Executive Summary

A new benchmark report from the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) and research firm IANS indicates a major shift in the priorities and concerns of cybersecurity leaders. According to the 2026 CISO Benchmark Report, Artificial Intelligence (AI) has become the number one source of friction and risk for CISOs in the retail and hospitality sectors, surpassing long-standing threats like ransomware. While organizations are embracing AI to enhance security capabilities, they are simultaneously struggling with the significant risks it introduces, primarily data leakage, insider threats, and a lack of mature governance frameworks. This dual nature of AI as both a tool and a threat is reshaping security strategy, budgets, and the role of the CISO.

Regulatory Details

While not a regulatory document itself, the report reflects the pressures CISOs face in a landscape shaped by evolving compliance and risk management expectations. The findings highlight a proactive shift as security leaders grapple with governing a transformative technology ahead of formal, widespread regulation.

Key concerns from the report that intersect with compliance include:

• Data Leakage: 71% of CISOs cited AI as a top concern. The use of public AI models with sensitive corporate data (e.g., customer PII, strategic plans, source code) creates a significant risk of data leakage, which could violate data protection regulations like GDPR and CCPA.
• Insufficient Governance: The rapid, often decentralized adoption of AI tools by business units without proper security oversight creates a shadow IT problem, making it difficult to enforce security policies and maintain compliance.
• Insider Risk: Employees may intentionally or unintentionally misuse AI tools, leading to data exposure or the creation of insecure code.

Affected Organizations

The report's findings are most relevant to organizations within the Retail and Hospitality industries. However, the trends identified are broadly applicable to any sector grappling with the rapid adoption of AI. The survey included over 200 CISOs, representing a significant cross-section of these consumer-facing industries.

Compliance Requirements

While explicit "AI compliance" laws are still emerging, CISOs must adapt existing frameworks to govern AI use. The report implies a need for organizations to develop and implement a robust AI governance program that includes:

1. Acceptable Use Policy (AUP): A clear policy defining how employees can and cannot use public and private AI tools. This should explicitly prohibit entering sensitive or confidential company data into public AI models.
2. Data Classification: Strong data classification policies are essential to identify what information is too sensitive for use with external AI services.
3. Secure AI Integration: For organizations building their own AI tools, this involves implementing security throughout the Machine Learning Operations (MLOps) lifecycle, including securing data pipelines, protecting models from theft or poisoning, and ensuring the secure deployment of AI-driven applications.
4. Vendor Risk Management: A process for vetting and approving third-party AI tools and services before they are used within the organization.

Implementation Timeline

The report suggests an immediate and ongoing need for action. Unlike a regulation with a fixed deadline, the risks from AI are present now. Organizations should prioritize the following:

• Immediate (0-3 months): Develop and communicate an initial AI Acceptable Use Policy. Discover and inventory all AI tools currently in use across the organization.
• Short-term (3-9 months): Implement technical controls, such as Data Loss Prevention (DLP) policies and browser extensions, to monitor and block the submission of sensitive data to public AI websites. Begin vendor risk assessments for major AI tools.
• Long-term (9+ months): Develop a comprehensive AI governance framework, integrate AI risk into the overall enterprise risk management program, and explore the use of private, internal AI models for sensitive use cases.

Impact Assessment

The rapid, ungoverned adoption of AI has significant business and operational impacts:

• Increased Attack Surface: AI tools, especially those integrated into business processes, create new targets for attackers.
• Intellectual Property Loss: The leakage of proprietary algorithms, marketing strategies, or product designs into a public AI model can cause irreparable competitive damage.
• Budget and Resource Strain: While overall security budgets are seeing modest increases (from 0.57% to 0.75% of revenue), CISOs are expected to manage the vast new risk landscape of AI without a proportional increase in funding or headcount. The focus is on using AI for productivity gains rather than expanding teams.
• Expanding CISO Role: The CISO's responsibilities are expanding beyond traditional cybersecurity to include AI governance, product security, and broader business risk management, requiring a new set of skills and a deeper integration with business strategy.