\n<\/p>\n
Firas Azmeh, President of Mobile Endpoint Security at <\/em>Lookout<\/em><\/a>.<\/em><\/p>\n Beyond technical discovery, organizations must operationalize a “compliance-by-design” framework that aligns with the EU AI Act and NIST AI Risk Management Framework.<\/p>\n In the past year, the cybersecurity industry has reached a consensus that AI visibility is no longer optional\u2014it is the bedrock of modern enterprise risk management. We have seen significant industry momentum and product innovation focused on “AI Detection and Response” (AIDR). Recent announcements from major security players focus on Windows, macOS and cloud-native endpoints and have been instrumental in validating this urgency. It is a major step forward for the industry to align on the need to govern employees’ interactions with AI on their endpoints.<\/p>\n As we work to secure the endpoint, we also need to rethink what an \u201cendpoint\u201d actually is. It\u2019s no longer just the desktop\u2014mobile devices have become a primary attack surface, particularly in the era of AI-driven threats.<\/p>\n The modern workforce is mobile-first. In the United States alone, a February 2026 Gallup poll<\/a> indicates that 78% of remote-capable employees work in hybrid or fully remote arrangements, using mobile devices as their primary interface for communication, access and execution. Yet, current AI governance strategies largely treat mobile devices as a secondary concern.<\/p>\n This creates a structural governance gap. Traditional discovery approaches rely on network gateways, secure web gateways (SWGs) and proxy-based inspection to analyze traffic and detect AI activity. These tools work well for corporate networks. But mobile AI traffic is fundamentally different; it often bypasses these network-based controls entirely, flowing directly from apps to cloud models over encrypted channels that never traverse the corporate perimeter.<\/p>\n With 83% of worldwide AI<\/a> usage occurring through mobile apps, no AI governance program can be considered truly comprehensive if visibility does not extend beyond traditional network boundaries, where mobile devices operate.<\/p>\n<\/section>\n Mobile visibility is no longer just about GenAI chatbots; it\u2019s about the rise of agentic AI. The enterprise is moving from passive, prompt-based tools to autonomous agents that can plan, decide and execute multistep workflows with minimal human involvement. These systems don\u2019t just respond to prompts; they take action, initiate processes, interact with other applications and persist over time to achieve defined objectives.<\/p>\n As agentic capabilities become embedded across mobile apps and services, they extend beyond simple productivity gains into operational execution. This evolution introduces a new class of \u201cnonhuman\u201d actors operating continuously at the edge, making decisions, triggering workflows and accessing enterprise systems in ways that traditional governance models were never designed to observe or control.<\/p>\n Without continuous visibility into the mobile layer, a security gap on a smartphone can allow an agent to exfiltrate data, invoke privileged APIs and manipulate business processes at machine speed, beyond the detection of legacy, desktop-centric security models.<\/p>\n<\/section>\n The push for greater AI visibility is directionally correct, but it must be comprehensive. Effective governance depends on traceability, risk assessment and control enforcement. Across frameworks such as the EU AI Act<\/u><\/a>, ISO\/IEC 42001<\/u><\/a> and the NIST AI Risk Management Framework<\/u><\/a>, the expectation is clear: Organizations must provide auditable oversight throughout the enterprise.<\/p>\n If an organization governs AI risk on the desktop but leaves mobile unmonitored, it creates a systemic compliance gap, exposing the business to regulatory risk and potential penalties. An enterprise can appear fully compliant on paper while remaining exposed on the devices employees use every day.<\/p>\n The industry is moving in the right direction. By recognizing the need for AI visibility, major players are raising the bar for enterprise security. Now the priority is to complete that standard. To govern in the age of AI, controls must align with where work actually happens, not where it once did. That means bringing mobile AI activity into full view.<\/p>\n To achieve comprehensive AI visibility, leaders must transition from a desktop-centric security model to a mobile-native governance strategy. The first step is conducting an exhaustive AI inventory that identifies both sanctioned and shadow AI applications on mobile and BYOD units, ensuring that unobserved traffic through encrypted channels is brought into full view. This visibility should be augmented with mobile-native AI detection and response (AIDR) to monitor the rise of autonomous agentic AI, providing the oversight necessary to detect when nonhuman actors attempt to exfiltrate data or trigger unauthorized workflows at the edge.<\/p>\n Beyond technical discovery, organizations must operationalize a “compliance-by-design” framework that aligns with the EU AI Act and NIST AI Risk Management Framework. This involves establishing automated guardrails that screen mobile AI prompts for policy violations and appointing a cross-functional “AI Champion” to oversee accountability across legal, security and technology departments. By implementing real-time inventory and auditable oversight, leaders can ensure that their AI governance programs remain comprehensive and compliant, regardless of where work is actually being executed.\u200b\u200b<\/p>\n Forbes Technology Council<\/u><\/a> is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?<\/u><\/em><\/a><\/p>\nThe Mobile Blind Spot<\/h2>\n
The Agentic Evolution<\/h2>\n
A Complete Picture For The C-Suite<\/h2>\n
\n
<\/section>\n<\/div>\n