CISA Nominee Delay: Where AI Fixes Cyber Governance

Federal cybersecurity can’t run on “acting” forever.

With Congress in its final week of the year (as of Dec. 16), House Homeland Security Committee Chairman Rep. Andrew Garbarino said he’s “disappointed” the Senate hasn’t confirmed Sean Plankey to lead the Cybersecurity and Infrastructure Security Agency (CISA). That’s a headline about one nomination—but it’s also a stress test of how the U.S. governs cyber risk.

Here’s my take: the nomination delay isn’t just politics; it’s operational debt. When leadership for a critical cyber agency stalls, everything downstream slows too—regulatory alignment, information-sharing agreements, crisis coordination with states and the private sector, and long-term investment decisions. In an era where AI in defense and national security is accelerating both attack and defense, leadership gaps land at the worst possible time.

This post uses the CISA nominee delay as a case study for a practical question government leaders are asking more often: Can AI modernize federal governance workflows without compromising due process, transparency, or civil liberties? Yes—but only if we treat AI as a system for accountability, not a shortcut.

Why a delayed CISA director becomes a national security issue

A delayed CISA director creates decision latency across the cyber ecosystem. CISA isn’t just another agency headcount box; it’s one of the federal government’s key conveners for critical infrastructure security, incident coordination, and guidance that shapes how operators actually defend networks.

The real cost: slower alignment when threats don’t wait

The article points to multiple pressure points happening at once:

• Major nation-state intrusions into U.S. critical infrastructure and telecom environments (including the widely discussed “Typhoon” campaigns).
• Regulatory harmonization debates that require steady, credible leadership to keep agencies and industry moving in the same direction.
• Information-sharing authorities that can expire, be amended, or be weakened—creating uncertainty for private-sector partners.

If you’re running security for a federal program, a state SOC, a telecom, or a hospital system, you already know the pattern: when the policy center wobbles, defenders at the edge end up improvising.

Leadership gaps create “policy drift” (and attackers love drift)

In cyber operations, ambiguity is expensive. When a top role is unfilled:

• Interagency coordination slows because nobody wants to overstep.
• Program managers delay long-term commitments because priorities can change overnight.
• Industry gets mixed signals on what standards and reporting expectations will stick.

Attackers don’t need to be better than you. They just need you to be slower than you were last quarter.

The hidden story: cyber information-sharing authorities are fragile

The most immediate operational risk isn’t the nomination itself—it’s what the nomination delay signals about follow-through on cyber authorities. Garbarino emphasized the need to reauthorize the Cybersecurity Information Sharing Act of 2015, which lapsed during the shutdown and was temporarily revived through Jan. 30 under a stopgap funding extension.

Why the 2015 information-sharing law matters in plain terms

The original law created legal protections that made it easier for companies to share cyber threat indicators with government partners without fearing lawsuits or regulatory penalties.

That legal “safe lane” is what makes high-volume, fast-turn information exchange possible—especially during active campaigns.

When that lane narrows:

• Legal teams slow down disclosures.
• Companies share less, later, and with fewer specifics.
• Government gets a weaker picture of adversary infrastructure and techniques.

Garbarino’s quote is blunt and accurate: if the bill isn’t renewed, people stop sharing. And in cyber defense, reduced sharing is the same as reduced visibility.

AI’s role here isn’t “more data”—it’s lower friction

Government often talks about information-sharing as if the challenge is motivation. In practice, it’s also about workflow:

• What’s allowed to be shared?
• What has to be scrubbed first?
• Who approves release?
• How fast can it move without exposing customer or citizen data?

This is where AI-enabled governance can make a real difference.

Used responsibly, AI can:

• Automatically classify threat data (technical indicator vs. sensitive business info).
• Flag potential personally identifiable information (PII) for removal.
• Create auditable “why this was shared” decision logs.
• Route packages to the right legal/privacy approvers based on policy.

That doesn’t replace legal authority. It makes lawful sharing more consistent and less dependent on heroic effort.

How AI can modernize federal appointments and oversight (without cutting corners)

AI can reduce nomination and oversight bottlenecks by making processes more transparent, consistent, and measurable. The goal isn’t to “automate confirmations.” The goal is to reduce preventable friction that turns governance into a backlog.

Use case 1: nomination readiness and documentation quality

A major reason nominations stall is that records, disclosures, and background materials arrive in inconsistent formats, with gaps that trigger rework.

AI can help agencies and committees by:

• Checking disclosure packets for missing fields and inconsistencies.
• Summarizing large volumes of supporting documents into standardized briefs.
• Mapping prior statements and publications to likely hearing topics.
• Producing a structured “risk register” for conflicts, recusals, and ethics constraints.

This isn’t about spinning the nominee. It’s about reducing clerical failure modes that cause procedural holds and delays.

Use case 2: faster, more accountable oversight workflows

Garbarino referenced ongoing back-and-forth with DHS over responses to committee questions on major Chinese cyber intrusions, saying early responses didn’t answer everything.

That’s a familiar dynamic: oversight requests get answered late, partially, or in a way that’s hard to validate.

