CYBERPLANZ
“Plans are of little importance, but planning is essential.”
― Winston Churchill

30 March Blog

3/30/2026


 

AI Safety Starts with Governance—Not Policies

Artificial Intelligence is moving at a relentless pace.
New tools. New platforms. New capabilities—appearing daily.
For organisations, the pressure is clear: adopt AI or risk falling behind.
But in the rush to embrace AI, many organisations are making a critical mistake.
They are confusing governance with documentation.
Because AI safety is not achieved by copying a policy template or publishing a procedure on the intranet.
It is achieved through effective, lived governance.
 
The Illusion of “Being Covered”
When AI enters the conversation, a common response from leadership is:
“We need an AI policy.”
And so, a document is created.
Or worse—downloaded, lightly edited, and distributed.
On paper, it looks like progress.
In reality, very little has changed.
  • Staff still use unapproved tools
  • Sensitive data is still being shared
  • Decisions are still being made without oversight
  • Leadership still lacks visibility
A policy alone does not change behaviour.
And in the context of AI, behaviour is where the real risk sits.
 
Governance Is Not a Document—It’s a System
Effective AI governance goes far beyond written rules.
It is the combination of:
  • Clear accountability (who owns AI risk?)
  • Practical guardrails (what is acceptable use?)
  • Visibility (where and how is AI being used?)
  • Ongoing oversight (how is risk monitored and managed?)
Most importantly, governance must be embedded into how the organisation operates daily—not sitting on a shelf.
If your governance doesn’t influence decisions in real time, it isn’t governance.
 
Start with Reality, Not Assumptions
Many organisations attempt to govern AI before they understand how it is actually being used.
The truth?
AI adoption is already happening—often informally.
Employees are:
  • Uploading documents into AI tools
  • Automating workflows without approval
  • Using AI to make or influence decisions
This “shadow AI” creates a dangerous gap between perceived control and actual risk.
Good governance starts by acknowledging reality, not ignoring it.
 
Define Guardrails That People Can Actually Follow
Overly complex governance frameworks fail for one simple reason:
People don’t follow what they don’t understand.
Effective AI governance should be:
  • Simple enough to guide everyday decisions
  • Practical enough to apply under time pressure
  • Relevant to real roles and workflows
For example:
  • What data is strictly off-limits?
  • Which tools are approved—and why?
  • When must a human validate AI output?
Clarity reduces risk. Complexity increases it.
 
Protect Data Through Behaviour, Not Just Controls
Technology controls matter—but they are only part of the equation.
AI risk often emerges from small, human decisions:
  • Copying and pasting sensitive information
  • Trusting AI outputs without validation
  • Using convenient tools instead of approved ones
This is why governance must connect directly to how people think and act.
A simple principle often outperforms complex controls:
“If this data left the organisation, what would the impact be?”
When employees can answer that question, they make better choices.
 
Leadership Accountability Is Non-Negotiable
AI governance cannot be delegated entirely to IT.
It is a leadership responsibility.
Because the risks are not just technical—they are:
  • Reputational
  • Legal
  • Operational
  • Cultural
Strong governance requires:
  • Clear ownership at an executive level
  • Regular review and challenge
  • Alignment with business strategy and risk appetite
If leadership is not actively engaged, governance becomes a checkbox exercise.
 
Build a Culture That Supports Safe AI Use
Policies don’t shape culture. Behaviour does.
If employees feel:
  • Pressured to be faster
  • Rewarded for shortcuts
  • Unsure about what’s acceptable
They will take risks—often unintentionally.
Effective governance creates an environment where:
  • People feel confident using AI safely
  • Asking questions is encouraged
  • Accountability is shared, not feared
This is where human-centric security becomes critical.
Because AI safety is not just about controlling systems—it’s about enabling people to make better decisions.
 
Governance That Enables, Not Restricts
There’s a common fear that governance slows innovation.
In reality, poor governance does.
When organisations lack clarity:
  • Teams hesitate
  • Risk increases
  • Trust erodes
But when governance is clear and embedded:
  • Adoption accelerates
  • Decisions improve
  • Innovation becomes safer and more sustainable
Good governance doesn’t block AI.
It unlocks it—safely.
 
