Quote for the day:
"If you want to become the best leader you can be, you need to pay the price of self-discipline." -- John C. Maxwell
6 reasons why autonomous enterprises are still more a vision than reality
"AI is the first technology that allows systems that can reason and learn to be
integrated into real business processes," Vohra said. ... Autonomous
organizations, he continued, "are built on human-AI agent collaboration, where
AI handles speed and scale, leaving judgment and strategy up to humans." They
are defined by "AI systems that go beyond just generating insights in silos,
which is how most enterprises are currently leveraging AI," he added. Now, the
momentum is toward "executing decisions across workflows with humans setting
intent and guardrails." ... The survey highlighted that work is required to help
develop agents. Only 3% of organizations -- and 10% of leaders -- are actively
implementing agentic orchestration. "This limited adoption signals that
orchestration is still an emerging discipline," the report stated. "The scarcity
of orchestration is a litmus test for both internal capability and external
strategic positioning. Successful orchestration requires integrating AI into
workflows, systems, and decision loops with precision and accountability." ...
Workforce capability gaps continue to be the most frequently cited
organizational constraint to AI adoption, as reported by six in 10 executives --
yet only 45% say their organizations offer AI training for all employees. ... As
AI takes on more execution and pattern recognition, human value increasingly
shifts toward system design, integration, governance, and judgment -- areas
where trust, context, and accountability still sit firmly with people.Finding the key to the AI agent control plane
Agents change the physics of risk. As I’ve noted, an agent doesn’t just
recommend code. It can run the migration, open the ticket, change the
permission, send the email, or approve the refund. As such, risk shifts from
legal liability to existential reality. If a large language model
hallucinates, you get a bad paragraph. ... Every time an AI system makes a
mistake that a human has to clean up, the real cost of that system goes up.
The only way to lower that tax is to stop treating governance as a policy
problem and start treating it as architecture. That means least privilege for
agents, not just humans. It means separating “draft” from “send.” It means
making “read-only” a first-class capability, not an afterthought. It means
auditable action logs and reversible workflows. It means designing your agent
system as if it will be attacked because it will be. ... Right now,
permissions are a mess of vendor-specific toggles. One platform has its own
way of scoping actions. Another bolts on an approval workflow. A third punts
the problem to your identity and access management team. That fragmentation
will slow adoption, not accelerate it. Enterprises can’t scale agents until
they can express simple rules. We need to be able to say that an agent can
read production data but not write to it. We need to say an agent can draft
emails but not send them. We need to say an agent can provision infrastructure
only inside a sandbox, with quotas, or that it must request human approval
before any destructive action.PAM in Multi‑Cloud Infrastructure: Strategies for Effective Implementation
The "Identity Gap" has emerged as the leading cause of cloud security
breaches. Traditional vault-based Privileged Access Management (PAM)
solutions, designed for static server environments, are inadequate for today’s
dynamic, API-driven cloud infrastructure. ... PAM has evolved from an optional
security measure to an essential and fundamental requirement in multi-cloud
environments. This shift is attributed to the increased complexity,
decentralized structure, and rapid changes characteristic of modern cloud
architectures. As organizations distribute workloads across AWS, Azure, Google
Cloud, and on-premises systems, traditional security perimeters have become
obsolete, positioning identity and privileged access as central elements of
contemporary security strategies. ... Fragmented identity systems hinder
multi‑cloud PAM. Centralizing identity and federating access resolves this,
with a Unified Identity and Access Foundation managing all digital
identities—human or machine—across the organization. This approach removes
silos between on-premises, cloud, and legacy applications, providing a single
control point for authentication, authorization, and lifecycle management. ...
Cloud providers deliver robust IAM tools, but their features vary. A strong
PAM approach aligns these tools using RBAC and ABAC. RBAC assigns permissions
by job role for easy scaling, while ABAC uses user and environment attributes
for tight security.Giving AI ‘hands’ in your SaaS stack
If an attacker manages to use an indirect prompt injection — hiding malicious
instructions in a calendar invite or a web page the agent reads — that agent
essentially becomes a confused deputy. It has the keys to the kingdom. It can
delete opportunities, export customer lists or modify pricing configurations.
