At the FAIR Europe Summit 2026 in London, I opened the event by exploring a question that is increasingly occupying the attention of boards, executive teams, regulators, and risk leaders around the world: how should organizations think about risk in an era where artificial intelligence is becoming embedded in virtually every aspect of business operations?
The question is important not simply because AI is a powerful technology. Every generation experiences technologies that fundamentally reshape how organizations operate. The internet transformed communication and commerce. Cloud computing transformed infrastructure and software delivery. Mobile technologies transformed customer engagement and workforce productivity. Over time, each of these innovations evolved from a competitive advantage into a foundational component of modern business operations.
AI is following the same path, but at a pace that is significantly faster than any of its predecessors.
What makes the current transition unique is not merely the speed of adoption. It is the breadth of adoption. AI is not confined to a single department or business function. It is being incorporated into software development, customer service, marketing, finance, operations, cybersecurity, legal workflows, and executive decision-making. Organizations are increasingly discovering that AI is less a standalone technology initiative and more a new operating layer that sits across the enterprise.
This shift explains why AI has moved so quickly from an innovation discussion to a risk discussion. As technologies become embedded in value creation, they inevitably become subjects of governance, oversight, and risk management. The business case for AI is compelling enough that most organizations feel significant pressure to move quickly. Executives see opportunities to improve productivity, accelerate innovation, optimize costs, and gain competitive advantage. Investors increasingly expect organizations to demonstrate credible AI strategies. Employees are adopting AI tools to improve the speed and quality of their work. In many industries, leaders feel that standing still may be more dangerous than moving forward.
Yet the same forces that are driving adoption are also exposing weaknesses in many existing approaches to risk management. AI is spreading across organizations faster than governance processes can adapt. New use cases are emerging faster than compliance frameworks can evaluate them. Dependencies on external AI providers are increasing faster than organizations can fully understand the implications of those dependencies. The result is a growing gap between the pace of innovation and the pace of organizational visibility.
That visibility gap is becoming one of the defining risk management challenges of the AI era.
The emergence of the EU AI Act, alongside DORA, NIS2, GDPR, and a growing body of AI-related regulatory guidance around the world, has further elevated the issue. While these regulations differ in scope and objectives, they share a common expectation: organizations are expected to understand how AI is being used, understand the risks that accompany its use, and demonstrate appropriate oversight. In practical terms, regulators are increasingly asking organizations to answer questions that many enterprises still struggle to answer consistently. What AI solutions are being used across the organization? What information is being shared with them? How are those systems governed? How is risk changing over time? Who is accountable for managing that risk?
These are not purely compliance questions. They are fundamentally questions about visibility, intelligence, and decision-making.
Over the past year, I have had the opportunity to speak with numerous boards and executive leadership teams about AI. One observation has become increasingly clear. The conversation is no longer about whether AI matters. That debate is largely over. The discussion has shifted toward understanding the implications of becoming increasingly dependent on AI technologies whose behavior, risks, and external dependencies can change rapidly. Directors are asking questions about resilience, accountability, concentration risk, regulatory exposure, and business impact. They are asking how AI risk differs from traditional cyber risk and whether existing governance models are sufficient to manage it.
These questions reveal a deeper issue. Many organizations continue to evaluate AI through frameworks that were designed for previous generations of technology risk. While those frameworks remain valuable, they are increasingly proving insufficient on their own.
Traditional cyber risk management has historically focused on assets, vulnerabilities, threat actors, and controls. The underlying assumption has been that risk can be understood by evaluating systems, identifying weaknesses, and implementing safeguards designed to reduce the likelihood or impact of adverse events. This model has served organizations well through multiple waves of technological change.
AI introduces additional complexity because risk increasingly emerges not only from technology assets themselves but from the interactions surrounding them. It emerges from how employees use AI systems, how data is shared with those systems, how models influence business decisions, how organizations depend on external AI providers, and how those dependencies evolve over time. In many cases, risk is created not by a single control failure but by a combination of factors that span multiple organizational functions and external ecosystems.
This distinction is important because it changes the nature of what organizations need to observe. A traditional security assessment may provide insight into the security posture of an AI provider. A governance review may provide visibility into approved use cases. A contract review may identify important liability provisions. A compliance assessment may evaluate adherence to regulatory requirements. Each of these activities contributes valuable information, yet none provides a complete understanding of enterprise AI risk on its own.
