Technology Risk Briefing
A podcast that translates technology risk headlines into practical actions for technology, risk, security, resilience and audit professionals and for Boards to keep abreast of current Technology Risk topics.
Technology Risk Briefing
AI Agents, Software Supply Chain Attacks, Critical Vulnerabilities and the Growing Challenge of Technology Resilience
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
This week’s Technology Risk Weekly Briefing explores several developments that highlight how rapidly the technology risk landscape is evolving.
We examine the emergence of AI agents as a new cyber attack vector, major software supply chain compromises affecting enterprise development environments, critical vulnerabilities impacting widely used software, and the increasing focus on securing open-source ecosystems.
The episode also explores what these developments mean for technology leaders, risk professionals, CISOs, and boards responsible for operational resilience and digital trust.
Topics covered:
- AI agents and emerging cyber security risks
- Software supply chain attacks targeting CI/CD environments
- Critical vulnerabilities affecting enterprise software
- Open-source security and dependency management
- Practical resilience and control improvements
Sponsored by CauTix — helping organisations strengthen secure and resilient digital operations through effective technology risk and control frameworks.
Hello, and welcome to the Technology Risk Weekly Briefing. I'm David Horn, and each week we examine the most important development shaping technology risk, cyber resilience, cloud governance, operational controls, artificial intelligence, and third-party oversight. This podcast is proudly sponsored by Cortix, a specialist advisory firm focused on technology risk and control, helping organisations design, assess and strengthen the frameworks that underpin secure and reliable digital operations. In this week's episode, we'll examine a number of developments that collectively demonstrate how quickly technology risk is evolving. We'll discuss the emergence of AI agents as a new cybersecurity challenge, growing software supply chain attacks, significant vulnerabilities affecting enterprise environments, and why organizations need to rethink resilience in an increasingly interconnected digital ecosystem. One of the most interesting developments this week is the growing focus on AI agents and their potential role as a new cybersecurity attack service. Security experts are increasingly warning that organizations are deploying AI agents with access to sensitive systems, privileged workflows, customer data and internal processes without fully understanding the associated risk exposure. Unlike traditional software, AI agents can make autonomous decisions, interact with multiple systems and perform actions on behalf of users. This creates an entirely new governance challenge. If an AI agent is manipulated through prompt injection, misconfiguration, compromised integrations or poor access controls, the consequences can be significant. Recent reporting highlights concerns that many organizations are effectively creating highly privileged digital employees without implementing equivalent governance, monitoring or oversight controls. Technology leaders should consider several immediate actions, apply least privilege principles to AI agents, monitor AI behaviour and decision-making activity, assess third-party AI integrations, include AI agents within identity governance frameworks, and extend operational resilience testing to AI-enabled workflows. The key message here is simple. As organizations deploy more autonomous AI capabilities, governance maturity must evolve at the same pace. Our second story focuses on software supply chain security. This week CESA issued warnings relating to ongoing attacks targeting development environments, GitHub repositories, CICD pipelines, extensions and developer workflows. The attacks demonstrate a growing trend. Rather than attacking production systems directly, attackers are increasingly targeting software development ecosystems, where they can compromise code, credentials, secrets, and deployment processes before software even reaches production. Recent campaigns have involved compromised packages, malicious workflow files, credential theft, and cloud key exfiltration. This has become a recurring theme across both industry reporting and developer communities. Reddit discussions continue to highlight concerns about the growing scale of open source malware, malicious packages, exposed secrets, and compromised software dependencies. For technology risk leaders, several priorities stand out. Strengthen software bill of materials capabilities, increase visibility into dependency chains, audit CICD workflows regularly, rotate secrets and credentials frequently, and improve governance over third-party code adoption. Supply chain attacks are no longer niche events, they are becoming one of the most significant sources of systemic technology risk. Another important development this week involves a critical vulnerability affecting 7zip, one of the world's most widely used archive and compression utilities. The vulnerability carries a high severity rating and could potentially allow malicious code execution through specially crafted archive files. Because 7Zip is embedded into many operational tools, backup systems, automated processes and security products, the downstream exposure is significant. This story reinforces a broader trend. The time between vulnerability discovery and exploitation continues to shrink. Security communities increasingly report situations where vulnerabilities are targeted before organizations have realistic opportunities to patch them. Technology risk teams should therefore focus on risk-based vulnerability prioritization, exposure management rather than patch volume, dependency mapping, faster remediation governance, and improved threat intelligence integration. The challenge is no longer identifying vulnerabilities, the challenge is identifying which vulnerabilities matter most, before attackers do. Our final major topic this week concerns the growing importance of open source software security. This week, IBM announced a $5 billion initiative designed to improve the security of open source software ecosystems through AI-assisted vulnerability detection, patch validation, and coordinated remediation programs. The announcement reflects a broader industry reality. Modern enterprises depend heavily on open source software. Many organizations have hundreds or even thousands of open source dependencies embedded within applications, infrastructure, cloud services and AI systems. As recent supply chain incidents demonstrate, weaknesses in these ecosystems can quickly become enterprise-wide operational risks. This is increasingly becoming a board-level concern because open source risk affects operational resilience, vulnerabilities can create systemic exposure, third-party dependencies are often poorly understood, and supply chain attacks can bypass traditional security controls. Technology leaders should focus on building visibility, governance, accountability, and resilience around software dependencies rather than treating open source software as a purely technical issue. As we close this week's briefing, several themes stand out. Artificial intelligence is creating entirely new governance and cybersecurity challenges. Software supply chain attacks continue to grow in sophistication. Vulnerability exploitation windows are shrinking. And operational resilience increasingly depends on understanding complex technology ecosystems. Technology risk management is becoming less about individual systems and more about managing interconnected digital dependencies. The organizations that succeed will be those that combine innovation with disciplined governance, strong operational controls, resilient architectures, and continuous oversight. Thank you for joining me for this week's Technology Risk Weekly Briefing. I'm David Horn, and this podcast is proudly sponsored by Cortix, helping organizations strengthen the frameworks and controls that underpin secure and reliable digital operations. Stay resilient, stay informed, and stay ahead of technology risk.