
Cyber+AI: Why Every Business Needs to Rethink Risk, Resilience, and Readiness

AI is changing business tempo, cyber risk, operating models, and organizational readiness.


Artificial intelligence is often introduced into business conversations as a productivity tool. It can draft documents, summarize meetings, generate code, analyze data, automate workflows, and help employees move faster. That view is not wrong, but it is incomplete.

The more important business question is not simply, “How can AI make us more efficient?” The more important question is, “What changes when both businesses and adversaries can use AI to move faster, analyze more deeply, automate more broadly, and operate at greater scale?”

That is where cybersecurity and AI become inseparable.

The convergence of cyber and AI is not just a technology issue. It is a business operating model issue. It affects governance, procurement, vendor management, compliance, workforce readiness, data strategy, architecture, risk management, incident response, and executive decision-making. AI changes both sides of the equation: it gives organizations new defensive capabilities, but it also gives attackers new ways to discover weaknesses, automate attacks, manipulate people, and exploit complexity.

For many organizations, the biggest risk may not be that AI introduces something entirely new. The bigger risk may be that AI exposes how much of the current business environment still depends on outdated assumptions.

Many companies still operate as if change happens at quarterly, annual, or human-scale speed. Risk reviews happen periodically. Procurement cycles move slowly. Vendor assessments rely on questionnaires. Compliance is often document heavy. Architecture review may happen late in the process. Security teams are expected to protect increasingly complex environments with incomplete visibility, constrained resources, and systems they do not fully control.

AI compresses these timelines. It can accelerate discovery, analysis, testing, exploitation, response, and decision support. That creates opportunity for defenders, but it also creates pressure on businesses that are still organized around slower ways of working.

The result is a new business challenge: organizations must learn how to adopt AI safely while also defending against AI-enabled threats.

AI Is Not Just a Tool. It Is a Change in Business Tempo.

Most businesses are still at the early stage of understanding AI’s full impact. The first wave of adoption has focused on productivity: writing, research, analytics, software development, customer support, knowledge management, and process automation. These are valuable use cases, but they are only the beginning.

As AI becomes more capable, it starts to affect the tempo of the enterprise itself.

Business cases can be developed faster. Designs can be generated and reviewed faster. Code can be written and tested faster. Contracts can be analyzed faster. Threats can be researched faster. Configurations can be compared faster. Incident response plans can be drafted faster. Knowledge can be retrieved faster. Decisions can be supported faster.

But speed without governance is not automatically progress.

A faster organization can also make mistakes faster. It can spread bad assumptions faster. It can automate weak processes faster. It can expose sensitive data faster. It can deploy poorly understood tools faster. It can create dependencies on systems that employees do not know how to challenge, validate, or override.

This is why AI adoption cannot be treated as a software rollout alone. It must be treated as a change to the way the business operates.

The Cyber Risk Landscape Is Changing

AI also changes the cybersecurity threat environment.

Attackers can use AI to improve phishing, social engineering, reconnaissance, vulnerability research, malware development, impersonation, and supply-chain targeting. They can use AI to interpret public documentation, scan for exposed systems, analyze leaked data, summarize technical manuals, generate convincing messages, and tailor attacks to specific roles or organizations.

This does not mean every attacker suddenly becomes elite. It means AI can lower the skill floor and increase the speed and scale of activity. Tasks that once required specialized knowledge may become easier to attempt. Campaigns that once took significant manual effort may become easier to customize. Social engineering that once had obvious warning signs may become more persuasive.

Businesses therefore need to revisit assumptions about identity, access, vendor trust, data protection, monitoring, segmentation, and incident response. The controls that were “good enough” in a slower threat environment may not be good enough when both attackers and defenders can operate with AI assistance.

Legacy Operating Models Are Becoming a Risk

One of the most important impacts of Cyber + AI is that it challenges traditional operating models.

Many organizations still rely on processes that are too slow, too siloed, and too document-heavy for the current environment. Security, architecture, procurement, legal, compliance, privacy, operations, and business teams often work in sequence rather than together. By the time risk is reviewed, the tool may already be in use. By the time a policy is approved, employees may already have found workarounds. By the time a vendor assessment is complete, the platform may have changed.

AI makes this harder because AI capabilities evolve quickly and are often embedded inside other products. A vendor that was once providing a conventional software platform may suddenly add AI features. A collaboration tool may gain summarization. A development platform may gain code-generation agents. A customer service tool may gain autonomous workflow capabilities. A data platform may gain natural language query and content generation.

This means organizations need governance models that are continuous rather than episodic. They need clear accountability, measurable controls, and cross-functional review processes that can keep pace with change.

The answer is not to stop AI adoption. The answer is to modernize how adoption is governed.

Black-Box and Vendor Risk Become More Important

Modern businesses rely heavily on third-party platforms, managed services, embedded software, SaaS tools, APIs, integrations, and vendor-controlled environments. In many cases, the business does not own the source code, cannot inspect the underlying logic, and has limited ability to validate how the system works.

