Security isn't the blocker. Vague answers are.
Most "the CISO is blocking AI" stories are really "the AI vendor couldn't answer the CISO clearly." Good security teams aren't ideologically opposed to AI — they're trained to find unbounded blast radii. When the answers to their questions are bounded, specific, and auditable, the conversation usually ends with a yes.
What follows are the five questions we hear in every security review, and the shape of the answer that actually moves the conversation forward.
Each question has a bounded answer. If your vendor can't bound them, that's your real finding.
"What data does it read?"
Wrong answer: "The CRM" or "Our docs." Those aren't scopes — they're system names.
Right answer: a named list of tables, views, channels, or folders. For a customer-health co-worker, that might be: salesforce.Account, salesforce.Opportunity (status = open), zendesk.Ticket (last 90 days), warehouse.product_usage_daily. Five rows on a security review form, not a hand-wave.
The corollary is: nothing else. The co-worker doesn't read your finance system to answer a customer-health question. Least-privilege as a default, not an aspiration.
"Where does it run? Where does the data go?"
This is where most demos fall apart. If the answer is "we hit a vendor API and the request payload includes your customer data," your CISO is going to ask how that vendor handles it — and reasonably so.
The Riyalabs default: the co-worker runs in your environment. Your VPC, your cloud account, your existing data perimeter. Calls to a model provider go out under your egress policy with the prompts visible to you, not embedded in vendor infrastructure you can't audit.
If a vendor can't tell you exactly which network the data crosses, push harder.
"What can it do without a human in the loop?"
The shortest answer: nothing externally facing.
A co-worker can read freely (within the scope named in the first question). It can draft into a queue. It can route work between people. But anything that leaves your environment — a customer email, a CRM update, a Slack message to a non-Riyalabs human — passes through an approval gate that names a specific human role.
"Why not just trust the model?" Because the model isn't the system. The model is one part. The other parts — the approval queue, the audit log, the role mapping — are the engineering that makes the model safe in your environment.
"Your CISO doesn't want a slide on AI safety. They want a list of named datasets, a network diagram, and an audit log they can query."
"Who decided what, and can I see it?"
Every draft the co-worker produces is logged with: the question (or the trigger event), the source rows it pulled, the prompt that generated the draft, the human who approved, the timestamp, the result.
The log is queryable. It exports. It survives the engagement — if you bring the work in-house in month six, the log comes with it. There's no "audit-on-request" lock-in.
The CISO test: can you, on a random Tuesday, answer "show me every approved draft against this customer's data in the last 30 days, with who approved each one"? If yes — you're done.
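The CISO test above, written as a query. This is an added example, not Riyalabs code: the draft_audit table, its column names, the approver labels and the sample rows are all assumptions constructed for illustration, using SQLite so it runs offline.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Hypothetical schema: one row per draft, holding the fields listed above.
SCHEMA = """
CREATE TABLE draft_audit (
    draft_id    INTEGER PRIMARY KEY,
    customer_id TEXT NOT NULL,
    question    TEXT NOT NULL,   -- the question or trigger event
    source_rows TEXT NOT NULL,   -- JSON list of the rows pulled
    prompt      TEXT NOT NULL,
    approver    TEXT,            -- NULL only while the draft is pending
    decided_at  TEXT,            -- ISO-8601 UTC timestamp of the decision
    result      TEXT NOT NULL CHECK (result IN ('pending','approved','rejected')),
    -- a decided draft must name the human and the time
    CHECK (result = 'pending' OR (approver IS NOT NULL AND decided_at IS NOT NULL))
);
"""
INSERT = ("INSERT INTO draft_audit (customer_id, question, source_rows, prompt,"
          " approver, decided_at, result) VALUES (?,?,?,?,?,?,?)")
SAMPLE_NOW = datetime(2024, 5, 14, 12, 0, tzinfo=timezone.utc)  # constructed "Tuesday"

def build_sample(now=SAMPLE_NOW):
    """In-memory log filled with constructed rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    ago = lambda days: (now - timedelta(days=days)).isoformat()
    conn.executemany(INSERT, [
        ("acme", "renewal risk?", '["salesforce.Account:001"]', "p1", "cs_lead:dana", ago(3), "approved"),
        ("acme", "ticket spike", '["zendesk.Ticket:77"]', "p2", "cs_lead:lee", ago(12), "approved"),
        ("acme", "usage drop", '["warehouse.product_usage_daily:9"]', "p3", "cs_lead:dana", ago(45), "approved"),
        ("acme", "upsell?", '["salesforce.Opportunity:5"]', "p4", "cs_lead:lee", ago(2), "rejected"),
        ("globex", "renewal risk?", '["salesforce.Account:002"]', "p5", "cs_lead:dana", ago(1), "approved"),
        ("acme", "health summary", '["salesforce.Account:001"]', "p6", None, None, "pending"),
    ])
    return conn

def approved_drafts(conn, customer_id, now=SAMPLE_NOW, days=30):
    """Every approved draft for one customer in the window, with its approver."""
    cutoff = (now - timedelta(days=days)).isoformat()
    return conn.execute(
        "SELECT draft_id, approver, decided_at, source_rows FROM draft_audit"
        " WHERE customer_id = ? AND result = 'approved' AND decided_at >= ?"
        " ORDER BY decided_at", (customer_id, cutoff)).fetchall()

if __name__ == "__main__":
    for row in approved_drafts(build_sample(), "acme"):
        print(row)
```

The table-level CHECK means an approval with no named approver cannot be written at all, so the query never has to explain an unattributed row.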
"How do we shut it off?"
The rollback test is one of the most underrated security questions. A co-worker that's hard to turn off becomes a political problem the day someone wants to.
The Riyalabs default: a single feature flag in your environment. Flip it, and the read connectors disconnect, the approval queue stops accepting drafts, the co-worker is offline. Source data is untouched (it's read-only). Audit log is preserved.
A CISO who watches you flip the switch in a meeting will trust the rest of the architecture more than any slide deck.
Walk in with answers, not a demo.
- Bring the one-page scope memo from discovery. Named datasets, named workflow, named approver role.
- Bring the network diagram. Sketch it if you have to.
- Show the audit log on a real (or sample) draft. Click the source citation.
- Flip the kill switch live. Show that the co-worker stops.
- Don't open the demo until the above is acknowledged.
Most security teams will green-light the pilot at this point. The remaining concerns are usually about scope expansion rather than the first workflow — and those are fair to raise.
Bring the answers. Win the meeting.
We do these reviews regularly. If you'd like a CISO-ready scope memo for a candidate workflow before your security team's calendar opens, that's what the assessment call is for.