
Jimmy Malhan: Why AI Adoption Is a Leadership Problem Before It Is a Technical One

Around 60% to 70% of companies remain unaware of AI-specific security risks. Most are managing AI exposure with traditional security methods designed for a different era, while delegating the decision to security teams, waiting for the right budget, or simply moving on to the next use case. The breach will not wait for the organization to be ready.

Jimmy Malhan, technical CEO and founder of Pretense, has spent his career at the intersection of engineering leadership and AI security. His argument is that AI security is not a technical problem that leadership eventually inherits. It is a leadership problem from day one. “Security should be part of the backbone,” Malhan insists. “The same way you set up network infrastructure before deploying any application, security is foundational, not optional.”

AI Never Sleeps. Security Has to Match That Reality

There is a reason organizations historically deprioritized continuous security monitoring: human workers take breaks. The attack surface contracted when the office closed. AI has eliminated that buffer. Systems operating 24 hours a day, 7 days a week create a continuously active attack surface, and organizations that treat security as something to tighten after a breach has been detected are already operating behind the threat.

The distinction Malhan draws is between detection and prevention. Most security tools available today identify vulnerabilities after the fact: exposed passwords, known weaknesses, and suspicious patterns that have already materialized. By the time a CEO discovers that source code has been quietly processed through external AI tools for months, retroactive recovery is largely illusory. Products that claim to repair historical exposure are, in Malhan’s direct assessment, gimmicky. The only approach with real return on investment (ROI) is prevention at the front end, before sensitive data ever leaves the organization’s control. His own product, Pretense, currently in patent-pending status, operates on this principle, intervening before a security incident occurs rather than diagnosing it afterward.

Compliance Is Not a Speed Bump. It Is a Shield

The EU AI Act compliance deadline arrives in August 2026, with fines of up to 7% of global revenue for non-compliant organizations, plus additional per-user financial penalties running into the thousands of dollars. For organizations with millions of users, the exposure is material. Malhan argues that the compliance conversation has been framed incorrectly. Governance is not a mechanism that slows AI adoption. It is the structure that allows adoption to continue safely as use cases expand.

The profit leakage from a security breach is as real as data leakage, and in many cases, more immediate. Shadow AI compounds the problem. In three out of four enterprises, employees are using unauthorized AI tools, often through personal accounts when corporate access is not provided.

When something goes wrong, the blame cascades down to the most junior person in the chain – an intern, a junior developer, a new hire – rather than surfacing the leadership decision that allowed the gap to exist in the first place. Malhan believes the blame culture leads to noise rather than solutions. The productive question is not who is at fault. It is what preventive structure should have been in place before the incident occurred.

As AI shifts from assisting engineers to acting autonomously, the hardest question on any CEO’s desk is whether the organization will invest in prevention before problems surface or rely on root cause analysis after they do. Root cause analysis has its place. It helps ensure a specific failure does not recur. But it remains a reactive tool applied to damage already done. Prevention at the foundational layer is the only approach that addresses the problem before it incurs a cost.

Follow Jimmy Malhan on LinkedIn or visit Pretense for more insights on AI security leadership, enterprise AI governance, and building the prevention-first frameworks that protect organizations in an AI-native world.
