The Executive's Map of Operational Risk
A strategic frame for leaders navigating cybersecurity in regulated environments.
Operational risk in regulated industries has four axes worth mapping at the executive level: external threat, internal misuse, third-party dependency, and model risk. Most organizations score themselves well on one or two and quietly ignore the rest. The pattern is consistent enough that the gaps are predictable: financial services tend to be strong on external threat and internal misuse and weak on model risk; technology companies tend to be strong on model risk and external threat and weak on third-party dependency; regulated healthcare tends to be strong on internal misuse and weak on everything else. The shape of the gap is usually the legacy of the executive who last cared about it.
Mapping the four axes deliberately, with the same rigor across each, is the executive contribution that no team below the C-suite can substitute for. The teams know their domains; what they cannot do without leadership is reconcile across domains. The reconciliation is where the strategic risk actually lives, and it is the work that distinguishes a security program from a security org chart.
External threat: known shape, evolving execution
The external threat axis is the most familiar and the most over-instrumented. Most organizations have invested in the controls that address the threats of the previous decade: endpoint detection, perimeter monitoring, email security, vulnerability management. The investment has been real and the results have been real. The risk on this axis is not absence of investment; it is over-investment relative to the marginal threat reduction it produces, while other axes go under-resourced.
The execution of external threat is evolving. Adversaries are using AI to scale phishing, to generate plausible synthetic identities, to write malware variants that defeat signature-based detection, and to operate at hours and volumes that exceed what human-staffed defenses can absorb. The defensive response is symmetrical: defensive AI that triages, correlates, and responds at machine speed, with humans operating at the policy layer rather than the alert layer. Programs that have not made this shift will find their external-threat posture quietly degrading despite increasing spend.
The new variant of the external threat worth particular attention is the supply-chain-mediated attack on AI systems themselves. Poisoned training data, malicious model weights distributed through nominally legitimate channels, compromised retrieval sources, and prompt-injection campaigns delivered through user-generated content are all being observed in the wild at increasing scale. The traditional external-threat controls do not address these vectors directly, and the AI-specific controls that do are still maturing. Programs that recognize the gap early and invest in the AI-specific defenses are noticeably ahead of programs that treat AI systems as just another endpoint to monitor.
Internal misuse: the underweighted axis
Internal misuse is the axis where the most damaging incidents originate and the least proportional attention is paid. The reasons are organizational: investigating internal actors is uncomfortable, the controls feel adversarial to employees, and the metrics are hard to publish externally. The result is that programs invest heavily in keeping outsiders out and lightly in noticing what insiders do once they are in.
The mature posture treats internal misuse as a probability to be measured rather than an event to be reacted to. Data access patterns are baselined per role. Deviations are surfaced to the user's manager rather than escalated to security as a default, which preserves trust while creating a feedback loop. Privileged access is time-bound and justified, with the justification logged. None of this presumes malice; all of it produces the evidence that distinguishes a mistake from a misuse when the question eventually arises.
The introduction of AI agents acting on behalf of employees adds a new dimension. An agent that has been given a user's permissions can be steered by a malicious input the user never saw. The action looks like the user, the audit trail looks like the user, and the user is genuinely uninvolved. Programs that have not extended their internal-misuse thinking to cover agent-mediated actions are carrying a risk they have not yet named.
The legal and HR implications of the new variant are unsettled. An employee whose agent was steered into an exfiltration cannot reasonably be held responsible for the action, but the action occurred under their identity and produced consequences for the business. The organizations that are working through this carefully are establishing explicit policies that distinguish user-authored actions from agent-mediated actions, with different response protocols for each. The organizations that are not addressing the distinction are accumulating a class of incidents that will eventually produce difficult conversations with employees and their representatives.
Third-party dependency: the supply chain question
Third-party dependency is the axis that has changed the most in the last five years and the least in most programs' risk registers. The supply chain that an enterprise depends on now includes SaaS providers holding production data, model providers running inference on private prompts, observability vendors holding logs that contain everything the system did, and a long tail of smaller integrations that individually look harmless and collectively constitute a substantial fraction of the platform.
The highest-leverage investment for most enterprises today is third-party assurance — because the vendors you ship through have become an extension of your attack surface and your AI supply chain at the same time. The assurance that matters is not a SOC 2 report on file; it is a real-time understanding of which vendors hold which data, what their incident response commitments are, and how quickly your organization could detect and contain a breach that originated on their side of the boundary.
