There is a “state change” in motion across security. With advances in AI and frontier models, the ways we protect and defend our applications are evolving at machine speed—and CISOs, along with their respective security organizations, are under tremendous pressure to keep up.
To thrive in the current climate, CISOs need to accelerate their use of AI to detect and remediate risks faster than AI-powered attacks can occur. And they must employ AI to perform vulnerability management, security operations, resiliency circuit breaking, among other tasks key to defending their organizations.
Released this week, our 2026 State of Application Strategy Report explores some of the emerging application, API, and AI trends reshaping CISO responsibilities.
Here are three priorities CISOs can’t afford to delay based on our survey of IT decision makers from around the globe:
1. Know how AI and automation are impacting your infrastructure.
The majority of application portfolios (55%) are now AI-enabled, according to F5 research, with AI experiments finding their way into production. Moreover, 67% of organizations use AI to accelerate automation. In fact, the volume of machine-generated traffic will soon exceed human traffic.
The move to AI and AI-supported automation is happening quickly. Yet most IT environments aren’t designed for agility amidst these rapid changes—presenting a huge challenge for security leaders.
“The rapid rise of AI and automation demands that CISOs adapt by prioritizing visibility, control, and simplicity across their increasingly complex hybrid multicloud infrastructures.”
AI systems introduce new types of runtime behavior inside the environment. Applications call models. Agents invoke tools. Automation systems generate continuous API activity. Models interact with other services to retrieve data, trigger workflows, or execute operational actions. These interactions create entirely new communication paths inside enterprise infrastructure, which CISOs must address.
As a first step, CISOs must know where AI and automation live in their infrastructure. And once AI app and automation traffic, routings, and endpoints are known, they need to be analyzed for vulnerabilities so the right preventive and policy controls can be applied.
2. Manage AI models and inference as a core part of your infrastructure.
Inference is now the dominant AI activity for most organizations, according to our research, with the average enterprise now using seven AI models to power their inference engines.
As enterprises reap the incredible predictive capabilities that AI inference offers, the underlying infrastructure has gotten a lot more complicated.
Our research found that 52% of organizations are chaining or orchestrating multiple AI models. This, in turn, brings new security risks such as routing manipulation, data exfiltration through model chains, and inconsistent policy enforcement across models.
In addition, 90% of organizations will soon route inference through shared infrastructure. While shared infrastructure has its economic advantages, it increases security and performance risks.
All of this is adding to the complexity CISOs are already grappling with. To obtain the visibility and discovery they need, security teams must treat model routing and the inference layer as integral parts of their infrastructure, applying the same observability and controls as they currently do with application routing and security.
Similarly, they must realize that the security boundary has moved from the models themselves to the inference path. As a result, inference traffic must be delivered, inspected, authenticated, and governed like any other critical app interaction.
3. Find ways to simplify management of your infrastructure.
Amid these rapid changes, 35% of organizations say their infrastructure is not ready to support AI workloads, according to our research. Discussions about AI readiness often focus on performance: access to GPUs, adequate compute capacity, storage throughput, and networking bandwidth. While those concerns are real, it’s not all about capacity. For CISOs, it’s also a security architecture issue and the ability to efficiently implement and enforce controls as AI adds another layer of complexity.
AI workloads increase the potential blind spots. To improve their AI readiness, security leaders must simplify their sprawling environments—and that requires a unified approach.
Without a unified platform that can observe and manage these connections, CISOs will lack the controls to respond in an efficient and strategic manner. The result will be a reactive cycle in which they struggle to implement the right policies, detect fraud and attacks, and remediate vulnerabilities as they’re discovered.
Navigating AI security challenges
The rapid rise of AI and automation demands that CISOs adapt by prioritizing visibility, control, and simplicity across their increasingly complex hybrid multicloud infrastructures.
With AI security as an additional layer that’s fully integrated with existing application and API operational security workflows, CISOs will have the flexibility and agility they need to protect their organizations, while leveraging AI as a strategic business advantage.
The F5 Application Delivery and Security Platform (ADSP) helps security leaders simplify complex environments by combining traffic management, security, and observability in one platform.
With F5 ADSP, CISOs can apply AI policies consistently across all environments from one place, rather than configuring each system separately. They can monitor AI systems in real time—including apps, APIs, and AI-enabled components—through a unified operational view. And they can consolidate governance workflows by integrating delivery, security, and AI oversight into a single platform.
Learn more about AI security insights and trends by reading the full 2026 State of Application Strategy Report.
About the Author
Michael is responsible for the enterprise‑wide strategy and execution to operate the company with security and resiliency at its core. He leads F5’s Security, Risk, and Digital Operations organizations, driving end‑to‑end operational trust for customers, partners, and employees. Montoya joined F5’s executive leadership team in October 2025 after serving on F5’s Board of Directors from 2021 to 2025. Prior to F5, Montoya was Chief Operating Officer at BlueVoyant and previously served as Chief Information Security Officer at Equinix and Digital Realty. He spent more than a decade at Microsoft in global leadership roles, including Chief Cyber Security Officer, regional CIO/CISO for EMEA and Asia, and a global leader for Datacenter Operations.
More blogs by Michael MontoyaRelated Blog Posts
Three moves CISOs can't afford to delay
F5’s Chief Technology Operating Officer discusses findings from this year’s F5 State of Application Strategy Report—and what CISOs must do to get ahead of these trends.
Three forces reshaping security leadership: Distributed AI inference, threat evolution, and hybrid multicloud
F5’s 2026 State of Application Strategy Report has landed. See the latest AI trends rapidly altering the security landscape.
F5 Report 2026: AI inferencing has arrived, complicating an already complex IT landscape
Newly released F5 research shows the majority of enterprises are taking AI inference in-house, with the average company now using seven AI models.
Lessons we are learning from our security incident
F5 CISO Christopher Burger answers common questions from customers surrounding the recently disclosed security incident.
Inference: The most important piece of AI you’re pretending isn’t there
Scaling AI means scaling inference. Learn why inference servers are critical for managing performance, telemetry, and security in production AI workloads.
How does SecOps feel about AI? Part 2: Data protection
F5 conducted a comprehensive sentiment analysis of security professionals on Reddit about their thoughts on AI.