That creates a black-box risk problem.

AI makes this problem more urgent. As AI improves the ability to analyze behavior, interpret documentation gaps, test assumptions, and identify patterns, businesses need to assume that opaque systems can still be studied, targeted, and exploited. The fact that a system is proprietary, old, obscure, vendor-managed, or difficult to inspect does not make it safe.

Organizations need better ways to assess risk when they do not have source code. That means looking at architecture, exposure, identity controls, logging, telemetry, vendor evidence, patchability, configuration, compensating controls, contractual obligations, business criticality, and operational consequence.

The key shift is accountability. A vendor may own the platform, but the business owns the consequence of failure.

That means vendor risk management must evolve beyond questionnaires and annual reviews. Businesses need stronger contractual requirements, clearer incident notification expectations, better security evidence, more explicit end-of-life planning, stronger monitoring, and architectural controls that reduce blast radius when vendor-managed systems fail.

AI Can Strengthen Defense, But Only If It Is Governed

The defensive potential of AI is significant.

AI can help security and technology teams analyze large volumes of data, triage vulnerabilities, summarize alerts, prioritize patches, draft incident response playbooks, review configurations, detect anomalies, generate test cases, support threat hunting, and accelerate investigation. It can also support business continuity, operational resilience, fraud detection, customer operations, software engineering, risk analysis, and executive decision support.

The opportunity is not simply to give every employee a chatbot. The larger opportunity is to embed AI into defensible business processes where speed, scale, and pattern recognition matter.

High-value defensive use cases may include:

| Business Area | Potential AI-Enabled Defensive Use |
| --- | --- |
| Cybersecurity operations | Alert triage, threat hunting, incident summarization, response playbooks |
| Vulnerability management | Patch prioritization, exploitability analysis, exposure mapping |
| Identity and access | Entitlement review, anomaly detection, privileged access monitoring |
| Software delivery | Secure code review, dependency analysis, test generation, configuration checks |
| Vendor risk | Contract review, evidence analysis, control gap identification |
| Business continuity | Scenario planning, dependency mapping, crisis communication support |
| Fraud and abuse detection | Pattern recognition, behavioral anomaly detection, case summarization |
| Data governance | Sensitive data discovery, classification support, policy mapping |
| Compliance | Control mapping, evidence collection, audit preparation |

However, AI must be used carefully. A poorly governed AI capability can create new risks: data leakage, over-permissioned automation, hallucinated outputs, weak auditability, inappropriate reliance, privacy exposure, and unclear accountability.

The most successful organizations will not be the ones that simply buy the newest AI tool. They will be the ones that know where AI belongs, where it does not belong, what data it can access, what actions it can take, who supervises it, how it is monitored, and how humans can intervene.

Data Readiness Is Business Readiness

AI readiness is often discussed as a technology issue, but it is largely a data and operating model issue.

AI systems are only as useful as the data, context, permissions, and processes around them. If business data is stale, incomplete, untrusted, siloed, poorly classified, or inaccessible, then AI may produce outputs that are fast but unreliable. If the organization lacks clear data ownership, AI adoption can amplify confusion. If sensitive data is not classified or protected, AI can increase exposure. If knowledge lives only in people’s heads, AI cannot reliably help the organization reason about it.

This means businesses need to ask practical readiness questions before scaling AI:

| Readiness Area | Key Question |
| --- | --- |
| Data quality | Is the data accurate, current, complete, and trusted? |
| Data classification | Do we know what is sensitive, regulated, confidential, or public? |
| Access control | Can AI only access what the user or workflow is authorized to access? |
| Architecture | Are AI tools integrated safely into enterprise systems? |
| Monitoring | Can we see what AI accessed, generated, recommended, or changed? |
| Governance | Who approves AI use cases, models, data sources, and automations? |
| Workforce readiness | Do employees know how to use, challenge, and verify AI outputs? |
| Operational support | Can the AI-enabled process be maintained, audited, and improved? |

A business that is not ready for AI from a data, governance, and architecture perspective may still be able to experiment. But experimentation is not the same as production readiness.

Moving from pilot to production requires reliability, measurability, supportability, security, and clear ownership.

The Human Role Must Be Redesigned, Not Assumed

Many AI risk discussions rely on the phrase “human in the loop.” That phrase can be useful, but it can also create false comfort.

A human is not automatically a safe fallback.

Humans are only a meaningful control if they are trained, informed, empowered, and practiced enough to intervene under pressure. If employees become dependent on automation but lose the skills to challenge it, the organization may become less resilient. If an AI system produces confident recommendations and humans are expected to approve them quickly, oversight can become ceremonial rather than substantive.

Businesses need to decide where humans should approve, supervise, audit, override, or remain fully responsible. The answer will vary depending on the risk of the process.

