2025 Cyber Risk Reality Check: Enterprises Must Address Emerging Threats and Preparedness Gaps


2025 Risk Reality Check: Enterprises Dangerously Underprepared for Next-Gen Cyberthreats

The newly released Riskonnect 2025 New Generation of Risk Report reveals that organizations remain perilously unprepared for emerging threats despite some progress in risk management. Political instability, AI-driven automation, and third-party vulnerabilities are converging to redefine business resilience in a landscape where only 17% of companies feel "very prepared" for political disruptions.

The Triple Threat: Politics, AI, and Supply Chain Vulnerabilities

Geopolitical volatility creates fertile ground for cyberattacks

Political risk has surged into the top three corporate threats for 2025, with 97% of risk leaders reporting impact and 40% describing it as significant or severe. The consequences extend beyond economic uncertainty, with nearly four in ten organizations stalling hiring or technology investments due to political instability.

"Geopolitical volatility creates conditions ripe for cyberattacks," the report warns, with 62% of risk leaders believing trade wars and restrictive policies will trigger cyber incidents. These attacks, often state-sponsored, specifically target intellectual property and supply chains, exploiting digital vulnerabilities particularly when oversight weakens.

The findings highlight a dangerous disconnect: while companies can anticipate many policy shifts well in advance, preparedness remains alarmingly low. Organizations must prioritize comprehensive cybersecurity risk assessment frameworks that account for geopolitical factors as core threat indicators.

AI: Transforming both risks and opportunities

The emergence of agentic AI—autonomous systems operating with minimal human input—represents a critical inflection point in enterprise risk management. Nearly 60% of companies are exploring these technologies, but 55% admit they haven't assessed the associated risks.

"Agentic AI is a new and critical category of enterprise risk," explains Riskonnect CEO Jim Wetekamp. "The autonomous execution of tasks brings tremendous efficiency gains—but also the potential for runaway processes or cascading failures if not managed properly."

The readiness gaps are substantial:

  • Only 12% of organizations feel "very prepared" for AI risks
  • 42% lack an employee-use AI policy
  • 72% have no GenAI policy for partners or suppliers
  • 75% lack a dedicated AI risk plan
  • Just 15% allocate budget to mitigate AI-related risks

These vulnerabilities create a new insider threat category: shadow AI. Nearly 90% of workers use AI tools without IT approval, creating an unseen web of ungoverned data flows and potential security breach points.

Nicole Carignan, SVP at Darktrace, emphasizes that "organizations must develop governance structures that can keep pace with the complexity and continued innovation of these technologies. However, there is no one-size-fits-all approach."

The persistent blind spot: Third-party risk management

While 85% of companies claim to have business continuity plans for vendor-related outages, most can only assess their Tier 1 suppliers. A mere 8% have visibility into their suppliers' suppliers—a critical blind spot that Riskonnect calls "an incomplete picture of digital supply chain risk."

This gap persists despite major disruptions like the MOVEit and CrowdStrike incidents prompting widespread policy reviews. For cybersecurity leaders, this represents a significant resilience liability as attackers increasingly leverage small, peripheral vendors to compromise larger ecosystems.

Chad Cragle, CISO at Deepwatch, warns that "companies that skip vendor risk assessments are essentially giving autonomy to software they don't fully understand."

Building effective cyber resilience strategies requires organizations to extend visibility beyond immediate vendors to identify cascade failure points throughout their digital supply networks.

Bridging the Preparation Gap

Progress in AI-powered risk management

On a positive note, risk teams are increasingly adopting AI to strengthen their own operations. Seventy percent of companies are now using or planning to use AI in their risk programs, up from 62% last year. Key applications include:

  • Risk assessment (34%)
  • Forecasting (28%)
  • Scenario simulations (28%)

These technologies allow teams to test complex "what-if" scenarios at scale, identifying vulnerabilities before disruptions occur—a practice cybersecurity teams can extend into attack simulation and resilience planning. However, 39% of organizations still haven't conducted worst-case scenario simulations, a critical preparedness exercise.

The resource paradox: Rising expectations meet stagnant budgets

Risk management is gaining strategic importance, with 60% of organizations now employing a Chief Risk Officer, up from 52% last year. Yet this elevated status hasn't translated to increased resources—only 28% report any rise in technology spending for risk management.

This creates a critical paradox: risk expectations are growing faster than available resources, forcing security leaders to innovate under constraints. The situation makes AI-driven automation and cross-functional risk integration essential for scaling defenses without increasing costs.

Small and medium businesses face particularly acute challenges in this environment, often lacking dedicated risk teams altogether. Implementing practical cybersecurity measures for smaller organizations becomes increasingly important as they face the same threat landscape with fewer resources.

Implications for cybersecurity leaders

The report outlines several critical actions for security professionals:

  1. Connect geopolitical risk with cyber posture by integrating political risk forecasting into threat intelligence.

  2. Establish AI governance frameworks defining policies, ownership, and response procedures before incidents become unmanageable.

  3. Map digital supply webs beyond Tier 1 vendors to model dependencies across the full ecosystem.

  4. Embed resilience exercises simulating not just traditional cyber threats but also AI system failures, supplier breaches, and geopolitical disruptions.

  5. Elevate risk management to a business enabler by translating cyber posture into business risk language for board-level discussions.

"The new generation of risk isn't defined just by the threats themselves, but by how quickly companies can adapt, act, and recover when they strike," Wetekamp summarized.

Action Plan for Security Professionals

Security professionals can leverage these insights by:

  • Developing integrated risk assessment models that connect geopolitical trends with specific cyber threat scenarios for your industry

  • Creating a comprehensive AI governance framework that addresses both the use of AI tools by employees and the deployment of autonomous AI systems

  • Implementing supply chain mapping exercises that extend beyond direct vendors to identify critical dependencies and potential attack vectors

The Riskonnect report makes one reality unavoidable: risk management maturity doesn't equal preparedness. The organizations that thrive will be those treating risk as a strategic discipline rather than a compliance checkbox in an increasingly volatile threat landscape.

Enhanced recommendation for implementation: Organizations should consider establishing cross-functional risk committees that meet quarterly to review emerging threats and coordinate response capabilities across security, operations, and business continuity teams. According to the National Institute of Standards and Technology (NIST), organizations with integrated risk frameworks demonstrate significantly higher resilience during actual disruptions.

Additionally, security leaders should develop tiered response playbooks specific to different risk scenarios identified in the report, particularly for AI system failures and third-party breaches where traditional incident response procedures may prove inadequate.
