We spend a lot of time in this industry talking about AV network security as a technology challenge. Those conversations are worth having. But they tend to skip over a prior question that may be harder to answer: in a typical enterprise, who is actually responsible for the security of the AV network?
In most organizations, the honest answer is nobody. Not clearly.
That gap has been building for years and is now showing up consistently in conversations with enterprise AV customers across verticals. IT security teams are discovering AV networks, and the AV teams are not ready for the conversation.
The AV team doesn't have a security mandate, and often doesn’t have the knowledge either. The IT team doesn't have AV expertise.
Farooq Khan, VP Software Security at NETGEAR Enterprise
AV infrastructure has historically been reported to facilities management, operations, or a dedicated AV team sitting outside the IT org chart. IT teams manage corporate networking and security, but rarely have visibility into AV devices. They don't speak Dante or NDI. They haven't configured an AV-over-IP VLAN. The CISO owns security policy but typically inherits whatever boundaries the IT and facilities teams have already drawn. Often, those boundaries leave AV on the outside.
The result is a structural issue. The AV team doesn't have a security mandate, and often doesn’t have the knowledge either. The IT team doesn't have AV expertise. The security team doesn't have jurisdiction. As a result, nobody is responsible for the security of the AV network.
This was always going to happen. The AV industry spent the last decade converging with IT and adopting IP infrastructure. AVIXA's Audiovisual Network Professional certification, which is designed equally for AV professionals who need to prove networking competency and IT professionals who need to prove AV integration capability, is a direct acknowledgment that neither side currently speaks the other's language fluently enough. In higher education, AV infrastructure has already moved under IT governance in many institutions. In larger enterprises, the trajectory is the same, with hybrid models becoming common: AV teams retain operational responsibility while IT owns the security layer.
The AV/IT Convergence Conversation
The convergence conversation has mostly glossed over the fact that converging the technology doesn't automatically converge the governance. You can put AV on the same IP network as corporate IT and still have two entirely separate organizations with separate reporting lines, separate accountability frameworks, and no shared understanding of what a secure AV environment actually looks like. The infrastructure merged. The ownership question didn't.
The scenarios we're hearing reflect this. A facilities manager at a large enterprise receives a request from the CISO's office for a device inventory of the AV network. They want a list of everything connected, every open port, every remote access point. The AV team has never been asked this question and doesn't have a clean answer. A healthcare organization's AV infrastructure supporting telemedicine systems gets flagged during a compliance audit because it sits inside the network boundary but outside the security monitoring scope. A multi-site retailer's IT team flags that digital signage endpoints are pulling content across the same network that carries payment data. Nobody made a decision to do that. It just happened because decisions were made without security as a criterion.
At a customer event in Dallas recently, I asked a room of AV end-customers how many were experiencing increased pressure from IT or security leadership around their AV networks. Nearly every hand went up. A contact described a situation his team was navigating: their AV infrastructure runs on one vendor's managed switches, their corporate IT runs on another, and their IT security team demanded visibility into the AV network. If they couldn’t get that, they’d use their IT infrastructure for both IT and AV moving forward. However, replacing AV infrastructure solves the visibility problem on IT's terms but causes performance problems that the AV team is left to clean up.
My background is in network security, not AV, which means I came to this problem without the assumptions baked into either side. What I've found is that the governance gap is more entrenched in AV than in almost any other part of enterprise IT. The technology convergence is largely done. The governance convergence is not.
The organizations handling this well share one characteristic. They established clear ownership and decided deliberately what a security-compliant AV environment looks like without sacrificing the performance that the original investment was made to deliver. That means getting ahead of the ownership question before it becomes someone else's mandate to answer.
