The Coming Wave: Why AI-Fueled Cyber Crime Demands a New Layer of Risk Management
In June 2024, a ransomware attack on Synnovis, an NHS diagnostics provider, led to thousands of canceled surgeries and long-term patient harm, yet barely registered in the headlines. A year later, an attack on Marks & Spencer, which temporarily left Percy Pig sweets and Colin the Caterpillar cakes off supermarket shelves, wiped £600 million off the company’s market cap and triggered nationwide panic.
This juxtaposition, as Misha Glenny eloquently observes in his Financial Times Weekend article, reveals something uncomfortable about both society’s perception of cyber risk and our structural ability to respond to it. But it also points to a larger and more pressing reality: AI is about to turn every cyber threat vector into a force multiplier—and the defensive tools most organizations rely on are no longer fit for purpose.
As AI matures into autonomous, agentic forms, we’re not just dealing with more attacks—we’re dealing with smarter, faster, and more scalable ones. The solution isn’t just better cybersecurity. It’s Integrated Risk Management (IRM)—and it must evolve as rapidly as the threat landscape.
The Illusion of Defense
Traditional cybersecurity investments focus heavily on perimeter defense, endpoint monitoring, and incident response. These tools are important, but increasingly inadequate on their own. As I argued in Beyond the Firewall, they assume a linear threat path—detect, respond, contain. But ransomware doesn’t follow linear logic anymore. It blends deepfake-enabled social engineering, compromised third-party infrastructure, and real-time learning through generative AI.
The attack on M&S, orchestrated by the Scattered Spider group, was not a brute-force intrusion. It was a psychological exploit targeting both people and processes—a human vulnerability masked as a technical breach. And the real damage wasn’t just encrypted files or service outages—it was operational paralysis, consumer trust erosion, and executive crisis management under duress.
This is where Integrated Risk Thinking (IRT)—enabled through the IRM Navigator™ Model—becomes not just helpful but essential.
The IRM Navigator™ Response: From Control to Continuity
At its core, the IRM Navigator™ Model reframes risk management through four strategic outcomes:
Performance (driven by ERM)
Resilience (enabled by ORM)
Assurance (delivered through TRM)
Compliance (supported by GRC)
Cybersecurity, as it stands today, resides almost exclusively in the TRM domain. But modern threats—especially those accelerated by generative and agentic AI—don’t stay confined to technology. They ripple into every quadrant of risk:
ERM (Goals): What’s the risk to strategic delivery if ransomware halts core services?
ORM (Processes): Can business continuity protocols withstand autonomous malware that rewrites its own behavior?
TRM (Assets): Is third-party infrastructure (e.g., Tata Consultancy Services in the M&S breach) being continuously evaluated for attack surface exposure?
GRC (Policies): Are regulatory obligations like incident reporting, data protection, and cyber insurance tied into a unified response plan?
The FT article lays bare the truth: cybercrime is now systemic. It is no longer just a technology problem. It’s a management failure waiting to happen if organizations fail to connect the dots across risk domains.
Agentic AI and the Shift to Autonomous IRM
What makes this moment different—and more dangerous—is not just the scale of cybercrime but its evolving nature.
“If cybercrime were a legitimate economy, it would be the third-largest in the world.”
—John Fokker, Trellix, RSAC 2025
As Glenny recounts, the next frontier is agentic AI—systems that can think, plan, and execute without human instruction. These aren’t tools. They’re threat actors. And they are already being used to:
Exploit zero-day vulnerabilities
Run deepfake vishing campaigns
Generate and deploy polymorphic ransomware
Obfuscate transaction trails with crypto mixers
The problem? Most cybersecurity playbooks don’t even account for this level of autonomy. But an evolved form of IRM—Autonomous IRM—can.
Autonomous IRM doesn’t mean replacing human risk managers. It means equipping them with AI-driven decision support, real-time threat modeling, and continuous risk alignment across the enterprise. Instead of reacting to an attack, IRM becomes a predictive and adaptive layer that helps organizations stay ahead of threats, not just respond to them.
Why the IRM Navigator™ Maturity Curve Must Now Include Autonomous IRM
To address this shift, we’ve expanded the traditional IRM maturity curve to reflect five phases of Integrated Risk Thinking:
[Figure: IRM Navigator™ Maturity Curve]
Where is your organization on the IRM Maturity Curve today? Where do you want to go?
Most firms today operate between Core and Enterprise. But the threat landscape is now Autonomous. The gap between where risk teams are—and where cyber attackers are going—is widening by the day.
What’s at Stake
The Synnovis and M&S attacks revealed two critical truths:
Risk is no longer confined within firewalls or compliance checklists.
AI is no longer just a productivity tool—it’s an adversary, a weapon, and a new risk category all at once.
Organizations can no longer afford to think of cybersecurity as a standalone discipline. They must integrate it across strategic, operational, and third-party risk dimensions. They must shift from defensive postures to proactive, integrated, AI-aware risk management.
That is the promise of the IRM Navigator™ Model—and the imperative of our time.
Final Thought
We cannot wait for a “Level 1” cyber incident to rethink how risk is managed. AI won’t wait. Neither will the threat actors building tools faster than boards approve budgets.
The organizations that thrive in this era will be those who stop treating cybersecurity as a moat—and start managing it as a mission-critical layer of enterprise risk. That means aligning cyber with business performance, embedding resilience into operations, and activating intelligent, integrated systems that can think—and act—as fast as the threats they face.
Further Reading & References
Cyber crime is surging. Will AI make it worse? – Misha Glenny, Financial Times Weekend, June 2025.
Beyond the Firewall: Why Integrated Risk Management is the Missing Layer in Cyber Defense – John A. Wheeler, RiskTech Journal.
The IRM Navigator™ Model – Wheelhouse Advisors.