Published on January 23, 2026

Most enterprises today are built on the same foundations. The same cloud platforms. The same AI models. Often, even the same vendors. On paper, their technology stacks look remarkably similar.

And yet, their risk profiles couldn’t be more different.

Not because one chose better tools than another, but because they operate in different places and have access to very different pools of talent. Who you can hire, where you can hire them, and how easily they move matters far more than most organizations realize.

What looks like a hiring challenge is actually something bigger. The shortage of cybersecurity and AI governance skills is shaping how safely AI can be scaled across regions.

To understand how we got here, we zoom out before we look closer.

The shortage everyone knows about, and the details we tend to miss  

By now, many of us are familiar with the headlines.

According to ISC2, the global cybersecurity workforce gap exceeds 4.7 million professionals in 2024. The World Economic Forum continues to list cyber risk among the most severe global threats, while repeatedly warning that AI adoption is outpacing the skills needed to govern it safely.

But here’s the part we don’t talk about enough. That shortage is not evenly distributed. And it is not evenly felt.

A missing cybersecurity professional in one region creates a very different kind of risk than a missing AI governance expert in another. Regulation, labor mobility, education systems, and enterprise maturity all shape how dangerous a skills gap actually becomes.

This is where AI governance changes the conversation.

Why AI governance turns a talent gap into a risk gap  

Cybersecurity shortages are painful. But AI governance shortages are destabilizing.

That’s because AI governance is not a single discipline. It lives at the intersection of AI engineering, data governance, cybersecurity, regulation, and ethics. It requires people who can understand how models work, how they fail, how they can be attacked, and how regulators expect them to be controlled.

And let’s face it: Very few professionals are trained this way.

The World Economic Forum has noted that while organizations expect AI risk and governance roles to grow rapidly, most enterprises are assigning this responsibility to existing teams like Security, Legal, or Compliance, rather than building a new team dedicated to this capability.

This is the moment where geography starts to matter. Because whether that workaround is manageable or dangerous depends entirely on where you are.

The United States: Burnout behind the boom

On paper, the U.S. looks well positioned. Data from CyberSeek shows over 1.33 million cybersecurity professionals already employed. The ecosystem is mature, salaries are high, and AI expertise is widely available.

And yet, the U.S. still has hundreds of thousands of unfilled cybersecurity roles, a gap that directly affects not just traditional security work but also emerging AI governance demands. According to recent data, the United States faces a cybersecurity workforce shortage of roughly 700,000 unfilled positions, highlighting just how stretched the market has become.

That pressure shows up inside organizations.

Burnout is no longer the exception. Up to 70% of cybersecurity professionals report experiencing burnout, driven by relentless workloads, constant incident response, and expanding responsibility, including AI oversight, without equivalent increases in capacity.

At the same time, stability at the top is eroding. Nearly half of cybersecurity leaders were projected to change jobs, with around 25% leaving for entirely different roles due to workplace stressors.

Senior expertise is moving frequently. This creates a subtle but serious problem for AI governance.

Europe: Governance by design, execution by constraint  

Europe approaches the problem from the opposite direction.

Regulatory clarity is strong. The GDPR, NIS2, and the EU AI Act define expectations in detail. From a governance perspective, Europe arguably has the clearest playbook in the world. But playbooks need players.

The European Commission and ENISA estimate a cybersecurity skills gap of 250,000 to 500,000 professionals across the region. The shortage is especially acute in roles that blend technical depth with regulatory understanding, precisely the profile AI governance demands.

The result is tension.

European enterprises often know exactly what needs to be done, but struggle with who can do it.

China: Ambition running ahead of experience

China’s approach to cybersecurity and AI is unapologetically ambitious.

National strategies, including the push to strengthen cyber and digital sovereignty, have accelerated investment in AI, infrastructure, and regulation. But underneath that momentum sits a growing constraint: people.

According to the 2022 White Paper on the Live-Fire Capabilities of Cybersecurity Talents, China is facing a rapidly widening cybersecurity talent gap. By 2027, the shortage is expected to reach 3.27 million professionals. At the same time, colleges and universities are producing only around 30,000 cybersecurity graduates per year.

That imbalance matters, especially because the shortage is not at the entry level.

The same research highlights a particularly severe lack of “live-fire” (实战) talent. These are practitioners with hands-on, real-world experience in defending systems, responding to attacks, and managing complex risk scenarios. In other words, people who can operate under pressure, not just understand theory.

This challenge becomes even sharper when AI enters the picture.

There remains a shortage of cross-disciplinary professionals, i.e., individuals who understand AI systems, cybersecurity threats, and governance requirements together. These are exactly the skills AI governance depends on, and they are the hardest to train at scale.

The result is a familiar pattern.

The pattern that connects everything  

When you step back and look across regions, a clear pattern emerges.

The problem isn’t that organizations don’t understand AI and cyber risk. And it isn’t that they aren’t trying hard enough to hire either. The real issue is that the skills enterprises now depend on no longer exist as a single role or in a single place.

Every region feels the strain, but for different reasons.

AI governance has crossed a threshold. It has become too complex, too interdisciplinary, and too tightly bound to local regulation and data sovereignty to be solved through traditional hiring models.

This is the point most enterprises are only beginning to recognize.

The only way forward: Design for scarcity  

Organizations that are moving ahead have accepted this early. They are no longer designing for talent abundance. They are designing for talent scarcity.

That decision leads to three clear shifts.

First, they treat AI governance as a system, not a role. Instead of relying on one or two experts, they clearly define who can make which decisions, how risks are escalated, and who is accountable at each step. Governance is built into processes and tools, not stored in people’s heads. When individuals leave, the way AI is governed stays consistent.

Second, they build overlapping capabilities across cybersecurity, data, legal, and risk teams. No single function owns AI governance end to end; instead, ownership is shared across the organization. This is how a capability like AI scales when specialists are rare.

Third, they localize execution. Global principles stay consistent, but governance operates where regulation, data, and risk actually live. This reduces reliance on hard-to-move talent and aligns oversight with regional reality.

This approach doesn’t eliminate the talent gap. It makes it manageable. And it fundamentally changes the question leaders ask.

Not, “Why can’t we hire fast enough?”

But, “Why are we still designing for a world that no longer exists?”

Because in the age of AI, advantage won’t come from having the most talent. It will come from knowing how to operate when talent is scarce.

Sneha Banerjee

Enterprise Analyst, ManageEngine