E80 - From Knowing to Doing

Posted on February 24, 2026 • 10 min read • 1,934 words
WEF   AI Governance   Quantum Security   Cyber Fraud   Ransomware   NIST   EU AI Act   Risk Management   Leadership  
WEF   AI Governance   Quantum Security   Cyber Fraud   Ransomware   NIST   EU AI Act   Risk Management   Leadership  
Share via
WEF Roundup: Three reports in one week expose the same gap — organizations know the risks but aren’t acting fast enough. 87% flag AI vulnerabilities. Fewer than 1% govern AI responsibly. Quantum harvest-now-decrypt-later is already underway. What leaders need to hear to close the gap.
What You Need to Know   The Cyber Threat Landscape: Awareness Without Alignment   AI Governance: Less Than 1% Are Ready   Quantum Security: The Risk That’s Already in Motion   What This Means for You   What We’re Watching   The Bottom Line  
E80 - From Knowing to Doing

What You Need to Know  

In a single week this February, the World Economic Forum published three articles that tell the same story from three different angles: organizations understand the risks they face — but understanding has not translated into action at the pace the threat landscape demands.

Eighty-seven percent of leaders flag AI-related vulnerabilities as their fastest-growing cyber risk. Fewer than 1% have fully operationalized responsible AI practices. And adversaries are already collecting encrypted data they expect to decrypt once quantum computing matures.

These are not hypothetical scenarios. They are measurable gaps between awareness and execution — and they have real consequences for the security and fraud teams tasked with defending organizations that haven’t yet given them the resources, governance structures, or leadership support to do the job effectively.

This edition unpacks all three WEF reports together, because the pattern matters more than any single finding. The question for leaders is no longer do you understand the risk? It’s what are you doing about it — and who have you empowered to act?

INTEL [TREND]: The WEF’s February 2026 output reveals a consistent theme across cybersecurity, AI governance, and quantum readiness: the gap between organizational awareness and operational response is widening, not narrowing. Leaders who close this gap will define the next generation of resilient enterprises.

The Cyber Threat Landscape: Awareness Without Alignment  

The WEF’s Global Cybersecurity Outlook 2026, based on data from 800 global leaders, identifies three forces reshaping cyber risk: accelerating AI adoption, geopolitical fragmentation, and widening cyber inequity.

The numbers paint a clear picture:

FindingStat
Leaders citing AI vulnerabilities as fastest-growing risk87%
Organizations assessing AI tool security before deployment (up from 37%)64%
Large organizations (100K+ employees) that changed strategy due to geopolitical volatility91%
Respondents personally affected by cyber-enabled fraud in 202573%
FCC-reported increase in telecom ransomware since 20214x

Two findings deserve particular attention from organizational leaders.

The CEO-CISO disconnect. When asked about their organization’s greatest cyber risk, CEOs ranked cyber-enabled fraud and phishing at the top. CISOs ranked ransomware. This is not a disagreement about facts — it’s a misalignment on priorities that filters down into budget decisions, staffing, and incident response planning. When leadership and security teams are not aligned on what matters most, resources get spread thin and response times suffer.

The regional confidence gap. Eighty-four percent of respondents in the Middle East and North Africa expressed confidence in their country’s ability to respond to a major cyber incident. In Latin America and the Caribbean, that number was 13%. The WEF calls this “cyber inequity” — and it applies inside organizations too, not just between nations. Smaller teams, underfunded departments, and organizations without dedicated security leadership face the same structural disadvantage.

The US Federal Communications Commission underscored the point in January, issuing guidance to telecoms companies after documenting a fourfold increase in ransomware attacks since 2021. The FCC’s recommendations — zero trust architecture, network segmentation, endpoint detection, third-party risk assessment — are sound. But they require investment, leadership buy-in, and teams with the capacity to execute.

INTEL [SECTOR ALERT]: The FCC’s January 2026 alert specifically called out small-to-medium telecom providers as increasingly targeted by ransomware. Organizations in regulated industries should review whether their security teams have the resources to implement baseline controls like network segmentation and EDR — not just whether a policy exists on paper.

AI Governance: Less Than 1% Are Ready  

The second WEF article, drawing on the Forum’s Advancing Responsible AI Innovation playbook, presents a statistic that should reframe how leaders think about AI adoption: fewer than 1% of organizations have fully operationalized responsible AI practices.

That is not a readiness gap. It is a governance vacuum.

The article’s central argument is structural, not technical. AI governance fails when it arrives late — after models are deployed, after data pipelines are built, after decisions are already being made by systems no one fully understands. As the article puts it: governance added after the fact is “like pouring concrete after the residents move in; hairline cracks today, structural problems tomorrow.”

What the WEF playbook recommends:

  • Named AI stewards with clear accountability for AI decisions within the organization
  • Cross-functional governance councils that bring together technical, legal, risk, and business perspectives
  • A phased governance model that starts centralized and matures into federated oversight as organizational capability grows

The technology to support governance is advancing. EQTY Lab, working with NVIDIA, has developed “Verifiable Compute” — cryptographic receipts anchored on distributed ledgers that create tamper-proof records of how models are trained and how they generate outputs. ProveAI provides training data lineage documentation aligned with emerging regulations like the EU AI Act.

Meanwhile, governments are moving. The UK’s reintroduced AI Regulation Bill proposes an AI Authority and mandatory AI Officers to oversee responsible deployment. The EU AI Act is enforcing compliance across the bloc. These regulatory frameworks will eventually require what the WEF is recommending organizations adopt voluntarily now.

The message for leaders: the organizations that build governance into their AI strategy from the start will not only reduce risk — they will move faster and more confidently than those forced to retrofit accountability later.

INTEL [REGULATORY]: The convergence of the EU AI Act, the UK AI Regulation Bill, and the WEF’s governance playbook signals that AI accountability requirements are moving from voluntary to mandatory. Organizations that invest in governance structures now — named stewards, cross-functional councils, data lineage — will be positioned to meet compliance requirements rather than scramble to catch up.

Quantum Security: The Risk That’s Already in Motion  

The third WEF article, authored by AWS quantum security leads, reframes quantum computing from a future technology problem to a present-day risk management obligation.

The core concept is “harvest now, decrypt later.” Adversaries can — and likely do — capture encrypted data today with the expectation that future quantum computing capabilities will enable decryption. This means organizations with data that must remain confidential for years or decades — intellectual property, financial records, government communications, healthcare data — may already be exposed without any visible breach.

The Global Risk Institute’s Quantum Threat Timeline Report recommends that organizations evaluate three timelines simultaneously:

  1. How long must the data remain secure?
  2. How long will migration to quantum-safe cryptography take?
  3. When might quantum capabilities arrive?

When the first two timelines exceed the third, exposure already exists — even before a cryptographically relevant quantum computer is built.

Despite NIST finalizing its first set of post-quantum cryptography (PQC) standards in 2024, preparedness remains limited. The majority of organizations have not begun a structured response to the post-quantum cryptographic transition.

What leading organizations are doing:

  • Treating post-quantum migration as a phased, multi-year program — not a single upgrade event
  • Starting with cryptographic discovery — inventorying where and how cryptography is used across systems
  • Prioritizing data in transit and long-lived cryptographic roots of trust
  • Building cryptographic agility — the ability to replace algorithms without redesigning systems

The WEF article frames quantum security as a governance question, not a technology curiosity. Regulators, customers, and partners increasingly expect credible long-term data protection strategies. Leaders who can articulate a clear quantum readiness posture demonstrate maturity in enterprise risk management. Those who cannot will face growing scrutiny.

INTEL [EMERGING RISK]: Quantum readiness is becoming a governance expectation. NIST’s 2024 PQC standards formalize the transition from theoretical to actionable. Organizations should begin with cryptographic discovery — understanding where cryptography lives in their systems — and build a phased migration roadmap. The goal is not to solve quantum security overnight but to demonstrate a credible, structured response.

What This Means for You  

If you’re a CEO or board member: The WEF’s data shows a measurable disconnect between executive awareness and organizational readiness. Your security and fraud teams likely understand these risks. The question is whether they have the budget, the headcount, and the governance authority to act on that understanding. Ask your CISO and CTO directly: what would you do differently with 20% more resources? The answer will tell you where the knowing-doing gap lives in your organization.

If you’re a CISO or security leader: These three reports give you concrete, third-party data to support the business cases you’ve been making. The WEF’s 87% AI vulnerability stat, the sub-1% governance readiness figure, and the quantum harvest-now-decrypt-later framework are board-ready talking points. Use them. The shift from “we need more budget” to “the World Economic Forum says organizations like ours are exposed” changes the conversation.

If you lead a fraud or financial crimes team: The CEO-CISO disconnect on fraud vs. ransomware priorities directly affects your resources. Seventy-three percent of respondents reported personal exposure to cyber-enabled fraud in 2025 — phishing, vishing, smishing. That number validates the front-line reality your team sees daily. Frame your resource requests around this data. The WEF has made the case that fraud is a C-suite concern, not just an operational one.

If you lead AI initiatives: Governance is not a brake on innovation — it’s the foundation that allows innovation to scale. The WEF playbook’s recommendation for named AI stewards and cross-functional councils gives you a proven model to propose. Start with a centralized approach and build toward federated oversight as your organization matures.

If you manage risk or compliance: Quantum readiness should be on your risk register now, even if quantum computing feels distant. Begin with cryptographic discovery — understanding where your organization relies on cryptography that quantum computing could compromise. A phased migration plan demonstrates governance maturity to regulators, auditors, and partners.

What We’re Watching  

The knowing-doing gap as a competitive differentiator. As regulatory requirements tighten around AI governance (EU AI Act, UK AI Regulation Bill) and quantum readiness (NIST PQC standards), the organizations that acted early will have a structural advantage — in compliance posture, in operational resilience, and in the trust they’ve built with customers and partners.

CEO-CISO alignment as a leading indicator. The WEF’s finding that CEOs and CISOs prioritize different risks is a signal worth monitoring. Organizations where leadership and security teams are aligned on risk priorities tend to respond faster, allocate resources more effectively, and recover more quickly from incidents.

Quantum migration timelines vs. capability timelines. The Global Risk Institute’s three-timeline framework will become increasingly important as quantum computing advances. Organizations that have not begun cryptographic discovery by the time quantum capabilities mature will face compressed, high-risk transitions.

Cyber inequity within organizations. The WEF’s regional confidence data maps to an internal reality: smaller teams, underfunded departments, and organizations without dedicated security leadership face disproportionate risk. Closing this internal equity gap is as important as closing the external one.

The Bottom Line  

The World Economic Forum published three articles in one week that deliver the same message: organizations know what’s coming, but most have not translated that knowledge into action. The data is unambiguous — 87% recognize AI as their top cyber risk, yet fewer than 1% govern it responsibly. Quantum threats are already being collected against future decryption, yet most organizations haven’t started planning. Fraud is the number one concern for CEOs, yet the teams defending against it often lack the resources to match the threat.

This is not a technology problem. It is a leadership problem. The cybersecurity professionals, fraud analysts, and risk teams inside your organization understand these threats. Many of them have been raising these issues for months or years. What they need is not more awareness — it’s authority, resources, and organizational commitment to move from knowing to doing.

The gap between awareness and action is where risk lives. Closing it is a leadership decision.

Find all editions: FIR Risk Tuesday

Source: GitHub - FIR Risk Intelligence

On this page: