I wrote a piece recently for the ISACA Now Blog on AI and cyber risk governance, and it ties directly to a talk I’ll be giving at the ISACA North America Conference in Las Vegas:
Balancing Cyber Risk Governance in the Age of AI
Thursday, May 7 | 1:45–2:45 PM
The core idea is simple: AI doesn’t break risk management. It breaks weak risk management.
AI makes both attackers and defenders faster. It compresses decision cycles. It increases scale. It shifts where uncertainty shows up. But it doesn’t change the fundamental nature of risk. What it does expose is how many governance models still assume slow, mostly static systems.
In the article, I argue that we don’t need a brand-new “AI risk framework.” We need to get much better at doing the basics well: framing scenarios, stating assumptions, quantifying probable impact, and communicating uncertainty in business terms. My conference session builds on that. Less theory, more mechanics. How AI-enabled threats show up in a risk register. What good executive reporting looks like when models and systems evolve continuously. How to talk to boards about AI without drifting into either hype or fear.
And if you’re interested, here’s the article:
https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2025/balancing-the-scales-what-ai-teaches-us-about-the-future-of-cyber-risk-governance