Today, all sectors and industries continue to face threats that impact digital trust and resilience (WEF Global Cybersecurity Outlook 2026 Report). Threats arising from:
- Digital transformation technologies
- Geopolitics
- Supply chains
- Inequity
- Environmental conditions
- Global financial operations
They affect boardrooms and strategic planning with a higher frequency year-on-year. This creates an atmosphere of constant maneuvering and innovation to achieve battle-tested resilience.
Risk is no longer solely traditional but a complex art of management, handled throughout the organization at all levels, especially by the ultimate risk owners – the board. In other words, digital liabilities have become an existential concern for all boards and executives, requiring governance, visibility, and oversight.
Thus, clearly defined and realistic risks have yet to be determined in the development, deployment, and utilization of AI. This creates emerging risks. Stated differently, a Silent Risk with uncertain outcomes, making themselves visible slowly, affecting all stakeholders – politically, economically, socially, culturally, and in some cases, physically.
Evolution of Digital Operational Resilience in the Age of AI
As AI transforms all sectors and industries, it can create emerging risks. If enterprise risk management activities and processes are not carried out thoroughly, this can lead to breaches and other business risks. Such risks can be operational, reputational, and trust losses; legal ramifications; and compliance risks related to sectoral, state, and global standards, regulations, and laws.
Risk to AI – Prompt Injection, data poisoning, software supply chain,
and cybersecurity attacks affecting availability;
affects AI trustworthiness.
That said, the world has been digitally transformed into an interconnected ecosystem. A vulnerability in a digital hub (such as; supply chains, digital public infrastructure, cloud services, e-commerce, or automation) that is exploited can cause ripple effects across the entire ecosystem system. This can impact digital economies, products, services, applications, privacy, and safety. The need for mature, capable digital operational resilience (DOR) becomes even more crucial with the integration of AI. AI trustworthiness, being lawful, ethical, and robust, is essential in digitally transformed systems to mitigate risks these systems can pose to national security, market stability, societies, and stakeholders’ confidence.
Principles for responsible stewardship of trustworthy AI (OECD AI Principles):
- Inclusive growth, sustainable development, and well-being
- Respect for the rule of law, human rights and democratic values, including fairness, and privacy
- Transparency and explainability
- Robustness, security, and safety
- Accountability
Untrustworthy AI creates risks to resilience
through misinformation and disinformation, loss of automation integrity and safety,
used as a cyberattack tool, and its impact on data protection and privacy.
The implications of AI risks are too significant to ignore and cannot be addressed solely within the ICT domain. As stated before, it is a strategic issue that can only be resolved at the board level.
Governance and the Growing Complex Global Regulatory Landscape
DOR has evolved in the AI era. AI enhances the many resilience mechanisms vital to the DOR program excellence, such as Cyber and Digital Resilience, Preparedness and Testing, and Risk Management. But risks associated with AI can put such programs in jeopardy, thereby reducing organizational resilience. Risks such as data breaches, financial fraud, data protection and privacy losses, and safety issues pose challenges within the organization’s complex compliance environment. This requires strategic oversight and resolution through risk management and resilience activities.
Practical Governance
To mitigate AI risks to DOR, AI governance is essential; to this end, boards must establish AI and digital risk management charters and policies to build, secure, and safeguard resilience. Moreover, establishing key committees (recognizing that they cannot do this alone and will need the necessary capacity to build resilience) will be essential to enhance visibility and oversight of continuous policy and methodology updates.
Data Governance
The outcomes of AI rely entirely on the quality of data used to train Large Language Models (LLMs). Moreover, data used to train LLMs must be managed responsibly, with stakeholders’ consent and safeguards against breaches and unauthorized modifications that could lead to privacy issues and harm. Thus, data risk management policies should be instituted to enhance data risk management and resilience activities and processes surrounding AI development, deployment, and utilization.
Ethical AI, Transparency, and Global Trust Requirements
Trustworthy AI is vital in its integration into financial, political, and social ecosystems. Building trust in AI requires management systems that enable organizations to govern safely and effectively, manage risk, and continuously monitor the development, deployment, and utilization of AI. Through these activities, digital trust and resilience are gained across the evolving global digital landscape.
