads who combine regulatory literacy with enough technical fluency to assess how AI systems actually behave, including how outputs are generated and monitored in real-world use cases.

AI security specialists, often from adversarial testing or application security backgrounds, focus on how models can be manipulated, exposed, or misused, particularly in high-risk or customer-facing AI applications.

Increasingly, companies are hiring AI governance officers for the first time, positioned as counterparts to, or extensions of, DPO responsibilities under the EU AI Act, responsible for conformity assessments, transparency documentation, and human oversight for higher-risk systems. In larger organisations, particularly financial services, insurance, and professional services, these are becoming dedicated headcount. At mid-market organisations, responsibility is more often shared through formal AI governance committees.

For organisations deciding whether and how to hire, guidance on how to hire for AI governance can help bring clarity to role designand expectations.

The hiring mistake to avoid

Two extremes consistently cause problems.

Organisations that assume existing capability covers everything will miss AI-specific risks their teams have never been tested against. Those that treat AI governance as an entirely new function, and delay hiring until they can afford a dedicated team,
allow gaps to widen as AI use accelerates.
In practice, the most effective approach sits between the two.

The strongest teams are doing both: extending what they have while investing selectively in the expertise that existing professionals cannot reasonably be expected to develop on the job. For many, that starts with a clearly scoped role, often anchored around an AI governance officer job description template, before deciding whether security‑specific hires are also required.

What this means for hiring in 2026 and beyond

Three dynamics are shaping what comes next.

First, the EU AI Act’s high-risk system obligations take effect from August 2026, creating a hard compliance deadline that will accelerate hiring decisions across every organisation deploying AI in regulated contexts.

Second, the convergence of privacy and AI governance is producing a new kind of senior professional, combining elements of data protection, AI risk, and technology advisory.  Organisations that structure their teams around that convergence rather than against it will hire more effectively.

Third, the frameworks are maturing. ISO/IEC 42001, the NIST AI Risk Management Framework, and the OWASP Top 10 for LLM Applications are giving organisations a shared language for AI risk, making it easier to define what good looks like in a hire.

The discipline is still settling. But the direction of travel is clear, and organisations that act early will be better positioned to respond to both regulatory and operational change.