The New Frontier of Resilience: Securing Supply Chains and Autonomous Agents in 2025

Fostering Future Forward

By Alexandra Foster | Published weekly | Tech. Leadership. Foresight. | May 4th, 2025 Edition

2025 is shaping up to be a pivotal year for organisational resilience. From the insights shared at UK Cyber Week, FinTech Scotland, the AWS Executive Summit, and Fujitsu’s InNOVATION series, one message is crystal clear:

Supply chain resilience is no longer enough.

In a world of rapid digitisation, autonomous AI systems, and escalating cyber risk, organisations must build total operational resilience across suppliers, systems, and now, self-governing AI agents.


In This Edition:

  • Why supply chain resilience is under intense regulatory and cyber pressure
  • How AI governance, machine identity management, and new regulations (like DORA and the UK Resilience Bill) are reshaping GRC
  • The emerging playbook leaders need to secure not just their partners — but their algorithms


Supply Chain Resilience is Facing Unprecedented Pressure

Today’s supply chains are the backbone of global business, but they’ve also become its Achilles’ heel. A single weak link can threaten operational continuity, and new data only underscores this challenge:

  • 93% of senior supply chain executives are redesigning for flexibility, agility, and resilience.
  • 55.6% of businesses rank cyber threats as the top risk to supply chain continuity.
  • 95% of UK organisations suffered negative impacts from third-party cyber incidents in the past year.

Cybersecurity is a collective effort. A single vulnerable vendor can jeopardise critical systems, making shared responsibility, active visibility, and accountability vital across every link in the chain.

Rising Regulatory Pressure

Several regulatory frameworks are now setting the bar for resilience.

  • DORA (Digital Operational Resilience Act): Effective since January 17, 2025, mandates continuous third-party risk monitoring and real-time incident response.
  • UK Operational Resilience Framework: Since March 31, 2025, financial firms must map, test, and remediate supplier vulnerabilities. Regulators have made it clear that meeting the March 31, 2025 deadline was just the beginning: firms must now treat operational resilience as an ongoing process, continuously monitoring, testing, and remediating supplier vulnerabilities rather than as a one-time compliance exercise.
  • Cyber Security & Resilience Bill (UK): Implicates cloud, data, and MSP providers, granting regulators direct intervention powers.

🚨 Periodic audits are no longer enough. Continuous risk visibility is the new minimum: the baseline for compliance and long-term resilience.

Transformation Pathways: Tech-Driven Resilience

Technology is reshaping how organisations build resilience. Leading practices include:

  • AI-driven monitoring: Reduces threat detection times by over 50%. 🤖
  • Blockchain and IoT adoption: Enables real-time telemetry and tamper-evident tracking.
  • Multi-shoring strategies: Less reliance on single vendors mitigates risks. 🌍
  • Resilience KPIs: Top organisations now track metrics across sourcing, operations, and technology.

Resilience is no longer reactive. It’s engineered, measured, and continuously improved, and it is no longer just a compliance box to tick: it’s a strategic advantage for businesses.

The Next Layer of Risk: Autonomous Agents in Supply Chains

AI-powered agents are fast becoming central players in logistics, compliance, and risk management. Yet, their very presence introduces new vulnerabilities.

Governance on Autopilot

AI-driven GRC is no longer on the horizon — it’s already here.

  • By 2026, 50% of GRC platforms will embed GenAI for policy parsing, evidence generation, and real-time control testing (Gartner).
  • ServiceNow Risk & Compliance, for example, now includes AI copilots that summarise regulations, detect gaps, and accelerate reporting — helping firms prepare for frameworks like DORA and UK OR.
  • AWS, Microsoft Compliance Manager, SAP GRC, and Oracle Risk Cloud are all enabling similar AI-driven control and visibility architectures.

This is the dawn of autonomous resilience. By the end of 2025, more than half of major enterprises will rely on AI and machine learning for continuous compliance monitoring. This marks a dramatic leap from less than 10% in 2021.

And it’s not just policy automation.

EY is piloting agentic supply chain monitors that autonomously detect upstream risks and trigger mitigation workflows — using AI to ingest risk signals and adapt sourcing decisions in real time.

We are working with various FinTech partners on similar models — focused on enhancing these agentic systems through real-time visualisation platforms. The goal? To bring live supply chain risk intelligence directly into the boardroom. The focus is to make these insights not only machine-actionable, but executive-intelligible — empowering faster, data-driven decisions across every level of the business from compliance to crisis response.


Where AI Agents Are Already Delivering Value:

  • Policy intelligence — turning regulations into actionable control tasks
  • Control testing — automating evidence checks and compliance scoring
  • Risk sensing — identifying upstream supplier threats in real time
  • Incident triage — generating regulator-ready response reports autonomously

This is what we call autonomous resilience.


The SaaS Wake-Up Call: Concentration Risk in a Machine-Led World

As Pat Opet, CISO of JPMorganChase, warned in his recent open letter:

“Modern integration models have dismantled decades of carefully architected security boundaries… collapsing authentication and authorisation into overly simplified interactions.”

⚠️ SaaS has created convenience at the cost of control, embedding concentration risk deep into global infrastructure:

  • A single breach of a SaaS or AI service provider can ripple across hundreds of enterprises.
  • Authentication tokens and API roles, often seen as “read-only,” can expose sensitive data or decision paths.
  • At JPMorgan, supply chain incidents have forced immediate vendor isolation and massive mitigation efforts.

A single SaaS compromise can now ripple through entire industries.

“SaaS has become a single point of failure with potentially catastrophic system-wide consequences.” — Patrick Opet

His Call to Action: 💡

  • Demand secure-by-default architectures
  • Reject insecure integration models
  • Prioritise authorisation, transparency, and telemetry over speed of deployment

Organisations must reject insecure-by-design architectures and demand secure-by-default platforms with embedded visibility, isolation, and resilience.

The Invisible Supply Chain: Code, Cloud & Trust

Beyond vendors and SaaS, every business now relies on an invisible software supply chain — from code repositories and build pipelines to AI model registries and cloud services.

One compromised package or unaudited dependency can ripple through your deployed agents, your APIs, and your boardroom.

This isn't theoretical. Breaches like SolarWinds, 3CX and Codecov have proven how quickly a single compromise can cascade through entire ecosystems.

Modern resilience means securing not just what you build or buy — but what your systems depend on.


The Emerging Risk: Identity and Integrity in an AI World

  • Machine identities now outnumber humans 80:1
  • Most remain unmanaged, unaudited, and invisible, yet deeply embedded across cloud, SaaS, and supply chains.
  • AI agents are introducing new attack surfaces via persistent tokens and unscoped permissions.
  • API abuse and model compromise are now flagged as priority threats by intelligence groups.
  • 75% of machine identities lack clear ownership, creating vast, unmonitored vulnerabilities.

Organisations like Venafi, Gartner, and NIST are calling machine identity governance a critical frontier in governance, risk, and compliance (GRC). 77% of security leaders expect AI-powered supply chain breaches within 18 months (Venafi).

Identity isn’t just about employees anymore. It’s about knowing which machines, models, and services have access to your operations.

Framing the Accountability Challenge

As cybersecurity leader Jane Frankland MBE recently asked:

“If AI systems are writing policies, making decisions, and accessing infrastructure — who’s governing them, and who’s accountable?”

That question cuts to the heart of modern resilience.

My answer:

⏩ Start with visibility.

⏩ Scale with governance.

⏩ End with trust - not just in people, but in the machines, the signals they process, and the models that are now part of our digital workforce.


✅ Final Takeaways: Building Integrated Resilience

To thrive in a digital, AI-powered world, organisations must reframe resilience — not as a static compliance goal, but as an adaptive leadership practice. Here's how to lead with intent:

Continuously monitor supplier and agent risks — don’t stop at onboarding.

Treat machine identities as first-class citizens in Identity & Access Management (IAM).

Strengthen API and SaaS integrations with continuous visibility and intelligent authorisation.

Embed resilience KPIs into board reporting, procurement decisions, and crisis planning.

Demand secure-by-design platforms from every vendor, partner, and internal team.
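The identity section above lists the gaps that make machine identities a risk (no clear owner, persistent credentials, unscoped permissions), and the takeaways ask for machine identities to be treated as first-class IAM citizens and monitored continuously. The script below is an added example, not code from the newsletter or from any vendor it names: it audits a small, constructed inventory of service accounts, API keys and agent tokens against exactly those gaps and reports an ownership-gap ratio of the kind the Venafi figure describes. The record format, the `MachineIdentity` fields, the 90-day staleness window and the wildcard permission convention are all assumptions; a real audit would read the inventory from an IAM system, secrets manager or CI/CD platform instead.

```python
"""Audit a machine-identity inventory for the governance gaps named in the
article: missing ownership, persistent (non-expiring) credentials, unscoped
permissions and identities that are stale or never used.

Added example, not part of the original newsletter. The inventory format and
every record in it are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Fixed "today" so the audit is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2025, 5, 4, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)      # assumed threshold: unused this long -> review/revoke


@dataclass
class MachineIdentity:
    name: str
    kind: str                          # "service_account", "api_key" or "agent_token" (assumed taxonomy)
    owner: Optional[str]               # accountable team or person; None/blank means nobody owns it
    permissions: List[str]             # "<resource>:<action>" strings; "*" or "<resource>:*" is unscoped
    expires_at: Optional[datetime]     # None means the credential never expires
    last_used_at: Optional[datetime]   # None means the credential has never been seen in use


def is_unscoped(permission: str) -> bool:
    """Treat a bare '*' or a '<resource>:*' grant as unscoped (assumed convention)."""
    p = permission.strip()
    return p == "*" or p.endswith(":*")


def audit_identity(ident: MachineIdentity, now: datetime = NOW) -> List[str]:
    """Return the list of governance findings for one identity (empty list = clean)."""
    findings = []
    if ident.owner is None or not ident.owner.strip():
        findings.append("no-owner")
    if ident.expires_at is None:
        findings.append("persistent-credential")
    if any(is_unscoped(p) for p in ident.permissions):
        findings.append("unscoped-permissions")
    if ident.last_used_at is None or now - ident.last_used_at > STALE_AFTER:
        findings.append("stale-or-never-used")
    return findings


def audit_inventory(inventory: List[MachineIdentity],
                    now: datetime = NOW) -> Tuple[Dict[str, List[str]], Dict[str, float]]:
    """Audit every identity and summarise the counts a risk report would track."""
    findings = {ident.name: audit_identity(ident, now) for ident in inventory}
    summary = {
        "total": len(inventory),
        "without_owner": sum("no-owner" in f for f in findings.values()),
        "persistent_credentials": sum("persistent-credential" in f for f in findings.values()),
        "unscoped": sum("unscoped-permissions" in f for f in findings.values()),
        "stale": sum("stale-or-never-used" in f for f in findings.values()),
        "clean": sum(1 for f in findings.values() if not f),
    }
    # Share of identities with no accountable owner, the metric the article quotes as 75%.
    summary["ownership_gap"] = summary["without_owner"] / summary["total"] if inventory else 0.0
    return findings, summary


# Constructed sample inventory (not real systems or credentials).
INVENTORY = [
    MachineIdentity("ci-deploy-bot", "service_account", "platform-team", ["deploy:write"],
                    datetime(2025, 6, 1, tzinfo=timezone.utc), datetime(2025, 5, 3, tzinfo=timezone.utc)),
    MachineIdentity("legacy-etl-key", "api_key", None, ["db:read"],
                    None, datetime(2024, 11, 1, tzinfo=timezone.utc)),
    MachineIdentity("procurement-agent", "agent_token", "grc-team", ["erp:*"],
                    datetime(2025, 5, 20, tzinfo=timezone.utc), datetime(2025, 5, 4, tzinfo=timezone.utc)),
    MachineIdentity("vendor-sync", "service_account", "  ", ["*"], None, None),
]


if __name__ == "__main__":
    report, totals = audit_inventory(INVENTORY)
    for name, flags in report.items():
        print(f"{name:20s} {', '.join(flags) if flags else 'clean'}")
    print(totals)
```

Run the audit on a schedule rather than once at onboarding: the findings keyed by identity name feed a ticket to the owning team (or, where there is no owner, an escalation), and the summary counts are the resilience KPIs that belong in board reporting.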

💡 Leadership Insight: At the Amazon Web Services (AWS) ExecLeaders Summit, we heard a powerful provocation from Richard Hua, Miriam McLemore and Rahaf Harfoush. Their challenge to us:
Be an EPIC Rebel — lead with Emotional Intelligence, Purpose, Integrity, and Courage.

In an AI-driven world, resilience isn’t just technical — it’s cultural.

The most effective leaders don’t just manage complexity — they humanise it.

This mindset is as vital for risk leaders as it is for innovation teams. Because truly resilient organisations aren’t just secure — they are human-led, transparent, and values-driven at every layer of complexity.


🧭 Reflection

How prepared is your organisation to secure both its supply chain and its autonomous agents?

What new controls, collaborations, and cultural shifts will define your leadership in this era of AI-powered operations?

💬 Let’s continue the conversation. Together, we can shape a future grounded in trust, transparency, and integrated resilience.

As always, take care, Alex

Layla White

CEO and Founder at TechPassport, the leading Operational Resilience and Supply Chain dependencies platform: TP Network and TP MarketPlace (ISO 27001 & 9001)

6mo

Your final thoughts are on point Alexandra Foster ✨ The Operational Resilience Ecosystem has to be continually managed

Justin Craigon

Security Manager @ BT Group | Governance, Risk and Compliance (GRC) | Cyber Threat Intelligence (CTI) | CISSP, CISM, CRISC, CCSP NIST CSF, CIS, NIS, DORA, ISO27001, MITRE ATT&CK

6mo

So much good info in here, Alex, thank you. Some thoughts... Using GenAI for evidence gathering needs careful management and strong governance. AI hallucinations are real and evidence collected needs vetting to ensure it's representative and accurate. Also GenAI will miss or skip entire clauses of legal text if not correctly managed. A second reason for the governance checks: ensuring your collected evidence is complete and answering the exam question. On concentration risk, adopting multi-cloud, as an example, to spread the risk of a single SaaS vendor introduces new issues around supplier and data management. There's a balance to be had of convenience, risk and cost.

Elisha Lim

Advocate for sustainable business transformation that exudes care for creation

6mo

To promote sustainability, Fujitsu understands the need to build trust in society via innovation and technology. So, while we push the frontiers of Supply Chain through the adoption of digital ontology and agentic-AI, we must always ensure that the application of such technology is done so in a manner that is responsible, relevant and reliable. Thanks, Alex, for articulating the Fujitsu Way! Truly the way to build Total Operational Resilience is to infuse such controls and collaboration into the organization's culture. #UVANCE

Hamza Khalid

I test and review AI tools, spot trends and updates, and grow AI brands ✉️ hey.humza.ai@gmail.com

6mo

An insightful exploration into the evolving landscape of resilience Alexandra Foster ✨ With autonomous agents and algorithmic systems shaping supply chains, it's crucial to have robust governance and risk management frameworks in place.

Alexandra Foster ✨

Managing Director & CIO/CRO | IT Leaders 100 | Chair, National AI Awards | Digital Transformation BFSI & Manufacturing | 5G & Cybersecurity | Co-Chair Women’s Network | TEDx | UN Women UK CSW | Views mine @ALF05TER

6mo

Link to Pat Opet Open letter
