AIUC-1
Research
Dr. Keri Pearlson & the AIUC-1 Consortium
Jun 18, 2026
6 min read

Whitepaper: 2026 - Engineering a Culture of AI Security

Executive briefing for Security Leaders on building an organizational culture of AI security, presented by Dr. Keri Pearlson (MIT Sloan School) & the AIUC-1 Consortium

Download the full whitepaper

AI security is rarely treated as a cultural problem. Most organizations manage AI risk with technical controls, and do very little about the risks that people introduce: shadow AI, blind trust in hallucinated output, unintentional IP leakage and more. Closing that gap requires building a culture of AI security.

Culture is what guides employees when no rule applies

Building a culture of AI security runs on a sequence, as captured in Dr. Keri Pearlson's foundational framework: managerial mechanisms and external pressures shape the values, attitudes, and beliefs an organization holds, and those in turn drive how people behave.

Figure: AI Security Culture Framework (Dr. Keri Pearlson's framework for building a culture of AI security)

Behaviors that Leaders Must Drive Today

Across the AIUC-1 Consortium, security leaders kept returning to the same five behaviors:

1. Mitigate shadow AI. Employees reach for unsanctioned tools because they are fast and available, and the approved path is often slower. The target is twofold: use approved pathways, and when they don't work, surface the gap early rather than bypassing governance in silence.

2. Clarify what is AI-generated. Knowing whether a document, analysis, or line of code came from a person or a model tells reviewers what kind of error to look for. Regulation is moving the same way: the EU AI Act requires providers to mark synthetic outputs in a machine-readable format.

3. Verify outputs before using or sharing them. Validation is how accountability is exercised, especially where output touches customers, finances, or regulatory obligations.

4. Upload data carefully. Inputs to public tools may be retained, reviewed by humans, or used to train future models. Employees need clear rules on what data can go into which tools, and when redaction or an approved enterprise environment is required.

5. Report suspected AI concerns. Share the failures as well as the wins. Most data exposures and shadow-AI incidents are discovered first by the person who caused them, which only surfaces when reporting doesn't feel like self-incrimination.

Values, Attitudes and Beliefs to Drive these Behaviors

When asked what beliefs would produce those behaviors, Consortium leaders rallied around three:

1. Security cannot do this alone. Legal, compliance, and risk teams all have a role to play. Ownership of AI risk must be assigned, not assumed, with clear accountability for governance, monitoring, and incident response.

2. The speed of change makes everyone part of the solution. AI is evolving faster than most organizations can absorb, and it introduces more risk along the way. Every employee needs to stay aware of new exposures and the mitigations that manage them.

3. Trust must be cultivated, not assumed. As systems change constantly, the strongest cultures build trust continuously rather than treating it as a one-time achievement. Employees must stay curious, vigilant, and willing to challenge assumptions as the tools evolve.

Five practices to build the culture

We surface five practices security leaders can adopt now to engineer a culture of AI security:

1. Model the behavior you want. Culture follows what leaders do, not what they mandate. Leaders set the tone by visibly practicing secure AI use, and talking about it openly with their teams.

2. Recognize and reward secure behavior. Visible recognition leads to imitation. Make good practice visible and it spreads faster, peer to peer.

3. Launch an AI ambassadors program. Culture forms locally, not only through mandates. Train local champions to carry security-first habits into every team.

4. Embed AI security in expectations and reviews. Security becomes durable when it's expected, not merely encouraged. Tie secure AI use to everyday norms and formal OKRs, scoped to the role rather than applied as a blanket standard.

5. Establish AI Centers of Excellence. Make the secure path the default path through vetted tools, clear guidance, and safe spaces to experiment.

Building AI security is now everyone's job, not the security team's alone. As AI risk scales with capability, the organizations that pull ahead won't treat security as a checklist of controls - they'll wire it into the culture, at every level.