Trust Is the Asset: Rethinking Security in a Data and Regulation-Heavy World

This article is by Benjamin Dulieu, Chief Information Officer and Chief Information Security Officer at Duck Creek Technologies

Bio: Benjamin Dulieu serves as Chief Information Officer and Chief Information Security Officer at Duck Creek Technologies, where he oversees enterprise IT, data and analytics, cybersecurity and AI governance. He leads platform modernization and Duck Creek’s AI operating model, focusing on measurable productivity, strong governance, and trusted use across the business. Prior to Duck Creek, he was Global Head of Cyber and Technology Risk Management at Brown Brothers Harriman, overseeing cyber, technology risk, third-party risk, and operational resilience. He also served as a United States Marine Captain and led combat communications operations in Afghanistan during Operation Enduring Freedom.

In industries like insurance and financial services, trust is not a slogan or a brand attribute. It is the business itself.

Customers entrust us with their most sensitive data. Regulators expect disciplined stewardship. Partners rely on us to operate resilient, reliable platforms. Customer trust is foundational to who insurtechs are and how we operate. That trust is earned over time through consistent behavior, clear accountability and decisions that prioritize long-term protection over short-term convenience. It is reinforced every time systems perform as expected and data is handled with care.

Yet across the industry, there is a growing disconnect between how organizations signal trust and how they actually manage risk. Too often, compliance is treated as proof of trustworthiness, while the underlying realities of data sprawl, identity complexity, and operational risk remain insufficiently addressed. Certifications can build external trust, but relying on them alone for security can allow vulnerabilities to emerge. This gap grows as technology stacks expand and operating models become more distributed. That gap is where trust quietly erodes. It does not disappear overnight. It fades through small failures, delayed responses, and unanswered questions that accumulate over time. Three interrelated trends help explain why.

Data Is Everywhere, Ownership Is Nowhere

Modern enterprises have never been more data-rich, or more uncertain about who truly owns that data.

Sensitive customer and operational data now span SaaS platforms, cloud environments, internal systems, analytics pipelines, and increasingly AI-enabled workflows. Yet in many organizations, ownership remains fragmented. Responsibility is distributed across teams, systems, and vendors, often without a clearly accountable business owner. Data is created quickly and reused widely, but stewardship rarely keeps pace with that expansion.

The result is a fundamental governance challenge. Many organizations cannot confidently answer where their most sensitive data resides, who has access to it, or whether that access is still appropriate. These gaps often surface only during audits, incidents, or regulatory inquiries, when clarity is needed most.

This is not a tooling failure. It is a lack of intentional data governance. Without defined ownership, even well-implemented controls lose effectiveness because no one is accountable for outcomes.

Without clear ownership, security controls become reactive rather than designed. Access decisions persist long after their original business purpose has passed. When incidents occur, uncertainty around responsibility slows response and undermines confidence. Teams spend critical time determining who should act instead of acting decisively.

In highly regulated industries, this ambiguity does not just increase risk. It directly threatens customer trust.

Identity Is the New Control Plane, and It Is Failing Quietly

As data becomes more distributed, identity has become the primary control plane that governs access to it.

Human users, service accounts, system integrations, automation, and now AI-driven systems all operate through identity. When identity is well governed, it enables speed, scale, and confidence. When it is not, it becomes the silent failure point behind many modern security incidents.

What makes identity risk particularly dangerous is how quietly it accumulates. Permissions expand incrementally. Privileged access grows in the name of efficiency. Non-human identities proliferate as systems integrate and automate. Everything appears to function as intended, until accumulated risk reaches a breaking point.

AI compounds this challenge.

As organizations adopt AI capabilities across vendors, partners, and internal platforms, access is often granted broadly to enable rapid value creation. These systems frequently operate with delegated authority that spans multiple datasets and services, acting continuously and sometimes autonomously. In many cases, this access is provisioned without the same rigor applied to human users or traditional system integrations.

This is not an entirely new category of risk, but it is a more complex evolution of an existing one. Like earlier waves of integration and automation, the technology itself is not the problem. The risk emerges when access is granted without clear intent, visibility, or lifecycle discipline.

In a world where data is everywhere, identity remains the only scalable way to enforce intent. As AI becomes embedded into core business workflows, identity governance must evolve alongside it. When it does not, security posture drifts further from business reality. That gap may not be visible in audits, but it is meaningful to adversaries and consequential to customers.

Compliance Is Still Mistaken for Security

In regulated industries, compliance is essential. But compliance alone does not create trust.

Passing an audit demonstrates that controls exist at a point in time. It does not demonstrate that risk is understood, prioritized, or actively managed. Yet many organizations continue to treat regulatory adherence as the primary indicator of security maturity.

This creates a false sense of confidence.

Compliance frameworks establish necessary baselines, but they are not dynamic risk models. They do not adapt to changing data flows, evolving identity structures, or new operational dependencies such as AI. When organizations optimize for evidence instead of exposure reduction, risk accumulates beneath the surface.

Customers do not place their trust in companies because of certifications or audit reports. They place their trust in companies because their data remains protected, services remain reliable, and risks are managed intentionally and transparently.

Trust Is a Risk Outcome

These three forces are deeply interconnected.

Data without ownership creates ambiguity. Identity without governance creates exposure. Compliance without risk context creates false assurance. Together, they form the conditions under which trust erodes gradually, often long before any visible failure occurs.

Trust is not built through checklists or attestations. It is built through disciplined, risk-focused decision making that aligns data governance, identity controls, and operational accountability around clear business intent.

For organizations, cybersecurity must be first and foremost a risk management discipline. Governance sets direction. Risk informs prioritization. Security enables trust at scale.

In a data- and regulation-heavy industry, this approach is not optional. It is the responsibility we owe our customers, our partners, and the markets we serve.

Compliance tells you whether you meet a standard. Risk management determines whether you deserve trust. The organizations that endure will be the ones that understand, and operationalize, the difference.

 

 
