With 15+ years in the field, Matt Hillary serves as SVP, Security and CISO at Drata—leading global security, IT, GRC & privacy initiatives.
If you’ve ever ridden the London Underground, you know the warning “Mind the gap.” It’s painted on the platform edge, announced at every station and repeated until it fades into background noise. The gap between the train and the platform is small, predictable and entirely manageable, and not even noticeable to frequent passengers who know it’s there.
Every week, I talk with security and GRC leaders who are wrestling with the same question: Can we trust all of these AI capabilities we’re using today? It’s a critical question to be asking. We are boarding all of the shiny new AI trains that are helping us travel faster than ever, all while still trying to assess that gap between us and the train, making sure we neither trip over nor fall through.
The AI trust gap starts with evaluating each AI capability: how reliable it is, how much we can trust the outputs, where the hallucinations might occur. But the question that matters most—and the one most companies haven’t built the muscle to answer well—is whether they have a systematic way to evaluate, deploy and monitor AI capabilities over time in a way that builds and maintains trust.
Like the gap on the platform, the AI trust gap is small and predictable when you know it’s there. It only becomes dangerous when you either don’t know it’s there, or you haven’t built the muscle memory to step over it without missing a beat.
The Real [AI Trust] Gap
Most companies lack confidence in AI because they’re still crafting a defensible strategy to adopt and prove its reliability. Many don’t have a repeatable way to know—continuously, not just at the moment of approval—whether a given AI capability or agent is operating within the original boundaries and expectations they set for it. AI behaves differently over time as models improve, skills are updated and prompts change. That’s the gap widening when no one’s looking.
Closing that gap is the work, and while I won’t pretend the industry has it figured out yet, the path is becoming clearer. At its core, AI is a technology that shares many of the same risks that already exist elsewhere. AI is non-deterministic; it is not idempotent like an API response. The same prompt won’t reliably produce the same output, and running the same operation twice won’t reliably produce the same downstream state. Most governance frameworks were designed around systems where you can test once and reasonably extrapolate. AI breaks that assumption at the inference and workflow layer, even when the underlying model was produced deterministically. It evolves continuously, the chain of accountability is harder to draw, and the assurance burden shifts from “verify once” to “verify constantly.” Treating AI risk as just another flavor of vendor risk or application risk underestimates it.
But the path to closing the gap borrows heavily from things we already know how to do well. The novelty is in the infinite ways we can use AI today. The discipline that closes the AI trust gap relies on familiar processes we’ve used all along.
Speed Without Structure Widens The Gap
Organizations are moving fast with AI, and that’s not the problem. Speed is fine. Speed without repeatable structure and continuous trust is the real challenge.
AI risks aren’t boldly announcing themselves like the warnings we hear on the London Underground. We’re learning (and mitigating where possible) these risks as fast as AI capabilities iterate. By the time anyone notices, our agents, systems and capabilities have been making decisions for weeks or months under conditions we may not have realized. The gap was always there. We need to mind it!
What erodes trust is the moment a leader realizes they can’t explain, in real terms, how the AI their business depends on is being managed. That space between how fast AI evolves and how organizations are set up to govern it is where most of the discomfort I hear about actually lives. As security and GRC professionals, we want to move as fast as our organizations do, and the adoption of AI continues to move faster than a bullet train.
The irony is that the lack of structure doesn’t speed anything up. Over time it does the opposite. Review cycles get longer because we’re learning and pivoting to understand things we’ve not had to understand as deeply before.
A Compounding Advantage
The organizations I see making the most progress aren’t the ones with the most polished AI policies (though they have them!). They’re the ones building the operational muscle to close the gap continuously: monitoring built into the systems themselves, clear ownership attached to every AI-enabled workflow and change management for AI handled with the same seriousness as a change to a production database.
When that’s in place, the payoff is faster deployment, shorter review cycles, more confident decisions and a different kind of conversation with customers, partners and regulators. Trust stops being something a person has to manufacture in the moment and starts being something the organization can demonstrate, on demand, with evidence behind it.
Ultimately, trust is becoming the constraint that separates the winners in an AI-driven world from the rest.
What The Winners Will Have In Common
The companies that will prove most successful in the next decade of AI won’t be the ones with the most models in production or the highest fidelity policy documents. They’ll be the ones who built a systematic way to evaluate, deploy, monitor and earn trust in every AI capability the business depends on. That’s not an AI strategy. It’s an operating-discipline strategy, and it’s what turns AI from a source of quiet risk into a source of compounding advantage.
That’s how trust gets built: as something businesses can actually prove, every day, to themselves and to everyone watching. Ultimately, we’re left “minding the gap,” as they say, because once you know it’s there, it stops being a source of danger. It starts being something you can expect and trust without it tripping you up.



![Mind The [AI Trust] Gap Mind The [AI Trust] Gap](https://imageio.forbes.com/specials-images/imageserve/6a32e5a88c23cb662b0461be/0x0.jpg?format=jpg&height=900&width=1600&fit=bounds)



