GitLab Names Chaim Mazal CISO, and the Mandate Is Securing the Agentic Era From the Inside

A longtime GitLab customer turned CISO arrives with an explicit brief: build the security rigor that AI agents demand, as attackers compress exploitation timelines and agents outrun governance.

Published July 1, 2026

A Customer Who Became the Security Chief

GitLab has appointed Chaim Mazal as its Chief Information Security Officer, and the path he took to the role is unusually telling. Mazal was a GitLab customer for more than eight years before joining the company's advisory board to help shape product direction, and now he is taking the CISO seat. That trajectory, from user to advisor to executive, means he arrives with a deep, practitioner's understanding of the platform he is now charged with securing. He is not learning the product from the inside for the first time. He has been living with it for the better part of a decade.

That grounding matters for a company whose product is itself a security surface. GitLab is the platform on which enormous quantities of the world's software are built, reviewed, and shipped, which makes its own security posture inseparable from the security of its customers. A CISO who has operated the product as a customer brings a perspective that a pure outside hire cannot, understanding not just the abstract threat model but the lived reality of how teams actually use the platform and where the friction and the risk genuinely sit. GitLab is betting that this insider fluency will translate into sharper security decisions.

Fifteen Years and an AI Security Pedigree

Mazal's background is squarely aimed at the moment. He brings 15 years of security leadership experience, most recently as Chief AI and Security Officer at Gigamon, where he led security and the company's AI program, overseeing governance and responsible adoption across the organization. Before Gigamon he held senior security leadership roles at Kandji and ActiveCampaign, and he serves on the advisory boards of Cloudflare, Rapid7, Axonius, and Bugcrowd. That is a resume built at the intersection of hands-on security operations and the emerging discipline of AI governance.

The Chief AI and Security Officer title from his previous role is the detail worth dwelling on. It reflects a growing recognition across the industry that AI strategy and security can no longer be treated as separate concerns owned by separate executives. The organizations that deploy AI aggressively are creating new attack surfaces and new governance obligations at the same time, and the leaders who can hold both agendas together are increasingly valuable. Mazal's experience running exactly that combined mandate at Gigamon is precisely what GitLab appears to have been looking for as it confronts the security implications of the agentic era.

The Mandate Is the Agentic Era

GitLab framed Mazal's remit with unusual specificity. He will ensure GitLab delivers the security rigor that AI agents require, addressing emerging AI-driven threats and defining world-class AI security programs for the agentic era. That is not a generic security brief; it is a bet that the defining security challenge of the coming years is the one created by autonomous AI agents operating inside software development. As agents write, review, and ship code at machine speed, the security model built for human-paced development starts to strain, and someone has to rebuild it for the new tempo.

CEO Bill Staples made the logic explicit. The faster agents move, the more critical it becomes that developers find and fix security vulnerabilities before code hits production, he said. That sentence captures the core tension of AI-assisted development. The productivity gains from agentic coding are real, but so is the risk that vulnerabilities are introduced and shipped faster than traditional security processes can catch them. GitLab's decision to hire a CISO specifically oriented toward this problem signals that it sees securing the agentic development pipeline as central to its product strategy, not a peripheral concern.

Compressed Timelines and Ungoverned Agents

Mazal's own framing of the threat is worth quoting, because it names the two dynamics that should worry every security leader. AI-driven attacks are compressing exploitation timelines, while agents expose teams to risks they aren't equipped to govern yet, he said. Both halves of that statement describe a widening gap between the speed of the threat and the readiness of the defense. On the attack side, AI is shortening the window between a vulnerability's disclosure and its exploitation, a dynamic we have watched play out repeatedly in recent months.

On the defense side, the problem is that organizations are deploying agents faster than they are building the governance to control them. Teams are handing autonomous systems real capabilities, access, and authority without the mature controls, audit trails, and oversight mechanisms that such power demands. That is a recipe for exactly the kind of risk that materializes only after something goes wrong. Mazal's diagnosis, that agents expose teams to risks they are not equipped to govern, is a clear-eyed acknowledgment that the enthusiasm for agentic AI has outrun the security discipline required to deploy it safely, and closing that gap is his job.

Why the Combined AI and Security Role Is Rising

The broader significance of this appointment is what it says about the evolving shape of security leadership. The CISO role is expanding to encompass AI governance, because the two domains have become inseparable in practice. Deploying AI creates security risk, and securing an organization increasingly depends on understanding AI, both as a tool for defenders and as a capability wielded by attackers. The executives who can operate at that intersection, fluent in both the security operations and the AI governance dimensions, are becoming some of the most sought-after leaders in the enterprise.

We have tracked a steady stream of appointments that fuse these remits, from chief AI and security officers to CISOs with explicit AI mandates, and Mazal's move fits the pattern precisely. For boards and executive teams, the lesson is that the old organizational boundary between the AI strategy function and the security function is dissolving. Trying to run an aggressive AI agenda without embedding security leadership into it, or running security without deep AI fluency, is increasingly untenable. GitLab's hire is a clear vote for integrating the two, and it is a model other companies deploying agents at scale would do well to study.

What It Signals for the Software Supply Chain

GitLab's position in the software supply chain gives this appointment weight beyond the company itself. Because so much software passes through the platform, the security rigor GitLab builds into its agentic development capabilities propagates outward to the countless organizations that depend on it. A CISO focused on securing AI agents inside the development pipeline is, in effect, working on a problem that matters to the entire ecosystem, not just to GitLab's own risk posture. The security of the tools that build software has always been a leverage point, and it is becoming more so as agents take on more of the building.

For technology and security leaders watching from outside, the practical takeaway is to treat the security of AI-assisted development as a first-order concern rather than an afterthought. The productivity of agentic coding is seductive, but the risk that vulnerabilities ship faster than they can be caught is real and growing. We would encourage leaders to ask hard questions about the security controls around their own agentic development practices, and to watch how GitLab, with a purpose-hired CISO now on the case, builds the guardrails for an era in which code increasingly writes itself.
