Chris DaltonCheck Point Selling AI Governance Advice Is Peak "The Fox Guards the Henhouse"
March 6, 2026
I want to start by saying I have nothing against Check Point. I genuinely don't. They've been around since 1993. They protect over 100,000 organizations globally. They know what they're doing with firewalls. I'm sure their people are smart and work hard and some of them hold elevators. I want them to succeed.
But what they announced on March 5th, 2026 is one of the most perfectly constructed conflicts of interest I've seen in the enterprise software space in a while, and I think we should talk about it plainly.
What Actually Happened
Check Point Software Technologies (NASDAQ: CHKP) announced a Secure AI Advisory Service - a new service designed to help enterprises accelerate AI adoption with governance, risk management and regulatory compliance embedded from the start. The pitch is straightforward: AI is moving fast, your board is nervous, regulators are circling, let us help you build a governance framework.
The service delivers AI governance frameworks aligned to business strategy, AI risk and impact assessments with prioritized mitigation roadmaps, regulatory readiness aligned to EU AI Act, GDPR, ISO 42001 and NIST AI RMF, plus executive and practitioner enablement to operationalize controls. It's available in three tiers: Essential, Enhanced and Total.
Pricing, naturally, was not disclosed.
This new service is part of the CPR Act, Check Point's Cyber Resilience and Response unit. Unlike one-off assessments or standalone consulting, CPR Act integrates AI governance into the security lifecycle, connecting intelligence, readiness, detection, and response.
On paper, this sounds reasonable. Helpful, even. The kind of thing a company with Check Point's resources and threat intelligence is well-positioned to offer. And that's exactly where the problem starts.
The Conflict Nobody's Saying Out Loud
Here's the structural issue. Organizations experienced an average of 1,968 cyber attacks per week in 2025, representing a 70% increase since 2023, as attackers increasingly leverage automation and AI. Check Point's own research documents this. They publish the scary numbers. They write the threat reports. Then they sell you the thing that addresses the scary numbers.
That's not automatically bad. That's kind of how security works. You identify threats, you sell protection. Fine.
But now they're also selling you governance advice - the strategic layer that tells you which AI systems to deploy, how to oversee them, which risks matter, and what your board should be thinking about. They describe it as vendor-agnostic advisory combined with intelligence-led insight. Vendor-agnostic. From Check Point. Who has a 2026 strategy centered on securing customers' AI transformation across the enterprise, focused on executing against four strategic pillars - Hybrid Mesh, Workspace, and Exposure Management - while embedding AI-driven security throughout their portfolio, including through the acquisition of Cyata to expand their AI security stack.
You see the problem. The company advising you on AI governance also has a very specific commercial interest in which AI risks you decide to prioritize and which security products you decide to buy to address them. The advice and the product catalog are not separate things. They're connected at the hip, by design, by quarterly revenue targets, and by the fact that calculated billings rose 8 percent year on year to $1,039 million for Check Point's most recent quarter, with security subscription revenue growing 11 percent to $325 million.
I'm not saying they're lying to you. I'm saying the incentive structure makes genuine independence structurally impossible. The fox-guards-the-henhouse situation is when someone takes on the role of supervising and protecting valuable things when they have a bias or conflict of interest with the valuables they're protecting. This is that.
This Is a Pattern, Not a Surprise
What Check Point is doing isn't new. GitHub presents a similar dynamic - as the creator of Copilot, it also offers a suite of security tools designed to identify and remediate vulnerabilities in code, creating a situation where it develops a tool that can inadvertently introduce security risks while also profiting from selling tools to mitigate those very risks. Security vendors building revenue streams around the problems their core products create - or at minimum, the problems their core products are supposed to solve - is a genre at this point. It's not a scandal. It's a business model.
But the AI governance layer is different from selling a firewall. When you're advising a company's board and executive team on strategic AI risk - on what the organization should decide - you've moved out of product and into something closer to fiduciary territory. And that's where the conflict sharpens.
Derek spent about twenty minutes last week explaining to me why the Disney Star Wars sequels are actually good if you understand the broader narrative arc. I nodded. I kept nodding. At some point I realized I genuinely didn't know what I believed anymore because someone confident was talking at me for a long time. That's what vendor-led governance advice does to organizations. You bring in someone who knows a lot about the space, and you come out aligned to their roadmap.
The Regulatory Pressure Is Real, Though
Here's the thing I don't want to dismiss: the underlying demand is legitimate. AI is moving from experimentation to core business infrastructure, and in many organizations, deployment is outpacing oversight. Boards and executive teams are facing increased regulatory scrutiny, operational risk and accountability gaps as AI systems expand across hybrid networks, cloud environments and digital workspaces.
Regulatory readiness requirements span the EU AI Act, GDPR, ISO 42001 and the NIST AI Risk Management Framework. Many organisations are working out how these requirements map to existing security and compliance processes, as AI governance begins to resemble other risk disciplines such as data protection and cyber security.
Check Point's own research found 89% of organizations encountering risky AI prompts, with about 1 in 41 prompts deemed high risk. These numbers aren't invented for marketing. The compliance burden is real. The board-level pressure is real. Companies genuinely need help structuring their AI governance approach and they're going to pay for it from someone.
Stephanie sat in on a vendor call last month for something that started around a certain price per month and by the end of the call she was nodding along to a number that would give most people pause. She just genuinely has no concept of what things cost. She left that call saying it seemed reasonable. There's a version of that happening at the board level in companies right now with AI governance services. The fear is real, the confusion is real, and the vendors are very calm and very confident.
What "Vendor-Agnostic" Actually Means Here
Check Point uses the phrase "vendor-agnostic advisory" in their announcement. Let's be precise about what that means in practice.
