TL;DR: AI is compressing the time and cost of attacks while expanding enterprise exposure, with one panel at RSAC 2026 arguing that boards must move from static assurance to continuous, business-driven risk ownership. The governance shift is now as important as the tooling shift, because speed, third-party dependencies, and accountability have changed together.
NHIMG editorial — based on content published by SecurityScorecard: AI has made cyber risk a continuous board-level function
By the numbers:
- Attackers can move from initial access to full compromise or stealing data in just 72 minutes.
Questions worth separating out
Q: How should security teams reduce the damage from AI-assisted attacks that move in minutes?
A: They should treat access containment as the primary response objective.
Q: Why do boards need a different cyber risk conversation in the AI era?
A: Because technical status alone does not explain business exposure.
Q: What do organisations get wrong about continuous security?
A: They often assume it means more dashboards or faster reporting.
Practitioner guidance
- Rebuild board reporting around loss scenarios Replace control dashboards with scenario-based reporting that shows how credential abuse, third-party compromise, or privilege misuse would affect revenue, operations, and regulatory exposure.
- Shorten identity control cycles to match attack speed Move from scheduled access review and manual exception handling to continuous review of privileged access, service accounts, OAuth grants, and secrets rotation.
- Map third-party access paths as part of identity governance Inventory delegated access, vendor integrations, and externally managed credentials, then classify which relationships can interrupt critical services if abused.
What's in the full article
SecurityScorecard's full article covers the executive discussion and board-level framing this post intentionally leaves at the strategic level:
- The panel discussion details how the board's cyber conversation changes when AI compresses attack timelines and expands exposure across third-party ecosystems.
- It includes the speakers' direct framing of incident response, business continuity, and regulatory accountability for executive audiences.
- It expands on the communication gap between technical metrics and board decisions, including the language leaders should use instead.
- It gives the event context for why SecurityScorecard, Carahsoft, Armis, ServiceNow, and LockThreat GRC sponsored the breakfast session.
👉 Read SecurityScorecard's panel coverage on AI-era board risk and cyber resilience →
AI-driven cyber risk: what boards and CISOs need to change?
Explore further
AI has turned cyber risk into a speed problem, but identity governance still defines the blast radius. Once attackers can compress recon, privilege abuse, and lateral movement into minutes, the quality of access control matters more than the volume of alerts. That is where IAM, PAM, and NHI governance intersect with broader cyber resilience, because standing access and unmanaged delegation are the accelerants. Practitioners should treat attack speed as an access design problem, not just a detection problem.
A question worth separating out:
Q: Who is accountable when third-party compromise affects business continuity?
A: Accountability should sit with the business owner, security leadership, and governance functions together, because third-party access is now an enterprise risk issue. The organisation that granted the access owns the decision to expose critical systems to that dependency, even if the breach starts elsewhere. Boards should require clear ownership for vendor-connected identity paths.
👉 Read our full editorial: AI has made cyber risk a continuous board-level function