At Zscaler’s Zenith Live 2026 conference, I had the opportunity to speak with Gregor Goodman, Chief AI Officer at CNA, and Preston Curry, Deputy Director Security Operations, about their journey toward secure AI adoption.
Their experience highlighted an important lesson many organizations are still learning: successful AI programs start by understanding how people work today rather than simply mandating AI usage.
By combining a zero trust architecture with visibility into AI usage, CNA improved security, enhanced the user experience, and realized significant cost savings.
Key Takeaways about AI Strategy
- Successful AI adoption starts with understanding user workflows, not simply mandating AI usage across the organization.
- Blocking AI entirely can create shadow AI risks, making visibility and governance more effective than restrictive policies alone.
- Zero trust modernization improved both security and user experience, helping CNA replace legacy VPN and NAC technologies while achieving more than $1 million in cost savings and avoidance.
- AI usage visibility enables better security decisions, with CNA analyzing more than 34,000 AI prompts to better understand user behavior, data risks, and governance requirements.
- Security programs are most effective when they reduce friction, allowing organizations to balance security, usability, and innovation without sacrificing trust.
Rethinking AI Strategy
One of the most practical insights I heard during our conversation was Gregor’s perspective on AI strategy.
Rather than asking, “How do we use AI?” he suggested organizations first ask, “What do we do right now, and how could AI help us do it better?”
That mindset has guided CNA’s approach to modernizing operations while maintaining the rigorous security standards required to support the U.S. Navy and other government entities.
As a Federally Funded Research and Development Center (FFRDC) serving the Department of the Navy, CNA supports critical research and analysis efforts around the world.
Their analysts frequently work from military installations, ships, crisis centers, and other challenging environments where secure access to sensitive information is essential.
Moving Beyond Legacy Security Models
Before adopting Zscaler’s Zero Trust Exchange platform, CNA relied on traditional VPNs, network access control (NAC) solutions, and multiple firewall vendors.
These technologies introduced operational complexity, scalability challenges, connection instability, and increased risk.
A common concern with legacy architectures is lateral movement.
When an attacker compromises a device and gains network-level access, they often have opportunities to move throughout the environment.
A zero trust approach reduces this risk by limiting access to only the applications and resources users require.
According to Gregor and Preston, replacing legacy VPN and NAC technologies improved the user experience while reducing operational overhead.
Users gained faster access to applications, and the organization achieved more than $1 million in overall cost avoidance and savings through modernization efforts.
The Reality of AI Usage
Like many organizations handling sensitive data, CNA initially adopted a highly restrictive approach to generative AI.
Public large language models (LLMs) were largely blocked due to concerns around data exposure and compliance.
However, the team quickly recognized a challenge that many security leaders face today. When security creates too much friction, users often find workarounds.
Rather than maintaining a blanket “deny all” policy, CNA focused on understanding how employees were actually using AI.
Using Zscaler’s Generative AI Security capabilities and AI-focused Data Loss Prevention (DLP) controls, the organization gained visibility into user interactions with public AI tools.
This visibility proved valuable for several reasons.
First, it helped prevent sensitive information from being entered into public AI systems.
Second, it provided detailed insights into how employees were leveraging AI in their daily work.
Finally, it generated data that could support broader governance and insider threat initiatives.
Over a four-month period, CNA analyzed more than 34,000 AI prompts — visibility they previously did not have.
Prioritizing the User Experience
Throughout our discussion, both Gregor and Preston repeatedly emphasized the importance of the client and user experience.
Security programs succeed when they enable the mission rather than hinder it.
One of the most interesting discoveries from CNA’s AI monitoring efforts was that many employees were using public LLMs primarily for research.
That insight helped stimulate internal discussions around whether specialized internal AI capabilities should be developed to better support users while maintaining appropriate governance controls.
By enabling secure access to approved AI tools, CNA reduced provisioning times from days — or even weeks — to seconds.
Analysts could work more efficiently, IT teams spent less time processing exception requests, and security teams gained better visibility into organizational risk.
Balancing Security and Innovation
CNA’s experience demonstrates that secure AI adoption is not simply a technology challenge.
It is a people, process, and visibility challenge.
By replacing legacy infrastructure with a zero trust architecture and implementing controls that enable rather than restrict productivity, the organization created a foundation for responsible AI innovation.
For security leaders evaluating AI strategies, the lesson is clear: start by understanding how your workforce operates today, then build controls that support those workflows securely.
When organizations balance security, usability, and visibility, they can accelerate innovation without sacrificing trust.