Cross-Border Regulatory Harmonization Challenges
Digital transformation technologies, such as AI, may not be sovereign and may span multiple jurisdictions with varying regulations and laws. Complicating this evolving compliance landscape are data protection laws and stakeholders’ privacy requirements (OECD AI, Data Governance, and Privacy). Therefore, the risk to DOR from non-compliance must be owned and governed by the board to ensure resilience, reputation protection, and avoid legal, financial, and operational losses.
Evolving Threat Landscape: Why Traditional Frameworks Fall Short
The threat landscape continues to evolve due to business requirements, technology footprints, ecosystems, and usage patterns. This landscape is further complicated by AI and its supporting ecosystems: cloud technologies, networks, hardware, and software supply chain, LLMs, etc. If anything, the evolving threat landscape is riskier; Shadow-AI and AI trustworthiness add further complexity, requiring tools, techniques, approaches, and analyses beyond those used in traditional risk mitigation.
Resilience of Cloud, Third-Party, and Supply Chain Ecosystems
AI integration across all ecosystems not only enhances operations but also can significantly improve efficiency, scale-just-in-time. For instance, JUSDA’s VMI-JIT vendor service solution, with complete integration into supply chain ecosystems, has been shown to foster adaptation and resilience. Alternatively, these AI-driven automated systems could significantly affect operations due to AI risks. As AI integration dominates these critical ecosystems, global digital economies and global security are at risk.
Incident Response (IR) in an AI-Augmented Environment
The use of AI in IR can enhance the efficiency of all aspects of IR activities and processes. AI can automate the preparation, detection and analysis, containment, eradication and recovery, and post-incident phases. However, AI risks can lead to false positives and false negatives, as well as other issues, such as data hallucinations, which can delay IR activities due to process verifications. Uncertainties in IR processes will erode IR teams’ confidence in IR activities and reporting.
AI-enabled cyber-attacks are executed at high speed (Palo Alto Unit 42 report), requiring AI defenses to counter them. There is also a complex issue of AI systems causing incidents that necessitate the evolution of IR activities and processes. For example, breaches in AI systems, including AI agents, can compromise the host organization.
AI-Specific Security Controls
AI-integrated automated ecosystems require AI-specific controls to ensure trustworthy AI operations and processes. These control objectives (ISO/IEC 42001 Annex A) are around AI risk assessment, governance and accountability, data quality and privacy, human oversight, monitoring and logging, lifecycle documentation, and continuous improvement. It is crucial that management systems evolve to manage AI risks.
Framework Convergence: Where ISO/IEC 27001, Privacy, NIST CSF, and AI Management Systems Are Unified
Achieving DOR excellence in the era of AI requires the convergence of global standards and frameworks. Standards such as the ISO/IEC 27001 can serve as the foundational structure for the information security management system, the ISO/IEC 27701 forming the foundational structure for data privacy and protection, operationalized through the NIST CSF 2.0 and made trustworthy through ISO/IEC 42001.
- ISO/IEC 27001 – Information Security Management System (ISMS)
Benefits: Provide the framework to protect the confidentiality, integrity, availability, and privacy of organizational assets and data, including entrusted data from clients, customers, etc. It improves information security through awareness and audits, measurement mechanisms that provide KPIs for management system effectiveness, and risk-based approaches to communicating suggested actions for improvement.
It also provides good governance through extensive board oversight and strategic direction, while ensuring compliance with laws, regulations, and industry standards. In addition, it helps build the organization’s reputation by adhering to strict security as an organizational value. Lastly, it can generate revenue through reduced breaches, efficient security management and operations, and business opportunities stemming from its security reputation.
- ISO/IEC 27701 – Privacy Information Management System (PIMS)
Benefits: strengthens the ISO/IEC 27001 security program by adding structured privacy information management controls that help organizations manage personal data responsibly and transparently. It supports compliance with global privacy laws, such as GDPR, improves governance of personal data, and clarifies roles for controllers and processors.
A key benefit is improved management of cross‑border data transfers, as the standard provides documented processes, accountability measures, and privacy controls that help demonstrate adequate protection when data moves across jurisdictions. It also enhances privacy risk management, builds trust with customers and regulators, and provides a repeatable, auditable framework that integrates well with broader security and AI governance systems.
