Evaluating Exposure-Driven Security Governance for Proactive Risk Mitigation of AI-Powered Cyber Attacks in Digital Infrastructures

AI-enabled adversaries accelerate reconnaissance, exploitation, and evasion, exposing limitations of audit-periodic cybersecurity governance. This study compares four governance archetypes—compliance-driven, framework-centric, risk-based, and exposure-driven—using a mixed-methods design: a survey of 121 security practitioners, semi-structured interviews with senior security leaders, an aggregated 6-month pre/post enterprise case study, and triangulation with authoritative secondary sources. Operational outcomes (breach frequency, detection/containment speed, exposure closure, and analyst effort) are analyzed using one-way ANOVA with post-hoc tests. Exposure-driven governance is associated with significantly better outcomes in our sample, including lower breach frequency and faster detection and containment. Interview and case evidence attribute improvements to continuous asset visibility, exploitability- and context-aware prioritization, and bounded automation integrated with remediation workflows. Contributions include (i) a measurable operationalization of governance archetypes, (ii) comparative benchmarking across archetypes, and (iii) a formal exposure risk scoring and automation loop to support reproducible implementation. Limitations include subgroup imbalance and partial reliance on self-reported measures, motivating replication with telemetry-level paired data.