Maman Ibrahim

expert panel

Critical infrastructure is where cyber risk stops being abstract. When power grids, water systems, transportation networks, hospitals or financial systems are disrupted, the fallout isn’t limited to one company’s operations or balance sheet. It can affect public safety, economic stability and trust in the systems people rely on every day.That’s why a recent World Economic Forum survey should get leaders’ attention: 31% of global CEOs lack confidence that their country could respond effectively to a major cyberattack on critical infrastructure. But that lack of confidence may not reflect doubts about governments’ readiness alone. Many leaders may also be recognizing security gaps closer to home, from aging systems and complex vendor networks to crisis plans that haven’t been tested under real pressure. In a recent survey of senior leaders, 48% said the potential emergency they felt least prepared for was a cybersecurity crisis. Preparedness requires much more than policy statements, compliance checklists or well-intentioned plans stored in a shared drive. Leaders across industries and nations need a clearer understanding of how decisions will be made, who will act first and how organizations, sector partners and public agencies will coordinate when minutes matter.Members of the Senior Executive Cybersecurity Think Tank have deep expertise in enterprise cybersecurity strategies, risk management and modern security architecture. Below, seven of them share what’s driving leaders’ declining confidence in cyber resilience and what practical steps could strengthen preparedness at both organizational and national levels.

expert panel

AI agents are quickly moving from helpful assistants to active participants in business workflows, and that shift is creating a new access-control challenge for security leaders. To do their jobs well, these systems often need to interact with customer records, financial systems, employee data, proprietary information and other sensitive resources. That creates a difficult balance: The more access agents have, the more useful they may become—but the more damage they can do when something goes wrong. And that risk isn’t theoretical. A 2025 IBM report found that among organizations that experienced an AI-related breach, 97% lacked proper AI access controls, and 63% had no AI governance policies at all.Traditional access models weren’t built for autonomous tools that can act across systems, make rapid decisions and process large volumes of data in seconds. When convenience trumps safety in AI adoption, loose access can expand an organization’s attack surface before security teams can assess the risk. As AI agents become more embedded in daily operations, organizations need to think differently about identity, permissions and accountability. Members of the Senior Executive Cybersecurity Think Tank bring deep expertise in enterprise cybersecurity strategies, data breach prevention, risk management and modern security architecture. Below, five of them share how leaders should weigh the trade-offs of AI agent access and rethink permissioning for AI-driven systems.

expert panel

Agentic AI systems are designed to operate autonomously to achieve a goal, interpreting objectives, selecting tools, executing multistep tasks across systems, and adapting their approach based on intermediate results. Unlike traditional software that follows fixed instructions, agentic AI can make decisions, delegate to other agents and take actions with real-world consequences, often with minimal or no human intervention at each step.Enterprises are adopting agentic AI at a rapid pace, drawn by its ability to compress complex workflows ranging from IT operations and software development to customer service and financial processing. These automated pipelines run faster and at a greater scale than human teams alone. But that same autonomy introduces a security challenge that conventional frameworks weren’t built to handle.Traditional access controls were designed around a simpler premise: Verify the user or system, then permit or deny the action. In agentic environments, that model breaks down. An agent may be fully credentialed and operating within approved systems yet still drift into behavior that no one explicitly authorized. That’s why intent-based security is quickly becoming a core consideration for enterprise AI adoption. For security leaders, the challenge is building controls that are strong enough to prevent harm without slowing the very automation they’re trying to enable. Members of the Senior Executive Cybersecurity Think Tank have deep expertise in enterprise cybersecurity strategies, risk management, regulatory compliance, and modern security architecture. Below, three of them discuss why intent matters in agentic environments and which runtime signals and safeguards leaders should prioritize as autonomous systems become more deeply embedded in business operations.

expert panel

A code audit might catch a misconfiguration before it ships. A penetration test might expose how a real attacker could chain vulnerabilities together. A bug bounty might surface something neither effort ever would have found. Each of these exercises brings value, but each one only shows part of the picture at a moment in time. But software risk constantly grows and changes as systems, dependencies, attackers and business priorities evolve. Security gaps often live where handoffs break down: between development and release, between internal teams and external researchers, and between finding a problem and implementing a fix. And as AI supercharges the speed at which vulnerabilities can be found, patching cadence matters more than ever. When teams design a security program in which code audits, pentesting and bug bounties reinforce one another across the entire software lifecycle, they’re better positioned to find issues early, prioritize what matters and build safer products without bottlenecks and delays. Moving from point-in-time testing to continuous improvement requires both structural changes and cultural ones, including how findings are tracked and how engineering and security teams collaborate day to day. Below, members of the Senior Executive Cybersecurity Think Tank share what they’ve learned about integrating code audits, pentesting and bug bounties into a security program that keeps improving with every test, fix and release.

expert panel

When they think about cyberattacks, most people likely picture a shadowy human adversary probing a network, finding a crack and then manually extracting valuable data. Even though such attacks have been all too common, there was some comfort in the idea that defenders had time, however limited, to detect anomalies and respond. That window may now be closing. Anthropic’s disclosure of a September 2025 breach marked a watershed moment in cybersecurity: Attackers deployed agentic AI to both design and execute the intrusion. As one of the first documented cases of unprecedented AI involvement in a cyberattack, it’s an early sign of a looming threat leaders can’t afford to ignore—AI agents that can recon, adapt and escalate an attack without a human in the loop.  While AI can’t carry off an attack completely on its own (yet), it’s already helping hackers pinpoint vulnerabilities and write malicious code. The cybersecurity vulnerabilities autonomous systems target aren’t necessarily new. Misconfigured services, overprivileged accounts and weak identity controls have topped security risk lists for years. What’s changed is the pace and persistence with which these gaps can now be found and exploited—continuously, simultaneously and at machine speed. That puts enormous pressure on defenses that were designed around human-paced threats. Members of the Senior Executive Cybersecurity Think Tank have extensive experience and deep experience in enterprise security strategy, zero-trust architecture, threat detection and cybersecurity leadership. Below, two of them break down the vulnerabilities autonomous systems are likeliest to probe—and detail the defensive models companies need to build before they’re put to the test.

expert panel

Employees will always find the fastest path to getting work done, even if it bypasses important digital protections. A quick snippet gets dropped into an AI assistant. A file is shared through a personal browser profile. Sensitive data now leaves enterprises every day through copy-paste—often into unmanaged AI tools, browser accounts or chat apps. The biggest cybersecurity risk for businesses may no longer be sophisticated hacks but “convenient” shortcuts. Employees aren’t trying to undermine policy. When official tools feel slow, clunky or restrictive, people improvise. Faced with a deadline or a long to-do list, they likely see these bypasses as harmless—they may even congratulate themselves on their efficiency. When these informal shadow workflows become the real operating model of a business, they not only increase cybersecurity risk but also signal costly friction in official processes. The question is not how to eliminate human shortcuts but to build better, more secure processes your team won’t want to bypass. That means understanding how work really gets done and building secure defaults into the tools employees already prefer.  Members of the Senior Executive Cybersecurity Think Tank have deep expertise in enterprise cybersecurity strategies, risk management and modern security architecture. Below, two of them discuss how leaders can rethink informal workflows—not as nuisances to stamp out but as intelligence to design smarter, more human-centered defenses.