Why did the agenda change?
Enterprise AI quickly went from demos to production scenarios: document search, support assistants, contract analysis, meeting minutes, developer tips, financial comments, ticket processing and industry copilots. But along with the benefits, questions have arisen that cannot be resolved at the level of an individual chatbot: what data can be used, who sees the answer, where the logs are stored, how the source is checked, who is responsible for the error and how the cost is controlled.
For the CIO, it is a matter of architecture, integrations, data quality, reliability and business impact. For the CISO, it is a question of access, personal data, leaks, agent actions, supply chains, model exploitation and provable control. In 2026, these tasks can no longer be split between separate committees: AI, data and information security must be designed as a single managed loop.
Five decisions to make at management level
AI governance before scaling
Define valid AI scenarios, owners, data sources, roles, logs, response validation rules, cost model, and boundaries for using external services.
Data as a product
Assign data owners, document critical reference data (master directories), build data marts and a BI layer; without them, AI and ERP produce polished answers built on bad data.
Secure development by default
Integrate threat modeling, SAST, DAST, SCA, secret scanning, container security and information security acceptance into the regular SDLC, rather than adding them before release.
Russian ERP environment without loss of logic
When migrating SAP → 1C, transfer not only data, but also business rules, integrations, reporting, control procedures, roles and historical context.
Regulation as part of architecture
Federal Law No. 152-FZ, ISPDn, CII, GIS, the digital ruble and internal policies should be included in the requirements from the start, not become a separate project after launch.
AI: from pilots to controlled platform
The main risk of enterprise AI in 2026 is not that the technology will not work. The risk is that it will work chaotically: departments will connect different services, data will go into uncontrolled environments, answers cannot be verified, and costs and responsibilities will be spread between IT, business and contractors.
The right route starts with an AI scenario registry and data classification. Then the target architecture is determined: private AI or a hybrid model, RAG over corporate sources, access separation, logging, quality control, prompt templates, a policy for working with personal and commercially sensitive data, and production launch criteria.
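The combination of RAG over corporate sources, access separation, data classification and logging is easiest to understand in code. The following is an added illustration, not code from RESTART or any of its products: a permission-aware retrieval step that filters chunks by the user's groups before ranking, routes the request to a private or external model depending on the classification of what was retrieved, and writes an audit record. The corpus, group names, classification labels and model names are constructed assumptions.

```python
"""Permission-aware retrieval for a corporate RAG assistant (illustrative).

Constructed example: the corpus, groups, classification labels and model
names are assumptions made for illustration, not any product's real API.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import re


@dataclass(frozen=True)
class Chunk:
    doc_id: str
    text: str
    allowed_groups: frozenset   # groups allowed to read the source document
    classification: str         # "public" | "internal" | "confidential" | "personal"


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    user: str
    query: str
    doc_ids: tuple
    model: str
    hidden_hits: int            # relevant chunks the user was NOT allowed to see


# Classes that may leave the perimeter to an external model (assumption)
EXTERNAL_OK = frozenset({"public", "internal"})

# Constructed corpus: sample data, not real documents
CORPUS = [
    Chunk("hr-policy-01", "Vacation policy: employees accrue leave monthly",
          frozenset({"all"}), "internal"),
    Chunk("contract-7781", "Supplier contract payment terms: net 30 days, penalty 0.1 percent per day",
          frozenset({"finance", "legal"}), "confidential"),
    Chunk("ticket-4410", "Customer ticket: password reset for user ivan.petrov, phone number on file",
          frozenset({"support"}), "personal"),
    Chunk("faq-public", "Public FAQ: our support desk works on business days from 9 to 18",
          frozenset({"all"}), "public"),
]


def tokens(text):
    return set(re.findall(r"\w+", text.lower()))


def relevance(query, chunk):
    """Toy lexical score: share of query terms present in the chunk."""
    q = tokens(query)
    return len(q & tokens(chunk.text)) / len(q) if q else 0.0


def retrieve(query, user_groups, corpus=CORPUS, k=3):
    """Return (visible top-k chunks, number of relevant-but-hidden chunks).

    The ACL filter runs BEFORE ranking, so a caller cannot infer the existence
    of a forbidden document from what is returned or from the scores.
    """
    groups = set(user_groups) | {"all"}
    relevant = [(relevance(query, c), c) for c in corpus]
    relevant = [(s, c) for s, c in relevant if s > 0]
    visible = [(s, c) for s, c in relevant if c.allowed_groups & groups]
    hidden = len(relevant) - len(visible)
    visible.sort(key=lambda sc: sc[0], reverse=True)
    return [c for _, c in visible[:k]], hidden


def choose_model(chunks):
    """Hybrid routing: anything beyond public/internal stays on the private model."""
    if any(c.classification not in EXTERNAL_OK for c in chunks):
        return "private-llm"
    return "external-llm"


def build_request(user, user_groups, query, audit_log, corpus=CORPUS):
    """Assemble the model request and append one audit record for the call."""
    chunks, hidden = retrieve(query, user_groups, corpus)
    model = choose_model(chunks)
    audit_log.append(AuditEvent(
        ts=datetime.now(timezone.utc).isoformat(),
        user=user, query=query,
        doc_ids=tuple(c.doc_id for c in chunks),
        model=model, hidden_hits=hidden,
    ))
    context = "\n".join(f"[{c.doc_id}] {c.text}" for c in chunks)
    return {"model": model, "doc_ids": [c.doc_id for c in chunks], "context": context}


if __name__ == "__main__":
    log = []
    print(build_request("anna", {"finance"}, "supplier contract payment terms", log))
    print(build_request("boris", {"support"}, "supplier contract payment terms", log))
    for event in log:
        print(event)
```

The `hidden_hits` counter in the audit record is the detail a CISO wants: a user whose queries repeatedly match documents they cannot see is a signal worth reviewing, and the record of which documents reached which model is what makes the "private or hybrid" decision provable rather than declared.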
What should the CIO see?
Architecture, cost of ownership, integration, SLA, source map, infrastructure requirements and scaling plan.
What should the CISO monitor?
Access rights, logs, storage environments, personal data protection, security of LLM applications, agent actions and an audit of shadow AI.
What is important for business
Clear effect: reduction of manual work, faster response, quality of document processing, reduction of errors and measurable KPIs for the pilot.
How RESTART helps
We design RESTART AI Enterprise Platform, Ragify, AI Service Desk, Document AI, Meeting Hub, VoiceHelp and AI infrastructure as managed enterprise solutions.
Information security: move from prohibitions to engineering environment
In a mature company, information security should not be the last signature before release. It should be built into the development, procurement, maintenance, integration and operation cycle. This is especially important for AI scenarios, personal accounts, APIs, ERP, mobile applications, service desk, BI and industrial data.
The practical minimum for 2026: a unified vulnerability management process, inventory of external and internal assets, privileged access control, secure SDLC, open source and container auditing, event logging, incident preparation and regular update of the threat model for critical systems.
Design
Threat model, information security requirements, data classification, roles, HLD/LLD and acceptance criteria before development begins.
Development
SAST, SCA, secret scanning, control of dependencies, containers, infrastructure code and secure coding rules.
Verification
DAST, pentest, rights checks, abuse scenarios, logging, backup and failure response.
Operation
SIEM/SOAR/SGRC, VM, PAM/IDM, monitoring, response, change auditing and regular improvement of protective measures.
Data, ERP and reporting: linking impact to management
AI and information security become convincing for business only when they are linked to management processes: ERP, 1C, SAP, DWH, BI, reporting, contracts, procurement, service requests, finance and operational metrics. Therefore, any digital transformation must answer a simple question: what decisions can a manager make faster and based on what data?
For the CIO, this means working with data architecture, integrations, master data, directory quality, data marts and reporting. For the CISO, it means control of access to this data, protection of personal data, auditing of changes, role separation and verifiability of how data is used in AI scenarios.
| Environment | What to check | What result is needed |
|---|---|---|
| ERP / 1C / SAP | Critical processes, integrations, historical data, roles, reports, manual operations and risk areas during migration. | Roadmap for development or transition without loss of business logic and reporting. |
| Data / BI / DWH | Quality of sources, data owners, data marts, cubes, regulatory reporting, Qlik, SAP BI, PIX BI, DataLens, 1C and open source BI. | A single layer of management analytics on top of which an AI copilot can be built. |
| AI | Knowledge sources, access rights, logging, response quality, query costs and production use cases. | A platform that can scale across departments without shadow AI. |
| IS | Federal Law No. 152-FZ, CII, ISPDn, AppSec, access, logging, vulnerabilities, incidents and readiness for audits. | Provable controls built into processes rather than a separate set of documents. |
What to do in the next planning cycle
It is convenient to start the CIO and CISO agenda not with a large strategic document, but with a short diagnostic of the key areas. The result should be a map of decisions: what can be launched quickly, what requires architectural preparation, where there is regulatory risk and which initiatives need to be combined into one program.
Take an AI inventory
Find official and shadow AI scenarios; identify owners, data, services, storage environments and risks.
Check data for AI and BI
Assess sources, reference data, data quality, access rights, data marts, reporting and readiness for RAG and an AI copilot.
Assess the security of the development
Check SDLC, CI/CD, dependencies, secrets, containers, pipeline, release rules and vulnerability control.
Collect the regulator map
Map the systems against Federal Law No. 152-FZ, ISPDn, CII, GIS, internal policies and the requirements for logs and documents.
How RESTART closes this agenda
RESTART is useful where the problem cannot be solved by technology alone. We connect AI, information security, ERP, 1C, SAP, Data/BI/DWH, DevOps/DevSecOps, custom development, AI infrastructure and dedicated teams into one managed route. This approach reduces the risk of disconnects between strategy, architecture, implementation, and operations.
Landmarks to look at
The management agenda should rely not on hype but on verifiable frameworks and research. The NIST AI RMF helps structure AI risks and is developing a profile for critical infrastructure in 2026. OWASP captures the practical risks of LLM applications and web development. IBM Cost of a Data Breach 2025 shows that the lack of AI governance and access controls is already becoming a factor in incidents. Verizon DBIR 2026 remains one of the leading benchmarks for real-world breach scenarios.
NIST AI RMF
AI risk management framework, generative AI profile and development of an approach for critical infrastructure.
OWASP Top 10 for LLM Applications
Risk map of LLM applications: prompt injection, data leaks, supply chain, excessive powers and unsafe actions of agents.
OWASP Top 10:2025
Current guidance on the risks of web applications: access control, misconfiguration, supply chain, cryptography, injection and insecure design.
IBM Cost of a Data Breach 2025
Research into the cost of leaks, AI oversight gap, shadow AI and the role of security automation in reducing the consequences of incidents.
Verizon DBIR 2026
An annual benchmark on real-world incidents, human factors, vulnerabilities, records and company resilience to breaches.
PMI Pulse of the Profession
A reference point for project management, value delivery, maturity of project offices and change implementation.
Let's discuss your environment
Describe the task, current systems, constraints, and expected results. We will offer a practical first step: diagnostics, pilot, audit, roadmap or project team.
