Insight ON: Shadow Agents Are Already in Your Organization — Here's What That Actually Means

Shadow AI agent risk evolved from information risk to operational risk in under six months. Vivek Menon, CISO and head of enterprise data at Digital Turbine, explains why accountability for AI agent failures now belongs to the entire C-suite — and what governance architecture makes incidents survivable.

Shadow AI agent risk is operational risk. That distinction matters because operational risk doesn't belong to the CISO — it belongs to the COO, the CMO, the CFO, and every business unit leader whose team is building or deploying agents. Vivek Menon, who holds a dual mandate as CISO and head of enterprise data at Digital Turbine, draws a clear line: When an agent takes an action that no human has reviewed, the risk has left the security function entirely.

The conversation traces a three-stage evolution that happened faster than most organizations anticipated. Shadow IT was a procurement risk — people choosing their own tools. Shadow AI was an information risk — data exfiltration, IP loss, employees asking questions of models without guardrails. Shadow agent risk is something different. Agents have agency. They act autonomously. And the window between shadow AI and shadow agents collapsed in three to six months.

Vivek builds his governance architecture to the EU AI Act — the strictest available standard — even though Digital Turbine is a U.S.-based public company. His reasoning: If an incident happens, traceability built to that standard is defensible with auditors. He also references the NIST AI Risk Management Framework and is pursuing ISO 42001 certification for AI readiness. The goal is for incidents to meet three criteria — survivable, auditable, explainable — because the question is when, not if.

On measuring AI adoption, Vivek offers a contrarian metric: Look at how you're hiring. If headcount is growing in operations, FP&A, and technology without new AI competencies attached to those roles, adoption isn't working. Capacity should be addressed through AI. Companies that get this right will maintain or reduce headcount while increasing AI competency across the organization.

Security leaders and business unit leaders will walk away with a clear framework for shared AI agent accountability, a regulatory strategy that works across 10 jurisdictions, and a practical test for whether their organization's AI adoption is producing real results.

If you liked this episode, share it with a colleague.

Have a topic you’d like us to discuss or a question you want answered? Drop us a line at jillian.viner@insight.com

"As soon as something becomes an operational risk, it has left the realm of a CISO."

Vivek Menon
CISO and Head of Enterprise Data, Digital Turbine

Audio transcript:

A full transcript of this conversation will be available shortly.

Learn about our speakers

Jillian Viner

Marketing Manager, Insight

As marketing manager for the Insight brand campaign, Jillian is a versatile content creator and brand champion at her core. Developing both the strategy and the messaging, Jillian leans on 10 years of marketing experience to build brand awareness and affinity, and to position Insight as a true thought leader in the industry.

Vivek Menon

CISO and Head of Enterprise Data, Digital Turbine

Stay Updated with Insight On

Subscribe to our podcast today to get automatic notifications for new episodes. You can find Insight On on Amazon Music, Apple Podcasts, Spotify and YouTube.