Technology Risk Briefing

AI Agents, Software Supply Chain Attacks, Identity Resilience and the New Operational Risk Landscape

David Horn Season 1 Episode 7

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 8:11

Artificial Intelligence is rapidly transforming enterprise operations, but the risk landscape is evolving just as quickly.

This week's Technology Risk Weekly Briefing examines the emergence of AI agents as a significant governance and security challenge, major software supply-chain attacks impacting developers and cloud ecosystems, accelerating vulnerability exploitation driven by AI, and the growing importance of identity resilience as a core operational capability.

Topics covered include:

  • AI agents and enterprise governance risks
  • AI-driven vulnerability exploitation
  • Microsoft-related supply chain compromises
  • Identity resilience and cyber recovery
  • Cloud and software ecosystem risks
  • Operational resilience lessons for technology leaders

Sponsored by CAUTIX — helping organisations strengthen technology risk management, operational resilience, and digital trust.

SPEAKER_00

Hello and welcome to the Technology Risk Weekly Briefing. I'm David Horn, and each week we explore the most significant development shaping technology risk. This podcast is proudly sponsored by Cortix, helping organisations design, assess and strengthen the controls that underpin secure and resilient digital operations. This week we focus on one of the biggest emerging themes of 2026: the convergence of AI, software supply chains, identity systems, and operational resilience. Across multiple developments this week, a common pattern emerges. Technology ecosystems are becoming increasingly autonomous, increasingly interconnected, and increasingly difficult to govern using traditional control frameworks. Let's begin with artificial intelligence. The AI conversation is shifting. The focus is no longer simply on generative AI. Instead, attention is moving towards autonomous AI agents that can access systems, make decisions and execute actions. Industry practitioners increasingly describe these agents as privileged digital workers. Unlike traditional software, agents can operate across multiple systems, interact with APIs, consume unstructured information, and execute workflows with minimal human intervention. This creates entirely new governance challenges. Security professionals continue to raise concerns around privileged escalation, prompt injection, auditability and accountability. Community discussions across cybersecurity forums recently highlight concerns around excessive permissions, weak oversight, and insufficient monitoring controls. From a risk perspective, the areas we need to be concerned about are uncontrolled autonomous actions, data leakage through agent workflows, excessive system privileges, regulatory accountability gaps, and lack of auditability and explainability. It's clear that organizations are deploying agents faster than governance frameworks are evolving. So what can we do about it? Extend identity governance to AI agents, apply lease privilege principles, require human approval for high-risk actions, implement comprehensive logging, and introduce AI-specific operational risk assessments. In our second segment this week, we'll look at how AI is accelerating vulnerability exploitation. For years, defenders have focused on reducing the time between vulnerability disclosure and patch deployment. AI may now be fundamentally changing that equation. Anthropic demonstrated that advanced AI systems can rapidly analyse vulnerability disclosures and develop exploit techniques at unprecedented speed. Historically, organizations often had days or weeks to react. Increasingly, that window may shrink to ours. This represents a major shift in vulnerability management strategy. The challenge is no longer simply identifying vulnerabilities. The challenge is determining which vulnerabilities are most likely to be weaponised immediately. This can all result in reduced remediation windows, increased likelihood of zero-day exploitation, greater pressure on patch management teams, and expanded attack surface across legacy environments. This all shows that traditional patch cycles may no longer be fast enough. So what can we do to mitigate these risks? Well we should be prioritizing exposure management, increase threat intelligence integration, automate vulnerability assessment workflows, enhance compensating controls, and review patch governance frameworks. In our third segment this week, we'll look at software supply chain attacks as they continue to escalate. Software supply chain attacks continue to evolve in both sophistication and scale. Rather than targeting production systems directly, attackers are increasingly targeting trust relationships, developer environments, package repositories, build pipelines, open source projects, and cloud native tooling. The recent attacks affecting Microsoft owned repositories illustrate how a single compromise component can potentially impact thousands of downstream users. This is no longer simply a cybersecurity issue, it's an operational resilience issue. From a risk perspective, this can result in compromised software releases, credential theft, cloud environment exposure, third-party dependency risk, and business disruption. The key lesson to learn here is that trust assumptions within software ecosystems require re-evaluation. So what should we be doing? Maintain software bills and materials, increase repository monitoring, strengthen CICD security controls, introduce dependency governance reviews, and validate third-party code provenance. Our fourth segment this week focuses on identity resilience as it becomes a boardroom concern. Identity has become the new control plane. As organizations expand their use of cloud platforms, SaaS applications and AI-powered services, identity systems increasingly determine who can access what, when, and under what conditions. Attackers understand this. Compromising identity systems frequently provides a direct route into enterprise environments. The challenge becomes even more significant when AI agents, service accounts, APIs, and machine identities are added to the equation. Many organizations still focus heavily on prevention. Increasingly, resilience matters just as much. The ability to recover identity systems quickly may determine whether an incident becomes a disruption or a crisis. This can all result in credential compromise, privilege escalation, service disruption, regulatory exposure, and business continuity impacts. A lesson to be learnt here is that identity should be treated as critical infrastructure. Now let's think about what we can do to address this. We should be establishing identity recovery capabilities, strengthening privileged access management, reviewing machine identities, implementing continuous access reviews, and testing identity-related covery scenarios. The final theme connecting all of this week's stories is resilience. Whether the issue involves AI agents, cloud services, software dependencies, outsource technology providers or identity systems, organizations are increasingly dependent on complex digital ecosystems. The question is no longer whether something will fail. The question is whether organizations understand their dependencies well enough to respond effectively when failure does occur. Boards and executives should consider three questions. First, do we really understand our critical digital dependencies? Second, can we identify when those dependencies fail? And thirdly, can we recover within acceptable business timeframes? Those questions increasingly define technology resilience. As technology risk professionals, we should review critical service dependency maps, update outsourcing risk assessments, test recovery capabilities regularly, include AI-enabled services and resilience planning, and strengthen executive oversight of technology risk. Several themes stand out this week. AI is creating new operational capabilities and new risk categories. Software supply chain attacks continue to challenge assumptions of trust. Identity systems are becoming foundational resilience assets. And operational resilience increasingly depends on managing complex interconnected ecosystems. Technology leaders who focus on visibility, governance and resilience will be best positioned to navigate this rapidly evolving landscape. Thank you for joining me for this week's Technology Risk Weekly Briefing. I'm David Horn, and this podcast is proudly sponsored by Cortix. Stay informed, stay resilient, and stay ahead of Technology Risk.