CISOs are finding themselves more involved in AI teams, often leading the cross-functional effort and AI strategy. But there aren’t many resources to guide them on what their role should look like or what they should bring to these meetings.
We’ve pulled together a framework for security leaders to help push AI teams and committees further in their AI adoption—providing them with the necessary visibility and guardrails to succeed. Meet the CLEAR framework.
If security teams want to play a pivotal role in their organization’s AI journey, they should adopt the five steps of CLEAR to show immediate value to AI committees and leadership:
- C – Create an AI asset inventory
- L – Learn what users are doing
- E – Enforce your AI policy
- A – Apply AI use cases
- R – Reuse existing frameworks
If you’re looking for a solution to help take advantage of GenAI securely, check out Harmonic Security.
Alright, let’s break down the CLEAR framework.
Create an AI Asset Inventory
A foundational requirement across regulatory and best-practice frameworks—including the EU AI Act, ISO 42001, and NIST AI RMF—is maintaining an AI asset inventory.
Despite its importance, organizations struggle with manual, unsustainable methods of tracking AI tools.
Security teams can take six key approaches to improve AI asset visibility:
- Procurement-Based Tracking – Effective for monitoring new AI acquisitions but fails to detect AI features added to existing tools.
- Manual Log Gathering – Analyzing network traffic and logs can help identify AI-related activity, though it falls short for SaaS-based AI.
- Cloud Security and DLP – Solutions like CASB and Netskope offer some visibility, but enforcing policies remains a challenge.
- Identity and OAuth – Reviewing access logs from providers like Okta or Entra can help track AI application usage.
- Extending Existing Inventories – Classifying AI tools based on risk ensures alignment with enterprise governance, but adoption moves quickly.
- Specialized Tooling – Continuous monitoring tools detect AI usage, including personal and free accounts, ensuring comprehensive oversight. Includes the likes of Harmonic Security.
Learn: Shift to Proactive Identification of AI Use Cases
Security teams should proactively identify AI applications that employees are using instead of blocking them outright—users will find workarounds otherwise.
By tracking why employees turn to AI tools, security leaders can recommend safer, compliant alternatives that align with organizational policies. This insight is invaluable in AI team discussions.
Second, once you know how employees are using AI, you can give better training. These training programs are going to become increasingly important amid the rollout of the EU AI Act, which mandates that organizations provide AI literacy programs:
“Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems…”
Enforce an AI Policy
Most organizations have implemented AI policies, yet enforcement remains a challenge. Many organizations opt to simply issue AI policies and hope employees follow the guidance. While this approach avoids friction, it provides little enforcement or visibility, leaving organizations exposed to potential security and compliance risks.
Typically, security teams take one of two approaches:
- Secure Browser Controls – Some organizations route AI traffic through a secure browser to monitor and manage usage. This approach covers most generative AI traffic but has drawbacks—it often restricts copy-paste functionality, driving users to alternative devices or browsers to bypass controls.
- DLP or CASB Solutions – Others leverage existing Data Loss Prevention (DLP) or Cloud Access Security Broker (CASB) investments to enforce AI policies. These solutions can help track and regulate AI tool usage, but traditional regex-based methods often generate excessive noise. Additionally, site categorization databases used for blocking are frequently outdated, leading to inconsistent enforcement.
Striking the right balance between control and usability is key to successful AI policy enforcement.
And if you need help building a GenAI policy, check out our free generator: GenAI Usage Policy Generator.
Apply AI Use Cases for Security
Most of this discussion is about securing AI, but let’s not forget that the AI team also wants to hear about cool, impactful AI use cases across the business. What better way to show you care about the AI journey than to actually implement them yourself?
AI use cases for security are still in their infancy, but security teams are already seeing some benefits for detection and response, DLP, and email security. Documenting these and bringing these use cases to AI team meetings can be powerful – especially referencing KPIs for productivity and efficiency gains.
Reuse Existing Frameworks
Instead of reinventing governance structures, security teams can integrate AI oversight into existing frameworks like NIST AI RMF and ISO 42001.
A practical example is NIST CSF 2.0, which now includes the “Govern” function, covering: Organizational AI risk management strategies Cybersecurity supply chain considerations AI-related roles, responsibilities, and policies Given this expanded scope, NIST CSF 2.0 offers a robust foundation for AI security governance.
Take a Leading Role in AI Governance for Your Company
Security teams have a unique opportunity to take a leading role in AI governance by remembering CLEAR:
- Creating AI asset inventories
- Learning user behaviors
- Enforcing policies through training
- Applying AI use cases for security
- Reusing existing frameworks
By following these steps, CISOs can demonstrate value to AI teams and play a crucial role in their organization’s AI strategy.
To learn more about overcoming GenAI adoption barriers, check out Harmonic Security.