CPR Act integrates AI governance into the security lifecycle, connecting intelligence, readiness, detection, and response, ensuring controls and monitoring to adapt to new AI risks, regulations, and threats, offering organizations a single accountable partner from strategy through execution.
"Single accountable partner from strategy through execution." That's the pitch. They're not promising neutrality - they're promising continuity. The same organization that audits your AI governance needs will also, conveniently, be positioned to help you execute on whatever gaps they find. Check Point differentiates the approach from one-off assessments, positioning CPR Act as a single partner from strategy through execution, with controls and monitoring that can adapt as AI risks and regulations change.
That's a subscription model with a governance audit as the top of the funnel. I'm not saying it can't deliver real value. I'm saying you should understand what you're buying.
I spent about an hour once setting up an AI integration the wrong way - I had the governance triggers running on the wrong layer, so it was flagging everything as high-risk regardless of actual exposure. I just kept getting alerts. Constant alerts. I didn't realize I'd configured the scope backwards until someone pointed it out. Somewhere in that experience is a metaphor for buying governance frameworks from the same company that calibrates what counts as a threat. The lens matters. The lens is not neutral.
This Is Where Small and Mid-Sized Businesses Get Hurt
Enterprise companies have independent CISOs, risk committees, general counsel, and sometimes actual independent third-party auditors. They can push back. They can hire someone else to sanity-check the governance framework before they implement it. They have leverage.
The companies that get hurt by this dynamic are mid-market businesses that are genuinely overwhelmed, genuinely don't have internal AI governance expertise, and are going to take the framework a trusted security vendor gives them and implement it without questioning the underlying incentive structure. AI is driving one of the fastest security shifts the industry has experienced, forcing organizations to reassess long-standing assumptions about how attacks originate, spread, and are stopped, with capabilities once limited to highly resourced threat actors now widely accessible. When the pace of change is that fast, the companies with the least internal expertise are the most dependent on outside advice, and the most vulnerable to advice that's shaped by vendor interest.
This is also where I get genuinely protective, honestly. We've written before about the agentic AI hype cycle and how most businesses aren't ready for it - and the version of that story where companies get locked into a governance framework that was quietly designed to recommend the governance tool vendor's own product stack is going to be a story we're telling for years.
The Counterargument (Because It Exists)
Okay. Let me steelman this for a second.
The argument for getting governance advice from a company like Check Point is that their threat intelligence is real and their visibility into actual attack patterns is genuine. The Check Point research team consists of over 200 analysts and researchers cooperating with other security vendors, law enforcement and various CERTs, with data sources including open sources, the ThreatCloud AI network and dark web intelligence. That's not nothing. An independent governance consultant who's never actually seen a live AI-assisted attack might produce a framework that's theoretically pure and practically useless.
There's also the argument that all consulting has embedded incentives. McKinsey recommends transformations that require McKinsey. Law firms recommend litigation strategies that require law firms. The idea of a truly disinterested advisor is a fiction at enterprise scale. Check Point is at least transparent that they're a security company with a security product portfolio. You know the bias going in.
Tory would say the fact that you can see the conflict of interest is actually a feature. He said something like this recently about his divorce proceedings and I'm still not sure what he meant, but the logic applied here is: disclosed bias is better than hidden bias. And Tory is relentlessly, almost painfully optimistic about everything right now, so take that for what it's worth.
He's not wrong. But I still think the combination of fear-forward threat reporting, product sales, and strategic governance advice, all from the same vendor, deserves a harder look than it's getting.
What Businesses Should Actually Do
I'm going to say what I actually think, which is that AI governance advice from a cybersecurity vendor should be treated as a starting point, not a conclusion. Use it to understand the regulatory landscape. Use their framework to identify gaps. Then have someone else - an independent risk consultant, a compliance attorney, an internal team with no stake in the product stack - evaluate whether the gaps they identified and the solutions they're recommending are actually aligned to your business or to their renewal cycle.
The executives who've already admitted deep AI dependency - and we've written about what happens when that dependency gets locked in - are the most exposed to this dynamic. If you've already built your operations around AI, you're not in a neutral position to evaluate a governance framework. You need someone with no product to sell telling you where you're actually exposed.
And if you're genuinely just trying to understand where your AI deployment sits relative to the EU AI Act or NIST AI RMF, those frameworks are public documents. They're not easy reading, but they're not proprietary. You don't have to buy a tiered advisory service to access the compliance standard. You have to buy a tiered advisory service to have someone else read it for you and map it to your environment - and that's fine, that's legitimate, but know that you're paying for interpretation, and interpretation is where the conflict lives.
The Actual Takeaway
Check Point is a smart company making a rational business move. They ended 2025 with $4,342 million in cash balances, marketable securities, and short-term deposits. They're not doing this because they need the money. They're doing it because they see that AI governance is going to be a major enterprise spending category and they want to own the top of that funnel before someone else does.
That's legitimate. That's how businesses grow. I'm not mad at them for it. I genuinely want them to succeed and I'm sure the people delivering these advisory services are thoughtful and competent.
But I want businesses - especially smaller businesses without a full bench of risk and compliance people - to walk into this with their eyes open. When the company selling you threat intelligence, security infrastructure, and now governance frameworks describes itself as vendor-agnostic, that's the sentence to slow down on. Read it again. Ask what it means. Ask who it serves.
The fox is wearing a very nice blazer and has excellent deck materials. That doesn't change what it is.
If you're evaluating AI integration tools and governance approaches from the bottom up rather than the top down, our coverage of AI integration solutions is a reasonable place to start building your own picture before you bring in a vendor to frame it for you.