AI & supply chain risks top cyber security agenda
Supply chain disruption and artificial intelligence risks have moved higher on the agenda for security leaders, as new figures highlight growing concern about third-party exposure and uneven readiness for AI-driven change.
Data cited from the World Economic Forum's Cybersecurity Outlook for 2026 shows 78% of organisations say third-party and supply chain vulnerabilities present their greatest challenge in becoming cyber resilient. The same dataset says 65% have seen an increase in supply chain disruption.
The figures also point to heightened concern around major incidents affecting critical national infrastructure. They show 31% of organisations are not confident they can respond to a major cyber incident targeting CNI. This compares with 26% in 2025.
On AI, the same set of findings places AI vulnerabilities as the top concern for CEOs and CISOs. It also reports that 94% of organisations anticipate AI will be the most significant driver of change in cybersecurity.
Rob Demain, CEO of e2e-assure, said the shift in emphasis reflects how attackers increasingly reach targets through external suppliers and service providers rather than direct compromise of a well-defended enterprise.
Supply chain risk
"Geopolitical cyber risk is increasingly realised through supply chains rather than direct attacks," said Rob Demain, CEO, e2e-assure.
Demain pointed to exposure through software providers, managed services and operational technology partners. He said cross-border technology dependencies and differing legal jurisdictions create additional complexity for organisations.
"Even organisations with strong internal security can be exposed through software providers, managed services or operational technology partners operating in different jurisdictions," said Demain.
He described the UK as particularly exposed because complex supply chains underpin public services and sectors including manufacturing and energy.
"This is particularly relevant in the UK, where complex supply chains support everything from public services to manufacturing and energy," said Demain.
Demain framed resilience as a wider issue than internal controls and policies at a single organisation.
"As a result, cyber resilience is becoming an ecosystem challenge, not an organisational one," said Demain.
He said organisations now focus more on ongoing oversight of third-party environments and faster identification of issues that could trigger broader disruption.
"Continuous monitoring and shared visibility across third-party environments are now essential to understanding where real risk sits and responding before disruption cascades," said Demain.
He also linked this focus to policy changes in the UK. He cited planned regulation that would widen expectations for resilience beyond a single enterprise and into supplier networks.
"This change is being reflected in regulatory updates," said Demain.
"In the UK the upcoming Cyber Security and Resilience Bill aims to bring supply chains under more regulation and limit supply chain risk, including the technologies and utilities that are integral to critical business operations," said Demain.
Demain also made the point that cyber resilience depends on weaker links across an extended chain of providers, contractors and digital platforms.
"Large organisations may have strong defences, but are only as resilient as their smallest suppliers," said Demain.
He said attackers already exploit third-party routes into larger organisations, including commercial software and outsourced technology operations.
"State-linked and criminal actors increasingly exploit third-party software, SaaS platforms and OT vendors," said Demain.
He said governance expectations also continue to move upward, as boards face more scrutiny around resilience obligations and assurance over key suppliers.
"UK regulatory focus (CSRB, NIS2 alignment) will increasingly treat supply chain resilience as a board-level responsibility," said Demain.
AI security gap
Alongside supply chain exposure, Demain said AI adoption creates a widening gap between organisations with strong security visibility and those that lack it.
"Artificial intelligence is already reshaping the cyber landscape, but not evenly," said Demain.
He said organisations should not treat AI as a replacement for security teams. He said it will instead highlight which organisations can observe and manage security events and which cannot.
"It won't replace security teams, but it will expose which organisations have visibility and which don't," said Demain.
Demain said many organisations now recognise AI as a major factor in cybersecurity change. He said fewer have put in place the structures required for secure deployment.
"While many organisations recognise AI as the most significant factor affecting cyber security over the next year, far fewer have the governance, visibility or processes in place to deploy it securely," said Demain.
He said this disparity will shape which organisations adopt new technologies confidently and which add new weaknesses through rushed or poorly governed implementation.
"This gap risks widening the divide between organisations that can confidently adopt new technologies and those that unintentionally introduce new vulnerabilities," said Demain.
Demain said AI has a clearer place when integrated into security operations, rather than deployed without oversight.
"In practice, AI delivers the most value when it is embedded within security operations, improving detection, reducing noise and supporting faster response, rather than being adopted in isolation without oversight," said Demain.
He also said attackers already move faster than many organisations' governance processes and controls.
"Attackers are operationalising AI faster than defenders can govern it," said Demain.
Demain said near-term risks centre on insecure deployment and a lack of visibility into how AI systems operate and connect to other systems.
"The biggest near-term risk is not 'rogue AI', but insecure AI adoption and poor visibility," said Demain.
He said managed detection and response and security operations centre services will become more central as organisations adapt their security models to AI-driven environments.
"MDR and SOC services will increasingly act as the control plane for AI-driven environments," said Demain.