Crossing the AI security chasm with the SANS AI security maturity model

Mark Orlando
Jun 24, 2026

Most organizations know they have an AI security problem. A new SANS framework shows why so few are making progress – and what it actually takes to get unstuck.

Most security leaders I talk to know they have an AI problem. They've seen the board questions, read the reports, maybe even drafted a policy. But when they start measuring where they stand — not plans or roadmaps, but actual current state — the gap between awareness and operational capability comes into focus.

The 2026 Verizon DBIR quantifies the scale: 45% of employees are now regular AI users on corporate devices (up from 15% the prior year), with 67% using personal accounts. Push data further shows that 38% of file uploads to AI tools come from those shadow accounts rather than approved organizational ones — and the DBIR shows what's going into them: of 858,000+ DLP events targeting GenAI applications, the most common data types were source code (28%), structured data (14%), and documents and PDFs (23% combined).

The average organization now has 16 unique AI apps, 17 AI browser extensions, and 17 AI OAuth integrations in active use, most unapproved. Shadow AI was the third most common non-malicious insider action in the DBIR, up 4x year over year.

AI sprawl is worse than most organizations realize.

These statistics expose an attack surface and unmanaged risks at a high level. But the real problem is that most organizations can't produce a basic inventory of which AI tools are in use, let alone demonstrate controls around any of them. 

That gap between awareness and capability is where most organizations are stuck. And understanding why they're stuck requires a framework for what progress actually looks like.


A model for measuring what most organizations already feel

Chris Cochran's SANS AI Security Maturity Model, published earlier this year, provides a framework for addressing this gap. It defines five stages of AI security maturity across three pillars:

  • Protect AI: Defending against AI-enabled threats like adversarial attacks, prompt injection, compromised browser extensions, and AI agents operating with unchecked permissions.

  • Utilize AI: Strengthening security operations with AI-powered detection and triage, behavioral analytics, and automated response playbooks.

  • Govern AI: Managing how the organization adopts and uses AI tools. This covers acceptable use policies, shadow AI discovery, data classification, access controls, and risk assessment. This is the pillar that gets the most attention in boardroom conversations today, driven in part by regulatory pressure.

How an organization invests across these three pillars, and whether it invests across all of them, determines whether it advances toward maturity in this area or stalls out at the early steps.

SANS AI Security Maturity Model. Credit: SANS Institute

The SANS AI maturity model outlines 5 stages that organizations must progress through in order to reach an optimal security posture:

  • Stage 1 (Unaware / Ad Hoc) is where employees are freely using AI tools with no oversight, no inventory exists, and leadership may not even know how much AI is in use. There's no policy to violate, so technically it's not even shadow AI yet; it's just unmanaged adoption.

  • Stage 2 (Reactive / Policy-Emerging) means a policy exists, but it's coarse-grained: "Don't use AI" or "use with caution." Known AI tools may be blocked at the network level. Security teams are learning about AI-specific threats but don't have dedicated expertise or tooling.

  • Stage 3 (Defined / Risk-Informed) is where things get intentional. AI usage is governed through enterprise tools rather than outright bans. AI systems are included in security assessments. The organization can demonstrate mature governance to regulators and partners. For many organizations, this is a strong and defensible operating position.

  • Stage 4 (Managed / Integrated) means AI is deeply embedded in security operations with measurable outcomes. AI systems are secured by design. Risk is quantified, not estimated. Decisions are data-driven. This is where organizations can handle AI-specific threats and operate at the tempo that AI-augmented adversaries demand.

  • Stage 5 (Optimizing / Adaptive) is the frontier of AI-native security with self-improving defenses. Elements of this stage exist primarily in large technology companies, defense contractors, and AI-native firms. For most organizations, this is a multi-year journey.

Most of the security leaders I talk to land between Stage 1 and Stage 2. They have awareness, maybe a policy, but not the tooling or telemetry to demonstrate much beyond that. 

The model is pragmatic about these challenges. It doesn't expect every organization to reach Stage 5, and it adjusts maturity targets by sector. 

But it does require evidence of progress, not just intent. And for the majority sitting at Stage 2, the hard part is identifying the right steps to move from being merely reactive to a posture of operational readiness. That’s the chasm to cross.


The chasm

For the organizations sitting at Stage 2, current state often looks like this: They've written an AI acceptable use policy, and maybe they've blocked known AI apps at the network level. They've trained employees on what's allowed and what isn't. 

To be sure, blocking is the fastest lever a security team can pull, and it represents visible progress to the business. The problem is that it rarely stays effective. 

SANS calls the pattern that traps most organizations at Stage 2 the "Framework of No." 

"A block-based AI policy may feel like risk management, but practitioner experience shows it typically drives AI usage underground rather than preventing it," the report notes. "This is the pattern SANS has documented as the 'Framework of No,' and it is why the Stage 2 to Stage 3 transition is so critical."

This is the chasm. On one side: awareness and policy. On the other: operational capability - the tooling, telemetry, and controls that let a security team see what's happening and respond to it. Most organizations are standing on the awareness side, looking across, not sure how to get over.

Crossing the AI security chasm requires focusing both on AI governance, and protection against AI-enabled attacks.

The model is specific about what crossing requires. The steps from Stage 2 to Stage 3 include technical BYOAI discovery (not a survey, but automated discovery), AI-specific data classification, AI-aware controls, and a cross-functional governance body. Data classification is a critical prerequisite: "You cannot write an effective AI policy without knowing where sensitive data lives," the report emphasizes.

These are visibility and measurement problems before they're policy problems. You can't govern what you can't see. You can't classify risk you can't measure. And a blocklist that pushes usage underground doesn't give you either: it just makes the gap between your policy and your reality harder to detect.

Getting this visibility right is necessary for crossing the chasm. But it’s not the only step organizations must undertake if they want to address their AI risk.


Governance is key, but don't forget about protection

Most AI security conversations today - the vendor pitches, board decks, and compliance checklists - are about the Govern pillar. Shadow AI discovery. Usage policies. Data classification. Controls around what employees paste into AI prompts or upload to AI tools. It's important work.

But the SANS model gives roughly equal weight to a second pillar that gets almost no attention: Protect - defending against AI-enabled attacks.

The Protect pillar starts from a stark baseline. At Stage 1, most organizations have no visibility into which AI agents or browser extensions have access to their corporate environment, let alone a framework for understanding how those could be attacked. 

By Stage 3, the model expects runtime validation of AI tools and plugins, detection capabilities mapped to AI-specific attack frameworks, and controls that cover the growing surface area of agentic AI. 

By Stage 4, organizations need real-time monitoring of AI agent behavior and defenses against attacks that exploit trust relationships between AI systems — capabilities most security teams haven't started scoping, much less building or procuring.

These are detection and response capabilities, not governance exercises — and the attacks they address are already well underway. One in three phishing payloads intercepted by Push arrive outside of email, through channels where most security controls don't exist. Evidence of the growth of browser-based attack methods enabled by AI tooling abounds:

  • CrowdStrike's 2026 Global Threat Report documented a 563% increase in ClickFix lures — fake CAPTCHA pages that trick users into executing malicious commands on their own machines.

  • Push has tracked a 37x increase in device code phishing since the start of 2026, with 18+ distinct kits now offering the technique.

  • Anthropic identified 793 threat actors using AI for malicious cybersecurity purposes between March 2025 and February 2026, with the 2026 Verizon DBIR finding that 44% of AI-assisted initial access was phishing-related.

Attackers are already vibecoding phishing kits, rotating infrastructure daily, and exploiting identity flows that traditional endpoint and network tools can't see.

The SANS model makes the speed argument a central focus at Stage 4: Detection built for human-pace adversaries is increasingly insufficient when threats operate at machine speed. For organizations investing exclusively in AI governance, AI-enabled threats represent an entire category of risk that is not being addressed.


Why governance alone can't close the gap

An organization can have an AI policy, shadow AI discovery, data classification, and usage controls, and still be exposed. When an employee hits a device code phishing page or a ClickFix lure, the governance program documented the risk perfectly. It just couldn't stop the attack. The policy existed but the detection (and ideally, mitigation) didn't.

The reverse is equally true, and it's why the SANS model treats the pillars as interdependent rather than sequential. Detection capabilities that fire into a void with no policy to act on findings, no classification to assess exposure, and no governance body to shape proactive policy just create alerts, not security. 

Yet most organizations are only investing heavily in one side of the solution, which is almost always Govern. The maturity model is explicit about the risks of this approach: Governance with no attack detection leaves a critical gap. 

Closing the gap requires a control point where both problems are visible and addressable.


Crossing the chasm requires addressing both pillars at once

The bottleneck for most security programs isn't frameworks or strategy — it's data quality. For teams taking on the dual problems of shadow AI and AI-enabled attacks, browser telemetry is the foundation to any meaningful solution. That’s because both problems converge in the same place.

AI-enabled phishing attacks, credential theft, malicious browser extensions, and OAuth exploitation happen in the browser. So do shadow AI adoption, sensitive data pasted into AI prompts, file uploads to unapproved tools, and unauthorized integrations. The browser is where external attacks and internal misuse are both visible and stoppable.

For the security team trying to advance past the Framework of No, browser telemetry replaces the blunt instrument of network-level blocking with actual visibility:

  • which AI apps are in use (including personal account usage)

  • what data is moving into them (file uploads, clipboard activity)

  • graduated controls - per-app, per-user group, per-content pattern - that can monitor, warn, or block based on context rather than allow/deny

The same browser-layer instrumentation can also provide real-time detection of credential phishing, ClickFix, adversary-in-the-middle attacks, and device code phishing. And it can detect and disable malicious browser extensions based on confirmed threat intelligence, monitor OAuth integrations, and generate the identity attack surface data (login behaviors, MFA gaps, SSO coverage) that the Protect pillar requires at Stage 3 maturity and beyond.

We built Push around this insight: that the browser is where both problems converge, and a single deployment can advance AI security maturity in both areas simultaneously. The SANS model makes the same argument.


Where to start: 5 steps to maturity with Push

The chasm closes when organizations make meaningful strides forward in both AI governance and proactive defense against AI-enabled attacks. Here's the starting plan that I'd recommend, and Push can provide the tooling to automate these steps:

1. Build an AI inventory automatically. Every stage transition in the SANS model starts with knowing what's in your environment. A manual survey won't cut it; employees won't self-report the tools they're not sure they're allowed to use, and may overlook apps where AI is a feature but not the core function (AI-enabled apps). Instead, organizations should deploy automated discovery for AI apps, browser extensions, and OAuth integrations across the workforce - including the ones using personal accounts. Until this inventory exists, every policy decision is based on incomplete information.

Push automatically inventories apps accessed by your employees and categorizes them.

2. Classify what you find. Not all AI usage carries the same risk. A developer pasting code into ChatGPT and a salesperson using an AI notetaker are different problems. Once you can see the tools, categorize them by data sensitivity, authorization status, and access scope. The SANS model calls out data classification as a critical prerequisite; you can't write an effective AI policy without knowing where sensitive data lives.

3. Turn on browser-layer detection. This is the step most organizations skip, and it's why addressing only the Protect pillar will keep you at Stage 1. AI-enabled phishing, ClickFix attacks, device code phishing, malicious extension updates, and OAuth exploitation all execute in the browser. Without detection in that layer, there's no visibility into the fastest-growing attack category, and no path to advancing beyond basic AI usage awareness.

Sample detection details in the Push admin console for a blocked phishing event

4. Move from blocking to graduated controls. The Framework of No fails because it's binary: allow or deny, with nothing in between. Organizations that cross the chasm adopt monitor, warn, and block modes — per app, per user group, per content pattern. Monitor first to see what's happening, warn to change behavior without disrupting workflows, and block only where the risk justifies it. This is the operational difference between Stage 2 and Stage 3.

5. Assess yourself honestly against evidence, not aspiration. The SANS AI Security Maturity Model includes a self-assessment and industry-specific weighting profiles. The value isn't in the score, but in identifying which pillar is keeping you from advancing.
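
Steps 2 and 4 can be made concrete with a small policy evaluator. This is an added example, not Push's code or part of the SANS model; the app names, user groups, account labels and content patterns are constructed assumptions. It resolves each browser event to the strictest matching mode among monitor, warn and block, using the per-app, per-user-group and per-content-pattern dimensions described above.

```python
import re
from dataclasses import dataclass
from typing import Optional

SEVERITY = {"monitor": 0, "warn": 1, "block": 2}  # the three modes from step 4

@dataclass(frozen=True)
class Rule:
    mode: str
    app: str = "*"                 # AI app name, "*" = any
    group: str = "*"               # user group, "*" = any
    account: str = "*"             # "corporate" or "personal", "*" = any
    pattern: Optional[str] = None  # regex over pasted or uploaded content

# Constructed policy; every name and pattern here is hypothetical.
POLICY = [
    Rule("monitor"),                                  # baseline: observe all AI usage
    Rule("warn", account="personal"),                 # personal (shadow) account in use
    Rule("warn", group="engineering", pattern=r"\bdef \w+\(|#include\s*<"),
    Rule("block", pattern=r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    Rule("block", app="unvetted-notetaker", group="finance"),
]

# Constructed browser events standing in for the step 1 inventory data.
EVENTS = [
    {"app": "chat-assistant", "group": "sales", "account": "corporate", "content": "draft a follow-up email"},
    {"app": "chat-assistant", "group": "sales", "account": "personal", "content": "summarise this call"},
    {"app": "chat-assistant", "group": "engineering", "account": "corporate", "content": "def rotate(key): pass"},
    {"app": "chat-assistant", "group": "engineering", "account": "corporate", "content": "-----BEGIN RSA PRIVATE KEY----- (placeholder)"},
    {"app": "unvetted-notetaker", "group": "finance", "account": "corporate", "content": "Q3 forecast notes"},
]

def matches(rule, event):
    """True when every non-wildcard field and the content pattern match."""
    for field in ("app", "group", "account"):
        if getattr(rule, field) not in ("*", event[field]):
            return False
    return rule.pattern is None or re.search(rule.pattern, event["content"]) is not None

def decide(event, policy=POLICY):
    """Return (mode, rule) for the strictest rule that matches the event."""
    hits = [r for r in policy if matches(r, event)]
    if not hits:
        return "monitor", None  # no rule matched: default to observing
    best = max(hits, key=lambda r: SEVERITY[r.mode])
    return best.mode, best

if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{decide(ev)[0]:8} {ev['app']:20} {ev['group']:12} {ev['account']}")
```

Starting every rule set from a catch-all monitor rule means new, unclassified apps still produce telemetry instead of disappearing behind a blocklist.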

The organizations that cross the AI security chasm will be the ones that recognize early that AI security isn't one problem with one solution. It's two problems that happen to share a control point. The most efficient path forward is a platform that addresses both.


Learn more about Push

Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser - high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required.

Security teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see.

Book a live demo to learn more.

About the author
Mark Orlando
Field CTO