There's a moment in every security professional's career when they realise the game has fundamentally changed. Mine came last Tuesday at 3:47 PM, watching my colleague Erich argue with an AI agent about expense policy while simultaneously being phished by what I'm 87% certain was another AI agent pretending to be from IT.
We’ve spent decades building security models around a simple premise: humans work here, threats exist out there, and our job is to build bigger walls between the two. It was comforting, like believing that eating standing up doesn't count toward your daily calorie intake. We knew it wasn't true, but it made the spreadsheets easier to fill out.
Then, AI walked into the office without knocking. It’s a reboot of the classic 2010 iPad launch, where executives demanded connection to the corporate network, heralding the age of "Bring Your Own Disaster".
The Uncomfortable Truth About Your Workforce
The truth is, organisations no longer employ just humans.
Your workforce now includes Peter from Accounts Payable, his three AI assistants (two approved, one very much not), the recruitment algorithm, and whatever that thing is Jenny in Marketing has hooked up to Slack because "it saves time".
And they're all making decisions.
The boundaries have dissolved like my faith in perimeter security circa 2015. Who is responsible when Peter's AI hallucinates a clause into a vendor agreement? Who gets fired when the chatbot leaks customer data because someone asked nicely?
Traditional security loves clean lines: User/Admin, Inside/Outside. It’s binary thinking for a world that has gone full analogue. The modern workplace operates in the blur.
We have created a workforce that's part human, part silicon… but the problem is entirely ours to manage.
Punishment Doesn’t Change Culture
In many ways, modern organisations are run like Alcatraz. Someone clicks a phishing link? Discipline them. Someone uses unapproved AI? Write them up.
Punishing people for being human is like shouting at water for being wet. It may provide emotional release for about eight seconds, but it’s futile. You cannot discipline your way to security. And you definitely can't punish an AI agent into making safer decisions.
So, what happens when your workforce is 60% human, 40% AI, and rising?
Managing the Shadow AI Problem
Shadow AI is exploding not because employees are malicious, but because they are practical. The approved AI is usually slow, restrictive, and designed by people who think "user-friendly" is a type of malware. Meanwhile, the free version of ChatGPT is right there, works instantly, and doesn't require a ticket to IT that will be resolved sometime in Q3 2027.
We need to view the workforce as a single, unified entity—a complex adaptive system where humans and AI agents share context and risk. Here is how we handle the hybrid reality:
1. Govern the workforce, not the components. Create governance frameworks that apply to any decision-maker, regardless of whether they're carbon-based or cloud-hosted. If Peter can't email customer data to his personal Gmail, neither can his AI assistant.
2. Design for the blur. Assume you won’t have perfect visibility. Use real-time behavioral monitoring and anomaly detection that works across human and machine activity.
3. Build culture, not compliance. You teach a child to cross the road by explaining traffic lights, not by screaming at them every time a car drives past. The same applies here. You cannot train culture into an AI model, but you can design systems where humans and AI operate within a framework that makes security intuitive.
4. Measure what matters. If half your workforce is using shadow AI, that's not a compliance failure; it's a signal that your approved solutions aren't fit for purpose. Listen to the data.
The question isn't whether your workforce will become more hybrid; it already is. The question is whether your security model will evolve to match it, or whether you'll keep building walls around a perimeter that dissolved years ago.
The workplace has changed. We need to design security that works with human nature instead of against it.


