Security Models Are Being Rewritten

Historically, security models focused on systems, network perimeters, and access control. These models were built on assumptions about how data behaves that are no longer true in today's complex environments. Traditional security systems were designed for a time when data remained within a single environment, workflows were more predictable, and human users were the primary actors working with data.

But AI-powered systems are significantly changing how data is created, accessed, and moved, requiring a swift evolution in system security. Content is now generated, transformed, and shared across various tools. Data flows through complex, multi-step workflows that span SaaS applications, cloud services, and internal systems. Consequently, traditional security measures are no longer adequate for protecting this data.

As TechTarget recently noted, AI is expanding the CISO mandate from protecting infrastructure to sustaining digital trust across the organization. As a result, traditional security models no longer reflect how risk actually forms within systems and complex data. Security strategy has shifted towards a new organizing principle based on trust.

Why Traditional Models No Longer Hold

Modern environments are now very complex and dynamic, and are being transformed by several key factors, including:

  • SaaS sprawl. Enterprises routinely run hundreds of cloud applications, and many are not actively managed (including those that are part of shadow IT). One study reports an average SaaS portfolio of nearly 350 apps.
  • Cross-platform workflows. For instance, a single business process may start in a CRM, move into a ticketing tool, pass through collaboration chat, and end in a document repository. In any of these steps, data can be copied or reshared, and can also be breached or misused. It is also moving across users and teams, both human and machine actors. Data often moves across workflows and systems without any human intervention.
  • AI-generated and transformed content. AI systems now routinely decompose content, retrieve fragments, recombine information, and generate entirely new outputs. But context becomes critical in these new systems. The same piece of data may be harmless in one interaction but be violating a policy in another, depending on who is interacting with it.

These changes in data and systems mean that risk is no longer aligned to a specific location, system, or a single point-in-time decision about who is accessing data.

Deloitte, in a recent report, stated that “AI security risks manifest across four domains: data, AI models, applications, and infrastructure…security practices can be adapted to address these AI-specific risks.” AI systems also have very different behavior and scope than past computing infrastructure.

Meanwhile, security teams are being asked to do several things simultaneously: enable AI adoption, maintain governance, and demonstrate control to leadership. Those pressures expose the limits of perimeter- and access-based models as data moves through a variety of systems and tools.

What Trust-Centric Security Means

With trust-centric security, the center of security has shifted from systems and access control to how data is used and to whom or what it relates. It also focuses on whether the use of the data aligns with specific business context.

Digital trust has shifted and now depends on both a secure infrastructure and the reliability and resilience of the various AI systems in the organization. Trust-centric security means that the system evaluates trust continuously as data moves through workflows.

This security approach considers content sensitivity, the relationships between entities interacting with the content (such as customers, employees, and partners), and the context of its use across different systems and interactions.

With this type of approach to security, trust becomes measurable, enforceable, and aligned to how data behaves in real-world scenarios.

How Trust-Centric Security Changes Security Strategy

With trust-centric security, the security strategy shifts based on the way risk has changed.

First, security shifts from controlling access to governing data movement. This movement includes data copying, sharing, transformation, and AI-assisted reuse of data and content.

Enforcement shifts from static rules to context-aware decisions that consider the data, the actor, the destination, and the purpose. Finally, risk evaluation shifts from isolated events to continuous assessment across end-to-end workflows.

These updates allow organizations to adopt AI more safely and at scale by providing more precise controls and reducing friction in operations.

Trust Boundaries Become the Operating Model

With this type of trust-centric security approach, trust boundaries become the operating model because they define where data can move, how it can be used, and in what conditions it remains trusted as it crosses tools, teams, and automation.

In modern systems, trust boundaries are both dynamic and context-dependent, meaning that the same data may be appropriate in one workflow or tool and risky in another. Trust boundaries are also shaped by data flows across systems and channels, especially where copying, transformation, and AI augmentation occur.

Security teams are increasingly relying on trust boundaries as they allow them to evaluate risk in real time. Plus, they can also apply consistent controls across collaboration tools and demonstrate that data use aligns with both business and regulatory expectations.

Trust-centric security formalizes this approach so that governance is consistent, enforceable, and scalable, even across AI-driven workflows.

What This Means for Security Leaders: Executive Takeaway

CISOs must now rethink how security effectiveness is measured when data is moving through AI-driven and AI-powered systems. Security successes are no longer defined by how much access is blocked or how many alerts are generated.

Three key factors determine the success of a modern security system: the precision with which risk is identified, the consistency with which trust is maintained, and the certainty with which governance can be proven.

By adopting security models centered on trust, organizations will also accelerate AI adoption, decrease operational inefficiencies, and boost stakeholder confidence in new AI systems and the CISO's overall security strategy.

TL;DR: Security Strategy Is Becoming Trust-Centric

Traditional security models no longer align with how data moves. AI has both expanded and reshaped trust boundaries. But trust-centric security focuses on data, context, and relationships rather than systems and access control. With this new security approach, trust boundaries become the foundation for enforcement and governance.

The shift is already underway, but the key question for CISOs is how quickly their organizations can adapt.

If you want to understand how your current security model aligns with modern trust boundaries, start by evaluating how data actually moves across your environment.

Bonfy’s Data Security Risk Assessment reveals where trust boundaries exist, where they break, and how to strengthen them.

Take the Data Security Risk Assessment to evaluate your readiness for a trust-centric security model.