AI, PQ, and ZT All Demand Strong Corporate Governance

Mar 21, 2025

Written by: Jenn Markey & Samantha Mabey

On the surface, artificial intelligence (AI), post quantum (PQ), and Zero Trust (ZT) all sound very technical in nature and likely best managed by the appropriate technology domain experts rather than the C-suite or board. Well, think again!

AI, PQ, and ZT immersion for business leaders

Each topic – AI, PQ, or ZT – on its own has the potential to disrupt and reinvent entire industries, from healthcare to banking to manufacturing to defense and beyond. Together, they are an existential force demanding strong governance from senior leadership teams and boards to ensure organizations make the right decisions for continued growth and prosperity, while also keeping employees, customers, and other key stakeholders safe.

Plus, these same technology forces are driving an increasingly complex global regulatory landscape, with senior executives often being held personally liable for security and data privacy incidents. This is why senior leaders and boards are immersing themselves in AI, PQ, and ZT – including how to seize the associated opportunities while mitigating the risks. Let’s look at each in more detail.

GenAI – the trifecta for cybercriminals

2024 was the year AI went mainstream. AI was posited as the solution to every problem and the force behind every cyberattack. Generative AI, or GenAI, which uses machine learning to create new credible content – including imagery, video, audio, and text – has led to an explosion in hyper-realistic deepfakes and synthetic identities. As we pointed out in two previous blog posts, “Generative AI Marks the End of Cybercrime Amateur Hour” and “Rise of Sophisticated Fraud and Deepfakes at Scale,” the rapid development of GenAI has been the perfect trifecta for bad actors – increasing the effectiveness and scale of attacks while also reducing the skill level required. At the same time, savvy organizations are harnessing the power of GenAI to ward off these attacks with highly sophisticated AI-powered biometric identity verification.

GenAI – the productivity tool with a bite

Many organizations are also turning to GenAI tools like Microsoft Copilot, OpenAI ChatGPT, and Google Gemini to grow workforce productivity while also improving customer service. However, this comes with the risk of employees inadvertently sharing sensitive information with these tools, which could subsequently be used to train these same AI models. Indeed, one study found that nearly one in 10 GenAI prompts by business users disclosed potentially sensitive information.

The complex AI regulatory landscape

Then there’s the complex AI regulatory landscape. Similar to its landmark GDPR, the EU passed the first comprehensive AI legal framework in 2024 with the EU AI Act. Meanwhile, U.S. President Donald Trump repealed the previous administration’s AI executive order on day one of his new term, signaling a decidedly more pro-business, pro-innovation approach. All the while, different states are pursuing their own AI regulatory agendas.

A call for AI governance

From an AI governance perspective, boards and senior leaders are cautioned to tread carefully. With AI models and applications quickly evolving, along with the absence of consistent regulations, organizations desperately need boards and senior execs to provide express strategic guidance and oversight to ensure the safe and ethical development and deployment of AI systems. This includes the development and implementation of AI risk management and incident response provisions with commitments for compliance audits and assessments.

The PQ era is here

PQ is a global challenge, an imminent threat that promises to break the conventional encryption algorithms (ECC, RSA) that safeguard our digital universe today. And while commercially viable quantum computers are still on the horizon, “Harvest Now, Decrypt Later” style attacks that target long-life data like financial records and government intelligence are already here. These attacks also target long-life devices – such as industrial sensors and medical devices – increasing security concerns around critical infrastructure.

With rising geopolitical tensions and the global race to quantum supremacy between the U.S. and China well underway, the stakes for public safety, national security, and the global economy could not be higher. And with Chinese researchers publishing a method using quantum computers to break RSA encryption this past October, the time to prepare is now!

PQ governance

Without commercially viable quantum computers, many organizations continue to put off PQ preparations, citing more immediate priorities such as AI. However, boards need to actively shift this conversation from “we’ll prepare when quantum computing becomes reality” to more actionable questions like:

Failure to prepare is akin to playing Russian roulette with business continuity and shareholder value.

Zero Trust is a must for cyber resilience

Zero Trust is not a product to buy or box to check. It’s a strategic approach to improve cyber resilience that can also increase organizational agility, reduce compliance costs, and decrease IT complexity and total cost of ownership. The fundamental principle behind Zero Trust is “never trust, always verify,” which is essential to minimizing business risk and protecting shareholder value.

NIST and CISA link ZT to governance

Reinforcing the strategic link between ZT and governance is NIST’s updated Cybersecurity Framework (CSF) 2.0, which added “Govern” to the other five critical framework functions of Identify, Protect, Detect, Respond, and Recover. NIST’s focus on governance reinforces the fiduciary responsibility of senior leadership and the board related to cybersecurity. Also, CISA’s updated Zero Trust Maturity Model 2.0 expressly reinforces that governance of cybersecurity policies, procedures, and processes within and across the five pillars (Identity, Devices, Networks, Data, Applications) is essential to improving cyber resilience and maintaining regulatory compliance. This means that pursuing an enterprise-wide Zero Trust strategy, while long considered a cybersecurity best practice, is also an express requirement for strong corporate governance by both NIST and CISA.

AI, PQ, and ZT governance for organizational success

So, there you have it. AI, PQ, and ZT are all inextricably linked together, with governance being a must for organizational success and safety. With strict access controls, comprehensive visibility, and continual monitoring, Zero Trust is the linchpin for organizations to be able to effectively navigate AI and PQ with identity-centric security. As such, boards and senior leadership teams have a fiduciary responsibility to invest in Zero Trust, providing the strategic guidance and oversight that also naturally encompasses AI and PQ.

Jenn Markey
Advisor, Entrust Cybersecurity Institute
Jenn Markey is a content advisor and thought leader with the Entrust Cybersecurity Institute. Her previous roles with Entrust include VP Product Marketing for the Payments and Identity portfolio and Director Product Marketing for the company’s Identity and Access Management (IAM) business. Jenn brings 25+ years of high tech product management, business development, and marketing experience to the Entrust Cybersecurity Institute with significant expertise in content development and curation.
Samantha Mabey
Director of Digital Security Solutions Marketing
Samantha Mabey is Director of Digital Security Solutions Marketing at Entrust. Samantha is responsible for driving the marketing, strategy, and communications within the Digital Security Solutions portfolio.