
Is Your Board Asking the Wrong AI Question?


Most boards are asking, "How mature are we in AI?" That's not the wrong question. It's just the second question. The first one, the one that determines whether the answer means anything, is: What do we actually see in our AI environment right now?


Three things happened this past week that make that distinction urgent:



  • Anthropic's AI model autonomously discovered a 27-year-old security vulnerability that had survived decades of expert review, found in hours, not months.

  • An AI analytics company called Anodot was breached, and attackers used its existing access to steal data from over a dozen organizations connected through the Snowflake cloud platform. No direct breach was required.

  • Oracle announced tens of thousands of layoffs while accelerating its investment in AI infrastructure. And Salesforce, which reduced its customer support workforce by nearly half, expecting AI agents to fill the gap, is now walking that back. Executives acknowledged they overestimated what AI could handle and are working to rehire those workers. The Salesforce item was added as of this writing.


The thread running through it all: we are scaling AI faster than we are scaling the governance around it. That gap is where the liability lives.


Maturity Without Visibility Is Just a Score

Security maturity frameworks, from NIST, ISO, and CIS, to name a few, are built on a foundational assumption: that you know what exists in your environment, how it's being used, and that accountability is in place. For years, those assumptions held. Environments were predictable. Assets were known.


AI has changed that. Any employee can install an AI tool today, connect it to business data, and automate a workflow without IT involvement, a security review, or leadership awareness. Not out of carelessness. Out of efficiency. I've seen this firsthand in previous roles: when you actually inventory what's running across an environment, you find AI tools that were never approved, browser extensions operating on corporate credentials, and applications that never went through any vetting process. Most organizations are measuring AI maturity on top of that incomplete picture.


The Snowflake Breach Is a Governance Story

The recent wave of data theft affecting Snowflake customers is being reported as a cybersecurity incident. It's also a governance failure, and boards should read it that way.

Anodot is an AI-powered analytics platform. To deliver its value, it requires deep, direct access to customer data environments. When attackers breached Anodot, they didn't need to break into any of the affected organizations; they used the credentials Anodot already held. Snowflake's platform authenticated what appeared to be a legitimate connection and granted access. More than a dozen companies lost data, and none of them were watching that door.


This is the third-party risk question boards are not asking clearly enough: it's not just which vendors you have assessed; it's what access those vendors have been granted, and who is accountable for monitoring it.


The Investment Gap Has a Governance Consequence

KPMG's AI Quarterly Pulse Survey found that 62% of business leaders cite workforce skills gaps as their top barrier to AI ROI. Organizations are investing heavily in AI infrastructure: the tools, the compute, the models. The people responsible for governing those investments and accountable when something goes wrong are not keeping pace.


The Salesforce and Oracle situations illustrate this from different angles. Oracle cut tens of thousands of employees while accelerating AI spend. Salesforce cut nearly half its customer support team, expecting AI to handle the load, and is now trying to rehire those workers after the technology fell short. The board-level question in both cases is the same: as your organization scales AI capability, is the governance scaling with it?


What Boards Should Be Asking From Leadership

These are the questions you should be able to get clear answers to from your leadership team. If you can't, that's the finding.

  • Can you show me which AI tools are actually in use, including those used through third-party vendors?

    • Not what's been approved. What's actually running.

  • Who is accountable when an AI tool or integration causes a breach or compliance failure?

    • If the answer requires a long explanation, accountability isn't clear enough.

  • How quickly can your team detect and respond to a risk that enters through an AI integration?

    • The Snowflake situation moved fast. Slow governance is a liability.

  • Is the pace of your AI investment matched by the pace of your governance investment?

    • KPMG's data says most organizations are out of balance. Where does yours stand?


Maturity scores built on incomplete visibility give boards a false sense of security, and false security is more dangerous than acknowledged risk. Before your board asks how mature your AI program is, make sure you can answer the question underneath it.


Sources

1. Anthropic — Project Glasswing & Claude Mythos Preview (April 7, 2026) https://www.anthropic.com/glasswing


2. Anthropic Red Team — Mythos Preview technical details (April 7, 2026) https://red.anthropic.com/2026/mythos-preview/


3. BleepingComputer — Snowflake customers hit in data theft attacks after SaaS integrator breach (April 7–9, 2026)


4. KPMG — AI Quarterly Pulse Survey Q4 2024


5. Wipfli — Salesforce failed to replace thousands of workers with AI (February 2026)

©2020 - 2026 by A&M Strategies. Proudly created with Wix.com