The World Economic Forum’s latest Global Cybersecurity Outlook warns that rapid artificial intelligence deployment, geopolitical division and fragile supply chains are reshaping cyber risk, drawing a strong response from security and compliance specialists who say traditional frameworks are already under strain.
Two senior industry figures said the findings mirror what they are seeing in the field, as organisations struggle to connect cybersecurity, privacy and AI governance against a backdrop of diverging regulatory regimes and rising cross-border tensions.
AI risk
Chris Newton-Smith, Chief Executive of IO, said the report underlines converging pressures from information security, privacy and AI oversight.
“The report very much captures a trend we have been seeing clearly in our own work at IO with regards to the intrinsic linkage of information security, privacy and AI governance for organisations and their risk profile. With the vast increase in AI adoption, companies are facing new technical vulnerabilities as well as having to deal with growing governance and compliance challenges, such as data leakage and model misuse, to accountability, oversight and regulatory readiness,” said Chris Newton-Smith, CEO, IO.
Organisations are scaling AI in core operations, customer engagement and decision-making. This expansion is exposing new attack surfaces, including data inputs, model training pipelines and integration points with legacy systems. It also coincides with uncertain regulatory expectations on issues such as transparency, auditability and the handling of personal and sensitive data in machine learning models.
Geopolitical fragmentation
Newton-Smith said these technical and governance challenges sit on top of a more fractured geopolitical environment and evolving state and non-state threats.
“Map the above challenges alongside the geopolitical fragmentation the WEF report highlights, cyber risk is really being challenged in ways many traditional compliance frameworks were not designed for, via issues such as sovereignty, supply-chain and third-party exposure. In this environment, resilience absolutely depends on an organisation’s ability to integrate cyber security, information security, privacy, and AI governance into a single risk picture, and to connect that with their technology decisions, regulatory obligations, business impact, and geopolitical context. This resilience loop, as we call it at IO, will be key to creating the robust foundations required to provide strong security and the ability to keep operating if the worst should happen,” said Newton-Smith.
The World Economic Forum report highlights an environment in which critical technologies and data traverse jurisdictions with conflicting rules and political interests. Governments are asserting digital sovereignty and data localisation. Vendors are restructuring supply chains. Organisations are trying to understand their exposure across partners and service providers that operate in multiple legal systems.
Supply chains
Megha Kumar, Chief Product Officer and Head of Geopolitical Risk at CyXcel, said the report lands at a moment when global technology supply chains and the cyber threat landscape are increasingly intertwined.
“The World Economic Forum’s Global Cybersecurity Outlook 2026 is a timely reminder of the changing nature of risks in cyber space, especially the impact of rapid deployment and innovation of AI, geopolitical fragmentation and vulnerability of supply chains,” said Megha Kumar, Chief Product Officer and Head of Geopolitical Risk, CyXcel.
Hardware, software and cloud services now rely on dispersed design, manufacturing and operational ecosystems. Attackers exploit this complexity. They target upstream providers, third-party tools and managed services. Organisations then face cascading operational and reputational impacts when a supplier experiences a breach or disruption.
Policy divides
Kumar said the nature of cyber threats demands collaborative responses across borders, but major economies remain split on regulation and joint defence.
“Technology supply chains are globally integrated and the hostile cyber market also operates from across multiple national borders. This requires cross-nation cooperation, but the response is going in the opposite direction. Growing geopolitical division between the United States and Western democracies, in particular, is impeding joint defensive action against cyberattacks and policy harmonisation on technologies such as social media and AI,” said Kumar.
The World Economic Forum report points to uneven progress on common rules for incident reporting, data protection and AI oversight. This divergence complicates compliance for multinational firms and can slow the sharing of threat intelligence or coordinated action against malicious actors.
AI regulation
Kumar highlighted AI as a focal point of regulatory disagreement, with different blocs weighing innovation and risk in distinct ways.
“Indeed, this geopolitical divergence is especially problematic in the case of AI. Leading AI technologies are being developed in the United States but the UK and EU, for example, favour regulation whereas the US federal administration is determined to prioritise innovation and economic growth. The UK-US dispute over Grok AI is an example of that divergence. Both sides appreciate the social damage caused by the misuse of AI tools, and recognise this damage will increase, but what we are seeing is a response on a case-by-case basis rather than an integrated approach,” said Kumar.
Regulatory fragmentation around AI is emerging alongside an increase in reported misuse. This includes deepfakes, automated disinformation, fraud, model theft and prompt injection attacks, as well as concerns over opaque automated decision-making.
Rising uncertainty
The World Economic Forum warns that these trends are likely to intensify over the outlook period. Kumar said the political environment in major economies will add further complexity for businesses attempting long-term planning.
“The rift among advanced economies will almost certainly intensify over 2026, not least due to the Trump administration’s agenda, leaving businesses to deal with uncertainty over digital policy & responsible AI deployment and a needlessly high compliance burden. This doesn’t mean organisations should give up on managing the risks, rather it means that risk management needs to be elevated to take an integrated view of cybersecurity, regulation, technology, supply chain, geopolitics and AI,” said Kumar.