SentinelPrompt
Perspective / No. 01 / May 2026
On Gibson · Harvard Business Review · April 2026

BANI has a front door.

Hise Gibson's case for treating AI cyber risk as a board-level obligation is essential reading. Here's the technical complement — where, on the AI stack, defense begins for organizations now deploying generative AI inside themselves.

Gibson's recent Harvard Business Review piece reframes AI cyber risk as a fiduciary problem rather than a technical one, and argues that the operating environment now fits the BANI lens — brittle, anxious, nonlinear, incomprehensible — more cleanly than the VUCA shorthand boards have leaned on for two decades. His response framework, ACTS — assume breach, cultivate AI fluency, tie investment to operations, strengthen governance — is a sound posture for senior leadership, and the data he cites is consistent with what we see in the field.

ACTS gives senior leadership the right posture. Pairing it with a technical anchor — where, on the AI stack, defense begins for organizations now deploying GenAI — completes the picture. In our work, that anchor is consistent: the input layer. Prompt injection, jailbreak chains, payloads embedded in retrieved documents and uploaded images, and social-engineering content shaped specifically to be parsed by an assistant — these are the entry points where defense has the highest leverage. Detecting them in real time is the technical counterpart to the governance posture ACTS describes, and it sits earlier in the stack than output filtering or incident response.

Gibson closes with four readiness questions for the boardroom. They are good ones. We would add a fifth — one that sits earlier in the stack than the others, and which, in our experience, most boards cannot yet answer:

Q5 · Input-layer readiness
Can your organization detect adversarial inputs to its AI systems in real time — before they reach output, before a user sees the response, before remediation becomes the only option left?

If the honest answer is no, the governance conversation pairs naturally with an immediate engineering one. Brittleness, in a BANI environment, doesn't announce itself. It's parsed. The prompt is where governance meets the threat — and where the technical work begins.