If someone asked you to prove, with evidence, that the AI in your product is secure, could you do it? Most teams can’t, and until recently there was no shared standard for what that proof even looks like. Chris Cochran, Field CISO and VP of AI Security at the SANS Institute, built one.
After nine months of conversations with three to four hundred security leaders around the world, all asking the same questions, he authored the SANS AI Security Maturity Model, a framework already being used to map compliance requirements under the EU AI Act.
Chris breaks down the model’s three pillars: protect, utilize, and govern, and explains why the most uncomfortable questions in the framework are the foundational ones. He also reveals the highest maturity stage of the model any company has claimed, why a small business can outrank an enterprise, and what developers shipping AI into regulated environments can’t afford to ignore.
As Chris puts it, the genie is out of the bottle. AI does not care if you believe in it or not.
Topics Covered
00:00 - Introducing Chris Cochran
02:20 - Why we need another framework
04:00 - The three pillars: protect, utilize, and govern
05:05 - Half of security leaders are AI skeptics, and why this mindset is unproductive
06:50 - The most uncomfortable question in the SANS AI Security Maturity Model
08:40 - Data classification as the prerequisite for any AI policy
10:30 - The highest maturity stage of the framework that someone has claimed
12:30 - Two ways to read the framework: front to back or scoring rubric first
13:25 - AI assisted adversaries will target everyone soon, what that means for small businesses
16:30 - Why SANS uses industry specific weighting
18:25 - What developers need to know about shipping the same AI tools in different industries
20:40 - Why developers should care about the AI Security Maturity Model
About Chris Cochran
Chris Cochran is the Field CISO and Vice President of AI Security at the SANS Institute, where he stands at the intersection of frontier AI innovation and real-world cybersecurity defense.
A Marine Corps veteran and former leader at organizations like Netflix, Mandiant, the U.S. House of Representatives, Axonius, and NSA, Chris has spent his career translating complexity into clarity, whether guiding organizations through emerging AI threat landscapes, pioneering defensive AI workflows, or shaping the next generation of AI-security practitioners. His work blends deep operational cyber experience with cutting-edge research in AI governance, model risk, multi-agent systems, and adversarial AI, positioning him as one of the few leaders equally fluent in shaping AI strategy and securing it.
Known for his storytelling, community leadership, and ability to distill fast-moving technical shifts into actionable insight, Chris is helping build the future where AI systems are both powerful and safe.
Connect with our guest Chris Cochran: LinkedIn
Download the SANS AI Security Maturity Model: https://www.sans.org/mlp/2026-ai-security-maturity-model-ebook