Final Thought
AI is not waiting for organisations to catch up.
It is already embedded in how work gets done.
The question is no longer:
“Do we have an AI policy?”
The real question is:
“Do we have governance that actually works?”
Because in the age of AI, safety will not come from what is written.
It will come from what is understood, applied, and lived—every day, across the organisation.

23 March Blog

3/23/2026


 

Three Conflicts. A Fuel Crisis. One Reality: Are You Truly Prepared?

With ongoing conflict in the Middle East, and the prolonged war in Ukraine, the global environment is no longer just uncertain—it’s persistently volatile.
Layer on top of that a tightening fuel supply and rising energy costs, and the implications for business become immediate and unavoidable.
This isn’t just geopolitics anymore.
This is operational risk.
This is business continuity.
This is leadership.
And yet, many organisations are still operating as if disruption is an exception—not the norm.
So, let’s ask the uncomfortable—but necessary—questions:
1. When did you last review or update your Business Continuity Plan (BCP)?
For many organisations, the BCP sits untouched—created during COVID, filed away, and assumed to be “good enough.”
But today’s risks are different:
  • Multi-region disruption
  • Energy shortages
  • Simultaneous cyber and physical threats
A static plan in a dynamic world is a liability.
If your BCP hasn’t evolved with the current global landscape, it’s already outdated.
 
2. When did you last review your cyber posture—including your tech stack?
Periods of geopolitical tension consistently correlate with increased cyber activity.
Not just sophisticated nation-state attacks—but opportunistic ones targeting:
  • Small and medium businesses
  • Under-protected systems
  • Human vulnerabilities
The question isn’t whether you have cybersecurity tools.
It’s whether they are:
  • Fit for purpose
  • Properly integrated
  • Understood by your people
Because complexity without usability creates risk—not protection.
3. Are you prepared for another sudden shift to remote work?
Fuel disruption doesn’t just affect logistics—it affects people.
  • Commuting becomes difficult or expensive
  • Offices become less viable
  • Remote work becomes necessary again—quickly
But with that shift comes risk:
  • Unsecured home networks
  • Shadow IT and unsanctioned tools
  • Increased phishing and social engineering
We’ve been here before.
The real question is:
Did we learn enough the first time?
4. When did you last run a tabletop exercise?
Plans don’t fail on paper.
They fail in execution.
A tabletop exercise reveals:
  • Gaps in decision-making
  • Confusion in roles and responsibilities
  • Weaknesses in communication
Without testing your response in a safe environment, you’re relying on theory in a real-world crisis.
And theory rarely survives first contact.
5. How confident are you in your supply chain?
Global conflict and fuel instability create a perfect storm:
  • Delayed shipments
  • Increased costs
  • Supplier disruption
But the deeper risk often sits beneath the surface:
  • Third-party cyber vulnerabilities
  • Lack of visibility beyond Tier 1 suppliers
  • Over-reliance on single regions or vendors
Supply chain resilience is no longer just about logistics.
It’s about trust, transparency, and contingency.
The Common Thread: Preparedness vs Assumption
What links all of these questions is a single issue:
Assumption.
  • “Our plan is probably still fine.”
  • “Our systems should hold up.”
  • “Our people will adapt.”
But in today’s environment, assumption is risk.
A Leadership Imperative
This moment doesn’t call for panic.
It calls for proactive leadership.
  • Revisit your BCP
  • Reassess your cyber posture
  • Re-engage your people
  • Re-test your response capability
And most importantly:
Shift from a technology-first mindset to a human-centric one.
Because in every disruption—whether driven by conflict, fuel shortages, or cyber threats—it is people who make the difference between failure and resilience.
Final Thought
The world isn’t becoming more stable anytime soon.
The question is no longer:
“Could this impact us?”
It’s:
“Are we ready when it does?” 

