Learning platforms and educational technology support some of the most important work institutions do: preparing the leaders of tomorrow while protecting their confidential information.
Learning and EdTech are evolving quickly and sit at the intersection of two realities that do not always move at the same pace. Institutions are under pressure to adopt new tools quickly, particularly AI-powered ones, while the threat landscape those tools introduce is still being mapped. The gap between adoption and governance is not theoretical. It is where incidents happen.
The stakes are rising, and threat environments are becoming more complex. The World Economic Forum’s Global Cybersecurity Outlook 2026 found that 87% of respondents identified AI-related vulnerabilities as the fastest-growing cyber risk over the previous year. The share of organizations actually assessing the security of their AI tools rose from 37% in 2025 to 64% in 2026, which sounds like progress until you consider what it means in reverse: more than a third of organizations are still deploying AI tools without formal security assessment. In a sector that handles sensitive personal data for millions of learners, that gap is not acceptable.
Part of the answer is not only whether AI is assessed, but where it operates. AI that is bound to the platform and works within data already under institutional control presents a fundamentally smaller attack surface than general-purpose tools that reach into open, unpredictable sources. That architectural boundary is meaningful: it keeps sensitive data out of external pipelines, preserves existing access controls and gives security teams a defined perimeter to defend. Platform-bound AI gives organizations a defensible starting position. Whether that position is actually defended is what separates architecture from security.
For CISOs and technology leaders evaluating learning platforms, the question is no longer whether a vendor takes security seriously. Every vendor will say yes. The more useful questions are whether security is built into the product from the start, whether AI is integrated into the same security boundaries, whether controls are verifiable through independent standards and whether the vendor can demonstrate how they manage risk across the full lifecycle of the platform, not just at the point of sale.
In our work across education, one lesson is clear: security is strongest when it is treated as a foundational design principle; one that is integrated from the start and not bolted on later. At D2L, that means working to build secure, resilient infrastructure that supports reliable access to the learning experiences people depend on every day. Built-in, layered safeguards help protect users, manage access and reduce unnecessary exposure. But trust cannot rest on words alone. It must be verifiable and supported by recognized compliance standards so customers can validate the trust they place in their EdTech partners.
Security by design starts with recognizing what is at stake. A learning platform supports the daily work of learners, educators, administrators and organizations. That means security has to be considered across the full lifecycle of the product, from design and development through operations, support and continuous improvement. Selecting a learning platform can no longer be treated as a feature comparison alone. It is a trust decision for your organization.
A strong learning platform should do more than list security controls. It should show how those controls work together when something fails. Technical, administrative and operational safeguards matter because they are supposed to reinforce each other. A weakness in one area should not become a breach across the whole system. When evaluating a platform, the real question is not whether controls exist. It is how the vendor enforces them, monitors them, tests them and responds when something goes wrong.
Data protection should be examined the same way. A mature provider should be able to explain its security posture as an operating model, not just as a set of product features. That means being clear about how data is protected in transit and at rest, how activity is monitored across the network, host and application layers, and where customer-controlled settings allow institutions to make their own risk decisions. The answer to “how do you protect our data” should be a coherent architecture, not a checklist.
Continuity is where security becomes visible to the people who rely on the platform every day. When a learning environment goes down, the impact is not only operational. It affects institutional trust, learner confidence and the ability of people to keep working. A resilient platform should have clear practices for redundancy, data replication, failover and service restoration. The vendor should be able to explain those practices plainly, show that they are tested and avoid relying on vague assurances when customers need evidence.
Trust you cannot check is just a claim. Trust should be independently verifiable. Certifications and assessments such as ISO/IEC 27701, ISO/IEC 27001, ISO/IEC 27018, ISO/IEC 27017, SOC reports, CSA STAR, TX-RAMP and Internet2 Cloud Scorecard resources do not eliminate risk, but they give customers a transparent way to evaluate how a provider manages security, privacy, cloud controls and data protection obligations.
The future of learning depends on trust and a clear commitment to security. Choosing learning platforms and AI tools wisely means choosing providers that treat security as foundational, continuous and non-negotiable. The people learning today represent our future. Protecting them should never be an afterthought.
Continue the conversation and explore the evolving landscape of learning and the future of cybersecurity. I’ll be speaking at our latest Fusion track, Trust by Design, in sessions covering Trust in the Cloud and Trust Under Pressure.
Written by:
