
A Perfect Storm for Enterprise Risk: Cyber-Attacks, AI Blind Spots and Trade Friction Converge

In an era when geopolitics, regulation and innovation are colliding at high velocity, enterprises are sounding the alarm on a new breed of risk, one in which trade policy, state-sponsored cyber threats and under-governed artificial intelligence are converging to create a complex danger zone. The Riskonnect 2025 New Generation of Risk Report, a global survey of over 200 risk, compliance and resilience professionals, reveals that traditional risk playbooks may be failing to keep pace.


Cyber & Diplomacy: Trade Policy as a Threat Vector


Sixty-two percent of risk leaders say that if the U.S. adopts more restrictive trade policies over the long-term, the biggest threat to their organization is increased cyber exposure from state-sponsored attacks and reduced federal cyber investments.


In practical terms: if trade tensions escalate, adversarial actors may interpret economic coercion as justification for cyber intrusions, while companies may face weakened national-level cyber defence support. Other downstream risks identified by respondents include higher production and indirect costs (48 %), severe supply-chain disruptions and shortages (47 %), and elevated domestic labour costs (31 %).


Political Risk Takes the Lead


Political risk is no longer a second-tier concern. The report finds that 97 % of risk leaders say political risks are already impacting business in some way; 40 % categorize the impact as “significant” or “severe”.


Shifts in hiring (37 % of organisations slowed or stalled), delayed tech investments or capex (28 %), postponed expansion plans (23 %), and supply-chain reshoring/diversification (27 %) were all cited as responses to domestic political instability.


“We’re in a new generation of risk – one where cyber, geopolitical, technology, political risk, and other factors are rapidly converging and reshaping the landscape. The impact on markets and operations is unfolding faster than many organizations can keep up,” said Jim Wetekamp, CEO of Riskonnect. “Riskonnect’s research shows that while organisations are making progress in some areas, today’s unpredictable business environment demands more than stronger defenses. It requires organisations to build resilience as a core strategic capability.”


AI: Adoption Soars, Oversight Lags


While organisations continue to adopt AI technologies at a brisk pace, oversight remains desperately under-developed. The report shows that 70 % of companies are now using or plan to use AI for risk-management (up from 62 % last year). Top applications include risk assessments (34 %), forecasting (28 %), scenario-planning and simulations (28 %), risk-register creation (28 %) and surfacing previously unseen risks (28 %).


Yet generative and “agentic” AI introduce new hazard vectors—and the safeguards are not keeping up. Forty-two percent of companies lack a policy governing employee use of AI; 72 % lack one for partner/supplier use of generative AI. A full 75 % say they do not have a dedicated plan for genAI risks (deepfakes, AI-fraud). Only 15 % have a budget earmarked for AI-related risk mitigation and just 23 % have a policy forbidding use of foreign AI models.


“Many organisations aren’t currently built to keep pace with the speed of AI’s evolution. AI demands strong governance. This is a moment for risk professionals to lead the charge on AI oversight and show their value as strategic enablers,” added Andrea Brody, CMO at Riskonnect.


Third-Party Blind Spots and Resilience Gaps


Another alarming takeaway: although 85 % of companies claim they have business-continuity and resilience plans for major outages or cyber-incidents at business-critical providers, only 8 % can assess and monitor risks at their tier-1 partners and the suppliers of those partners.


That means many organisations may be blindsided by cascade failures still buried deep in the supply chain—precisely the kind of topology that nation-state cyber-threat actors exploit.


What It All Means


The data paints a stark portrait: risk functions are elevated in status (60 % of organisations now have a chief risk officer, up from 52 %), yet budgets are stuck. Only 28 % of risk leaders say their tech budgets grew — a misalignment between the threat landscape and resources.


For tech executives, boards and strategy teams, the implications are multi-layered:


  • Trade and diplomacy now permeate the cybersecurity calculus: beyond tariffs and supply-chain costs, the extraterritorial effects of policymakers’ decisions ripple into cyber exposure.


  • AI is a double-edged sword: powerful for risk mitigation, but without governance it becomes a risk vector itself.


  • Resilience matters more than defence: as Wetekamp notes, stronger perimeters aren’t enough—organisations must architect for disruption, agility and recovery.


  • Supply-chain visibility remains weak: organisations must push forward visibility into ‘nth-party’ exposures or accept cascading unknowns.


  • C-suite and board engagement are critical: with risk functions elevated, tech and business leadership must align on strategy, funding and accountability.


The Bottom Line


Organisations are navigating an era where trade policy, cyber-warfare, AI experiments, geopolitical volatility and supply-chain fragility are no longer isolated silos—they’re parts of an integrated risk matrix. The “New Generation of Risk” may demand more than incremental tweaks—it may require a wholesale reboot of how organisations view risk, invest in resilience and govern rapidly evolving tech.


As Wetekamp framed it:


“The impact on markets and operations is unfolding faster than many organizations can keep up.”

And in a world where adversaries sense every chink in the armour, waiting to exploit the gaps between policy, tech, and governance is no longer an option. The question for many companies: are you equipped to build resilience, not just respond to disruption?


For those looking to dive deeper into the data and methodology, the full report is available from Riskonnect.
