Dig deep enough and you realize three forces — identity, geopolitics, data — are reshaping resilience. The question before organizations isn’t what happens when a disruptive incident occurs, but how quickly it can regain control when it does. This question has become the central premise of an organization’s security posture. Resilience shouldn’t be seen in defensive terms, but as a function that defines business capability against cyber risks. 

Identity is no Longer Sacrosanct  

Identity verification was, and remains, one of the driving forces of control. The assumption is that a login represents a real user, and that the voice on the call you recognize is that of a colleague you know and trust.  

AI has upended these assumptions in more ways than one. Impersonation is not only suddenly difficult to discern but can be scaled on demand. Deepfakes are making their presence felt, convincingly replicating voices and faces. We are seeing synthetic identities inserted into real systems, and automated bots that mimic human behavior with increasing sophistication. 

With 90% of cyber incidents linked to identity-related weaknesses, it is time we consider this both a cyber and structural risk. 

All critical actions within an organization, whether approving a transaction, authorizing access, or executing contracts, require identity to be proven, imposing massive dependence on its integrity. Repercussions of its compromise can be felt far beyond just IT systems. Organizations might have to address weaker financial controls and compliance gaps. The fabric of trust between organizations and their partners and customers may begin to fray. 

Geopolitical Unpredictability Results in Instability 

Globalization helped businesses expand into new markets and write their growth story. The exchange of goods, services, and people that moved beyond borders was, in part, driven by consistent regulatory frameworks. But the emergence of competing regulatory frameworks across different regions has complicated matters. Many organizations (69%) struggle with the growing complexity and volume of regulatory requirements.  

Couple that with different standards for data protection, managing AI risk company-wide, protecting economic interests, and crippling geopolitical unrest, and you have organizations with real problems on the table. 

In this scenario, state-sponsored threat actors are leveraging cyberattacks to disrupt or influence organizations that support critical infrastructure or are integral to sustaining global supply chains. The shifting sands of geopolitical dynamics pose a vulnerability over which organizations have little control. 

Data Integrity is a Continuing Issue 

Data is and will remain a strategic asset for all organizations. If this data is of top quality, it can lead to smart decision-making that puts organizations in a better competitive position. On the other hand, poor or compromised data can result in poor decision-making, jeopardizing the organization’s prospects.  

Today, data is at risk of being manipulated, polluted, and deliberately poisoned. Frontier threats include synthetic data generation, the injection of misleading or fake data into AI training models, the insertion of incorrect patterns into the model, and others. AI systems trained on compromised data will produce compromised outputs, including biased insights and inaccurate predictions, which can lead to poor operational decisions. 

A full 63% of organizations that experienced AI-related security incidents lacked proper AI governance frameworks, highlighting how quickly unmanaged data and AI can translate into real-world exposure. 

The rise of shadow AI further compounds this problem, as teams use AI tools without formal oversight or governance, which can inadvertently introduce vulnerabilities, expose sensitive data, or create regulatory gaps. 

A Roadmap for Better Control 

If your organization is approaching cybersecurity from the perspective of eliminating all risk, then it is on the wrong track simply because it’s not a realistic goal. A good cyber framework is built on the assumption that disruption is inevitable, so it must be capable of anticipating, absorbing, and adapting to it. 

Organizations must therefore design a framework for multiple futures, borrowing from the idea of a multiverse, in which several realities can unfold, meaning that resilience depends on being prepared for all of them. The cornerstone of such a framework will be scenario planning and stress-testing to help the organization understand the capacity of the framework and the systems that must endure under different stressors. 

Another important facet is to identify the crown jewels or critical organizational assets and prioritize their protection. To list critical dependencies and identify alternatives in case of disruption. Governance must be crafted around AI to ensure safe AI use. 

Final Thoughts 

Control shouldn’t be seen as an absolute or construed as a state that prevents every disruption, but rather as one that maintains continuity despite disruption. The organizations that will be successful in exercising control will be those that do not cling to rigid formulations but are agile and adaptable, with systems in place to move forward even as the ground beneath continuously shifts.