MAY 18, 2026

Every Technology Wave Creates a Security Wave... And AI is the Biggest Yet

AI is replaying a familiar security story with fast adoption, rising risk, and a race to build the cross-platform AI governance layer enterprises need at scale.

There's a conversation happening inside enterprises right now that should sound familiar to anyone who lived through the early days of cloud.

A CEO walks into a CISO's office and says some version of “We are going all-in on AI, and I need you to clear the path.” The CISO, who has spent the past decade building the muscle to ask hard questions about new technology, is being asked—politely, sometimes less politely—to set those questions aside. Approve the vendors. Sign the contracts. Get out of the way.

I have heard this story from CISOs at Fortune 500 healthcare companies, public software companies, large financial services firms, and pre-IPO scaleups. The setting changes. The dynamic does not. And if you have been in security long enough, you already know how this ends because you’ve seen the movie before. Maybe a couple times, in fact.

The Three-Act Pattern with Technology Adoption

Every major technology wave in enterprise computing has followed the same three-act structure.

Act One: Adoption Explodes

A new technology arrives that promises to change how businesses operate. The boldest companies adopt first, get a head start, and force everyone else to catch up. Security is told to enable, not gate.

Act Two: The Bill Arrives

Incidents happen. Regulations follow. Customers start asking questions in procurement. The technology that was supposed to be a competitive advantage becomes a source of unmanaged risk. Boards notice.

Act Three: A Purpose-Built Security Category Emerges

Not a feature inside the platform. Not a checkbox inside an existing security tool. A standalone category, built for the security buyer, designed around the specific risk profile of the new technology. The companies that own the category in Act Three are usually not the companies that defined Act One.

Three Acts of Technology Adoption

We have seen this play out at least twice in the last fifteen years.

The Pattern with the Cloud

The cloud era began in earnest in the late 2000s and inflected through the early 2010s. By the time AWS, Azure, and Google Cloud were the default infrastructure choice for new enterprise workloads, the security implications were obvious in retrospect. Misconfigurations. Over-permissioned identities. Shadow accounts spun up by engineering teams. Logs scattered across services nobody had a unified view into.

The platforms responded. AWS launched IAM in May 2011. GuardDuty arrived in 2017. Security Hub came later. These were good products. They are still good products. They were not the thing that captured the cloud security wave.

Wiz was founded in 2020—roughly a decade after AWS IAM shipped, and three years after GuardDuty. By mid-2022, Wiz had reached $100 million in annual recurring revenue in eighteen months, the fastest pace any software company had ever achieved that milestone. By August 2024, they had crossed $500 million. In March 2025, Google announced an agreement to acquire them for $32 billion in cash—the largest acquisition in Google's history—which closed in March of this year.

The lesson is not that AWS did the wrong thing. AWS did exactly what platforms do: ship native security features that solve platform-specific problems for platform-specific buyers. The lesson is that the security buyer wanted something different. They wanted a product that worked across every cloud provider, was built for the CISO rather than the cloud architect, and produced the kind of evidence and remediation pathway a security organization could operate against. The platform vendor could not be that product. Someone had to build it.

The Pattern with Endpoints

The same pattern played out a few years later in a different domain.

Mobile devices proliferated. Workforces went distributed. The endpoint became, for many enterprises, the new perimeter. Microsoft shipped Defender. Apple shipped Gatekeeper. Both were credible, well-engineered, and expanded over time. Both were sufficient for many use cases. Neither captured the endpoint security wave.

CrowdStrike was founded in 2011, went public in 2019, and reported $4.66 billion in ending ARR for its most recent quarter. The company is now a foundational element of the security stack at most large enterprises. Microsoft still ships Defender. Apple still ships Gatekeeper. CrowdStrike still owns the category.

Why Platforms Haven’t Captured the Security Wave

Two waves. Two purpose-built security companies. Two platforms that shipped credible native security and still did not capture the category their own technology created. The pattern is consistent enough that calling it a coincidence requires more faith than calling it a pattern.

There is a structural reason this keeps happening, and it matters for what comes next. The platform vendor is incentivized to make the technology adoptable. Their roadmap is dominated by feature work that drives consumption. Security is a tax on that motion—useful as a checkbox, dangerous if it slows down a sale. So the platform ships native security that is good enough to clear procurement, integrated tightly with the platform itself, and built around the buying patterns of the platform's primary user.

The security buyer needs something different. They need cross-platform coverage, because no enterprise runs on one platform. They need their own buying motion, with their own evaluation criteria, their own metrics, their own seat at the table when the board asks how exposure is trending. They need a vendor whose entire reason for existing is making them successful, not making the platform more sticky.