What many organizations possess today is not a lack of information but a fragmentation of information. Security teams, governance teams, procurement teams, compliance teams, and business units each possess pieces of the puzzle. The challenge is that AI risk increasingly emerges from the interaction between those pieces rather than from any individual component viewed in isolation.

| Traditional Cyber Risk | AI Risk |
| --- | --- |
| Assets | Human-AI Interaction |
| Vulnerabilities | AI Configurations |
| Threat Actors | Third-Party AI Dependencies |
| Controls | Autonomous Decision-Making |
| Point-in-time Assessment | Continuous Adaptation |

This is why I believe we are witnessing the emergence of a new discipline that I refer to as AI Cyber Risk Intelligence.
Every mature risk management discipline is built upon a foundation of intelligence. Financial risk management depends on financial intelligence. Operational risk management depends on operational intelligence. Threat management depends on threat intelligence. The AI era requires an equivalent capability that enables organizations to continuously understand how AI is being used, where exposure exists, how that exposure is changing, and what business consequences may result.
Importantly, AI Cyber Risk Intelligence is not simply another governance program or compliance activity. Rather, it represents the foundation upon which effective governance, compliance, security oversight, and risk quantification can be built. Before organizations can govern AI risk, they must first understand it. Before they can prioritize investments, they must understand how exposure is evolving. Before they can quantify risk, they must have confidence that they are observing the factors that actually influence risk outcomes.
In my view, this intelligence capability ultimately depends on visibility across five interconnected dimensions of AI exposure: live activity, configuration posture, compliance evidence, outside-in exposure, and contractual dependencies. Each dimension provides a unique perspective on enterprise AI risk. More importantly, each becomes significantly more valuable when analyzed in the context of the others. AI risk rarely emerges from a single source. It emerges from the interaction of usage patterns, governance decisions, technical configurations, external conditions, and business dependencies that are continuously changing.
The practical implication of this framework is that organizations must begin thinking differently about how they build visibility into AI risk. Historically, many organizations have approached AI oversight through a single lens. Some have concentrated primarily on governance and policy management. Others have focused on compliance and regulatory requirements. Still others have approached AI from a cybersecurity perspective, emphasizing technical controls, model security, or data protection. Each of these approaches addresses an important part of the challenge, but none fully captures the complexity of the environment that organizations are now operating within.
Consider a simple example. An organization may have approved a particular AI platform for enterprise use and completed a thorough security review before deployment. From a governance perspective, the organization may appear to have exercised appropriate oversight. Yet over time, adoption may expand into business functions that were never contemplated during the original review. New categories of sensitive data may begin flowing into the platform. Configuration settings may be modified to improve usability or productivity. External conditions may change as vulnerabilities are discovered, vendor practices evolve, or new regulatory requirements emerge. At the same time, contractual dependencies may deepen as the organization incorporates AI more extensively into critical business processes.
Viewed independently, each of these developments may appear manageable. Viewed collectively, however, they can materially alter the organization's risk posture. This is precisely why AI risk cannot be understood through periodic assessments or static inventories alone. The environment is too dynamic, the dependencies too interconnected, and the pace of change too rapid. Effective oversight increasingly requires a continuously updated understanding of how these dimensions interact and how those interactions influence business exposure.
The challenge facing many organizations today is that they are still in the early stages of this journey. Most have made meaningful progress in establishing AI governance structures, creating inventories of approved tools, defining policies, and implementing initial controls. These are necessary and important steps. Yet they should be viewed as foundational capabilities rather than end-state objectives.
In many respects, the current state of AI risk management resembles the early stages of cybersecurity maturity two decades ago. At that time, organizations focused heavily on asset inventories, vulnerability identification, and control implementation. Over time, however, leaders recognized that visibility alone was insufficient. Knowing what existed did not necessarily reveal what mattered most. Understanding vulnerabilities did not automatically indicate which risks required immediate attention. The discipline evolved toward more sophisticated approaches that connected technical observations to business outcomes.
I believe AI risk management will follow a similar path.
The first stage of maturity focuses on discovery. Organizations seek to understand what AI solutions are being used across the enterprise and where adoption is occurring. The second stage focuses on visibility, creating a more comprehensive view of usage patterns, configurations, dependencies, and governance requirements. The third stage introduces intelligence, enabling organizations to understand how different forms of exposure interact and how risk conditions evolve over time. Ultimately, however, the destination is not visibility or intelligence. The destination is decision-making.
