Insights

The Breach Came from a Vendor You Never Hired

In June 2025, procurement vendor Chain IQ Group AG was hit by a sophisticated cyberattack. Hackers accessed data from Chain IQ and at least 19 of its clients and uploaded files to the dark web shortly afterward, exposing over 130,000 employee records from firms including UBS and Pictet. None of those firms had hired the attackers’ actual entry point. They had hired Chain IQ.

When AI Becomes the Auditor: What Claude Code Security Signifies for TPRM & GRC Programs

The numbers came quickly. On February 20, 2026, Anthropic introduced Claude Code Security. Within hours, JFrog dropped nearly 25%. CrowdStrike and Cloudflare each fell about 8%. Losses extended to GitLab, Palo Alto Networks, and Zscaler. It was the second time in a month that a single AI announcement had rattled the entire cybersecurity industry.

Embedding Risk into Strategy: Building a Decision-Ready Enterprise

Risk is an ever-present feature of enterprise operations. Whether it manifests as operational disruption, regulatory change, strategic misalignment, or the volatility of emerging threats, risk is embedded in the daily conduct of business. Yet it is not the presence of risk that should concern us most, but the way in which it is understood, managed, and integrated into the lifeblood of planning and decision-making.

When GRC Thinks for Itself: Leadership, Accountability, & Control in the Age of Autonomous Governance

In one of the latest articles on my website, I argued that GRC platforms must re-architect around digital twins, knowledge models, and agentic intelligence if they intend to survive the coming decade. But there is a deeper implication that deserves equal attention.

The Shadow AI Crisis: Why Enterprise Governance Is Failing & How to Fix It

Almost half of all GenAI use now occurs through personal accounts like ChatGPT, Claude, Perplexity, and others, entirely outside corporate oversight or control. This isn’t about a few rogue users acting in secret. We’re seeing widespread bypassing of approved tools across entire organizations, with the average company experiencing 223 shadow AI incidents each month, twice as many as just a year ago.

Two Years After the Digital Services Act, Brussels Is Testing Its Power

When the Digital Services Act entered into force two years ago, it was framed as a reset for the online economy. The rhetoric focused on safer digital spaces, stronger protections for fundamental rights, and curbing manipulative or harmful platform behavior.

When Speed Outruns Stewardship: AI’s Governance Reckoning Has Begun

There is a particular moment in every technological transformation when enthusiasm gives way to recognition. It is not the moment when innovation falters, nor when critics grow louder. It is the moment when institutions begin to understand that what has been built is now too consequential to remain loosely governed.