Traditional cyber attacks gave organizations days or weeks to respond; AI-driven attacks now give them 30 seconds. This is the reality boards and general counsel are grappling with — and the window to prepare is getting shorter, warns Imran Ahmad.
“Take immediate steps; not a year from now, but within the next six months,” advises Ahmad, partner, Canadian head of technology and Canadian co-head of cybersecurity and data privacy at Norton Rose Fulbright Canada LLP. “Identify these risks, understand what it means for your organization, and act on it - now.”
Beyond silos: the new face of digital risk
As a longtime practitioner in the space, Ahmad has witnessed wave after wave of technological disruption. But something has shifted. In recent years, digital risk has captured the attention of boards and senior leadership like never before. The tension between leveraging technology for competitive advantage and managing the exposure that comes with rapid adoption is no longer a back-office debate — it is a standing agenda item in the boardroom.
Digital risk defies the familiar playbook. Unlike traditional enterprise exposures — flood, fire, supply chain disruption — it is dynamic, adversarial, and constantly evolving. Threat actors are moving just as fast as the organizations trying to defend against them, making this a fundamentally different category of risk.
Canada has long been known for its measured, methodical approach to emerging technology — enthusiastic about innovation, yet deliberate about implementation. Boards tend to mirror that temperament. But the scope of inquiry must now expand to meet the moment, moving beyond siloed assessments toward a holistic view of digital exposure.
The weighting of risk varies by sector. A financial institution serving a large consumer base will prioritize privacy; a telecom deploying AI will focus intensely on cyber. But the digital risk lens, Ahmad explains, is what ties it all together — enabling boards to see the full picture rather than isolated fragments.
“The board question has fundamentally changed,” Ahmad observes. “Directors no longer want to examine cyber, privacy, or AI in isolation. They want to understand the organization’s entire digital risk profile — and they expect their advisors to help them see it clearly.”
The AI accelerant
One of the clearest inflection points in this evolution is Mythos. Developed by Anthropic, this AI agent can identify vulnerabilities in an organization’s IT environment and exploit them in real time — compressing the window between reconnaissance and weaponization to a matter of seconds.
When Mythos was rolled out — initially to select organizations in the United States — it sent shockwaves through the security community. The Bank of England, the US Federal Reserve, the White House, and Canadian cybersecurity authorities are now actively examining its implications. That coalition is significant, Ahmad notes.
“When respected organizations like Anthropic proceed with this level of caution and transparency, it signals something important,” he says. “There are almost certainly bad actors developing similar capabilities without any disclosure at all.”
This convergence of AI and cybersecurity represents an entirely new class of threat — one that fundamentally alters the risk calculus for boards and their counsel. The conversation has shifted from theoretical to urgent.
“The prospect of operational disruption in under a minute because a threat actor is leveraging AI — that is a different world entirely,” Ahmad continues. “And it is one that many Canadian boards and their advisors are now racing to prepare for.”
From awareness to action: building the governance playbook
Since Mythos emerged, one question has dominated boardroom agendas: what steps must we take now, and which can wait? Preparation is critical — but complicated. In an unsettled regulatory environment that varies across jurisdictions, boards face a second, equally pressing question: how do we ensure we will not be offside if AI regulation evolves, or if no law yet exists? For directors overseeing multimillion-dollar AI investments, that uncertainty is what keeps them up at night.
The encouraging news is that most multinational and cross-border organizations already prioritize established best practices and leading frameworks. For those with European exposure, the EU AI Act provides a clear compliance benchmark. For others, Ahmad points to two frameworks in particular: ISO 42001, an internationally recognized certification that offers a structured way to demonstrate due diligence to regulators, customers, and suppliers; and NIST, long the standard-bearer for cybersecurity and privacy, which now includes a dedicated AI framework.
The National Association of Corporate Directors has also stepped forward, producing an AI handbook to complement its established cyber governance resources. These tools reinforce what has become the baseline expectation for boards: not merely to be informed, but to be actively engaged — asking the right questions and demanding rigorous answers.
Engaging independent advisors to stress-test the information provided by a CTO or CISO adds another layer of assurance — demonstrating that board oversight is genuinely rigorous, not merely procedural. An independent review of key performance indicators helps determine whether they meet industry standards and how the organization benchmarks against its peers, Ahmad explains.
Structural questions matter as well. Who bears responsibility for digital risk oversight? While there is no universal answer, Ahmad is emphatic on one point: the approach must be recurring and systematic.
“Every board meeting agenda should include digital risk as a standing item,” he explains. “Within that, directors need to break it down: What questions will we ask? What KPIs do we want reported? What does the compliance trajectory look like over each quarter?”
Boards must also monitor regulatory developments and anticipate what lies ahead. Bill C-8, Canada's critical infrastructure cybersecurity bill, is one example. It would require boards operating in critical infrastructure such as telecoms, airports, port authorities, and financial institutions to treat cyber risk as a core organizational priority. An AI-driven attack on any of these sectors could trigger cascading effects across society. While the bill is not yet law, its trajectory is unmistakable.
For Ahmad, crisis preparation lies at the heart of the matter. He recalls the early days of running cyber tabletop exercises for clients. Now that organizations are deploying AI in operationally significant ways, they are — rightly — demanding scenario planning on that front as well. What would the liability exposure be: privacy alone, or broader regulatory consequences? What about litigation risk in other jurisdictions?
“Running those scenarios is how boards move from awareness to genuine readiness,” Ahmad says. “The goal is to be able to demonstrate accountable governance: we identified the issues, took deliberate steps to mitigate risk, and documented our process.”
When the call comes, will you be ready?
Ahmad often poses a scenario to the boards he advises. Imagine you are a director of a prominent critical infrastructure organization. A cybersecurity incident has occurred — caused by an AI agent that exploited a vulnerability in your systems. You must now call the minister’s office. How will you explain what happened?
“These conversations cannot be improvised,” he says. “They must be planned in advance.”
Ahmad is not one to sound false alarms. But he points to Mythos as a genuine inflection point. This is not a hypothetical threat; these models will proliferate, and others will replicate them. The imperative to be prepared cannot be overstated. The role of counsel is to ensure the organization can demonstrate it acted responsibly — protecting boards from regulatory investigation, litigation exposure, and reputational harm, both domestically and abroad.
“That means documentation: evidence that the board deliberated, issued clear mandates to management and third parties, and put protocols in place,” Ahmad explains. “The time to get your house in order is now — not in a year. It is how you prove you were not asleep at the switch.”
This article was produced in partnership with Norton Rose Fulbright Canada LLP.

