AI and global supply chains, CyXcel comments 

​​​​

In an era of hyper-connectivity, the digital and physical worlds have become inseparable, making cybersecurity the linchpin of global stability.  As organizations embrace rapid digital transformation, they face a sophisticated landscape defined by AI-driven threats, ransomware-as-a-service, and increasingly volatile geopolitical tensions.  These trends have fundamentally shifted the risk profile of global supply chains.  A single vulnerability in a third-party vendor can now trigger a cascading failure, disrupting the flow of essential goods and services worldwide.  

As critical trends and systemic challenges continue to reshape the cyber frontier, we talk to Megha Kumar, Chief Product Officer and Head of Geopolitical Risk, CyXcel about the profound implications for global commerce.

"AI is developing beyond generative AI tools such as ChatGPT and Microsoft Copilot, with the latest development being Agentic AI.

Agentic AI tools use complex reasoning and planning algorithms to autonomously execute intricate, multi-step tasks.  For example, such tools can independently analyse transaction patterns, detect irregularities in data sets and take actions in real-time.  The emergence of Agentic AI is expected to transform the cybersecurity and technology landscape as it will not only suggest solutions to problems but also execute specified solutions.  

Unlike Generative AI, Agentic AI systems are more autonomous and therefore demand a higher degree of integration with data processing, decision-making and execution with less human input.  This requires robust frameworks that can handle dynamic inputs, analyse them and execute decisions while not amplifying biases from training data or delivering other problematic outcomes.

More concerning however, is that threat actors are also enhancing their techniques using Agentic AI.  Personalized phishing emails crafted using scraped data, automated exploitation of vulnerabilities and AI-driven ransomware attacks have already been observed and used successfully, providing a low-effort, high-reward approach for cybercriminals.

Companies and organizations will need to develop robust processes and a multi-layered defence strategy to ensure that these risks, and security-related risks from Agentic AI, are duly mitigated.

Today, many organizations still operate under the assumption that their supply chain is secure.  UK government statistics show that still only 36% of businesses have undertaken cyber security risk assessments in the last year with only 10% saying they review the risks posed by immediate suppliers – this alone is alarming.  Supplier contracts might mention vague cybersecurity requirements but lack the teeth to enforce compliance.  Vendor assessments may be infrequent or overlook digital risks entirely.  Trust, for many, is still based on reputation rather than verifiable security practices.  It’s a bit like trusting the cook at your favourite restaurant because they’ve been open for years – without realizing they’ve never once cleaned the kitchen.
 
The NIS2 regulation that came into effect late last year has forced a change to that.  Cybersecurity can no longer be viewed as a distant concern – it’s about to become a fundamental part of how supply chains operate.  For many organizations, navigating and complying with NIS2 will require more than just a tweak to existing processes; it will demand a fundamental shift in how cybersecurity is integrated into supply chain management.
 
The first step for businesses is to gain a comprehensive understanding of their current supply chain security posture.  This involves mapping out and tiering all suppliers, assessing their cybersecurity measures, and identifying potential points of vulnerability.  By prioritizing the highest-risk areas, organizations can focus their efforts where they will have the greatest impact.
 
Beyond this, companies will need to develop and implement robust cybersecurity policies and procedures.  Tailored cybersecurity requirements for suppliers, building security into contract negotiations, and ensuring that both parties are held accountable for compliance are key.  Regular penetration testing, real-time monitoring, and detailed incident response plans are all critical in mitigating the impact of a cyberattack.
 
Training and awareness are also essential. Even the most sophisticated security systems can be undone by human error, and NIS2 recognizes this by including specific provisions for employee training.”
 
Overall, there are several key trends accelerating supply chain vulnerability.  The integration of the Internet of Things (IoT) and Operational Technology (OT) into manufacturing and shipping has bridged the gap between the digital and physical worlds.  While these innovations offer unprecedented efficiency, they also provide “backdoor” entry points for threat actors to sabotage physical infrastructure or hold critical production lines for ransom.   Furthermore, the democratization of Artificial Intelligence has armed cybercriminals with sophisticated tools to automate phishing campaigns and discover zero-day vulnerabilities at a pace that human defenders struggle to match.

However, the challenge is not merely technical; it is structural.  Modern supply chains are characterized by “n-tier” complexity, where a primary manufacturer may have visibility into their direct suppliers but remains blind to the security practices of those supplier’' suppliers.  This lack of transparency creates a “trust deficit” that is increasingly difficult to manage.  Organizations are now grappling with the monumental task of implementing Zero Trust architectures across entities they do not own or control, while simultaneously navigating a fragmented global regulatory environment that demands stricter data protection and incident reporting.

The impact of these challenges is profound.  Beyond the immediate financial sting of a breach and the cost of remediation, cybersecurity failures in the supply chain erode consumer trust and can lead to long-term brand devaluation.

Increasingly, rising to meet these challenges is no longer an option for companies.  The UK government has made it clear that voluntary action from the private sector on cybersecurity and digital risk management is no longer sufficient; after all, cyber threats now threaten national security and the stability of essential services, from energy grids to healthcare delivery.  The UK Cybersecurity and Resilience Bill, currently under parliamentary consideration and likely to become law later this year, will make proactive cybersecurity a regulatory obligation.  The new bill proposes to impose mandatory incident reporting requirements and require companies to seek government advice before paying ransom.

The convergence of these trends is forcing a fundamental rethink of risk management.  It is no longer enough to secure the perimeter; organizations must now build “resilience by design,” fostering a culture of collective defence where cybersecurity is treated not as an IT expense, but as a strategic pillar of global trade.  The following sections will analyse the most pressing threats, the evolving regulatory response, and the emerging technologies that promise to secure the invisible threads that hold our global economy together."