... For AI agents, this means we must treat them as non-human identities
(NHIs) with the same or greater scrutiny than we apply to employees. ... The
industry is coalescing around the model context protocol (MCP) as a standard
for this layer. It provides a universal USB-C port for connecting AI models to
your data sources. By using an MCP server as your gateway, you ensure the
agent never sees the credentials or the full API surface area, only the tools
you explicitly allow. ... We need to treat AI actions with the same reverence.
My rule for autonomous agents is simple: If it can’t dry run, it doesn’t ship.
Every state-changing tool exposed to an agent must support a dry_run=true
mode. When the agent wants to update a record, it first calls the tool in
dry-run mode. The system returns a diff — a preview of exactly what will
change . This allows us to implement a human-in-the-loop approval gate for
high-risk actions. The agent proposes the change, the human confirms it and
only then is the live transaction executed. ... As CIOs and IT leaders, our
job isn’t to say “no” to AI. It’s to build the invisible rails that allow the
business to say “yes” safely. By focusing on gateways, identity and
transactional safety, we can give AI the hands it needs to do real work,
without losing our grip on the wheel.AI-fuelled supply chain cyber attacks surge in Asia-Pacific
Exposed credentials, source code, API keys and internal communications can
provide detailed insight into business processes, supplier relationships and
technology stacks. When combined with brokered access, that information can
support impersonation, targeted intrusion and fraud activity that blends in with
legitimate use. One area of concern is open-source software distribution, where
widely used libraries can spread malicious code at scale. ... The report points
to AI-assisted phishing campaigns that target OAuth flows and other single
sign-on mechanisms. These techniques can bypass multi-factor authentication
where users approve malicious prompts or where tokens are stolen after login.
... "AI did not create supply chain attacks, it has made them cheaper, faster,
and harder to detect," Mr Volkov added. "Unchecked trust in software and
services is now a strategic liability." The report names a range of actors
associated with supply-chain-focused activity, including Lazarus, Scattered
Spider, HAFNIUM, DragonForce and 888, as well as campaigns linked to Shai-Hulud.
It said these groups illustrate how criminal organisations and state-aligned
operators are targeting similar platforms and integration layers. ... The
report's focus on upstream compromise reflects a broader trend in cyber risk
management, where organisations assess not only their own exposure but also the
resilience of vendors and technology supply chains.
Automation cannot come at the cost of accountability; trust has to be embedded into the architecture
Visa is actively working with issuers, merchants, and payment aggregators to roll out authentication mechanisms based on global standards. “Consumers want payments to be invisible,” Chhabra adds. “They want to enjoy the shopping experience, not struggle through the payment process.” Tokenisation plays a critical role in enabling this vision. By replacing sensitive card details with unique digital tokens, Visa has created a secure foundation for tap-and-pay, in-app purchases, and cross-border transactions. In India alone, nearly half a billion cards have already been tokenised. “Once tokenisation is in place, device-based payments and seamless commerce become possible,” Chhabra explains. “It’s the bedrock of frictionless payments.” Fraud prevention, however, is no longer limited to card-based transactions. With real-time and account-to-account payments gaining momentum, Visa has expanded its scope through strategic acquisitions such as Featurespace. The UK-based firm specialises in behavioural analytics for real-time fraud detection, an area Chhabra describes as increasingly critical. “We don’t just want to detect fraud on the Visa network. We want to help prevent fraud across payment types and networks,” he says. Before deploying such capabilities in India, Visa conducts extensive back-testing using localised data and works closely with regulators. “Global intelligence is powerful, but it has to be adapted to local behaviour. You can’t simply overfit global models to India’s unique payment patterns.”Most ransomware playbooks don't address machine credentials. Attackers know it.