- NIST CSF 2.0
Benefits: Provides a flexible, risk-based framework that helps organizations efficiently meet multiple regulatory requirements (like HIPAA or FISMA) through a common cybersecurity language. It enables proactive gap identification, resource prioritization, and continuous improvement, reducing audit costs and building trust with regulators and customers.
- ISO/IEC 42001 – AI Management System (AIMS)
Benefits: Provide the framework for developing, deploying, and utilizing trustworthy AI (OECD principles for trustworthy AI), through the realizations of AI governance and risk management, improving stakeholder trust and reputation, regulatory compliance and preparedness, operational efficiency and cost savings, competitive advantage, and integration with existing management systems. In essence, the AIMS standard builds AI digital trust and resilience.
Framework Convergence Mapping – ISO/IEC 27001, ISO/IEC 27701, NIST CSF 2.0, and ISO/IEC 42001
for Unified Digital Operational Resilience
| DOR Pillar | ISO/IEC 27001:2022 ISMS | ISO/IEC 27701:2025 PIMS (Ed. 2) | NIST CSF 2.0 | ISO/IEC 42001:2023 AIMS | Unified DOR Outcome | Example Artefacts and Accountable Owner |
| 01 Governance and Leadership | Cl.5, 6 Board-mandated ISMS scope, security policy, roles, and responsibilities, risk ownership | Cl.5, 6 PII processing policy; privacy roles and responsibilities; board-level privacy governance charter | GV.OC, GV.RM Organizational context, risk strategy, cybersecurity roles aligned to board direction | Cl.5, A.2 AI governance charter, board AI risk ownership, accountability for AI development and deployment | Unified board-level governance policy covering information, cyber, privacy, and AI risk with clear accountability at every level | Digital and AI Risk Governance Charter Board-approved Information Security Policy AI Ethics and Acceptable Use Policy RACI matrix for risk ownership; Board risk committee ToR Owner: Board / CRO |
| 02 Risk Management | Cl.6.1, A.8 Information security risk assessment and treatment; asset, vulnerability, and threat management | Cl.6.1, 7.2 Privacy risk assessment for AI data processing; PII controller/processor obligations integrated into enterprise risk register | ID.RA, ID.AM Risk identification, asset inventory, threat intelligence integration, risk register | Cl.6, A.1 AI-specific risk assessment: bias, hallucination, prompt injection, data poisoning, model drift | Integrated enterprise risk register combining ICT, privacy, cyber, and AI-specific risks — continuously updated with named owners | Unified Enterprise Risk Register (ICT + AI) AI Risk Assessment Reports (per system) Statement of Applicability (SoA) Risk Treatment Plan; Threat intelligence feed log Owner: CRO / CISO |
| 03 Data Governance and Privacy | A.8.2, A.8.3 Data classification, handling, and retention; privacy controls aligned to GDPR & sectoral law | Cl.6–8, Annex A (PII controllers) / Annex B (PII processors) PII inventory & categorization; lawful basis for processing; data minimization; consent management; DPIA requirements; cross-border transfer mechanisms | ID.AM-5, PR.DS Data asset management, data-at-rest and in-transit protection, data integrity | A.3, A.4 Training data quality, consent management for AI training data, data provenance, LLM data lifecycle governance | Single data governance framework ensuring quality, privacy, and integrity of data across ICT and AI systems — from collection through LLM training to disposal | Data Classification & Handling Policy Data Protection Impact Assessment (DPIA) Training Data Provenance Register Data Retention and Disposal Schedule; Consent management records Owner: CDO / DPO |
| 04 Security Controls | A.5–A.8 (93 controls) Access control, cryptography, physical security, network security, SDLC | Cl.6–8, Annex A & B Privacy-by-design controls; PII access restriction; pseudonymization; data subject rights management | PR.AC, PR.IP Identity & access management, awareness training, data security, protective technology | A.6, A.7 AI-specific controls: adversarial input defense, model access control, output filtering, human oversight | Layered security controls covering people, processes, technology, and AI systems — mapped to a unified control library with Zero Trust as the governing architecture | Unified Control Library (ISO 27001 + AI controls) Access Control & IAM Policy; AI Model Access and Authorization Matrix Zero Trust Architecture design document Security Awareness Training records Owner: CISO / Head of Cyber Security |
| 05 Threat Detection and Response | A.8.15, A.8.16 Security monitoring, event logging, incident detection, and reporting (ISO/IEC 27035:2023) | Cl.9.1, Annex A & B Privacy incident detection; breach notification obligations (GDPR Art. 33/34); PII-related incident classification | DE, RS Continuous monitoring, anomaly detection, incident response planning, and execution | A.8, A.9 AI system monitoring, model degradation detection, and AI false positive/negative management | AI-augmented SOC with unified detection and response covering cyber events and AI system incidents — single classification, single escalation path | Incident Response Plan (IRP) AI Incident Classification Runbook SOC Monitoring and Alerting Playbooks Post-Incident Review (PIR) reports; SIEM/SOAR configuration baseline Owner: CISO / SOC Director |
