Establishing AI Governance Without Stifling Innovation: Lessons Learned

Billy Norwood

[un]prompted 2026 — AI Security Practitioner Conference · Day 1 · 2

Billy Norwood, CISO of $5B pharmaceutical distributor FFF Enterprises, walked through the hard lessons of building AI governance from scratch: the 40-project roadmap that hit reality, the AI usage policy that was too vague to be useful, and the intake processes that had to be rebuilt after every new use case exposed a gap. His central message: governance is about balancing value and risk, not blocking either.

AI review

Norwood was candid about his failures, which is more than most CISOs manage, and the $250K pre-authorization use case is a real proof point. But this is a lessons-learned talk from a pharmaceutical distributor's AI governance growing pains — interesting for enterprise security leaders in regulated industries, wrong venue for a practitioner AI security conference.
