Thornton May's 2 June column on CIO.com makes an uncomfortable argument: the next 12 to 24 months represent a closing window for the CIO to become the most trusted voice in the C-suite. After that window shuts, the title attached to enterprise trust will belong to whoever moves first, and the candidates are stacking up.
A 12 to 24 month opening
May frames the moment with three observations and one prescription. The observations describe the conditions that make trust scarce. The prescription explains why the CIO, of all officers, is positioned to supply it. The central claim is that decisions under genuine uncertainty, the discipline of balancing theory and practice, and the habit of running collaborative stakeholder projects are exactly the qualifications the rest of the executive team lacks. Read the original piece on CIO.com for the full framing.
Trust networks under load
The first observation is that trust networks across travel, healthcare, education, and economic mobility are visibly fraying. Customers who once accepted institutional reassurance now demand evidence. Patients second guess clinical guidance. Students question whether credentials translate into earnings. Travelers assume the published schedule is provisional. None of this is news to anyone who has filed a claim, booked a flight, or sat in a waiting room in the last twelve months, but May's point is structural: when civic trust contracts, the demand for trustworthy institutional voices inside the enterprise expands. Boards want someone in the room whose word survives audit. That role is open.
AI as a new exfiltration path
The second observation is that generative and agentic AI have introduced a new exfiltration path that most controls were not designed to see. Prompts leak intent. Embeddings leak structure. Fine tuning leaks proprietary phrasing. Brian Lurie, the former Stryker CIO quoted in the column, treats this as a category change rather than a configuration problem, and the implication is that posture has to be redrawn rather than patched.
May then borrows a sharper lens from Carissa Véliz, author of Prophecy: Prediction, Power, and the Fight for the Future, who compares the current AI mystique to the Oracle of Delphi and to astrology. The comparison is not dismissive. It points out that humans have always been willing to grant authority to systems whose mechanics they cannot inspect, and that the willingness scales with anxiety. An anxious executive team will assign oracle status to a model long before procurement finishes its review. The CIO is the only officer with both the standing and the technical literacy to refuse that frame on behalf of the business.
From future shock to present shock
The third observation extends Alvin Toffler's future shock into what May calls present shock. Toffler's diagnosis was that change would arrive faster than human institutions could metabolize it. The update is that the lag has collapsed to zero. There is no longer a future to brace for. The disorientation is happening in the current quarter, and it is happening to leaders whose calendars assumed otherwise. Trust, in that environment, becomes the scarcest organizational resource, and the officer who can be relied upon to describe what is actually happening accrues authority that no reorganization can transfer.
We should treat the AI trust charter as a forcing function
Here is the operator take. The practical move May prescribes, and the one we should adopt, is publishing an AI trust charter under the CIO's own name. Not a policy buried in a governance portal. A signed document, dated, versioned, and circulated to the board, that takes positions on five questions: how training and inference data is handled, how autonomous agents are scoped and supervised, how models are selected and retired, how vendor concentration is measured and capped, and how incidents are detected, disclosed, and remediated. Every one of those positions will be contested. That is the point. A charter that nobody argues with is a charter that nobody read.
The urgency anchor is regulatory, not rhetorical. EU AI Act obligations for general purpose AI providers and high risk systems continue to phase in through the second half of 2026, with documentation, transparency, and incident reporting requirements that map almost line for line onto the charter sections above. A CIO who publishes first establishes the internal vocabulary that compliance, legal, and audit will then inherit. A CIO who waits inherits a vocabulary written by someone else, usually under deadline pressure, and spends the following year reconciling it with operational reality. The geopolitical overlay, covered separately by CIO.com, only tightens the timeline, because vendor concentration and data residency questions stop being abstract the moment a supplier's home jurisdiction shifts posture.
Who else is reaching for the same ground
The competition is named in the column and visible in every org chart refresh of the last six months. Chief AI officers are being appointed with mandates that explicitly include trust and ethics. Chief data officers are extending their remit from quality and lineage into model governance. Chief risk officers are absorbing AI risk into enterprise risk frameworks and writing the taxonomies that the rest of the company will be measured against. Each of these moves is defensible. None of them is coordinated. Whoever publishes the first signed, board facing document on AI trust sets the terms that the others have to negotiate against.
What happens if the CIO publishes, and what happens if not
If the CIO publishes a credible AI trust charter in the next two quarters, three things follow. The charter becomes the reference document for board questions, which routes those questions through the CIO's office. Procurement gains a defensible filter for vendor selection, which compresses cycle time. Audit gains a stable target, which reduces the surface area of every subsequent review. The CIO becomes, in May's phrase, synonymous with trust, and the title sticks because it is attached to an artifact rather than a personality.
If the CIO does not publish, the charter still gets written. It gets written by a chief AI officer hired from outside, or by a consulting firm under a risk committee mandate, or by regulators who do not need internal consent. In each of those cases the CIO inherits the operational burden of a document drafted without operational input, and the trust position migrates to the desk that signed first. The window May describes is narrow because it is procedural. It closes the moment someone else picks up the pen.