| 06 Resilience and Recovery | A.8.13, A.8.14 Information backup, redundancy, business continuity integration (ISO 22301:2019) | Cl.9.1, Annex A & B Privacy continuity: ensuring PII availability and integrity through recovery; data subject rights preserved post-incident | RC.RP, RC.CO Recovery planning, post-incident improvements, and communications during disruption | A.10 AI continuity: model rollback, retraining pipelines, fallback to non-AI processes, recovery testing | Adaptive recovery architecture — rapid restoration of ICT and AI capabilities with self-healing, post-incident learning, and PII rights preserved throughout | Business Continuity Plan (BCP) Disaster Recovery Plan (DRP) AI System Continuity and Rollback Procedure BCP/DRP test and exercise reports; RTO/RPO register per critical system Owner: Chief Resilience Officer / CTO |
| 07 Supply Chain and Third Parties | A.5.19–5.22 Supplier security policy, supplier agreements, ICT supply chain risk monitoring | Cl.6–8, Annex A & B Third-party PII processor agreements; sub-processor oversight; data transfer mechanisms (SCCs, BCRs); vendor privacy audits | ID.SC Supply chain risk management: supplier identification, contracts, monitoring, response plans | A.5, A.6 Third-party AI model risk, open-source LLM due diligence, AI vendor accountability, and audit rights | End-to-end supply chain resilience spanning hardware, software, cloud, and AI model providers — single assessment cycle, unified contract clauses | Third-Party Risk Assessment (TPRA) register Supplier Security and AI Clauses (contracts) AI Vendor Due Diligence Questionnaire Critical supplier tiering matrix; Supply chain incident log Owner: Chief Procurement Officer / CISO |
| 08 Transparency and Ethical AI | Cl.7.4 Stakeholder communications, audit and review reporting | Cl.7.4, 9.1, Annex A Privacy notices & transparency reports; data subject rights fulfilment (access, erasure, portability); OECD privacy principle alignment | GV.SC, RS.CO Transparency in cybersecurity posture, stakeholder communications, incident disclosure | A.2, A.11 Explainability, bias management, OECD AI Principles compliance, human oversight, impact assessment | Stakeholder trust program, transparent AI disclosures, ethical review boards, bias audits embedded in governance | AI Transparency and Disclosure Statement Algorithmic Impact Assessment (AIA) AI Ethics Review Board minutes Bias audit reports (per model); Stakeholder trust and communication plan Owner: Chief AI Officer / Chief Ethics Officer |
| 09 Compliance and Audit | Cl.9, 10 Internal audit, management review, nonconformity and corrective action, PDCA | Cl.9, 10 Privacy audit cycle; GDPR/CCPA conformity assessment; PII processing register review; corrective action for privacy nonconformities | GV.OC-5, ID.RA Regulatory alignment (DORA, GDPR, SEC, HIPAA, FISMA), cross-framework gap analysis | Cl.9, 10 AI system audits, EU AI Act conformity assessment, AI risk review cadence, continuous model evaluation | Integrated GRC program, single audit cycle, harmonized evidence, unified regulatory compliance across DORA, GDPR, EU AI Act, SEC, Basel III | Integrated GRC Program Plan Internal Audit Schedule and Reports EU AI Act Conformity Assessment record Regulatory compliance matrix (DORA, GDPR, etc.); Corrective Action Register Owner: Chief Compliance Officer / Internal Audit |
| 10 Measurement and Maturity | Cl.9.1 KPIs for ISMS effectiveness, security metrics, and management system performance evaluation | Cl.9.1, Annex A & B Privacy KPIs: DPIA completion rate, data subject request response times, breach notification timeliness, PII processing accuracy metrics | GV.RM-7, ID.RA Cybersecurity KRIs, maturity tiers (Partial to Adaptive), and continuous improvement targets | Cl.9.1, A.12 AI performance metrics, trustworthiness KPIs, model accuracy/drift thresholds, improvement cycles | Unified UDOR Maturity Model — board-level KPI/KRI dashboard spanning security, privacy, cyber, and AI dimensions with a single aggregate maturity score | DOR Maturity Assessment Report Unified KPI/KRI Dashboard (board-level) AI Model Performance Scorecard Continuous Improvement Log; Annual Management Review Report Owner: CRO / CISO / Chief AI Officer |
Practicality of Resilience: The Unified Framework Architecture
The evolving complexities of digitally transformed ecosystems necessitate a convergence of frameworks to achieve operational excellence. When frameworks’ lifecycles change occurs every couple of years, their combined unified application can build, safeguard, and sustain digital trust and resilience globally.
