Modern Security Hinges On Adaptability And Exposure Management As AI Reshapes Risk
Enterprise Security
John Sapp, CISO at Texas Mutual Insurance Company, reframes modern security as continuous adaptation, shifting leaders from vulnerabilities to exposure management for AI.

A "modern" security program is no longer defined by the tools on a checklist or the policies in a binder. It’s defined by whether it can continuously adapt to the environment it’s meant to protect. As technology evolves in real time, security has to evolve with it. A truly modern approach focuses on reading signals, anticipating change, and adjusting before yesterday’s assumptions turn into today’s blind spots.
John Sapp, VP of Information Security and CISO at Texas Mutual Insurance Company, has spent more than 35 years managing digital risk at scale. His career spans senior security leadership roles at Accenture, Oracle, and McKesson, giving him a long view on how the discipline has evolved. It's a perspective that is especially relevant in the era of mainstream AI adoption, where AI, unlike static software, evolves with every prompt and forces security leaders to rethink playbooks built for a far more predictable world.
"Traditional software is static. AI evolves with every prompt. Every prompt is a new instruction, and that fundamentally changes how you think about securing it," says Sapp. For many, that new reality is prompting a change in the security mission from a defensive stance to an enabling posture focused on the responsible use and secure adoption of AI.
The exposure equation: AI is already too embedded in day-to-day work to be meaningfully blocked. Instead, Sapp advocates for leaders to shift their thinking toward exposure management. "I realized my own framework had to evolve from threat and vulnerability management to overall exposure," he explains. "It’s not about a single vulnerability. It’s about the combination of threat intelligence, the conditions in your environment, and whether an attack path has already been proven viable. When that happens, it’s a test run. It shows the attack is feasible and ready to be scaled. That’s the exposure."
Read the fine print: Sapp shares a real-world story that shows what "exposure" means in practice: a hidden dependency his team discovered during an AI risk assessment, the kind traditional security tools aren’t designed to find. "We discovered a tool was using DeepSeek as a subprocessor. Its privacy policy states that user data resides in the People’s Republic of China. That isn’t a vulnerability," Sapp notes. "The exposure comes from how the tool is used. If it places company data in a jurisdiction we don’t allow, it has to be blocked, but that risk only becomes visible through proper assessment."
Compliance is calling: What was once a best practice is now becoming a legal requirement in some jurisdictions. That statutory footing elevates the conversation beyond choice, positioning strong AI governance as a compliance mandate rather than a discretionary investment. "Here in Texas, we have the Texas Responsible AI Governance Act now. In order to have safe harbor, you have to be able to demonstrate that you're compliant and aligned with the NIST AI Risk Management Framework."
But at the end of the day, the responsibility lands squarely on security leaders to make sense of a system that keeps changing after it’s deployed. CISOs are expected to define guardrails, assess risk, and enable business use of AI without the benefit of stable rules, complete visibility, or proven playbooks. "As security leaders, we must make imperfect choices, knowing they will be judged with perfect hindsight. The role requires the psychological toughness to operate with that reality," says Sapp.
Ultimately, Sapp frames the CISO role as a business enabler, not a gatekeeper. The job isn’t to block ambition, but to translate it into architectures that make risk visible, controlled, and survivable. "If our CEO wants to jump off a five-story building, my job isn’t to say no. It’s to enable the business to do what it wants to do, securely," he concludes. "The first step is clarifying the requirement: does she just want to jump, or does she want to jump and land safely? If she wants to land safely, then the architecture includes a harness and a bungee to control the flight and the landing."