Insights

When Geopolitics Stops Being Background Noise

There are periods when geopolitics hums in the background of corporate life, unsettling, tragic, but still distant enough to be categorized as “external.” And then there are moments when the map seems to press directly against the operating model of the enterprise. Escalation involving Iran sits firmly in that latter category, not because conflict in the region is new, but because it concentrates so many interlocking systems (energy corridors, cyber capability, sanctions regimes, proxy networks, global shipping routes) into a single geography where instability reverberates quickly and unevenly.

Q-Day: The Coming Day That Will Rewrite the Rules of Digital Security

Every time you check your bank balance online, send an email, or make a purchase with a credit card, your information is encrypted, a mathematical shield that keeps your data protected from prying eyes. This encryption has worked extremely well for decades. The algorithms safeguarding your most sensitive data would take today’s most powerful traditional computers millions of years to crack. However, a new type of machine is emerging that could change everything.

The Breach Came from a Vendor You Never Hired

In June 2025, procurement vendor Chain IQ Group AG was hit by a sophisticated cyberattack. Hackers accessed data from Chain IQ and at least 19 of its clients, uploading files to the dark web shortly afterward, exposing over 130,000 employee records from firms including UBS and Pictet. None of those firms had hired the attackers’ actual entry point. They had hired Chain IQ.

When AI Becomes the Auditor: What Claude Code Security Signifies for TPRM & GRC Programs

The numbers came quickly. On February 20, 2026, Anthropic introduced Claude Code Security. Within hours, JFrog dropped nearly 25%. CrowdStrike and Cloudflare each fell about 8%. Losses extended to GitLab, Palo Alto Networks, and Zscaler. It was the second time in a month that a single AI announcement had rattled the entire cybersecurity industry.

Embedding Risk into Strategy: Building a Decision-Ready Enterprise

Risk is an ever-present feature of enterprise operations. Whether it manifests as operational disruption, regulatory change, strategic misalignment, or the volatility of emerging threats, risk is embedded in the daily conduct of business. Yet it is not the presence of risk that should concern us most, but the way in which it is understood, managed, and integrated into the lifeblood of planning and decision-making.

When GRC Thinks for Itself: Leadership, Accountability, & Control in the Age of Autonomous Governance

In one of the latest articles on my website, I argued that GRC platforms must re-architect around digital twins, knowledge models, and agentic intelligence if they intend to survive the coming decade. But there is a deeper implication that deserves equal attention.

The Shadow AI Crisis: Why Enterprise Governance Is Failing & How to Fix It

Almost half of all GenAI use now occurs through personal accounts like ChatGPT, Claude, Perplexity, and others, entirely outside corporate oversight or control. This isn’t about a few rogue users acting in secret. We’re seeing widespread bypassing of approved tools across entire organizations, with the average company experiencing 223 shadow AI incidents each month, twice as many as just a year ago.