CIO Pulse Videos

All News Deals Social Blogs Videos Podcasts Digests

CIO Pulse AI Leadership

Enterprise AI: Shadow AI and Agentic Risk - CIO Advice

•May 17, 2026

CXOTalk

CXOTalk•May 17, 2026

Why It Matters

Unchecked shadow AI threatens data security, compliance, and operational stability, forcing CIOs to redesign governance and testing frameworks to protect enterprise value.

Key Takeaways

•AI agents proliferate across enterprises, creating unmanaged “shadow AI”.
•Traditional testing and governance models no longer suffice for autonomous agents.
•CIOs must implement sandboxed environments and token‑level monitoring.
•New capabilities needed: context engineering, agent identity, and explainability.
•Balancing risk with value requires continuous regression testing and ethical checks.

Summary

The video tackles the surge of AI agents inside large enterprises, coining the term “shadow AI” to describe unsanctioned, autonomous tools that bypass traditional IT controls. Tim Crawford and data‑scientist Anthony Scriffin argue that CIOs now face a paradigm shift: every layer—from application development to data stewardship—must accommodate agents that can code, access credentials, and act without human oversight. Key insights include the inadequacy of legacy regression testing, the need for sandboxed environments, and the importance of token‑level monitoring to track data ingress and egress. They stress emerging disciplines such as context engineering, agent identity management, and explainability, while warning that foundation models constantly evolve, making static safeguards obsolete. The discussion is peppered with vivid analogies—social media’s democratizing voice now mirrored by AI’s “vibe‑coding” for non‑developers—and concrete examples like OpenAI’s Claude, Amazon Q, and SAP’s dual‑work tools. Tim cites Steve Daffron’s reminder that “the most fundamental thing in data science is counting things,” illustrating how unchecked AI can over‑count or leak PII without proper provenance and guardrails. Ultimately, the speakers urge CIOs to blend old governance principles—consistent experience, permissible use, provenance—with new capabilities: adversarial testing, ethical sentiment checks, and automated audit trails. Only a hybrid approach can contain risk while unlocking AI’s strategic value for the organization.

Original Description

AI agents are entering enterprise AI faster than CIOs can govern them. Line-of-business users are vibe-coding their own tools, agents are operating with employee credentials, and foundation models are changing under running systems.

In CXOTalk episode 919, Anthony Scriffignano, PhD, a prominent data scientist, and Tim Crawford, a strategic advisor to CIOs at the world's largest companies, examine what enterprise AI governance, shadow AI, and agentic risk require of technology leaders today. The discussion grounds the AI agent conversation in practical decisions: what to keep from established IT governance, what is genuinely new, and where the CIO role must evolve.

YOU'LL LEARN:

✅ Why traditional regression testing breaks when foundation models, training data, and environments all change at once

✅ How shadow AI and vibe-coding by non-developers expand the threat paradigm beyond the enterprise perimeter

✅ Why HR-style policies do not transfer to AI agents, and what changes when super-agents call sub-agents through an orchestration layer

✅ Specific controls for shadow AI: sandboxes, token counting, personal Identifying Information (PII) guardrails, and watching for value leaving the organization

✅ Red, blue, and green teaming for autonomous agents, including why red teams need a defined target list, not a license to break things

✅ The three governance layers CIOs must now reconcile: user role-based access controls (RBAC), agent governance, and knowledge governance, across ServiceNow, Salesforce, and SAP

✅ When human in the loop is meaningful and when it becomes theater, including the limits of audited-sample review at machine speed

✅ How the transformational CIO mindset differs from the traditional one, and why business depth is now the prerequisite skill

⏱️ TIMESTAMPS

0:00 AI agents are running wild: framing the problem

3:11 From automation to autonomy: how CIOs should reframe risk

5:21 What old governance disciplines still apply, and what is new

6:12 Shadow AI, vibe coding, and the limits of control

9:11 Practical controls: sandboxes, token counting, PII guardrails

11:53 Why HR policies do not work for AI agents

15:24 Regression testing for misuse and misadventure

18:43 The aspiring CIO: traditional vs. transformational mindset

21:07 Disciplined red, blue, and green teaming

23:30 When mandatory automation becomes the only option

32:03 Human in the loop: meaningful or theater?

34:09 What AI governance actually looks like in practice

38:10 New roles: context engineers, AI FinOps, and value frameworks

40:30 Talent and jobs inside IT: what changes

🔔 Subscribe for weekly conversations with the world's top business and technology leaders.

📩 Get the CXOTalk newsletter: https://newsletter.cxotalk.com

💬 Read the show notes: https://www.cxotalk.com/episode/cio-playbook-agentic-ai-in-the-enterprise

🎙️ ABOUT CXOTALK

CXOTalk features unfiltered conversations with C-suite executives from major companies about AI, digital transformation, and business strategy. Hosted by Michael Krigsman.

Episode 919

#cxotalk #ShadowAI #AIAgents #AIGovernance #AgenticAI #CIO #EnterpriseAI #DigitalTransformation #AIRisk #CIOLeadership

Comments

Want to join the conversation?

Loading comments...