Zero Trust and AI Systems
One of the key components in building DOR excellence is trust. In today’s systems, implicit trust can create grave security risks. Therefore, identity and access management strategies are vital to systems, especially AI-integrated ones. AI tools, agents, services, etc., should not have free rein over networks and access to data. Implementing the necessary unified trust policy will reduce AI-related risks, build compliance, and strengthen stakeholder confidence in the organization’s transparent use of AI.
Automation for Cyber and Operational Resilience
Through the unified framework that assures trustworthy AI to strengthen Cyber and Operational Resilience, the organization will be able to respond to, adapt to, and recover from risks more quickly and efficiently. It can also provide self‑healing capabilities and continuous improvement without compromising trust or operability.
Global Compliance Landscape for AI and Operational Resilience
The current digital threat landscape in the AI era underscores the need for risk mitigation to safeguard all stakeholders. Hence, in the global compliance landscape, there are many laws, regulations, and standards to adhere to, such as the GDPR, EU AI Act, DORA, the USA SEC, Basel III, ISO/IEC 27001, ISO/IEC 42001, ISO 22301, and NIST CSF 2.0. The aim of compliance, in essence, is to safeguard and sustain resilience in digital environments, protecting business integrity and benefiting mankind. Regrettably, these varying laws, regulations and standards create an evolving, complex compliance environment that requires a unified global harmonized framework. This framework should be committed to reducing fragmentation and improving the efficiency of business activities, and societal well-being and development.
Supply Chain Resilience
The security of global supply chains is essential to today’s digital economies and societies. Global supply chain risks can trigger existential events that create national security issues, including threats to people’s safety and well-being. Therefore, with the integrated use of AI and AI automation in supply chains, and their associated risks, it is vital for supply chains to adapt, respond, and recover efficiently and effectively to sustain digital trust and resilience. Attaining this outcome requires a unified framework.
Measurement and Maturity Models
Achieving resilience with a “compass” is vital in reducing compliance risk and building reputation and market confidence. KRIs and KPIs are crucial to resilience programs and vital for monitoring and continuous improvement. Therefore, developing and implementing an operational resilience maturity model that utilizes a unified framework will sustain and mature DOR excellence in today’s AI era.
Conclusion: Toward a Unified Global Resilience Architecture
The convergence of ISO/ 27001, ISO/IEC 27701, NIST CSF 2.0, and ISO/IEC 42001 offers organizations, governments, agencies, and NGOs a unified framework that will meet the governance, security, privacy, and AI trustworthiness demands of the AI era. Trust and resilience across all ecosystems, digital and physical, can only be assured through standardization, attestation, and certification. This direction demands strong leadership, accountability, and social responsibility.
It is, therefore, clear that this is not primarily a technological challenge but a governance one. Through board awareness, charters, unified policies, and trust and resilience activities assessed against the 10 pillars of the Unified DOR Maturity Model, organizations can build digital ecosystems that deliver the global trust and resilience the world now requires and deserves.