The gap between ransomware threats and the defenses meant to stop them is
getting worse, not better. Ivanti’s 2026 State of Cybersecurity Report found
that the preparedness gap widened by an average of 10 points year over year
across every threat category the firm tracks. ... The accompanying Ransomware
Playbook Toolkit walks teams through four phases: containment, analysis,
remediation, and recovery. The credential reset step instructs teams to ensure
all affected user and device accounts are reset. Service accounts are absent. So
are API keys, tokens, and certificates. The most widely used playbook framework
in enterprise security stops at human and device credentials. The organizations
following it inherit that blind spot without realizing it. ... “Although
defenders are optimistic about the promise of AI in cybersecurity, Ivanti’s
findings also show companies are falling further behind in terms of how well
prepared they are to defend against a variety of threats,” said Daniel Spicer,
Ivanti’s Chief Security Officer. “This is what I call the ‘Cybersecurity
Readiness Deficit,’ a persistent, year-over-year widening imbalance in an
organization’s ability to defend their data, people, and networks against the
evolving threat landscape.” ... You can’t reset credentials that you don’t know
exist. Service accounts, API keys, and tokens need ownership assignments mapped
pre-incident. Discovering them mid-breach costs days. CISO Julie Chatman offers insights for you to take control of your security leadership role
In a few high-profile cases, security leaders have faced criminal charges for how they handled breach disclosures, and civil enforcement for how they reported risks to investors and regulators. The trend is toward holding CISOs personally accountable for governance and disclosure decisions. ... You’re seeing the rise of fractional CISOs, virtual CISOs, heads of IT security instead of full CISO titles. It’s a lot harder to hold a fractional CISO personally liable. This is relatively new. The liability conversation really intensified after some high-profile enforcement actions, and now we’re seeing the market respond. ... First, negotiate protection upfront. When you’re thinking about accepting a CISO role, explicitly ask about D&O insurance coverage. If the CISO is not considered a director or an officer of the company and can’t be given D&O coverage, will the company subsidize individual coverage? There are companies now selling CISO-specific policies. Make this part of your compensation negotiation. Second, do your job well but understand the paradox. Sometimes when you do your job properly, you’re labeled ‘the office of no,’ you’re seen as ‘difficult,’ and you last 18 months. It’s a catch-22. Real liability protection is changing how your organization thinks about risk ownership. Most organizations don’t have a unified view of risk or the vocabulary to discuss it properly. If you can advance that as a CISO, you can help the business understand that risk is theirs to accept, not yours.The AI bubble will burst for firms that can’t get beyond demos and LLMs
Even though the discussion of a potential bubble is ubiquitous, what’s going on
is more nuanced than simple boom-and-bust chatter, said Francisco Martin-Rayo,
CEO of Helios AI. “What people are really debating is the gap between valuation
and real-world impact. Many companies are labeled ‘AI-driven,’ but only a subset
are delivering measurable value at scale,” Martin-Rayo said. Founders confuse
fundraising with progress, which comes only when they are solving real problems
for real clients, said Nacho De Marco, founder of BairesDev. “Fundraising gives
you dopamine, but real progress comes from customers,” De Marco said. “The real
value of a $1B valuation is customer validation.” ... The AI shakeout has
already started, and the tenor at WEF “feels less like peak hype and more like
the beginning of a sorting process,” Martin-Rayo said. ... Companies that
survive the coming shakeout will be those willing to rebuild operations from the
ground up rather than throwing AI into existing workflows, said Jinsook Han,
chief agentic AI officer at Genpact. ”It’s not about just bolting some AI into
your existing operation,” Han said. “You have to really build from ground up —
it’s a complete operating model change.” Foundational models are becoming more
mature and can do more of what startups sell. As a result, AI providers that
don’t offer distinct value will have a tough time surviving, Han said.
What could make the EU Digital Identity Wallets fail?
Large-scale digital identity initiatives rarely fail because the technology does
not work. They fail because adoption, incentives, trust, and accountability are
underestimated. The EU Digital Identity Wallet could still fail, or partially
fail, succeeding in some countries while struggling or stagnating in others. ...
A realistic risk is fragmented success. Some member states are likely to deliver
robust wallets on time. Others may launch late, with limited functionality, or
without meaningful uptake. A smaller group may fail to deliver a convincing
solution at all, at least in the first phase. From the perspective of users and
service providers, this fragmentation already undermines cross border usage. If
wallets differ significantly in capabilities, attributes, and reliability across
borders, the promise of a seamless European digital identity weakens. ... While
EU Digital Identity Wallets offer significantly higher security than current
solutions, they will not eliminate fraud entirely. There will still be cases of
wallets issued to the wrong individual, phishing attempts, and wallet takeovers.
If early fraud cases are poorly handled or publicly misunderstood, trust in the
ecosystem could erode quickly. The wallet’s strong privacy architecture
introduces real trade-offs. One uncomfortable but necessary question worth
asking is: are we going too far with privacy? ... The EU Digital Identity Wallet
will succeed only if policymakers, wallet providers, and service providers treat
trust, economics, and usability as core design principles, not secondary
concerns.
No comments:
Post a Comment