Two years on from when AI was named the most notable word by Collins dictionary, ‘AI slop’ has taken the title in 2025. This is an indication in itself of just how much the technology has evolved in recent times. It’s gone from being known as the next biggest thing, to ‘sloppy’.
New AI models are launched weekly, copilots are embedded into core business platforms and board decks are filled with promises of efficiency, insight and transformation. The conversation around AI has never been louder.
And yet, beneath the noise, something more fragile is emerging. For all the enthusiasm around adoption, far less attention has been paid to potential consequences of the speed of AI adoption. Who is accountable when an AI system makes a decision? How is that decision reached, validated or challenged? What happens when a model behaves unpredictably, or when sensitive data is exposed in ways no one fully anticipated?
In 2026, the era of open-minded and often misdirected AI optimism will fade and, in its place, will emerge what I believe is the defining challenge of the next phase of AI adoption. The accountability gap.
From experimentation to explanation
Over the past few years, organisations have largely treated AI as an experimental layer. Typically introduced to increase productivity, save time or reduce costs, tools have been trialled within teams, embedded into workflows and sometimes deployed at speed, often under pressure to keep pace with competitors. It’s common for innovation to move quickly and for governance to try and keep pace. This is what we’re seeing when it comes to AI – more tools, greater functionality, but with it far more expansive third-party risk.
As it becomes operational rather than exploratory, the expectations around it change. Systems that influence security decisions, customer interactions, financial outcomes or access to services can no longer be explained away as pilots or proofs of concept. They require deeper explanation and justification as to how they are being used, and how they are being used securely.
Explaining how an AI-driven outcome was reached, what data informed it and what assumptions support it is fundamentally different from showcasing that a tool exists. In many organisations today, that explanatory chain is incomplete or missing altogether. With governance and security tools largely playing catch-up to defend against new technologies, we need to establish what is being rolled out, what security gaps they potentially open and who is responsible for navigating implementation effectively.
This is what we mean by the accountability gap.
Security in an AI environment
Nowhere is this gap more concerning than in security. AI is already deeply embedded in threat detection, anomaly analysis and automated response. For example, generative AI is being used to analyse control data, explain why risk has changed and make suggestions as to what to fix or prioritise, which whilst effective is also responsible for widening the threat landscape itself by introducing new forms of risk.
In this new and continually adapting age of AI and largely due to the lack of guardrails, something going wrong is almost an inevitability. When it does, we can expect the scrutiny to go beyond whether a firewall failed, or a patch was missed to focus more intently on whether the organisation understood and governed the behaviour of its own systems from the outset through to implementation. Perhaps it will take a high-profile incident caused by AI to make the industry stand up and take note?
As is their responsibility, regulators are beginning to pay close attention to these changes. Across jurisdictions, there is a growing expectation that organisations must be able to demonstrate control over AI-driven processes, particularly where security and personal data are involved. This is not about banning AI or slowing innovation, it’s about ensuring that its use is defensible, auditable and aligned with existing legal and ethical frameworks. Innovation and security should be built together. In 2026, “we didn’t know” will cease to be an acceptable answer.
Who is really accountable?
One of the most persistent misconceptions around AI and its security is that accountability sits primarily with IT or security teams. Of course these teams play a critical role, advising on the guardrails that should be put in place, but they cannot and should not carry responsibility alone.
AI decisions increasingly affect business strategy, risk exposure and organisational reputation. They shape how all departments engage prospects, customers and other stakeholders. They have a huge influence on brand reputation, financial growth and business growth, all of which are board-level concerns.
True accountability means that boards understand where AI is deployed, what decisions it influences and what controls are in place to govern it. It means being able to articulate who owns the risk when automated systems are used, and how that ownership is exercised in practice.
This does not require every board member to become a technologist, but what it does require is collective responsibility to lead from the top to enforce policies and support the guardrails put in place by security experts. Just as financial oversight cannot be delegated entirely to accountants, AI governance cannot be confined to technical specialists. It’s time for all board members to engage in AI risk, understanding it to protect operations and brand reputation.
Controls, monitoring and the myth of set-and-forget
Another uncomfortable truth is that many AI systems are treated as static once deployed. Models are trained, integrated and then largely left alone, aside from occasional updates in an approach that is becoming increasingly untenable.
The intelligence aspect of AI means that, by definition, it is dynamic. In other words, the threat landscape evolves, data patterns shift and, with it, criminals adapt their tactics. Without continuous monitoring, security tools can produce outputs that appear confident but are increasingly misaligned with reality.
Effective governance requires ongoing scrutiny so all organisations must be able to demonstrate how models are monitored, how performance drift is detected and how interventions are triggered. This is as much a cultural challenge as a technical one. It demands a mindset that views AI as a living component of the organisation rather than a one-off investment.
The accountability gap widens when no one is tasked with asking whether an AI system is still fit for purpose.
The hype might fade, but accountability will not
There’s no doubt that AI will continue to become more deeply embedded in organisational life than ever before next year, but the shift we expect to see, and encourage, is the emphasis being placed on transparency.
Stakeholders will ask harder questions, regulators will expect clearer answers and customers and partners will demand assurance that decisions to implement automation tools are being made responsibly and securely. And for good reason.
By embedding clear ownership, robust controls and continuous oversight, AI tools will be able to be used with confidence. Each member of the board taking responsibility and holding one another accountable to the roles they play will be key to ensuring the use of AI tools is bringing value and not just increasing vulnerability.
As with the internet boom in the early 2000s, new technologies emerge, make a big splash and then quickly become part of the furniture. But whilst new technologies will always come and go, accountability will always remain.
Join our LinkedIn group Information Security Community!