16 March Blog

3/16/2026


 

Protecting Your Business and Your People While Using AI

Artificial Intelligence tools are rapidly becoming part of everyday business operations. From drafting emails and analysing data to assisting with marketing and customer service, AI offers small and medium-sized businesses an opportunity to improve efficiency and competitiveness.
But as with any powerful technology, the benefits come with risks.
Many organisations are rushing to adopt AI tools without fully considering the security, privacy, and governance implications. In practice, this can expose businesses to data leakage, compliance breaches, reputational damage, and even cyber exploitation.
The good news is that small and medium-sized businesses do not need large security teams or complex systems to use AI safely. What they do need is a clear, practical framework that protects both the business and the people using the technology.
Here are several key steps businesses should consider.
 
1. Establish Clear AI Usage Guidelines
One of the biggest risks businesses face today is uncontrolled or “shadow” AI use, where staff independently begin using AI tools without guidance.
Employees often use AI with good intentions—trying to work faster or solve problems—but without clear policies they may inadvertently upload sensitive information such as:
  • Customer data
  • Financial information
  • Internal reports
  • Intellectual property
A simple AI usage guideline should clearly define:
  • What types of information must never be entered into AI tools
  • Which AI platforms are approved for business use
  • When staff should seek guidance before using AI for work tasks
Clarity removes uncertainty and helps staff make safer decisions.
 
2. Choose Trusted AI Platforms
Not all AI tools are equal when it comes to security and privacy.
Before adopting any AI platform, businesses should consider:
  • Where the data is stored
  • Whether information entered into the system is used to train the model
  • What security controls the provider has in place
  • Whether the platform complies with relevant privacy regulations
Choosing reputable providers with strong security practices significantly reduces the risk of sensitive information being exposed.
 
3. Train Staff on Safe AI Use
Technology controls alone are not enough.
Staff are the ones interacting with AI tools every day, and without awareness training they may not recognise the risks.
Practical training should cover:
  • What AI tools can and cannot safely be used for
  • The risks of sharing sensitive information with AI
  • How to verify AI-generated outputs
  • Recognising AI-enabled phishing or social engineering attacks
When employees understand both the benefits and the risks, they become part of the organisation’s defence rather than its vulnerability.
 
4. Verify AI Outputs
AI-generated content can be incredibly helpful—but it is not always accurate.
Businesses should encourage staff to treat AI outputs as a starting point rather than a final answer.
Important considerations include:
  • Checking factual accuracy
  • Reviewing for bias or misleading information
  • Ensuring outputs align with company policies and legal obligations
Human oversight remains essential.
 
5. Protect Sensitive Business Information
Businesses should establish clear boundaries around what information can be used with AI tools.
Sensitive information that should generally never be entered into public AI platforms includes:
  • Customer personal data
  • Financial records
  • Strategic plans
  • Internal security processes
  • Intellectual property
Where AI is required to process sensitive information, businesses should consider enterprise-grade or private AI environments designed with stronger security protections.
 
6. Integrate AI into Cybersecurity Governance
AI should not exist outside the organisation’s existing cybersecurity framework.
Instead, it should be incorporated into governance structures including:
  • Risk management processes
  • Data protection policies
  • Cybersecurity oversight at the leadership level
Even small businesses benefit from periodically reviewing how emerging technologies like AI impact their security posture.
 
7. Foster a Responsible AI Culture
Ultimately, safe AI adoption is not just about policies or technology—it is about culture.
Businesses that succeed with AI encourage:
  • Curiosity and innovation
  • Responsible use of technology
  • Open discussion about risks
  • Staff feeling comfortable asking questions
When people feel supported rather than restricted, they are far more likely to use AI responsibly.
 
The Opportunity
AI is not something businesses should fear. Used correctly, it can be a powerful tool for growth, efficiency, and innovation.
However, the organisations that benefit most from AI will be those that adopt it thoughtfully—balancing technological opportunity with human awareness and good governance.
For small and medium-sized businesses, protecting your people while using AI is not about complex security systems.
It is about clear guidance, informed staff, and leadership that understands both the power and the responsibility that comes with new technology.
Because in the end, the safest and most resilient organisations are not just those with the best tools — but those with people who know how to use them wisely.

9 March Blog

3/9/2026


 

The Best Cybersecurity Solution Isn’t the Flashiest One — It’s the Right One

In today’s cybersecurity marketplace, organisations are bombarded with promises.
Artificial intelligence.
Autonomous threat detection.
Next-generation platforms.
“Military-grade” security.
The language is impressive. The dashboards look sleek. The demonstrations are often compelling.
But here’s the uncomfortable truth many organisations eventually discover:
The most sophisticated cybersecurity solution is not always the most effective one for your business.
And in many cases, choosing technology because it looks impressive can actually create new risks.
The Cybersecurity Buying Trap
When leaders invest in cybersecurity tools, they often focus on three things:
  • Features
  • Technology sophistication
  • Vendor promises
What is often overlooked is a much more important question:
Will this solution actually work in our environment, with our people, and within our business operations?
A platform may perform brilliantly in a lab or enterprise environment, but struggle inside a small or mid-sized business that has:
  • Limited IT resources
  • Staff who are not cybersecurity specialists
  • Competing operational pressures
  • Little time for complex system management
If a security tool is too complex, too disruptive, or poorly understood by staff, it quickly becomes under-used, misconfigured, or ignored.
At that point, the organisation may feel protected — but in reality, the risk has simply changed shape.
Cybersecurity Isn’t Just a Technology Problem
One of the most common blind spots in cybersecurity investment is forgetting that people are part of the system.
Even the most advanced security platform still relies on human interaction:
Someone must configure it.
Someone must monitor alerts.
Someone must respond to warnings.
Someone must follow the processes it creates.
If the technology does not fit naturally into how your people work, the solution can quickly become friction rather than protection.
This is why many cybersecurity incidents occur despite organisations having security tools in place.
The technology existed.
But it wasn’t embedded into the way the organisation actually operates.
The Right Solution is the One That Fits
Effective cybersecurity solutions are not necessarily the most expensive or advanced.
They are the ones that align with:
  • Your business size: A 10-person company needs a very different solution than a 500-person enterprise.
  • Your operational reality: Security tools must integrate with daily workflows rather than disrupt them.
  • Your people and culture: Technology should support employees, not overwhelm them.
  • Your governance capability: If your organisation cannot realistically manage a complex platform, a simpler, well-managed solution will often be far more effective.
In short:
Cybersecurity should fit the organisation — not the other way around.
Human-Centric Cybersecurity Matters
This is where a human-centric approach to cybersecurity becomes essential.
Rather than starting with technology, organisations should begin by asking:
  • How do our people interact with systems?
  • Where are the natural points of risk in daily work?
  • What security measures will employees realistically follow?
  • How do we build protection without creating friction?
When security solutions are designed around human behaviour, they become:
  • Easier to adopt
  • Easier to manage
  • More consistently used
  • And ultimately far more effective.
The Boardroom Question
For boards and senior leaders, the key question is not:
“What is the most advanced cybersecurity solution available?”
The real question is:
“What cybersecurity solution will our organisation actually use, manage, and sustain effectively?”
Because cybersecurity resilience is not created by impressive technology alone.
It is created when technology, people, and governance work together.
And often, the best solution is not the one with the flashiest marketing.
It is the one that quietly fits your organisation — and works every single day.

2 March Blog

3/2/2026


 

When Cybersecurity Becomes “Someone Else’s Problem” — A Dangerous Leadership Blind Spot