Programs that have done this well maintain a small, current registry of their critical third parties, the data each one touches, the controls each one is contractually committed to, and the gap between the contract and the operational reality. The registry is queryable and the queries are wired into the same incident response process that handles internal incidents. The registry is not glamorous and it does not produce a press release; it is the difference between a vendor breach that is a footnote and one that is the front page.
The fourth-party problem — the vendors of your vendors — is the dimension most programs have not yet engaged with. A SaaS provider that holds your data may itself depend on a model provider that holds it next, with a hosting provider holding it after that. The chain is rarely transparent, the contractual obligations attenuate at each step, and the breach that affects you may originate three layers away from the boundary you contracted at. The programs that are working on this are beginning to require their tier-one vendors to disclose their own critical dependencies, with the goal of building a multi-layer map that supports realistic risk assessment rather than the single-layer fiction that most assurance work currently produces.
Model risk: the new axis
Model risk is the axis that did not exist in most enterprises five years ago and is now the fastest-growing source of operational uncertainty. The risks are familiar in their categories — accuracy, bias, drift, security, availability — but their interaction with the rest of the business is new. A model that quietly drifts can produce thousands of decisions that look correct in any individual instance and are systematically wrong in aggregate. A model that is prompt-injectable can be steered by an adversary who never touches your network. A model whose provider changes terms can produce a sudden architectural problem that no other dependency can produce at the same scale.
Managing model risk requires the same instrumentation as the rest of operational risk — evaluations, telemetry, incident response — applied to a substrate that is statistical rather than deterministic. The executives who handle this axis well do not need to understand the math; they need to insist on the operating model. A named accountable owner per model. A forum that can pause a deployment without negotiation. A reporting line that surfaces model incidents to the same level of leadership that hears about traditional security incidents. The structure does the work; the technical depth lives below it.
The model-risk function in mature organizations is increasingly distinct from both the security function and the data science function, in the same way that operational risk is distinct from credit risk in a bank. The function owns the framework for evaluating models, the registry of production models, the incident response runbooks for model failures, and the relationships with regulators on model-specific topics. The function works closely with both security and data science but is accountable to a different reporting line, often the chief risk officer rather than the CISO or the CTO. The structural separation is what allows the function to maintain independence of judgment when the model in question was built by the team it is evaluating.
Reconciliation across the four axes
The reconciliation that only executive leadership can perform is the comparison of investment across the four axes against the actual risk profile of the business. The investment is rarely proportional, because the legacy of past incidents and past leaders distorts the allocation. The reconciliation is uncomfortable because it requires admitting that the program has been over-resourced in some areas and under-resourced in others, often for years.
A simple exercise that has produced clarity for the leadership teams we have worked with: for each axis, name the last incident that touched the business, the cost of that incident, and the current investment in controls for that axis. The mismatches are usually visible within an hour. The reallocation that follows is the strategic act; the rest is execution.
The exercise has to be repeated annually, because the risk profile shifts as the business changes. New product launches expand the third-party surface. New AI deployments expand the model-risk surface. New geographies expand the regulatory surface. The reconciliation that was accurate last year may be off this year, and the leadership teams that revisit it on a fixed cadence are the ones whose allocation tracks the reality of their risk. The teams that perform the reconciliation once and treat the result as durable end up with allocations that drift quietly out of alignment.
The role of the board
The board's contribution to operational risk is not to manage it but to insist that it is being managed coherently. The most useful board questions are about the operating model rather than the specific incidents: who owns each axis, how are the owners coordinated, what evidence is being produced, and how does the leadership team know that the evidence is honest. Boards that ask these questions consistently across several quarters tend to find that the management team converges on the kind of cross-axis discipline that produces real risk reduction.
Boards that ask about specific incidents without asking about the operating model tend to produce a reactive program that is strong wherever a recent incident occurred and weak everywhere else. The pattern produces visible activity in response to each incident and weak overall posture, because the underlying structure never matures. The boards that have learned this lesson — usually through a regulatory action or a public incident — are the ones whose questions shift from specifics to structure.
