Cybersecurity analysis and perspectives for organizations across CEE and MENA.
AI governance in practice starts with an uncomfortable number: 57% of employees actively hide their AI tool usage from their employer.
Not because they are doing something malicious. Because the policy said no, and the work still needed to get done.
I see this regularly. The policy exists. The behavior it was written to stop exists too - just invisible.
Most security teams are still thinking about AI risk as a browser tab. Someone pasting text into ChatGPT. Maybe leaking something sensitive.
Agentic AI security has become one of those problems most organizations discover too late. They did not decide to adopt AI agents - they just looked up one day and the agents were already there.
A developer installed an AI coding assistant three months ago. It runs with his credentials. It can read every file he can read. An operations team automated their reporting with an AI tool. Nobody scoped its access down from the defaults. A vendor bundled an AI assistant into a SaaS platform you renewed last quarter. It has been active since the day the contract was signed.
DORA has been in force since 17 January 2025. No transitional periods, no extensions. Supervisory authorities are collecting Registers of Information, reviewing ICT risk frameworks, and issuing observations. The first Threat-Led Penetration Testing notifications are arriving in 2026.
If your organisation is in financial services - or provides ICT services to financial entities - this regulation already applies to you or directly shapes what your clients demand from you. And what supervisors and clients are starting to find is the same gap everywhere: organisations that have documentation, but cannot defend what is behind it.
Every breach post-mortem tells the same story. An attacker gets in — through a phishing email, a stolen credential, an unpatched edge device. That initial foothold is rarely the catastrophe. The catastrophe is what happens in the next hours: the attacker moves east-west across a flat network, reaches systems the initial compromise had no business touching, and only then does the damage become irreversible.
We have been defending the perimeter for decades. We have largely lost that argument. The question worth asking now is not whether the perimeter will be breached — it will — but whether your internal architecture assumes that it already has been.
Poland submitted its KSC Act amendment to the Sejm in November 2025. Enforcement is expected in 2026. Most organizations are waiting for the final text before acting. That is a mistake.
The window between law passage and enforcement will be short — and the organizations that will struggle are not those lacking tools. They are those lacking the three artifacts that make execution possible.
Delays in NIS2 readiness rarely stem from technology gaps. In practice, they stem from three missing documents: