
Innovating Beyond the Security Bottleneck

Replica Cyber CEO Kris Schroeder says security teams need a safer way to support high-risk work as businesses turn to exceptions, workarounds and isolated environments to keep innovation moving.

Have you ever found yourself in a situation where security controls get in the way of productivity?

Whether it’s testing a new AI tool, connecting one SaaS platform to another, evaluating a third-party application or preparing a high-risk product rollout, security controls can become a preventative measure that stops the business from innovating, finding efficiencies, closing work or building better outcomes. That creates the feeling that security is getting in the way of the job.

Security is there for a reason. It stops executable downloads from being opened, prevents risky changes to desktops and helps keep one user’s decision from affecting the wider network.

But what happens when security prevents projects from being completed, contracts from being reviewed or applications from being tested? What if it prevents your business from innovating, evolving and growing?

Research from Replica Cyber found that 39% of organizations surveyed had delayed, canceled or scaled back market expansion because the required work could not be conducted securely. The problem was not limited to expansion plans. Product launches, vendor onboarding and M&A activity were also affected, raising a broader question: Are organizations losing momentum because they lack secure environments in which to do high-risk work? Download “The Exception Economy” report here.

Kristopher Schroeder, CEO and co-founder of Replica Cyber, said there is sometimes a lack of cultural alignment within an organization’s DNA. In a period when CISOs have increasingly been blamed — and, in high-profile cases, prosecuted or sentenced — for decisions made around security incidents, the natural reaction is to say no.

“So it puts them in a very hard position to say, yes, go ahead and try this new experimental thing because the business says they need it or it’s going to give you an advantage in the market, when we know that it could expose all of our customer data,” he said.

“I don’t think it’s necessarily just organizational reticence. I believe it’s more that there has been a very big target put on CISOs from a risk perspective; it’s hard to manage that, especially when most of them are understaffed. So, the delay almost seems natural to me.”

When caution becomes the operating model

Replica found that every organization surveyed had granted security or compliance exceptions in the past year. Some 63% had done so through formal channels, while a third had used informal workarounds. Additionally, 20% of high-risk work does not proceed because of exposure risks.

Schroeder said some of the numbers in the survey felt low, and while some projects were delayed rather than canceled, taken together they form “a very high percentage of projects” that were unable to move forward. The result is an innovation bottleneck that forms at the exact point where security controls, business urgency and operational risk collide.

However, some businesses and professionals have simply accepted certain risks rather than mitigating them.

“We know most people that are actually putting AI items into production are not mitigating the risks,” he said. “They’re just taking on that potential for compromise and going to run with it until it bites them.”

Schroeder said the answer is not to bolt another security tool onto the same old workflow, but to give teams a safer place to do risky work. That requires a more comprehensive way to create, manage and sustain secure environments where business users can operate without exposing the wider organization. In Replica’s view, that means moving the work into a protected environment rather than forcing teams to choose between delay, denial or unsafe improvisation.

A safer place to do risky work

Schroeder explained that Replica was founded to help businesses do the difficult work they need to do in a risk-free digital space.

“Replica is a very secure operating platform and secure environment platform; a place to go and do hard and risky work in a highly protected and enabled way,” he said. “It moves that work away from the corporate network while still maintaining the controls and observability people need.”

The emerging category is referred to as secure environments, secure isolated workspaces or Secure Environments-as-a-Service. It overlaps with VDI, browser isolation, malware sandboxes and secure collaboration tools. The broader idea is different in that it creates a governed place where high-risk digital work can happen without dragging that risk back into production systems.

Existing tools, Schroeder said, solve only one slice of the problem. A malware sandbox may help analyze a suspicious file, but high-risk work often moves through multiple people, tools and handoffs before it is resolved. Replica’s argument is that those steps should happen inside a single protected environment, rather than across corporate systems, ad hoc tools and disconnected workflows that pull risk back into production.

The permission trap

That raises a larger access-management problem. When employees cannot complete legitimate work inside approved systems, organizations often compensate by granting more permissions, relaxing controls or approving exceptions. Over time, the line between business need and convenience gets blurry.

Schroeder said that is exactly why security needs a different model. Traditional identity and access management systems can decide who gets into a system, but they do not solve the larger problem of where risky work should happen once access is granted.

“You can’t just say, ‘OK, I’m going to give you full admin access to this server,’” Schroeder said. “Those approaches do not work. That model has been broken for many years.”

The risk is that a temporary permission change can open a much larger set of issues in a live environment. A user may need access to test one application, review one dataset or connect one tool. But once those permissions exist, they can affect systems, data and workflows that were never part of the original request. With AI agents, the problem becomes more acute: an agent can inherit a user’s permissions and then act faster, across more systems, than a person ever could.

When AI agents inherit the risk

Schroeder said that the CISO’s job has become harder and faster as the velocity of threats and operational challenges has increased. Expanded access would be one issue if organizations were only dealing with humans and employees. Agents operating across networks and endpoints present an even greater challenge because they inherit the same access privileges.

“That agent can do a heck of a lot more than a human could in 25 minutes, and you have very little visibility or auditability into what that agent might have done and who it interacted with,” Schroeder said.

The question is whether organizations can keep pace with the rate of change as technology evolves so rapidly. Schroeder said this is the approach Replica has taken in providing secure environments to customers.

“I want to make sure that they have options. Even if they have not implemented them yet, they at least know they have the ability to say, ‘No, you don’t have to take my data.’

“You have these implementations, and as those implementations and approaches change, Replica will change with them, so they don’t have to redesign their architecture.”

Security as the way to say ‘Yes’

Security has long carried the reputation of being the department that says no.

When business leaders want to move quickly — whether through product development, AI adoption, mergers and acquisitions, or expansion into new markets — security is often perceived as the function that slows everything down. That tension has created what many organizations now face as an “exception economy,” where teams are forced to choose between reducing exposure risk and maintaining innovation and growth.

The old pattern was simple: ship first, document the exception later.

Yet that dynamic is beginning to shift. Increasingly, organizations are recognizing that security teams cannot remain purely preventative functions if they want to stay aligned with business objectives. Instead, the more successful security organizations are repositioning themselves as enablers of growth.

From control layer to business capability

One example comes from a global organization using AI-driven analytics originally implemented for security monitoring. The platform was designed to provide visibility into network and system activity across international offices, but the insights generated quickly proved valuable beyond cybersecurity.

Business development and market leadership teams began using the same data to identify operational trends, collaboration patterns and potential commercial opportunities across the organization.

What began as a security initiative evolved into a broader business capability. That evolution reflects a larger trend in how security leaders are approaching innovation.

Rather than restricting experimentation with emerging technologies such as AI agents or automation platforms, some organizations are creating secure, isolated environments where employees can safely test and develop new ideas. In these cases, security is not acting as a blocker to innovation; it is providing the controlled framework that allows innovation to happen responsibly.

This represents a fundamental change in mindset. Instead of responding with “no,” security teams are increasingly expected to respond with “yes, and here is how we can do it safely.”

The cost of standing still

The distinction matters because the cost of failing to help the business evolve is becoming harder to ignore. Security is no longer being judged only on whether it prevents incidents. It is also being judged on whether it helps the organization innovate, reinvigorate operations and pursue new opportunities without creating unmanaged exposure.

It all starts with the environment.

When organizations lack secure environments for experimentation and development, growth initiatives slow down. New capabilities are delayed, innovation programs stall and operational friction increases. For executive leadership, particularly CEOs under pressure to accelerate transformation, security quickly becomes a point of scrutiny if it is perceived as obstructing progress.

Replica’s survey put numbers behind that pressure: 20% of high-risk digital work does not go ahead because of exposure, compliance or lack of a safe environment; 39% of organizations delayed or canceled market expansion; 35% delayed product launches; 32% delayed M&A or strategic partnerships; and 100% granted security or compliance exceptions in the past year.

The organizations navigating this most effectively are those treating security as a service layer for the business rather than a gatekeeping function. Rather than demanding massive investments or forcing business units to solve problems independently, security teams are delivering practical, cost-effective solutions that allow the organization to move forward with confidence.

The challenge for modern security leaders is no longer simply preventing incidents. It is enabling the business to innovate, experiment and grow without creating unmanaged exposure. Organizations that successfully balance those priorities are likely to define the next phase of security maturity.