Where to invest next
The pattern in the data is consistent. Most organizations are over-invested in external threat controls relative to the marginal risk they reduce and under-invested in third-party assurance, model risk, and the internal-misuse signals that AI agents will increasingly produce. The reallocation is rarely a budget increase; it is a redirection of resources already committed to controls whose marginal contribution has plateaued.
The highest-leverage move for most enterprises today is to stand up a real third-party assurance function, with a current registry, real-time monitoring of vendor security posture, and a contractual right to evidence that the vendor's controls are operating as claimed. The second is to build a real model-risk function with named owners, evaluation gates, and an incident response process that handles model failures with the same rigor as traditional security incidents.
Both moves require executive air cover, because both displace investments that have champions. The displaced investments are not wrong; they are simply past their point of marginal return. The leadership work is to make the reallocation and to defend it long enough for the new controls to produce the evidence that justifies it. The organizations that do this in 2026 will be visibly more resilient by 2028. The organizations that do not will be visibly more exposed in the same window.
The hardest part of the reallocation is the political work, not the analytical work. The teams whose budgets are being trimmed will produce reasonable arguments for why the trim is misguided. The vendors whose contracts are being downsized will produce reasonable counterproposals. The executives whose programs are being restructured will produce reasonable concerns about timing and execution risk. All of the arguments will be partially true, and none of them will be reason enough to defer the reallocation. The leadership work is to listen, adjust where adjustment improves the outcome, and proceed where the underlying analysis is sound. The organizations whose leaders can do this consistently are the ones whose risk posture compounds in the right direction over the next five years.
Scenario planning as a board discipline
The four axes of operational risk interact in ways that single-axis analysis cannot reveal. A third-party incident that affects a vendor holding training data also affects model risk through poisoned inputs, internal misuse risk through compromised credentials, and external threat through the new attack surface the incident creates. The boards that have adopted cross-axis scenario planning treat these interactions as the primary subject of the exercise, with each scenario tracing the propagation through the four axes and naming the controls that would interrupt it at each step.
The scenarios that have produced the most leadership insight are the ones constructed from the organization's own near-misses rather than from generic industry hypotheticals. A scenario rooted in an incident the company actually experienced — even one that was contained before it produced material harm — carries the credibility that generic scenarios lack, and the corrective actions that emerge from the analysis are calibrated to the organization's actual risk profile rather than to an idealized one. Programs that maintain a quiet inventory of their near-misses and revisit them as scenarios get more value out of the exercise than programs that conduct scenario planning from a clean sheet of paper.
The cadence that has worked is annual scenario planning at the board level, with quarterly updates from management on the controls the scenarios surfaced as priorities. The quarterly cadence prevents the scenarios from becoming a one-time exercise that gets filed and forgotten. The annual cadence preserves enough distance that the scenarios are refreshed rather than rehearsed. The combination produces a board conversation that is grounded in the same evidence the management team is grounded in, which is the prerequisite for governance that actually changes the organization's posture rather than ratifying decisions that were already made.
Talent as the underlying constraint
Across all four axes, the binding constraint is talent. The people who can reason across external threat, internal misuse, third-party dependency, and model risk simultaneously are rare, and the organizations that depend on them are usually depending on a small group whose departure would set the program back by a year. The leadership response is to build the bench deliberately, by rotating engineers across the axes, by hiring against the cross-axis profile rather than the single-axis specialist profile, and by creating internal forums where the cross-axis perspective is practiced even when no specific incident demands it.
The talent investment is the one most often deferred because it does not produce a quarterly artifact. The compounding payoff is real and arrives over three to five years, which is exactly the horizon at which most of the rest of the operational risk program will need it. The CISOs and chief risk officers who have made the investment consistently are the ones whose programs survive leadership transitions and external shocks; the ones who deferred the investment are the ones whose programs visibly regress when their senior practitioners move on.
The talent question also has a cultural dimension. The organizations that retain cross-axis practitioners tend to be the ones whose internal incentives reward the breadth that the role requires, rather than the depth that promotion ladders traditionally optimize for. The cultural shift is harder to engineer than the hiring shift, because it requires explicit changes to the performance evaluation, compensation, and promotion processes that govern how the practitioners are treated by the rest of the company. The organizations that complete the cultural shift end up with deep benches and stable programs; the organizations that complete only the hiring shift end up rebuilding the bench every few years as the practitioners follow the incentives elsewhere.
