The new face of risk: how AI can protect your business from supply chain attacks

The weakest link is outside your company
Cyber security is no longer an internal issue. In 2026, attacks no longer target large corporations directly; they infiltrate where there is less resistance: technology suppliers, third-party platforms and business partners. A recent example is the attack on Nahga Claim Services, which compromised the medical data of more than 181 thousand people. The risk is not in the software you develop, but in what you contract from others.
Why the digital supply chain is so vulnerable
Companies operate with hundreds of external dependencies, often invisible to the GRC and IT teams. Trust in these suppliers is still based on one-off questionnaires, point-in-time audits or a simple “everything is fine for now”. But with the silent use of AI by third parties and the integration of opaque systems, risks accumulate without any visible warning, until a leak exposes everything.
The illusion of 'good enough'
According to experts consulted by the WSJ, the problem is cultural: security tends to lose out to cost, convenience and growth, while risk seems abstract. “Good enough” is still accepted as the standard, until a crisis forces change. This creates a false sense of control, especially among companies that can't even map which third parties access which critical assets.
Where AI comes into crisis prevention
Artificial Intelligence is reshaping that scenario. Today, it is already possible to use AI to:
- Map the software dependency chain, even in deep, hidden layers.
- Detect leaks or exposed credentials before a supplier officially discloses the failure.
- Analyze variations in the behavior of integrated systems, with proactive deviation alerts.
- Correlate chatter on the dark web and private forums, anticipating reputational and operational risks.
This continuous visibility allows you to get out of reactive mode and take control before a supplier's vulnerability becomes your crisis.
The new role of GRC is to orchestrate trust
Managing third-party risks in an AI-driven scenario requires more than forms. It requires continuous monitoring, access segmentation, automated permission review and integration with predictive tools. This is how GRC stops being a box-checking department and becomes an intelligent decision-making center.


