AI-enabled adversaries accelerate reconnaissance, exploitation, and evasion, exposing limitations of audit-periodic cybersecurity governance. This exploratory study compares four governance archetypes-compliance-driven, framework-centric, risk-based, and exposure-driven-using a mixed-methods design: a survey of 121 security practitioners, semi-structured interviews with senior security leaders, and a bounded, anonymized illustrative operational vignette for one SaaS product under aligned deployment conditions, triangulated with secondary sources. Operational outcomes were analyzed using variance-robust group comparisons (Welch ANOVA with Games–Howell post-hoc) and effect sizes/95% confidence intervals. Organizations classified as exposure-driven reported lower breach frequency and shorter response latencies within this sample. These comparative patterns are sample-bounded and may reflect enabling capability maturity, including telemetry completeness, tool integration, staffing depth, and process discipline as much as governance decision structure; they are based primarily on self-reported operational indicators and should not be interpreted as causal proof.
Dharmalingam et al. (Mon,) studied this question.