Tech Features

5 Urgent Questions About Healthcare Network Cybersecurity in the Middle East

By Emad Fahmy, Director of Systems Engineering, NETSCOUT

As the Middle East’s healthcare sector increasingly embraces digital transformation, it faces a growing range of cybersecurity challenges. Cyberattacks, particularly ransomware, are becoming a significant threat to healthcare organisations in the region. According to KPMG, the frequency of ransomware incidents within the healthcare sector in the Middle East is on the rise, with data breaches leading to substantial financial and reputational damage. Protecting patient data and ensuring the integrity of healthcare networks is paramount in this evolving landscape.

Here are five critical questions healthcare organisations in the Middle East must address to secure their networks and data against the growing threat of cyberattacks:

  1. Are We Adequately Prepared for Ransomware Attacks?

Ransomware is a persistent threat to healthcare organisations, exploiting vulnerabilities in networks to disrupt critical services and compromise patient data. In the Middle East, where digital adoption is accelerating, healthcare organisations must develop robust incident response plans that can swiftly address ransomware incidents. This requires not only strong cybersecurity protocols but also a culture of preparedness, with all staff trained to recognise and respond to ransomware threats early.

A proactive approach to ransomware defence goes beyond traditional security measures. Organisations must focus on network monitoring and threat detection to spot unusual activity that could signal an impending attack. Building resilience against ransomware means anticipating potential threats and establishing strategies to mitigate their impact before they escalate.

  2. How Are We Protecting Sensitive Patient Data?

Patient data is one of the most valuable targets for cybercriminals, making its protection a top priority. As the cost of data breaches continues to rise, healthcare organisations in the Middle East must implement comprehensive data protection strategies. This includes encryption, continuous monitoring, and adopting zero-trust architectures, where no one inside or outside the organisation is trusted by default.

Data protection is not only about securing information from external threats but also about ensuring that all users, including healthcare workers, follow best practices for data handling. Regular training and awareness programmes are essential to ensure that all staff members understand the importance of patient data security and how to avoid accidental breaches.

  3. How Can We Ensure Network Resilience?

Network resilience is critical in healthcare, where the ability to access patient records, deliver medical treatments, and maintain day-to-day operations depends on network availability. Downtime due to cyberattacks can have life-threatening consequences. As cyber threats grow more sophisticated, healthcare organisations must take steps to ensure that their networks are resilient in the face of potential attacks.

Building network resilience requires comprehensive visibility into network activity to detect anomalies in real time. By monitoring network traffic, organisations can identify and respond to threats quickly, minimising the impact of any disruptions. Implementing disaster recovery and business continuity plans is also essential to ensure that healthcare providers can continue to deliver care, even in the event of a cyber incident.

  4. Are We Complying with Cybersecurity Regulations?

Governments in the Middle East are increasingly implementing strict cybersecurity regulations to protect critical sectors like healthcare. Compliance with these regulations is essential to safeguarding patient data and ensuring the integrity of healthcare networks. Non-compliance can result in hefty fines, reputational damage, and the erosion of patient trust.

Healthcare organisations must stay informed about the regulatory landscape and ensure that they meet all relevant cybersecurity requirements. This includes regulations that govern data protection, breach notification, and the overall security of healthcare IT systems. Regular audits and the adoption of compliance automation tools can help streamline the process of ensuring that organisations are meeting these stringent requirements.

  5. Is Our Workforce Equipped to Handle Cyber Threats?

Human error remains one of the weakest links in cybersecurity, particularly in healthcare, where staff may inadvertently expose sensitive data. Ensuring that employees are equipped to handle cyber threats is crucial in building a resilient security culture. Training healthcare workers to recognise phishing attempts, follow secure data-handling procedures, and respond effectively to cybersecurity incidents is essential to minimising risks.

An informed workforce is a powerful defence against cyberattacks. Organisations should invest in continuous cybersecurity education, making sure that all staff members, from clinical personnel to administrative staff, understand the role they play in safeguarding patient data and the organisation’s IT infrastructure.

Conclusion

As the healthcare sector in the Middle East continues to embrace digital transformation, it also faces an increasingly complex and dangerous cybersecurity landscape. Addressing these five critical questions will help healthcare organisations better protect patient data, ensure operational continuity, and minimise reputational damage in the face of rising cyber threats.

By taking a proactive and strategic approach to cybersecurity, healthcare providers can not only defend against cyberattacks but also ensure the highest standard of care for patients in a digitally connected world.

THE STRATEGIC PARADOX: HOW FRONTIER TECHNOLOGIES BOTH CREATE AND SOLVE GEOPOLITICAL RISK

EDITORIAL NOTE: This article is a jointly commissioned work of original analysis, co-authored by Subrato Basu and Srijith KN, and published by Integrator Media as part of its Technology Leadership Series. It does not constitute legal, regulatory, investment, or security advice, and does not represent the official policy position of Integrator Media, Oxford50, or The Executive Board beyond the views expressed herein. No specific government, organisation, or individual is alleged to have engaged in any unlawful activity. Published March 2026.

If geopolitical volatility has become a structural input into enterprise technology strategy, the next question for boards and technology leaders is unavoidable: how should organisations respond?

The answer lies in a paradox that receives far less attention than it deserves. The frontier technologies most exposed to geopolitical disruption, artificial intelligence, sovereign cloud infrastructure, quantum-resilient cryptography, and agentic automation, are simultaneously the most powerful tools available for building organisational resilience against that disruption. Leaders who focus exclusively on the exposure side of this equation miss the more strategically consequential point.

Consider artificial intelligence. AI deployments built on infrastructure subject to extended regulatory jurisdiction carry real compliance exposure, as described above. Yet AI is also the most powerful accelerant available for threat detection, compliance monitoring, scenario modelling, and operational automation, precisely the capabilities that strengthen an organisation’s ability to absorb and recover from geopolitical shocks. The organisations that will navigate this environment most effectively are not those that slow AI adoption in response to geopolitical uncertainty. They are those that architect their AI infrastructure with data sovereignty and workload portability as foundational design requirements from the outset, converting a potential liability into a structural advantage.

Sovereign cloud infrastructure, whether delivered through major hyperscaler in-country residency programmes or through emerging local and regional alternatives, provides a meaningful and structurally durable buffer against vendor-level geopolitical exposure. Organisations that made this architectural decision early, as a matter of governance principle rather than in response to a specific threat event, are today in a materially stronger position than those who deferred it.

Quantum-resilient cryptography is perhaps the most time-sensitive imperative in this landscape. Advisories from government security agencies across multiple jurisdictions indicate that adversarial state actors are running long-horizon data collection programmes, systematically harvesting encrypted data today for potential decryption as quantum computing capabilities mature. For financial services enterprises, critical infrastructure operators, and government-adjacent organisations, beginning a structured transition to post-quantum cryptographic standards is a present-day governance obligation. The window to act before exposure becomes irreversible is finite.

Agentic AI and intelligent automation reduce structural dependence on specialist talent pools that may be disrupted by geopolitically driven mobility constraints. Investment in operational automation is, simultaneously, investment in organisational resilience against workforce uncertainty.

What Well-Governed Organisations Are Doing Differently

We are deliberately wary of presenting action checklists as a substitute for genuine governance change. Checklists become compliance theatre, items filed, boxes ticked, actual posture unchanged. What follows is a description of what genuinely well-governed organisations are doing differently, drawn from patterns visible in board governance practice and publicly available reporting.

They Have Made Geopolitical Risk Structural, Not Episodic

The most consequential governance shift is a reclassification, not a new process. Well-governed organisations treat geopolitical technology risk as a standing monitored variable, with an owner, a defined monitoring cadence, and a clear escalation threshold, rather than a topic that receives board attention only when a crisis forces it onto the agenda.

In practice: the CIO and CISO present a jointly owned, geopolitically aware technology resilience posture to the board at least twice annually, with scenarios explicitly modelled and stress-tested. Geopolitical technology risk appears in the enterprise risk register as a named, measured, and actively managed exposure.

They Have Mapped Their Exposure Before Needing the Map

A geopolitical technology risk assessment that maps the organisation’s most critical technology dependencies against regulatory jurisdiction exposure, relevant cyber threat vectors, and supply chain concentration risk is not a trivial exercise. But the organisations that have completed it, and kept it current through changing conditions, hold a decisive governance advantage. They know where they are exposed. They have already made architectural decisions that reduce that exposure. They are not discovering their vulnerabilities now, when they are least able to address them.

They Have Built Infrastructure for Portability and Sovereignty

The infrastructure decisions that matter most in a geopolitically volatile environment are not made under crisis conditions. They are made two or three years before a crisis, when there is no immediate operational pressure to make them. Migrating sensitive and mission-critical workloads to locally hosted or sovereign cloud infrastructure, dual-qualifying strategic hardware suppliers across non-concentrated supply lines, and implementing zero-trust security architecture are decisions that appear cautious or unnecessary in stable conditions. They appear prescient when conditions change. The organisations in the strongest position today are those that made these decisions as a matter of strategic principle, not reactive necessity.

They Have Tested Their Continuity Assumptions Against Realistic Scenarios

Business continuity plans that have never been tested against simultaneous, compounding geopolitical stress scenarios, vendor service disruption, connectivity constraints, talent mobility restrictions, and elevated cyber incident risk converging rather than arriving sequentially, are not fit for purpose in the current environment. The organisations we consider genuinely well-prepared have run structured tabletop exercises against these compound scenarios, found their gaps in controlled conditions, and closed them before an actual event demanded it.

BOARD READINESS: SIX QUESTIONS TO ASK THIS WEEK

  • Can your organisation operate critical systems for 72 hours without dependency on infrastructure subject to potential extended-jurisdiction service suspension?
  • Do you maintain offline backups of all critical data with regularly tested, documented, and rehearsed recovery procedures?
  • Is your incident response retainer pre-authorised, contractually current, and explicitly scoped to include geopolitically-motivated threat scenarios?
  • Have you documented manual fallback procedures for all AI-dependent and automated workflows?
  • Is your supply chain inventory and vendor flexibility sufficient to sustain operations through a procurement constraint window of 60–90 days?
  • Are your key technology vendors contractually required to provide advance notice before material service changes — and have you rehearsed your internal response to receiving such notice?

A Final Word: Preparedness Is the New Competitive Advantage

There is an argument we consistently find under-made in this space, because it tends to be buried beneath the risk and compliance framing that dominates most discussions of geopolitical technology governance. We want to make it plainly.

Organisations that embed geopolitical technology risk into their governance frameworks, that build sovereign infrastructure, harden their security posture, develop resilient local talent pipelines, and rehearse continuity scenarios against compound stress events, are not simply managing downside exposure. They are building a form of operational resilience and institutional credibility that becomes a genuine, durable competitive advantage at precisely the moments when the advantage is most valuable. When conditions deteriorate, prepared organisations keep operating. They hold the trust of customers and regulators. They are positioned to capture ground from competitors who were not ready.

The structural forces generating geopolitical volatility across the global technology landscape, the intensification of great-power competition, the normalisation of technology restrictions and counter-measures as instruments of statecraft, and the sustained deployment of cyber capabilities as tools of strategic leverage, are not resolving on any near-term horizon. For enterprises operating in or near the fault lines these forces create, a ‘wait and see’ governance posture is not a neutral position. It is a choice to carry exposure that is available to be reduced.

What this moment calls for is a board and CXO community willing to apply to geopolitical technology risk the same intellectual discipline, analytical rigour, and governance seriousness it applies to financial risk: modelling it explicitly, monitoring it continuously, stress-testing it regularly, and managing it actively rather than observing it passively. The organisations that do this work now will not merely survive the next escalation cycle. They will emerge from it operationally stronger, commercially more resilient, and holding the trust and confidence that defines long-term enterprise value.

Technology leadership has always required navigating a world more complex than the tools designed to govern it. The nature of that complexity has simply changed. The discipline required to meet it has not.

In a fractured world, operational resilience is not a risk management outcome. It is a competitive strategy. The organisations that understand this distinction will define the next generation of technology leadership.

SUBRATO BASU
CEO, Oxford50  |  Global Managing Partner, The Executive Board
Subrato Basu advises boards and senior technology leaders across industries on governance, risk, and enterprise strategy. He brings a practitioner perspective shaped by engagements across the Asia-Pacific region and beyond, with particular focus on technology governance, go-to-market strategy, and organisational resilience in complex operating environments.

SRIJITH KN
Senior Editor, Integrator Media
Srijith KN is Senior Editor at Integrator Media, covering enterprise technology, cybersecurity, and digital transformation across the Middle East and Asia. He brings an editorial perspective drawn from tracking technology leadership decisions across markets in periods of rapid change, and a sustained focus on how organisations translate strategic risk into governance action.

WHY SECURITY MUST EVOLVE FOR THE HYBRID HUMAN-AI WORKFORCE

By Javvad Malik, Lead CISO Advisor at KnowBe4

There is a specific moment in every security professional’s career when they realise the traditional rulebook hasn’t just been ignored—it’s been torn to pieces. Mine arrived last week while watching a colleague engage in a debate with an AI agent over expense policy, while simultaneously being phished by what was almost certainly another AI posing as IT support.

For decades, the cybersecurity industry has clung to a comfortable, binary premise: humans work inside the walls, threats exist outside, and our job is to keep the two apart. It was a tidy worldview that made for excellent spreadsheets, even if we knew it was fiction.

Then, AI walked into the office without knocking. It’s a reboot of the classic 2010 iPad launch, where executives demanded connection to the corporate network, heralding the age of “Bring Your Own Disaster”.

The Multi-Species Workforce

The most uncomfortable truth facing modern organizations is that they no longer employ just humans.

Your current headcount includes Peter from Accounts Payable, his three AI assistants (two sanctioned, one very much ‘shadow’), a recruitment algorithm, and whatever experimental automation Marketing has hooked up to Slack to bypass a slow internal process.

They are all making decisions. And they are all sharing data.

When Peter’s AI hallucinates a rogue clause into a vendor agreement, or a chatbot leaks PII because a prompt-engineer asked nicely, where does the buck stop? Traditional security loves clean lines—User vs. Admin, Internal vs. External. But we are now operating in a world that has gone full analogue. We have created a workforce that is part human and part silicon, yet the risk remains entirely ours to manage.

The Futility of Punitive Security

Historically, we have managed security like a digital Alcatraz. If a user clicks a phishing link, we chastise them. If they use unapproved software, we discipline them.

But punishing people for being human is like shouting at water for being wet. It provides a few seconds of emotional release for the security team, but it doesn’t change the outcome. You cannot discipline your way to a secure culture, and you certainly cannot punish an AI agent into making safer choices.

So, what happens when your workforce is 60% human, 40% AI, and rising?

Navigating the Shadow AI Explosion

Shadow AI isn’t born from malice; it’s born from friction. Employees use unsanctioned tools because the approved versions are often slow, restrictive, and designed by people who think of ‘user-friendly’ as a type of malware.

If your IT ticket for an AI request won’t be resolved until Q3 2027 but the free version of ChatGPT is open in a browser tab right now, the choice for a busy employee is a foregone conclusion.

To manage this hybrid reality, we need to view the workforce as a single, unified, complex adaptive system. Here is the framework for securing the blur:

  • Govern the Decision, Not the Entity: We need governance frameworks that apply to the action, regardless of whether the actor is carbon-based or cloud-hosted. If a human isn’t allowed to export customer data to a personal drive, their AI assistant shouldn’t be able to either.
  • Design for Invisible Perimeters: Assume you will never have 100% visibility again. Security must shift toward real-time behavioral monitoring and anomaly detection that tracks patterns across both human and machine activity.
  • Build Intuitive Culture, Not Just Compliance: You teach a child to cross the road by explaining traffic lights, not by screaming at them every time a car passes. The same applies here. You cannot train culture into an AI model, but you can design systems where humans and AI operate within a framework that makes security intuitive.
  • Treat Shadow AI as a Signal: If half your workforce is using unsanctioned AI, that isn’t a compliance failure—it’s a sign your current tools are failing your people.
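
One way to express "govern the decision, not the entity" as an authorization check, added here as an example and not part of the original article. The actor model, scope names and rule fields are assumptions made for illustration, and the actors are constructed samples.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Actor:
    actor_id: str
    kind: str                               # "human" or "ai_agent"
    scopes: frozenset = frozenset()         # actions granted to this actor
    on_behalf_of: Optional["Actor"] = None  # who an agent is acting for


@dataclass(frozen=True)
class Request:
    actor: Actor
    action: str
    data_class: str
    destination: str


# Rules are written against the action only; none of them mentions actor kind.
# (Hypothetical rule format for this example.)
ACTION_RULES = [
    {"match": {"action": "export", "data_class": "customer",
               "destination": "personal_drive"},
     "reason": "customer data may not be exported to a personal drive"},
]


def accountability_chain(actor):
    """Return [actor, its delegator, ...] ending at the root of the delegation."""
    chain = [actor]
    while chain[-1].on_behalf_of is not None:
        chain.append(chain[-1].on_behalf_of)
    return chain


def decide(req):
    """Return (allowed, reason); the same path runs for humans and AI agents."""
    chain = accountability_chain(req.actor)
    # Assumption: an agent with no human behind it has nobody to answer for it.
    if chain[-1].kind != "human":
        return (False, "no accountable human behind this actor")
    # The action rules apply first, whoever or whatever is asking.
    for rule in ACTION_RULES:
        if all(getattr(req, name) == value for name, value in rule["match"].items()):
            return (False, rule["reason"])
    # An agent can never do more than the person it acts for.
    for actor in chain:
        if req.action not in actor.scopes:
            return (False, f"{actor.actor_id} lacks scope '{req.action}'")
    return (True, "permitted")


# Constructed sample actors.
PETER = Actor("peter", "human", frozenset({"read", "export"}))
PETER_ASSISTANT = Actor("peter-assistant", "ai_agent",
                        frozenset({"read", "export"}), on_behalf_of=PETER)
INTERN = Actor("intern", "human", frozenset({"read"}))
INTERN_AGENT = Actor("intern-agent", "ai_agent",
                     frozenset({"read", "export"}), on_behalf_of=INTERN)
SHADOW_BOT = Actor("marketing-slack-bot", "ai_agent", frozenset({"read", "export"}))

if __name__ == "__main__":
    for actor in (PETER, PETER_ASSISTANT, INTERN_AGENT, SHADOW_BOT):
        for dest in ("personal_drive", "corporate_share"):
            req = Request(actor, "export", "customer", dest)
            print(f"{actor.actor_id:22} -> {dest:16} {decide(req)}")
```

Logging every `decide` result with the full accountability chain gives one audit trail for human and machine activity alike.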

The question is no longer if your workforce will become a hybrid of human and machine. It already is.

The real question is whether our security models will evolve to meet this reality, or if we will keep building expensive walls around a perimeter that vanished years ago. The workplace has changed; our job is to design security that works with human nature, rather than against it.

WHEN MEDICAL SCANS END UP ONLINE: THE QUIET RISK HOSPITALS CAN FIX FAST

Attributed by Osama Alzoubi, Middle East and Africa VP at Phosphorus Cybersecurity

As Saudi Arabia races ahead in digital healthcare transformation, a quieter vulnerability lingers in the background: medical imaging systems that can be found – and sometimes accessed – directly from the public internet. Imaging infrastructure, diagnostic platforms, and hospital information systems are being modernized at speed, improving outcomes, accelerating workflows, and bringing advanced clinical capabilities to more communities. But beneath this progress lies a quieter risk that rarely makes headlines: medical imaging systems being exposed on the public internet due to simple configuration errors.

Not a dramatic cyberattack. Not a threat actor breaching a firewall. Just avoidable misconfigurations that leave sensitive patient data reachable by anyone who knows where to look.

Medical imaging systems in Saudi Arabia face a persistent security challenge that differs from dramatic cyberattacks. Patient data exposure often occurs through configuration errors that leave systems accessible on the public internet. These technical oversights represent a significant vulnerability in healthcare’s digital infrastructure.

The Kingdom’s Personal Data Protection Law (PDPL) establishes strict requirements for handling health data. This legislation, modeled after international standards, mandates enhanced protection for medical information and imposes penalties for unauthorized disclosure. Hospitals must implement organizational and technical measures to prevent data exposure.

Radiology departments increasingly use digital platforms for case discussions and second opinions. Without proper configuration, these systems might allow unintended access to patient records. Teleradiology services, which expanded significantly during the pandemic, require secure transmission protocols to protect data during remote consultations.

When we hear about data breaches, we often imagine skilled hackers penetrating security systems. The reality is often simpler and more preventable. “Exposed” typically means a system is reachable from the public internet due to setup choices, not a sophisticated intrusion.

This happens in real-world healthcare settings for straightforward reasons: rushed deployments to meet clinical deadlines, vendor-supplied default configurations that were never changed, remote support access left open for convenience, and legacy systems that were connected to modern networks without proper security reviews.

The scale is significant. Research has identified over 1.2 million reachable devices and systems globally, including MRI scanners, X-ray systems, and related medical infrastructure. These are not theoretical vulnerabilities. They represent actual systems that can be found and accessed from anywhere with an Internet connection.

What gets exposed is more than images

Medical imaging files are not simply pictures. They carry identifiers and metadata that can connect scans directly to real people. Patient names, dates of birth, identification numbers, and clinical details often travel alongside the diagnostic images themselves.

This matters for several reasons. Beyond the obvious privacy violation, exposed patient imaging data creates risks of identity fraud, potential coercion or blackmail, serious reputational damage to healthcare institutions, and erosion of the trust patients place in their medical providers.

Security monitoring platforms have documented cases where exposed systems allowed direct access to both images and patient data—offering a level of detail that should never be open to anyone outside the clinical team.

Why this keeps repeating worldwide

Hospitals everywhere use similar device types and manage comparable data flows. The result is that the same setup mistakes appear repeatedly across different countries and healthcare systems. What starts as one hospital’s misconfiguration becomes everyone’s common failure mode.

The medical devices themselves often come with similar default settings. Imaging servers, picture archiving systems, and diagnostic viewers are deployed in comparable ways. When basic security steps are skipped during installation, the exposure follows a predictable pattern.

Health sector cybersecurity guidance from international authorities emphasizes the need for repeatable baseline controls precisely because these patterns recur. Reducing exposure requires not innovation, but consistent application of known protective measures.

Healthcare organizations face a common vulnerability pattern. A major healthcare provider addressed similar challenges across hundreds of hospitals, discovering that default passwords, vulnerable firmware, and device misconfigurations created entry points that threatened patient care and hospital operations across more than 500,000 connected medical and operational devices.

The Saudi-specific layer: connectivity at cluster scale

Saudi Arabia’s healthcare transformation includes the expansion of health clusters that connect multiple facilities into integrated networks. This approach improves care coordination and resource sharing, but it also means that one weak link can affect multiple sites.

National interoperability initiatives support the sharing of imaging and diagnostic reports across the healthcare system. The Saudi health ministry has established specifications for imaging data exchange through the national health information exchange platform, enabling providers to access patient scans regardless of where they were originally performed.

This connectivity is essential for modern healthcare delivery. It allows specialists to review scans remotely, supports second opinions, and ensures continuity of care when patients move between facilities. However, it also increases the need for consistent configuration rules and security standards across all connected sites.

When imaging systems within a cluster are not uniformly secured, the exposure risk multiplies. A misconfigured system in one facility can potentially provide access to data from across the entire cluster network.

A practical checklist hospitals can act on

Healthcare institutions can take concrete steps to reduce exposure risk. These are not theoretical recommendations but proven measures that address the most common vulnerabilities.

First, create a complete inventory. Every hospital should maintain a current list of what is connected to its network, including imaging devices, storage servers, viewing stations, web portals, and remote access tools. You cannot protect what you do not know exists.

Second, check external exposure. Verify that nothing sensitive is reachable from the public internet. This requires technical scanning from outside the hospital network to identify systems that respond to external queries. Many organizations discover exposures they did not realize existed.

Third, restrict remote access properly. Remote connections for maintenance and support should be tightly controlled, require strong authentication methods, and be removed entirely when no longer needed. Convenience should never override security when patient data is involved.

Fourth, implement safe setup procedures. Develop standard build guides for imaging systems, change all default passwords and settings, clearly document who owns each system, and establish responsibility for applying security patches and updates. Industry experience shows that default credentials remain one of the lowest barriers for attackers seeking entry into healthcare networks.

Fifth, conduct continuous checks. Exposure scanning should happen after any network changes, not just once annually. Healthcare networks evolve constantly, and new vulnerabilities can appear whenever systems are added or reconfigured.

These steps align with guidance from international cybersecurity authorities and health sector regulators, which emphasize reducing exposed services and strengthening baseline controls as priority actions for healthcare organizations.
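
The checklist above can be run as a repeatable reconciliation between the inventory and the results of an outside-in scan. The following is an added example, not part of the original article: the inventory fields, severity labels, addresses (RFC 5737 documentation range) and ports are all constructed for illustration.

```python
from datetime import date

# Step one: the inventory. Constructed sample; field names are assumptions.
# "external_until" is the date an approved internet-facing exception ends
# (None means the system should never be reachable from outside).
INVENTORY = {
    "203.0.113.10": {"name": "imaging-archive-01", "owner": "radiology-it",
                     "default_creds_changed": True, "external_until": None},
    "203.0.113.11": {"name": "ct-console-02", "owner": None,
                     "default_creds_changed": False, "external_until": None},
    "203.0.113.12": {"name": "vendor-support-gw", "owner": "biomed-eng",
                     "default_creds_changed": True,
                     "external_until": date(2024, 1, 31)},
    "203.0.113.13": {"name": "patient-portal", "owner": "web-team",
                     "default_creds_changed": True,
                     "external_until": date(2099, 12, 31)},
}

# Step two: (ip, port) pairs that answered a scan run from outside the
# hospital network, before and after a network change. Constructed data.
SCAN_BEFORE_CHANGE = {("203.0.113.13", 443)}
SCAN_AFTER_CHANGE = {
    ("203.0.113.13", 443),
    ("203.0.113.10", 8080),
    ("203.0.113.11", 8080),
    ("203.0.113.12", 3389),
    ("203.0.113.99", 8080),
}
TODAY = date(2025, 1, 1)  # constructed evaluation date


def assess(inventory, reachable, today):
    """Return (ip, port, severity, reason) findings for externally reachable services."""
    findings = []
    for ip, port in sorted(reachable):
        asset = inventory.get(ip)
        if asset is None:
            # Step one failed: something is online that nobody has listed.
            findings.append((ip, port, "high", "not in inventory"))
            continue
        until = asset["external_until"]
        if until is None:
            findings.append((ip, port, "high", "exposed without approval"))
        elif until < today:
            # Step three: remote access left open after it was needed.
            findings.append((ip, port, "high", "external access approval expired"))
        if not asset["default_creds_changed"]:
            # Step four: defaults never changed on a reachable system.
            findings.append((ip, port, "critical", "reachable with default settings"))
        if not asset["owner"]:
            findings.append((ip, port, "medium", "no owner recorded"))
    return findings


def newly_exposed(before, after):
    """Step five: services reachable now that were not reachable before the change."""
    return sorted(after - before)


if __name__ == "__main__":
    for finding in assess(INVENTORY, SCAN_AFTER_CHANGE, TODAY):
        print(finding)
    print("new since last scan:", newly_exposed(SCAN_BEFORE_CHANGE, SCAN_AFTER_CHANGE))
```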

The governance fix: make secure setup part of how clusters run

Individual hospital efforts are necessary but not sufficient. At the cluster level, governance structures must embed security into standard operations.

This begins with cluster-wide minimum standards for imaging systems and remote access. Every facility within a cluster should follow the same baseline security requirements, ensuring consistent protection regardless of which site a patient visits.

Clear ownership must be established for every system. Someone specific should be responsible for applying patches, approving access requests, and regularly checking for exposure. When accountability is diffuse, critical tasks get overlooked.

Procurement processes offer another leverage point. Purchase agreements should require vendors to provide secure default configurations, enable comprehensive logging capabilities, and commit to supported update cycles for the life of the equipment. Security should be a selection criterion, not an afterthought.

These governance approaches reflect sector framework guidance that encourages structured programs and repeatable controls rather than ad hoc responses to individual incidents.

Saudi Arabia has invested heavily in national cybersecurity frameworks and regulatory oversight across critical sectors, including healthcare. The foundation exists. The next step is ensuring those protections extend fully to the expanding ecosystem of IoT and IoMT devices — where simple configuration gaps can undermine otherwise sophisticated digital progress.

Prevent avoidable incidents

The goal is not perfection. Healthcare systems are complex, and some level of risk will always exist. The goal is removing the easiest path for data exposure: systems sitting openly on the public internet waiting to be found.

In connected healthcare, the quickest wins come from two simple principles: visibility and access control. Know what you have connected, and shut the doors that do not need to be open.

For Saudi Arabia’s health clusters, this represents an achievable objective. The infrastructure investments being made across the Kingdom’s healthcare sector create an opportunity to build security into expansion rather than retrofitting it later.

Medical imaging systems serve an essential clinical purpose. They should not also serve as unintended windows into patient data. With practical steps and consistent governance, hospitals can fix this quiet risk before it becomes a public incident.

In digital healthcare, exposure is rarely a mystery. It is usually a configuration. The question is not whether hospitals can fix it, but whether they will do so before patients pay the price.

Copyright © 2023 | The Integrator