Secure by Design: The Missing Link Between AI Pilots and Production Success

Adam Khan—Vice President of Global Security Operations and Office of the CTO for Barracuda—explains what the missing link between AI pilots and production success lies.

Organizations are racing to bring generative AI (GenAI) into their operations, but many are learning that experimentation is the easy part. The real challenge is converting pilots into sustained, measurable business value. A Project NANDA report underscores the gap: “Despite $30–40 billion in enterprise investment into GenAI, 95 percent of organizations are getting zero return. Just 5 percent of integrated AI pilots are extracting millions in value, while the vast majority remain stuck with no measurable P&L impact.”

Those numbers are sobering, but the research also highlights an important insight: the gap isn’t caused by model quality or regulatory hurdles. It comes down to approach. Many organizations can get a model to produce output. Far fewer can make it operate safely, reliably, and consistently inside the business.

A proof of concept can show that a model works under controlled conditions. What it cannot prove is whether that performance will hold once the system is connected to live data, real users, and real security pressures. GenAI has a way of exposing operational weaknesses that previously went unnoticed. When teams move fast without tightening controls, those cracks can quickly widen.

Why AI Pilots Stall

Most stalled AI initiatives share a common pattern. The organization moved quickly to experiment, but not as deliberately to operationalize. It often starts with urgency. A leadership team sees competitors announcing AI capabilities and feels pressure to respond. A pilot launches and connects to a workflow, and the results look promising at first. Then the harder questions surface:

• Who owns this system once it moves beyond the demo?
• What data is it actually touching?
• What happens when the output is wrong?

Many teams don’t answer those questions early enough because they worry they’re falling behind in the race to implement AI. Their strategy becomes “we need to deploy GenAI.” The better approach is to define the business problem and the desired outcome, then work backward into design and controls. That will help clarify what the system should and should not do, who is accountable for it in production, and how to manage risk as more people start using it. It also forces the organization to address whether it has the internal expertise to configure, monitor, refine, and manage those systems once they’re live.

Secure by Design

Security often enters the conversation too late. You don’t want to focus solely on proving the concept and demonstrating efficiency gains without also examining how the data is protected and who can access it. By that point, the architecture is already in place, and adding guardrails becomes more complicated. Bring security into the design phase. Determine where sensitive data lives, how it moves through the system, and who needs visibility into it, and do this early on.

Effective oversight is just as important as implementing access controls. Logging inputs and outputs from the beginning makes it easier to spot anomalies. Validation layers become especially important when AI influences financial decisions, customer communications, or operational changes. A second layer of review, whether automated or human, will help prevent a small error from becoming a larger incident.

None of this will slow innovation. In fact, it will do the opposite. When teams build guardrails early, they can iterate with more confidence because they understand how risk is being managed. That confidence is often what separates the small percentage of organizations that extract real value from the much larger group that still experiments without measurable returns. GenAI does not just change how organizations operate. It also changes how quickly things can go wrong.

Bad Guys Use AI, Too

It’s critical to recognize that attackers use AI and automation to streamline reconnaissance and move laterally once they gain a foothold in your environment. The time between the initial compromise and the infliction of damage is shrinking, making response planning more important than ever.

That fact requires security teams to assume that some controls will fail at some point. The goal of preventing all attacks is outdated and unrealistic. The mindset should shift to how quickly they can detect suspicious or unusual behavior, isolate affected systems, and limit the blast radius.

This is another area where operational discipline and specialized knowledge intersect. Tools surface alerts, but people should be responsible for determining whether those signals indicate an incident they need to address. AI’s role is to help triage and analyze at scale, while humans configure workflows, validate outputs, and decide when to intervene.

Organizations that acknowledge this dynamic tend to build resilience in different ways. They do not view AI as a one-time deployment. They treat it as a system that requires continuous supervision, adjustment, and occasional course correction. That approach does not eliminate incidents, but it significantly reduces their potential impact.

The Real Differentiator: Structure Unlocks AI’s Transformative Potential

The companies extracting measurable value from AI aren’t just the ones experimenting most aggressively. They’re the organizations that recognize AI as a force multiplier for their security capabilities. When paired with proper structure and governance, AI transforms security teams from reactive responders into proactive guardians of digital infrastructure. This creates unprecedented opportunities: AI empowers companies to analyze threat patterns at machine speed, enables real-time behavioral analysis across thousands of endpoints simultaneously, and frees security teams from routine monitoring so they can focus on strategic threat hunting and incident response planning.

Companies succeeding with AI security implementations view structure not as a constraint, but as the foundation that allows AI to reach its full potential. When organizations define clear outcomes, embed security considerations from day one, and ensure proper expertise guides implementation, they can iterate faster, deploy more confidently, and scale more effectively. This disciplined approach enables them to explore advanced use cases such as predictive threat modeling, autonomous incident containment, and intelligent vulnerability prioritization, because they’ve built an operational foundation that safely supports these capabilities.

The future belongs to organizations that embrace AI as a collaborative partner while maintaining human oversight of critical decisions. Companies that master this balance will find themselves at the forefront of a security revolution, protecting their digital assets with capabilities that seemed like science fiction just a few years ago. The key to unlocking this potential isn’t moving faster but building smarter, with structure as the catalyst that turns AI pilots and experiments into transformative business capabilities.