Firas Azmeh, President of Mobile Endpoint Security at Lookout.
Beyond technical discovery, organizations must operationalize a “compliance-by-design” framework that aligns with the EU AI Act and NIST AI Risk Management Framework.
In the past year, the cybersecurity industry has reached a consensus that AI visibility is no longer optional—it is the bedrock of modern enterprise risk management. We have seen significant industry momentum and product innovation focused on “AI Detection and Response” (AIDR). Recent announcements from major security players focus on Windows, macOS and cloud-native endpoints and have been instrumental in validating this urgency. It is a major step forward for the industry to align on the need to govern employees’ interactions with AI on their endpoints.
As we work to secure the endpoint, we also need to rethink what an “endpoint” actually is. It’s no longer just the desktop—mobile devices have become a primary attack surface, particularly in the era of AI-driven threats.
The Mobile Blind Spot
The modern workforce is mobile-first. In the United States alone, a February 2026 Gallup poll indicates that 78% of remote-capable employees work in hybrid or fully remote arrangements, using mobile devices as their primary interface for communication, access and execution. Yet, current AI governance strategies largely treat mobile devices as a secondary concern.
This creates a structural governance gap. Traditional discovery approaches rely on network gateways, secure web gateways (SWGs) and proxy-based inspection to analyze traffic and detect AI activity. These tools work well for corporate networks. But mobile AI traffic is fundamentally different; it often bypasses these network-based controls entirely, flowing directly from apps to cloud models over encrypted channels that never traverse the corporate perimeter.
With 83% of worldwide AI usage occurring through mobile apps, no AI governance program can be considered truly comprehensive if visibility does not extend beyond traditional network boundaries, where mobile devices operate.
The Agentic Evolution
Mobile visibility is no longer just about GenAI chatbots; it’s about the rise of agentic AI. The enterprise is moving from passive, prompt-based tools to autonomous agents that can plan, decide and execute multistep workflows with minimal human involvement. These systems don’t just respond to prompts; they take action, initiate processes, interact with other applications and persist over time to achieve defined objectives.
As agentic capabilities become embedded across mobile apps and services, they extend beyond simple productivity gains into operational execution. This evolution introduces a new class of “nonhuman” actors operating continuously at the edge, making decisions, triggering workflows and accessing enterprise systems in ways that traditional governance models were never designed to observe or control.
Without continuous visibility into the mobile layer, a security gap on a smartphone can allow an agent to exfiltrate data, invoke privileged APIs and manipulate business processes at machine speed, beyond the detection of legacy, desktop-centric security models.
A Complete Picture For The C-Suite
The push for greater AI visibility is directionally correct, but it must be comprehensive. Effective governance depends on traceability, risk assessment and control enforcement. Across frameworks such as the EU AI Act, ISO/IEC 42001 and the NIST AI Risk Management Framework, the expectation is clear: Organizations must provide auditable oversight throughout the enterprise.
If an organization governs AI risk on the desktop but leaves mobile unmonitored, it creates a systemic compliance gap, exposing the business to regulatory risk and potential penalties. An enterprise can appear fully compliant on paper while remaining exposed on the devices employees use every day.
The industry is moving in the right direction. By recognizing the need for AI visibility, major players are raising the bar for enterprise security. Now the priority is to complete that standard. To govern in the age of AI, controls must align with where work actually happens, not where it once did. That means bringing mobile AI activity into full view.
To achieve comprehensive AI visibility, leaders must transition from a desktop-centric security model to a mobile-native governance strategy. The first step is conducting an exhaustive AI inventory that identifies both sanctioned and shadow AI applications on mobile and BYOD units, ensuring that unobserved traffic through encrypted channels is brought into full view. This visibility should be augmented with mobile-native AI detection and response (AIDR) to monitor the rise of autonomous agentic AI, providing the oversight necessary to detect when nonhuman actors attempt to exfiltrate data or trigger unauthorized workflows at the edge.
Beyond technical discovery, organizations must operationalize a “compliance-by-design” framework that aligns with the EU AI Act and NIST AI Risk Management Framework. This involves establishing automated guardrails that screen mobile AI prompts for policy violations and appointing a cross-functional “AI Champion” to oversee accountability across legal, security and technology departments. By implementing real-time inventory and auditable oversight, leaders can ensure that their AI governance programs remain comprehensive and compliant, regardless of where work is actually being executed.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
