While most organizations were still debating ChatGPT, Culligan International was already implementing AI solutions two years ago. This early start gave Amir Niaz, VP and Global CISO, unique insights into enterprise AI security challenges that many organizations are just beginning to face.
As a global water treatment leader with over 15,000 employees and 150+ acquisitions in three years, Culligan faced the perfect storm of AI security challenges: massive scale, complex data environments, and aggressive M&A growth.
“When you measure productivity with risk, productivity always wins. So we chose to educate users rather than block them.”
─ Amir Niaz
When Culligan began testing Microsoft Copilot, users discovered productivity benefits but also started finding sensitive data they shouldn’t access:
🔴 Social Security cards from HR systems
🔴 W-2 forms from payroll departments
🔴 Confidential financial information from executive teams
🔴 Acquisition documents from completed deals
The reality check: “Before it was finding a needle in a haystack. Now it’s ‘you ask and I’ll give you.’ The data is right in front of you,” Amir explains.
When Culligan contacted Microsoft about data exposure issues, the response was revealing: “Copilot didn’t break it.” Microsoft was right. Copilot simply made visible what was always there ─ years of permission sprawl and overshared documents buried in SharePoint complexity.
With 150+ acquisitions bringing unstructured data and legacy permissions, what was once hidden by SharePoint's complexity became instantly searchable through natural language queries.
Supporting 15,000 global users with a lean security team meant traditional approaches wouldn’t scale. “We’re not in the business of fielding calls about folder access,” Amir explains.
🛡️ Technical Guardrails
📕 User Education
🚩 Executive Escalation
For critical exposures, Amir personally calls data owners. “When they see a call from the CISO, they know something bad happened and answer immediately.”
User reception has been overwhelmingly positive. Rather than feeling restricted, users appreciate being helped to use AI tools safely.
1️⃣ Start Small with Controlled Pilots
Select specific use cases and test security controls in low-risk environments.
2️⃣ Work on Governance and Adoption in Parallel
Develop frameworks while users gain experience, iterating based on real-world patterns.
3️⃣ Build Cross-Functional Teams
Include security, legal, risk, and compliance from the start with clear accountability.
4️⃣ Focus on Education Alongside Technical Controls
Invest in training programs and provide ongoing support resources.
“Once data exits your premise, it’s like toothpaste, you can’t put it back in the tube.” ─ This underscores the importance of preventing data exfiltration before it occurs and monitoring all AI interactions for sensitive content.
“AI adoption is four times faster than Internet adoption. I don’t even remember the last time I used Google.” ─ This pace means organizations have less time to adapt than with previous technology transitions. Security strategies must be designed for rapid scaling.
Culligan’s proven balance:
As a multinational corporation, Culligan navigates complex regulatory environments:
❇️ Enable Rather Than Block AI Adoption
Provide secure alternatives and position security as an innovation enabler.
❇️ Invest in Automated Discovery Tools
Implement continuous monitoring and create scalable remediation workflows.
❇️ Make Security Helpful, Not Harmful
Provide clear guidance and build positive relationships with business units.
❇️ Prepare for Exponential Change
Design flexible strategies that can adapt to use cases not yet imagined.
“My goal is not to scare people away from coming to security. I listen, understand the business case, and provide a better solution.” ─ This represents a fundamental shift from gatekeeper to enabler, from blocker to solution provider.
Amir’s predictions for enterprise AI:
“It’s not just about productivity tools anymore. AI will change customer experience, financial planning, budgets ─ everything.”
─ Amir Niaz
Culligan’s two-year AI journey offers a proven roadmap for balancing AI adoption with security requirements. Their experience shows that the choice isn’t between security and productivity; it is about finding the right approach to achieve both.
As AI continues evolving, lessons from early adopters like Culligan become invaluable. The key is starting with secure frameworks that can evolve with the technology rather than waiting for perfect solutions.
Organizations that harness AI’s potential while maintaining stakeholder trust, regulatory compliance, and data protection will define the future of enterprise AI adoption.