Cyber, AI, and Third-Party Risks Top the Executive Agenda for 2026-2028

Boards say 2026-2028 is about cyber defense, third-party exposure, tech debt, and AI rollouts. Longer term, customer shifts, security/privacy, and trusted AI decide who wins.

Published on: Dec 13, 2025

Executive Risk Outlook: Cyber, Third-Party Exposure, and AI Lead 2026-2028 Priorities

A new global survey of 1,540 board members and C-suite leaders from the NC State ERM Initiative and Protiviti sets a clear agenda. Near-term risk is dominated by cybersecurity, third-party exposure, tech debt, and AI implementation pressure. The same leaders also flagged customer disruption, security/privacy, and AI deployments as the biggest decade-out concerns.

Top 10 Near-Term Risks (2026-2028)

  • Cyber threats (Operational)
  • Third-party risks (Operational)
  • Adoption of emerging technologies requiring workforce upskilling (Strategic)
  • Legacy IT infrastructure performance gaps (Operational)
  • Economic conditions, including inflation (Macroeconomic)
  • AI implementation risks (Operational)
  • Talent acquisition and retention challenges (Operational)
  • Regulatory uncertainty and fragmentation (Strategic)
  • Labor availability (Macroeconomic)
  • Global market and trade policy changes (Macroeconomic)

Five of the top risks are operational, signaling a push for internal resilience and reliable execution. Macroeconomic pressure shows up in labor availability, inflation, and trade policy. Strategic friction points (workforce transformation for new tech and regulatory fragmentation) carry outsized impact.

What Different Leaders Rank Highest

  • Board Members: Cyber threats; skills and talent acquisition; talent and labor availability
  • CEOs: Talent and labor availability; skills and talent acquisition
  • CFOs: Cyber threats; third-party risks; legacy IT and operations
  • CIOs/CTOs: Cyber threats; third-party risks; legacy IT and operations
  • CHROs: Talent and labor availability; skills and talent acquisition; increases in labor costs

Translation: cyber, talent, and tech debt are shared problems. Align your board agenda, capital plan, and operating model around those three pillars.

A Decade Out: Where Leaders Expect the Biggest Shifts

  • Customers and competition: No. 1 by 17%; Top 3 by 42%
  • Security and privacy: No. 1 by 17%; Top 3 by 40%
  • AI deployments: No. 1 by 13%; Top 3 by 39%
  • Markets and economies: No. 1 by 13%; Top 3 by 36%
  • Talent challenges: No. 1 by 9%; Top 3 by 32%

The long view is customer disruption, security/privacy, and scaled AI. Markets and talent still matter, but the competitive edge will come from how well you serve customers with secure, trustworthy AI-enabled experiences.

AI: Value Is Clear, Governance Is the Gate

  • Data risks and cybersecurity exposure - 31%
  • Integrating AI with existing tech, processes, and workforce - 31%
  • Equipping the workforce to realize AI's value - 29%
  • Inability to deploy AI at a competitive pace - 28%
  • Lack of governance and accountability for AI deployments - 24%

Set an AI control framework early: data access and lineage, model inventory, risk classification, human-in-the-loop controls, and post-deployment monitoring. The NIST AI Risk Management Framework is a practical starting point for policy, roles, and metrics.

Growth Is Still on the Table

Nearly 7 in 10 organizations are optimistic about short-term revenue growth. 62% expect to expand strategic alliances and partnerships, and 52% see upside in foreign markets.

That mix calls for smart ecosystem plays: co-sell partnerships, data-sharing agreements with clear risk controls, and regional go-to-market experiments with rapid feedback loops.

Where Investment Dollars Are Going

  • Cybersecurity: 15% No. 1; 43% Top 3
  • Business process improvements: 13% No. 1; 35% Top 3
  • Infrastructure modernization: 14% No. 1; 33% Top 3
  • Data privacy: 13% No. 1; 29% Top 3
  • Customer experience: 14% No. 1; 27% Top 3

This signals a practical playbook: reduce tech debt, harden controls, clean up data, and fund the customer journey where AI can produce measurable gains.

Boardroom Action Plan for the Next 12-18 Months

  • Cyber and third-party defense: Validate incident response, adopt zero-trust principles, test backups, and tighten vendor risk reviews. Consider CISA's Secure by Design guidance for procurement and architecture decisions.
  • AI governance: Approve enterprise policy, define RACI, set model risk tiers, require red-teaming for sensitive use cases, and track model performance post-release.
  • Upskilling at scale: Map critical roles, set AI and data skill baselines, and fund applied training tied to live projects. For structured programs by job role, see Complete AI Training.
  • Modernize core infrastructure: Prioritize systems that bottleneck security, data reliability, and AI integration. Time-box migrations and retire legacy components decisively.
  • Ecosystem discipline: Expand alliances, but bake in clear SLAs, shared controls, and exit plans. Score partners on security and operational maturity.
  • Macro and labor resilience: Run scenarios on inflation, labor scarcity, and trade volatility. Pre-plan cost levers, pricing moves, and supply shifts.
  • Metrics and reporting: Standardize dashboards for cyber posture, AI impact, tech debt burn-down, and talent pipeline health.

Bottom Line

The signal is consistent: protect the core, fix tech debt, and deploy AI with discipline. Leaders who do this while building smart partnerships will capture the upside without exposing the enterprise to avoidable risk.

