Every cascade that risk management has successfully governed has had a traceable entry point. In the CrowdStrike outage, it was the endpoint update mechanism. The MOVEit breach entered through a transfer protocol vulnerability, the Bybit theft through a compromised signing interface. This traceability is the premise on which enterprise risk management (ERM) frameworks are built.
AI breaks that assumption by making attack surfaces non-enumerable. Unlike every other risk category, AI is not an event to be anticipated. It is a meta-risk, a force multiplier that operates beneath and across every other category simultaneously.
The Taxonomy Error
The World Economic Forum Global Risks Report 2026 ranks AI adverse outcomes as a top risk category alongside cyber insecurity, critical infrastructure failure, and supply chain disruption. The implicit logic is that AI risk can be bounded and scenario-planned in the same way – that organizations can identify how AI might harm them, build controls around those scenarios, and govern the residual. That logic is structurally flawed.
Model quality failures – hallucinations, drift, emergent behavior – are product development problems which represent operational risks, but not systemic ones, that the industry will eventually standardize, as with every preceding generation of enterprise technology. The greater concern is that the attack surface AI creates operates across every other risk category simultaneously.
AI is the layer that accelerates the speed of a supply chain compromise, obscures the origin of a financial transaction, or expands the sophistication of a social engineering campaign. Ranking AI as a parallel category creates the false impression that it can be governed in isolation.
AI is unique because it is simultaneously the threat actor, the exploit vector, and the vulnerable asset.
Five Cases, No Shared Entry Point
Incidents from the past two years demonstrate why. They share no common entry point, no common sector, and no common exploit class. Together, they illustrate an infinite attack surface.
In January 2024, an employee at a Hong Kong multinational wired $25 million to fraudsters after a video call with a synthetic chief financial officer. No network was breached. No credential was stolen. The attack surface was the communication layer – a tool every organization uses, now exploitable by anyone with access to publicly available synthetic media technology.
Astrid Yee-Sobraques
The 2025 Bybit breach entered through a compromised software dependency at the third level of the supply chain. Malicious code altered what authorized signers saw on screen – not the network, not the wallet, but the interface between human judgment and digital transaction. The entry point was the deception layer itself.
Beginning in 2022, Russia’s Pravda network began flooding public web archives – with more than 3.6 million pro-Kremlin articles in 2024 alone – to enter the training pipelines of large language models (LLMs). A joint study by Anthropic, the U.K. AI Security Institute, and the Alan Turing Institute found that as few as 250 malicious documents are sufficient to compromise the outputs of even large, highly capable models. Once embedded in a model’s weights, the only remediation is a full retrain. The attack surface was the model’s provenance – the data on which it was trained, assembled before deployment, invisible to the organization that later embedded it in its stack.
Mid-2025, a zero-click prompt injection vulnerability in Microsoft Copilot – subsequently named EchoLeak – allowed attackers to exfiltrate data from OneDrive, SharePoint, and Teams without any user interaction. An email with hidden instructions was sufficient. Researchers demonstrated that the AI assistant would ingest the malicious prompt, extract sensitive data, and transmit it through trusted Microsoft domains. No alert surfaced. The AI was not compromised; it followed instructions it believed were valid. The attack surface was trust itself: the implicit authorization organizations extend to the tools they integrate.
In November 2025, Anthropic disclosed that a Chinese state-sponsored group had manipulated Claude Code to conduct autonomous cyber espionage against approximately 30 global targets including financial institutions, technology companies, and government agencies. The AI handled between 80% and 90% of each operation – reconnaissance, exploit development, credential harvesting, and data exfiltration – with human operators intervening at only four to six decision points per target. The attack surface was the full operational stack, automated.
Five incidents. Five distinct exploit classes. Five different sectors. No shared entry point, no shared defense, no single control that would have covered more than one of them.
The Governance Window Is the Attack
The above incidents share one structural characteristic: The governance response arrived after the cascade had run. But the reason differs in each case – and that difference matters.
EchoLeak and Bybit represent the speed failure. The exfiltration moved through trusted channels before any alert formed. The theft was complete, and the malicious code removed, within minutes of execution. Governance was too slow to intervene.
The Pravda network represents the visibility failure. Training pipelines had been compromised for two years before systematic audits detected the presence of manipulated content in public archives. Governance never had the chance to form – not because it was too slow, but because the attack was invisible until it was already embedded.
This is the temporal dimension of the amplifier problem. AI does not merely expand the attack surface; it compresses the time between cascade onset and the point at which human governance can form a response. AI-enabled attacks are increasingly designed to ensure that detection follows the event, often by significant margins, and sometimes permanently.
AI either outruns governance or evades it entirely. The two failure modes are structurally different, but the outcome is the same: The framework arrives too late. And because the defensive response increasingly requires AI to monitor AI – automated systems detecting anomalies in other automated systems – the monitoring layer is itself an attack surface. An ERM framework designed for enumerable risks, governed at human speed, is not equipped for either failure mode.
The Infrastructure Is Already Running
The governance void – the space where risk cascades run faster than frameworks can follow – is not static. AI is filling it with speed, opacity, and attack surfaces that cannot be named in advance. The five cases above do not represent a complete taxonomy of AI-enabled risk. That is precisely the point.
What the environment demands instead is a shift in governing logic – from anticipation to adversarial resilience. That shift has three practical implications:
-- Deliberate deployment. Organizations must treat AI integration not as a software update, but as an expansion of their liquid attack surface. AI use cases warrant scrutiny proportional to what they touch. The operative question is what each tool can reach – the systems it connects to, the decisions it influences. Organizations must map the blast radius of every AI integration before deployment.
-- Integration red-teaming. The exploit, as EchoLeak demonstrated, lives in the connection between the model and the systems it is authorized to access. The question is whether the integration between AI and your data allows for exfiltration, manipulation, or unauthorized execution when the model follows instructions it believes are valid.
-- Containment velocity. In an environment where some attacks will not be prevented, speed of containment becomes the primary governance metric. Mean Time to Containment (MTTC) should be the North Star metric of the AI era. MTTC measures whether controls work at the speed the threat demands. The governance question is how many seconds elapse before you contain the risk cascade.
The amplifier is already running. The governance void cannot be closed by better taxonomies, only by faster reflexes. The organizations that navigate this decade will be those that stop trying to predict the next entry point and start optimizing for the containment of the inevitable.
Astrid Yee-Sobraques, FRM, CISSP is a senior risk executive in Enterprise Risk Management, Operational Resilience and Cybersecurity. Over 25 years at GE Capital, AIG, Citibank, and PwC, she specializes in “risk connectivity” – integrating people, processes, and data to strengthen how organizations anticipate, manage, and respond to cascading financial, operational, and compliance risks. Her current work examines how geopolitical, cyber, and financial disruptions converge into systemic risk cascades – and how governance frameworks must evolve to meet them. Astrid serves on GARP’s New York Chapter Advisory Committee. She can be reached at Astrid@therisksherpa.com.
Topics: Cybersecurity, Enterprise, Risks & Risk Factors
Astrid Yee-Sobraques