Cyber risk is often framed as a technical exploit. In the boardroom, it presents very differently. It is the split-second decision a CFO makes while walking into a meeting: a message that sounds exactly like the CEO’s voice, carrying an urgency that bypasses the usual checks.
Cyber resilience is no longer primarily a technology problem. It is a question of human judgement under engineered conditions.
Most incidents do not begin with a sophisticated software breach. They begin with a moment of judgement that has been shaped in advance. A deepfake that mimics a trusted voice. An AI-generated message that does not just look legitimate; it feels personal.
The landscape has shifted. AI is not just boosting productivity. It is industrialising manipulation. At the same time, it is exposing system vulnerabilities at a speed no human team can match. The pressure is no longer linear. It is simultaneous.
The attack is no longer directed at the system. It is directed at human judgement.
If cyber risk is still being reported as a technology issue, the organisation may already be looking in the wrong place.
The organisation’s boundary no longer stops at its systems. In a hyper-connected ecosystem, the supply chain becomes the perimeter. A vulnerability in a third-party API or a software dependency can quickly become a material risk.
Resilience is no longer contained within the organisation. It is distributed across an ecosystem that is only partially visible and not fully controlled.
And yet accountability remains firmly with the board.
Cyber resilience is now a core fiduciary responsibility of the board.
The board’s role is not to manage the technology. It is to ensure resilience is designed into the organisation. That means creating an environment where reporting a mistake is responsible behaviour, and ensuring AI adoption does not outpace oversight.
Success is not purely technical. It depends on whether people trust the systems they rely on and whether they feel safe challenging them when it matters.
Because when an AI-generated prompt arrives, it does not just hit a firewall. It hits a person’s instinct to be helpful, to be fast, and to be responsive. It is an exploit of our social nature, using persuasion, pressure and coercion rather than code.
In an AI-enabled environment, control is often assumed long before it is verified. Often, the appearance of control masks where decisions are actually being shaped.
Resilience, however, must be designed.
If resilience is not embedded in how decisions are made and acted on, it will not hold when the room goes quiet.