In recent discussions with several senior managers, business owners and CEOs, three worrying themes surfaced.
Not technical weaknesses.
Not budget constraints.
But leadership assumptions.
And in 2026, assumptions are the biggest cyber risk of all.
1. “Cybersecurity Isn’t My Remit — That’s for IT”
One CEO told me directly that he didn’t want to discuss cybersecurity because it sat with his tech team.
That mindset might have worked 15 years ago.
It doesn’t work now.
Cybersecurity is no longer a technical control issue. It is:
  • A governance issue
  • A reputational issue
  • A financial risk issue
  • A regulatory exposure issue
  • A culture issue
Boards don’t delegate financial accountability to the finance team and then disengage.
They don’t outsource health & safety responsibility and refuse to discuss it.
Yet many still treat cyber risk as if it’s a firewall configuration problem.
Frameworks such as the National Institute of Standards and Technology’s Cybersecurity Framework and ISO/IEC 27001 are explicitly structured around governance and leadership accountability — not just technical controls.
If cyber is not on the CEO agenda, it is not truly embedded in the organisation.
And attackers understand that.
2. “We Don’t Use AI — I Blocked It”
Another leader confidently stated that no one in the organisation used AI-linked tools because IT had blocked them.
The reality?
AI adoption is bottom-up, not top-down.
Staff are already using platforms such as OpenAI’s ChatGPT, Microsoft Copilot, Google Gemini, and dozens of AI-enabled SaaS tools — often through personal devices, browser plugins, or embedded features inside systems you already pay for.
Blocking public AI websites does not remove:
  • AI embedded inside productivity platforms
  • AI inside CRM systems
  • AI features automatically activated in software updates
  • Staff experimentation from home
This is what many now call “Shadow AI”.
The more restrictive the policy, the more invisible the behaviour becomes.
And invisible risk is unmanaged risk.
3. “AI Is Safe — Staff Know What’s Expected”
The third view was equally concerning: AI tools were considered safe, and senior oversight was unnecessary because “staff know what’s expected.”
Unfortunately:
  • Most employees cannot clearly articulate what data is confidential vs sensitive vs public.
  • Many assume AI tools do not retain, learn from, or store prompts.
  • Very few understand intellectual property leakage risks.
  • Almost none have been trained in structured AI risk decision-making.
Trusting staff without equipping them is not empowerment — it is exposure.
Leadership oversight is not about mistrust.
It is about setting guardrails, defining acceptable use, and aligning innovation with governance.
4. “Cybersecurity Is an Irritation — It’s Overhyped”
Perhaps the most revealing comment came from a business owner who described cybersecurity as an irritation — a non-issue exaggerated by specialists to generate revenue.
It’s understandable.
Cybersecurity messaging has often leaned heavily on fear.
But dismissing risk does not remove it.
In New Zealand and across Australasia, we are seeing:
  • Increased ransomware targeting SMEs
  • Supply chain compromise
  • Business email compromise
  • AI-assisted phishing attacks that are almost indistinguishable from legitimate communication
Cyber risk today is less about dramatic movie-style breaches and more about:
  • Operational disruption
  • Revenue loss
  • Regulatory scrutiny
  • Reputational erosion
And increasingly — AI-driven acceleration of all of the above.
The Real Issue: A Leadership Gap
Across all four conversations, the pattern was not technical immaturity.
It was governance distance.
Cybersecurity and AI risk now sit at the intersection of:
  • Strategy
  • Culture
  • Technology
  • Human behaviour
  • Brand trust
When leaders disengage, block blindly, over-trust without oversight, or dismiss the issue entirely, they create exactly the conditions attackers rely on:
Complacency.
A More Mature Leadership Response
A balanced executive stance looks different:
  1. Cyber is a board-level discussion.
  2. AI use is acknowledged, mapped, and governed — not denied.
  3. Staff are trained, not simply trusted.
  4. Risk is assessed pragmatically — not exaggerated, but not ignored.
  5. Technology decisions are evaluated through a human-centric lens.
Because at its core, cybersecurity is not about firewalls.
It is about people making decisions — every day — often under pressure.
And AI simply accelerates the consequences of those decisions.
The Strategic Question for CEOs
Not:
“Is this IT’s job?”
But:
“Do we have governance visibility, cultural alignment, and practical guardrails around how technology and AI are being used across our organisation?”
If the answer is unclear, the risk already exists.
Cybersecurity is no longer a technical inconvenience.
It is a leadership responsibility.
And the organisations that understand that — will be the ones that remain resilient.

    Author

    Patrick – Founder of Cyberplanz | Business Strategist | Cyber Governance Advocate

    Patrick combines deep business experience, including an MBA, with up-to-date cybersecurity expertise, including certification as a PECB ISO/IEC 27001 Lead Implementer. He helps businesses grow while staying secure—bridging the gap between cybersecurity and real-world operations with clear, human-centric solutions. Passionate about culture, clarity, and resilience, Patrick champions the belief that cybersecurity is everyone’s business—not just IT’s.


Human-Centric Cyber Governance & AI Security for NZ Organisations

A Corna Consulting Company