This distinction is important because risk management is often evaluated by the quality of information it produces rather than by the quality of decisions it enables. Visibility creates awareness. Intelligence creates understanding. Neither automatically creates better outcomes. Better outcomes emerge when organizations can use that understanding to make informed decisions about priorities, investments, controls, and risk treatment strategies.
This is where quantification becomes essential.
One of the recurring themes within the FAIR community has been the importance of expressing cyber risk in business terms. For years, we have advocated for moving beyond qualitative labels, subjective scoring systems, and purely technical measurements toward a more rigorous understanding of probable business impact. That perspective becomes even more important in the context of AI because organizations are increasingly making decisions that involve balancing significant opportunities against potentially significant risks.
The central challenge facing executives is rarely determining whether risk exists. The existence of risk is usually obvious. The more difficult challenge is determining whether a particular risk is significant enough to justify investment, intervention, or strategic change. As AI adoption expands, organizations will face a growing number of these decisions. Should a particular use case be accelerated or restricted? Should additional controls be implemented? Does a particular dependency create unacceptable concentration risk? Does a change in exposure warrant executive attention? Which investments will produce the greatest reduction in risk relative to their cost?
These are fundamentally economic questions. They require organizations to evaluate tradeoffs, compare alternatives, and allocate finite resources. They require a common language capable of connecting technical exposure, operational impact, regulatory obligations, financial consequences, and strategic objectives.
This is why I believe AI Cyber Risk Intelligence and quantitative risk analysis are ultimately complementary disciplines. AI Cyber Risk Intelligence provides the visibility and contextual understanding necessary to observe and interpret exposure. Quantitative risk analysis provides the framework necessary to evaluate significance, prioritize actions, and support decision-making. One helps organizations understand what is happening. The other helps them determine what to do about it.
Together, they create the foundation for a more mature approach to AI risk management—one that aligns more closely with the realities of modern business decision-making.
Looking ahead, I believe the organizations that will derive the greatest value from AI will not necessarily be those that adopt AI most aggressively, nor will they be those that impose the most restrictive governance models. Instead, the leaders will be organizations that develop the capability to continuously understand their AI exposure, continuously assess the implications of changing conditions, and continuously make informed decisions as the environment evolves.
This observation reflects an important shift in how we should think about risk management itself. Historically, risk management has often been portrayed as a mechanism for slowing change, limiting exposure, or preventing undesirable outcomes. In practice, the most effective risk management functions have always served a different purpose. Their role is not to prevent innovation but to enable sustainable innovation. Their objective is not to eliminate uncertainty but to help organizations make better decisions in the presence of uncertainty.
That distinction is particularly important in the context of AI. The future belongs neither to organizations that ignore AI risk nor to organizations that attempt to avoid AI adoption altogether. Both approaches are ultimately unsustainable. The organizations that will succeed are those that recognize AI as both a source of opportunity and a source of risk, and that develop the capabilities necessary to manage both simultaneously.
Every major technology transformation changes the nature of risk. The internet changed risk by connecting organizations to a global digital ecosystem. Cloud computing changed risk by shifting critical infrastructure beyond traditional organizational boundaries. Mobile technologies changed risk by dissolving the perimeter and extending access to virtually every location. AI is introducing another transformation, one that is characterized by increasing autonomy, increasing dependency, and increasing complexity.
The organizations that thrive in this new environment will not be distinguished solely by the sophistication of their AI capabilities. They will be distinguished by the sophistication of their decision-making. They will possess the ability to understand how AI exposure is evolving, evaluate the business implications of that exposure, and act with confidence in the face of uncertainty.
Developing that capability will require new forms of visibility, new forms of intelligence, and new forms of risk analysis. It will require organizations to move beyond fragmented views of AI risk toward a more integrated understanding of how exposure emerges across technology, business processes, external dependencies, governance structures, and human behavior. Most importantly, it will require leaders to recognize that managing AI risk is not ultimately a technology problem. It is a business decision-making challenge.
That is why I believe AI Cyber Risk Intelligence will become one of the defining disciplines of the next decade. As AI continues to reshape how organizations operate, compete, and create value, the ability to continuously understand, assess, and quantify AI-related risk will become an increasingly important source of organizational resilience and competitive advantage. The future of AI risk management will not be defined by the organizations that can see the most data. It will be defined by the organizations that can transform that data into intelligence, translate that intelligence into decisions, and use those decisions to navigate the opportunities and uncertainties of the AI era with greater confidence and precision.