AI can strengthen oversight by creating:

• Traceability: link each committee question to specific DHS response sections.
• Completeness scoring: flag which sub-questions weren’t addressed.
• Evidence tagging: identify where a response provides claims without supporting documentation.

Done right, this makes oversight less theatrical and more operational.

Use case 3: decision intelligence for “should we extend this authority?”

Information-sharing authorities aren’t just legal artifacts—they’re performance mechanisms.

AI can support renewal debates by producing structured metrics like:

• How many actionable indicators were shared under the authority per quarter.
• Median time from private discovery to government receipt.
• Percentage of shared indicators that were later corroborated.
• De-identification error rates (how often PII slipped through).

If Congress is going to fight over duration (2-year vs. 10-year) or carve-outs, it should be fighting over measurable outcomes, not vibes.

Telecom security whiplash shows why governance needs “machine-speed visibility”

When telecom security rules change abruptly, adversaries inherit the confusion. Garbarino questioned a recent FCC vote to reverse telecom security rules that had been put in place after a major telecom intrusion campaign. Whatever your view of that vote, the broader issue is consistent: telecom is now a frontline for national security.

AI can’t replace telecom regulation—but it can reduce blind spots

Telecom environments are complex, heterogeneous, and full of legacy systems. That’s where AI-driven cybersecurity tools have been most useful in practice:

• Behavior-based anomaly detection for signaling abuse and lateral movement.
• Automated correlation across network telemetry, identity signals, and endpoint events.
• Rapid scoping of affected users and services during incident response.

But these benefits compound only when governance is stable.

If policy shifts every election cycle (or every commission vote), defenders struggle to plan:

• procurement timelines
• vendor requirements
• reporting thresholds
• investment in detection and logging

AI thrives on consistent instrumentation. Governance creates the conditions for instrumentation to exist.

A practical blueprint: “AI for cyber governance” that actually works

If you want AI to improve federal cyber leadership and governance, build it like a safety system—measurable, auditable, and constrained. Here’s a blueprint I’ve found useful when advising teams that sit at the intersection of cyber operations, compliance, and mission delivery.

1) Start with the workflow, not the model

Pick one governance workflow that is currently slow and high-impact:

• drafting and approving interagency threat bulletins
• responding to congressional oversight questions
• reviewing information-sharing packages for PII
• preparing nomination support materials

Define baseline metrics first (cycle time, error rate, rework rate).

2) Require auditability by design

For public sector AI, “because the model said so” is not an acceptable control. Require:

• versioned prompts and policies
• model and data lineage
• human approvals for high-impact outputs
• immutable logs for who accepted/edited outputs

This is how you make AI compatible with democratic accountability.

3) Treat privacy and civil liberties as functional requirements

Concerns about CISA’s past work around misinformation and free speech aren’t side issues—they shape trust and cooperation.

A workable pattern is:

• strict separation between cyber threat indicators and content moderation topics
• written policies that define what AI is allowed to process
• automated PII detection and redaction with human review sampling
• published transparency reporting on system use (what, when, why)

If you don’t build for trust, you’ll spend your budget fighting litigation, not adversaries.

4) Build a “governance cockpit” for leaders

Once leadership is in place, they need visibility. A governance cockpit is a dashboard of:

• open authorities nearing expiration (with deadlines and owners)
• top interagency dependencies
• incident coordination metrics
• information-sharing volumes and quality scores
• staffing and surge capacity indicators

That kind of operational view is how a CISA director (or acting director) moves from reacting to steering.

Snippet-worthy point: AI is most valuable in government when it reduces decision latency without reducing accountability.

Where this fits in the AI in Defense & National Security series

In this series, we often focus on AI for threat detection, intelligence analysis, and operational planning. This story is a reminder that governance is a frontline capability too.

A nation can have strong models and great cyber tools, but still fail if:

• authorities lapse,
• leaders can’t get confirmed,
• oversight turns into document chaos,
• and agencies can’t coordinate at speed.

The CISA nominee delay is a public example of a private reality across government: too many mission-critical processes still run like they’re paper-bound, even when the threats are machine-speed.

What leaders should do before the next deadline hits

The funding extension through late January creates a short runway. If you’re a federal, state, or critical infrastructure leader looking at 2026 planning right now, here are concrete next steps that don’t require new legislation to start:

1. Inventory your “governance bottlenecks.” Find the top three workflows where approvals, documentation, or coordination cause operational delay.
2. Pilot AI where the risk is manageable. Start with summarization, classification, and routing—not autonomous decisions.
3. Instrument everything. Measure cycle time, rework, and error rates before and after.
4. Publish internal policy guardrails early. If you wait until after deployment, you’re already behind.

CISA leadership will eventually get resolved—by confirmation, renomination, or replacement. The bigger question is whether the federal cyber enterprise keeps treating governance as paperwork, or starts treating it as infrastructure.

If your organization wants AI to strengthen cyber governance—appointments support, oversight response, information-sharing workflows, or incident coordination—what’s one process you’d be willing to measure and modernize in the next 90 days?