Modern Threats, Outdated Boards: Analysis of Emerging IT Risks and Governance Challenges

Author: Sanjay Chadha, Partner, SAV Associates PC


Modern Threats, Outdated Boards

In 25 years of working in IT risk and governance, I’ve never witnessed threats change so quickly or carry so much uncertainty.

Cybersecurity risks evolve by the day. Managing them now requires an ongoing, enterprise-wide effort — whether an organization is just beginning its cyber journey or already has a mature program. Boards can no longer treat cyber risk as an isolated IT issue; it is a core business risk that can materially impact revenue, reputation, and compliance.

Yet many governance structures remain static. Just as a small leak can sink a great ship, minor oversight gaps can quietly escalate into major incidents before leadership even realizes there’s a problem. To adapt, boards must recognize emerging IT risks, address governance blind spots, and align oversight practices with modern frameworks and enterprise risk management (ERM) principles.

This article expands on key themes from the AICPA feature, “Analysis of Emerging IT Risks and Governance Challenges”, offering practical guidance for directors seeking to modernize their cybersecurity governance.


Emerging Threats Reshaping the IT Risk Landscape

Today’s threat landscape is defined by both novel attack methods and familiar risks reborn through technology convergence:

Generative AI Misuse

The rise of artificial intelligence is a double-edged sword. While AI enhances defenses, threat actors exploit it to automate and personalize attacks. Over half of cyber leaders believe that emerging technologies like AI give an advantage to attackers, with fewer than 9% seeing benefits for defenders. New AI-driven threats — from deepfakes and data poisoning to AI-generated phishing campaigns — are already testing corporate resilience.

AI-generated phishing emails now mimic real communication with unnerving accuracy. Boards must understand that AI is not merely an innovation trend — it is a new risk domain when misused.

Cloud Sprawl and Shadow IT

The explosive growth of cloud and SaaS ecosystems has scattered corporate data across multiple providers. This cloud sprawl creates visibility gaps that complicate oversight.

Unmanaged or “shadow IT” services often go unnoticed — until they’re breached. A single misconfigured storage bucket or forgotten virtual server can expose millions of records. Without disciplined governance, organizations risk flying blind in an ever-expanding digital ecosystem.

As highlighted in the AICPA’s analysis of emerging IT risks, unchecked cloud adoption remains one of the leading sources of board-level exposure.

Ransomware’s Evolution

Ransomware continues to dominate executive concern lists. Nearly half of global executives rank it as their top cyber threat. Attackers have industrialized ransomware through “as-a-service” operations and double extortion tactics — encrypting data and threatening to leak it.

From hospitals to supply chains, we’ve seen organizations brought to a standstill. Paying the ransom rarely ensures safety. Boards must now plan for inevitability: not if they’re attacked, but how well they can recover.

Supply Chain Fragility

Digital supply chains are now the Achilles’ heel of enterprise security. According to the World Economic Forum’s Global Cybersecurity Outlook 2024, most major incidents in 2023 originated through third-party compromises.

Attackers target the weak links — vendors, subcontractors, and software partners — that connect into larger systems. This fragility demands that boards treat vendor security as seriously as internal controls.

Continuous third-party monitoring is no longer optional; it’s a board-level fiduciary responsibility.

Regulatory Convergence and Compliance Risk

The regulatory landscape is converging faster than boards can adapt. Governments worldwide are strengthening mandates around data protection and cyber governance:

  • The U.S. SEC now requires disclosure of board cyber expertise and timely breach reporting.

  • The EU’s NIS2 and DORA frameworks impose strict operational and risk management standards.

These overlapping regulations redefine compliance as a minimum threshold, not a mark of excellence. Falling short invites not just reputational damage but also legal and financial penalties. Boards must anticipate that today’s best practices will soon become tomorrow’s baseline expectations.


Governance Gaps and Lessons from Recent Failures

Despite heightened awareness, many boards still operate with blind spots in IT risk oversight.

One of the most common gaps is the disconnect between technical metrics and business risk appetite. Reporting vulnerabilities without translating them into financial or operational context leaves directors unable to gauge true exposure.

Similarly, many internal audit programs still focus on checklist compliance (e.g., password complexity or firewall configurations) while ignoring strategic threats like API exposure or cloud sprawl. SAV Associates has observed cases where organizations passed audits yet suffered breaches because critical vendor integrations were never assessed.

It’s like locking all the doors while leaving the windows open — the oversight looks good on paper but fails in practice.

Another governance weakness lies in board composition and culture. Not every director is fluent in technology, and few boards include a designated cyber-risk expert. This leads to over-reliance on management and delayed responses.

As I noted in the AICPA’s main article, boards must abandon the “tell us when it’s fixed” mindset. Delegation without understanding is no longer defensible governance.


Aligning ERM, Internal Audit, and IT Governance for Resilience

Cybersecurity is now a core pillar of enterprise risk management (ERM). Digital threats can damage cash flow, brand value, and operations as profoundly as supply chain failures or currency shocks.

Boards should demand:

  • A risk register mapping cyber threats to business impact.

  • Heat maps showing how events like cloud outages or ransomware attacks disrupt revenue or service.

Frameworks such as NIST IR 8286 help translate technical vulnerabilities into business risk metrics. This enables directors to assess whether controls truly match the organization’s risk appetite.

Once that visibility exists, accountability and assurance must follow. Boards should appoint a cyber-literate director to sponsor quarterly reviews on posture, control maturity, and measurable tolerance thresholds (e.g., maximum downtime hours or acceptable data loss).

Internal audit teams then validate these safeguards under realistic conditions — for instance, by simulating a third-party breach or a cloud misconfiguration. Findings should include clear impact statements, named owners, and remediation timelines.

Strong IT governance also depends on adopting reference models such as:

These frameworks create a shared language for identity management, incident response, and supply chain oversight. When ERM, audit, and governance reinforce one another, organizations evolve from reactive defense to measurable resilience.


Closing Thoughts

In today’s volatile threat environment, cybersecurity oversight can no longer be reactive or siloed. Boards must evolve from passive observers to active stewards of digital risk — equipped with the right frameworks, fluency, and foresight.

Resilience isn’t just a technical achievement; it’s a governance imperative. Because when the threats are modern, but the boards are outdated, the gap itself becomes the organization’s greatest vulnerability.

For a deeper examination of these governance challenges, see the full AICPA article: “Analysis of Emerging IT Risks and Governance Challenges.”