These are not the same product. AI is certainly unique as the next wave, but will it be the exception to the pattern?

AI Is the Third Wave

The AI adoption curve is steeper than the cloud curve and steeper than the endpoint curve. GitHub Copilot crossed 4.7 million paid subscribers in early 2026 and is deployed at roughly 90% of the Fortune 100. Every major SaaS platform—and most of the minor ones—now ships AI features and agentic capabilities. Employees connect AI tools to company systems faster than IT can inventory them. OAuth grants get issued. Data flows. Decisions get made by code that nobody on the security team has met.

The platforms are responding the way platforms respond. The model providers are shipping admin consoles, usage policies, and access controls for their own products. The hyperscalers are extending their security portfolios with AI-specific features. Some of this is good. None of it is enough yet.

It’s not enough because no enterprise runs on one AI vendor. A typical large company today is using a frontier model from one provider, a coding assistant from another, vertical AI tools embedded inside a dozen SaaS products, and a growing inventory of agents built internally that nobody has formally registered. The CISO needs to govern all of it, on one set of policies, with one source of evidence, against security and compliance frameworks that auditors and regulators recognize. That is not a problem any AI platform vendor is building to solve, because it is not the problem any AI platform vendor exists to solve.

It’s also not enough because the timing of regulation is converging with the timing of adoption in a way the cloud era did not see. EU AI Act enforcement begins August 2, 2026, with administrative fines reaching €35 million or 7% of global annual turnover for the most serious violations. Customers are already including AI-specific questions in their procurement processes. Boards are asking. The bill isn’t arriving in some far-off Act Three.

Where Are We In the Movie?

If the pattern holds, we are somewhere in late Act One—possibly very early Act Two—of the AI wave.

The "get out of the way" phase is short. With cloud, it was three to five years. Endpoint was about four. For AI, this phase appears to be running on a faster clock because the underlying technology is moving faster, the regulatory response is arriving sooner, and the customer pressure is reaching procurement teams within the same year as the adoption itself. My estimate is that the window between "get out of the way" and "show me your governance" will close inside two to three years. For some companies—especially the ones serving regulated industries—it has already closed.

The question that remains is the same one that was open in 2018 for cloud and 2014 for endpoint: who builds the purpose-built security category for this wave?

I do not believe that question is answered yet. I do not believe it will be answered by the AI platforms—though the comparison to AWS or Microsoft requires a distinction. The AI model providers are, in many cases, more technically capable of building security infrastructure than a cloud hyperscaler ever was. The difference is what they're building it for. A model provider's security tooling is built to govern their model, not to govern the twelve other AI systems running inside the enterprise alongside it. Capability is not the constraint. Scope is.

The previous two waves produced new companies because they required new categories. The AI wave may produce more than one category—but the cross-platform governance layer is not one that any single model provider is positioned to own today. 

What Are We Doing About It?

I run a company whose entire reason for existing is being the trust layer between great companies. We have spent the last five years building the infrastructure that lets one company prove its security posture to another, automatically and continuously, against the frameworks that matter. The trust question between companies has never been more important than it is right now, because every company in every industry has just acquired a new capability—AI, in all its forms—that magnifies and accelerates what they can do, both intentionally and accidentally.

The trust question has expanded. It used to be “Is your security program sound?” Now it is also “What AI is operating inside your company, what data does it touch, and how do you govern it?” Eventually, and soon, it will become “When your AI agents act on my systems, what trust framework governs that interaction?”

These are the questions the next wave of security has to answer. In the next post in this series, I will lay out the five questions every CISO I talk to is already asking about AI agents, and where I think the answers are going to come from. The pattern from cloud and endpoint tells us a category leader will emerge. The data tells us it has not emerged yet. The window is open. We intend to be in it.

Adam Markowitz
CEO & Founder

Adam Markowitz is the CEO & Co-Founder of Drata, the leading agentic trust management platform for automating compliance, managing risk, and proving trust. Since launching in 2021, Drata has become one of the world's fastest-growing software companies with 8,000+ global customers.

Before Drata, Adam founded Portfolium, an ed-tech platform serving millions of students across 3,600+ colleges and universities—acquired by Instructure (NYSE: INST) in 2019. Earlier in his career, he worked as an Aerospace Engineer designing and testing liquid rocket engines for NASA and the Space Shuttle program. He holds a BS in Structural Engineering from UC San Diego and an MS in Astronautical Engineering from USC.