For low-risk tasks, AI may be allowed to automate more. For high-risk decisions, AI may support analysis but not make final decisions. For safety-critical, financially material, legally sensitive, or security-sensitive workflows, organizations need stronger controls, clearer escalation paths, and more deliberate human judgment.

The future of work is not simply humans using AI. It is humans, AI systems, and business processes being redesigned together.

Myths Every Business Should Test

The following table can help organizations determine whether the Cyber + AI conversation is relevant to them. If any of these myths reflect current assumptions inside the business, then the organization likely has work to do.

The point is not to claim that every business should already have perfect answers. Most do not. The value is in recognizing the assumptions, bringing the right people together, and developing a practical approach across cybersecurity, technology, operations, legal, compliance, procurement, risk, finance, and business leadership.

| Myth to Test | AI-Era Reality |
| --- | --- |
| “AI is just a productivity tool for office workers.” | AI is a business capability, a cyber capability, an automation layer, and a force that can reshape operating models. |
| “AI only helps us move faster.” | AI helps defenders move faster, but it can also help attackers move faster. Speed matters on both sides. |
| “Our current assessment, patching, procurement, and compliance cadence is good enough.” | AI compresses discovery, analysis, targeting, testing, and response cycles. Slow governance can become a risk in itself. |
| “We can wait for vendors, regulators, or industry standards to tell us what to do.” | External guidance often matures after the risk has already changed. Waiting is not neutral; it is a risk decision. |
| “Obscure, proprietary, old, or hard-to-understand systems are safer.” | Obscurity is losing defensive value as AI improves the ability to interpret systems, documentation gaps, configurations, and behavior. |
| “If we do not have source code, we cannot meaningfully assess the risk.” | Businesses still need defensible ways to assess black-box risk using architecture, exposure, behavior, telemetry, testing, vendor evidence, and compensating controls. |
| “The vendor owns the platform, so the vendor owns the risk.” | The business owns the operational, financial, legal, reputational, and customer impact when a vendor-managed platform fails. |
| “We can add AI once we buy the tool.” | AI readiness depends on data readiness, architecture readiness, governance readiness, workforce readiness, and operational readiness. |
| “Humans are always the safe fallback.” | Humans are only a safe fallback if they remain trained, informed, empowered, and practiced enough to intervene under pressure. |
| “Cybersecurity can manage this alone.” | Cyber + AI requires a cross-functional operating model involving security, technology, data, legal, compliance, procurement, risk, operations, and business leadership. |

What Business Leaders Should Do Now

The Cyber + AI challenge is too broad to leave to one department. It requires executive sponsorship and cross-functional ownership.

Business leaders should begin by asking five questions.

  1. Which business processes are already using AI, formally or informally? - Shadow AI adoption is already happening in many organizations. Employees may be using public tools, embedded vendor features, browser extensions, code assistants, meeting summarizers, or workflow automation without centralized visibility.

  2. Where could AI create the greatest defensive or operational value? - The goal should not be AI everywhere. The goal should be AI where it improves measurable outcomes: reduced response time, better prioritization, lower risk, improved resilience, better customer experience, faster analysis, or stronger decision support.

  3. Which systems, vendors, and processes are least visible but most critical? - Cyber + AI makes black-box risk more important. Organizations need to understand where they depend on systems they cannot inspect, vendors they cannot easily challenge, or processes they cannot quickly recover from.

  4. Is the organization’s governance model fast enough? - If AI adoption moves faster than security, architecture, procurement, privacy, and compliance review, the organization will either slow innovation or lose control. Neither outcome is ideal. Governance must become more continuous, practical, and risk-based.

  5. Is the workforce ready? - Employees need to know how to use AI responsibly, protect sensitive data, validate outputs, recognize AI-enabled threats, and escalate concerns. Technical teams need deeper skills in AI security, data governance, automation oversight, and adversarial thinking. Leaders need enough fluency to make informed decisions. The organization needs to staff these people and retrain them through this disruptive time period.

The Path Forward

Cyber + AI is not a future issue. It is already becoming part of how businesses operate, compete, defend, and fail.

The organizations that benefit most from AI will not be the ones that treat it only as a productivity tool. They will be the ones that recognize AI as a change in business tempo, risk, architecture, governance, and workforce design.

They will modernize slow operating models. They will improve visibility into black-box and vendor-managed environments. They will use AI defensively, but with clear controls. They will invest in data readiness. They will keep humans meaningfully engaged in high-risk decisions. They will treat cybersecurity not as a blocker to AI adoption, but as a necessary partner in making AI useful, trusted, and resilient.

No organization has all the answers yet. That is exactly why the conversation matters.

The right starting point is not certainty. The right starting point is bringing together the people who understand the business, the technology, the data, the vendors, the risks, the regulations, and the operations. From there, organizations can begin to test their assumptions, retire outdated myths, and build a practical approach to Cyber + AI that supports both innovation and resilience.