The annual report by Riskonnect paints a stark picture in relation to state-sponsored cyber threats, agentic AI threat preparedness, and supply chain risk.
According to Riskonnect’s latest annual risk report, political uncertainty is climbing, geopolitical shocks and cyberattacks are affecting businesses, economic uncertainty persists, and AI is advancing faster than governance can keep up.
“Agentic AI – the latest wave of AI technology – is already here,” states the report, “yet many companies are still wrapping their heads around generative AI and its risks three years into the technology hitting the mass market.”
Combined, these dynamics are ushering in a high-stakes environment that requires faster, sharper, and more proactive risk management responses.
In compiling the 2025 New Generation of Risk Report, Riskonnect surveyed over 200 risk, compliance, and resilience professionals globally to identify the most pressing threats and organisations’ preparedness in relation to them.
The report reveals that while progress is being made in important areas, such as worst-case scenario planning, AI adoption, and building plans for geopolitical risk, critical gaps remain.
“The data paints a clear picture that risk management is increasingly viewed as a strategic business function,” states the report. “But it’s in a pivotal state of transition, and companies must invest decisively to realize its full potential and strengthen its impact.”
Trade wars could trigger cyberattacks
According to the survey, 62% of risk leaders say that increased exposure to state-sponsored cyberattacks would result if the US were to adopt more restrictive trade policies or engage in open, protracted conflict with other nations.
“Nation-state actors typically target companies to steal intellectual property or sensitive data for political or economic gain,” explains the report. “When trade frictions escalate, hostile actors have greater incentives to attack. Many of these attacks infiltrate through digital vulnerabilities at third parties.”
Other serious ripple effects of a prolonged restrictive trade environment identified include higher production and indirect costs (48%), severe supply chain disruptions and shortages (47%), and higher domestic labour costs (31%).
Agentic AI is entering the risk landscape
Nearly 60% of risk leaders say their companies are considering incorporating agentic AI solutions into their operations or products, yet 55% of these haven’t assessed the risks.
Furthermore, 15% of risk leaders say they don’t know whether their organisation is considering incorporating agentic AI into its operations or products – which Riskonnect describes as a risk in and of itself.
“This lack of risk management and oversight over agentic AI is dangerous,” states the report. “AI needs to be treated like any other enterprise risk and built into risk management frameworks, governed proactively, and managed with the same rigor as cybersecurity, compliance, and other risk domains.”
According to survey respondents, the biggest risks they foresee from deploying agentic AI are data privacy and security issues (68%), autonomous decisions that conflict with business goals, strategy, and/or legal requirements (52%), and unintended actions from runaway processes (38%), such as unauthorised transactions, incorrect pricing changes, or installing the wrong software update.
Only 12% of companies today say they feel very prepared to assess, manage, and recover from AI and AI governance risks, which is concerning given that many organisations are actively testing and adopting generative AI tools.
Organisations are still overlooking critical areas when it comes to AI oversight, states the report: 42% don’t have a policy in place to govern the use of AI by employees; 75% say they don’t have a dedicated plan to specifically address genAI risks, including deepfakes and AI-driven fraud attacks; and only 23% have a policy against using foreign AI models such as DeepSeek.
Nevertheless, 32% of companies claim that they have trained or briefed their entire organisation on risks related to genAI, which is up from 19% in 2024 and 17% in 2023. But clear policies and controls are missing. 26% of respondents report having no policies, formal training, budgets, or dedicated plans to address AI risks.
Critical third-party exposures persist
Companies remain dangerously vulnerable to third-party and nth-party risks, states the report, but many risk leaders appear to be underestimating the exposure.
85% of those surveyed say they have a business continuity and resilience plan in place to keep their organisation operating in the event of a major IT outage or cyber incident at one of their business-critical service providers.
“But upon a deeper look, the data shows a fundamental weakness: Their ability to assess and monitor supplier risks stops at their immediate suppliers, leaving hidden vulnerabilities buried deeper in the digital supply chain.”
Specifically, 45% of risk leaders say they can only assess and monitor their tier 1 tech partners; 8% say they can assess and monitor their tier 1 partners, their suppliers, and their suppliers’ suppliers; and 16% admit they can’t monitor and assess the risks of their critical third-party tech partners at all.
“That last number is especially concerning, particularly for large enterprises,” states Riskonnect. “Every company needs to at least be able to assess and monitor their immediate tier 1 partners. In an environment where hackers often exploit third parties, this lack of visibility isn’t just risky, it’s reckless.
“While companies might have business continuity and resilience plans on paper, in practice they are relying on an incomplete picture and assumptions about third-party reliability.”
This leaves organisations vulnerable to disruptions throughout the entirety of their supply chain, and it hampers their response and recovery efforts when incidents occur. “30% say third-party and nth-party risks aren’t having an impact or are just having a minimal impact on their business – evidence that many still underestimate the danger.”








