Until last night, I always thought Jade Puffer was a green-colored fish in a brackish aquarium. But researchers at the Sysdig Threat Research Team changed that comfort when they dubbed an agentic threat actor (ATA) with the same name.
2026 is proving to be a transformational year for breach readiness.
The narrative is rapidly changing from stopping attacks at the gate to stopping the proliferation of attacks after they have bypassed the initial defenses.
- It all began with human attackers using popular LLMs to attack Mexican government websites.
- Then Claude Mythos demonstrated an unprecedented ability to analyze deep, legacy codebases and uncover a flood of severe zero-day vulnerabilities that could overwhelm traditional defenses.
- Next, researchers at the University of Toronto found that cyber defense economics could be severely disrupted by a self-propagating AI worm.
- Jade Puffer has just demonstrated that ransomware is no longer a craft for the highly skilled. All you need is an AI agent.
AI is no longer just a digital business capability.
It is now an offensive weapon in the hands of adversaries who can now scan, exploit, and move laterally through your network at machine speed, often completing the entire attack lifecycle from initial access to data exfiltration in under four hours.
Read: Build a Mythos-ready Security Program for Machine-speed Attacks
Regulators and Authorities Are Beginning to Take Notice
Today, the European Commission set out a coordinated approach to help Member States, businesses, and public authorities benefit from the opportunities offered by AI while addressing the new risks it creates through an Action Plan to provide a structured response to the risks and harness the opportunities of advanced artificial intelligence (AI) models for cybersecurity, with three complementary goals.
- Promoting the safe and responsible use of advanced AI
- Reinforcing the EU’s cybersecurity and resilience
- Scaling up Europe’s AI capabilities for cybersecurity
The Action Plan encourages organizations to use AI, including open-source models where appropriate, to detect and address vulnerabilities more quickly and improve their ability to prevent and respond to cyberattacks, and also reinforces the EU’s cybersecurity by promoting the implementation of existing EU cybersecurity legislation, including the NIS2 Directive.
The NIS2 Directive expects leadership to evolve before the next breach. This is a profound change.
NIS2 Shifted Liability for a Cyberattack to the CEO and the Board
The most significant aspect of Article 20 of the NIS2 Directive (Directive (EU) 2022/2555) is not its technical controls but its explicit assignment of accountability to CEOs and members of the management board.
For the first time, breach readiness has become a board-level responsibility, not simply because directors must oversee cyber risk, but because they are expected to understand it, govern it, and be accountable for decisions made before and during a cyber crisis.

AI-generated Image.
Article 20(1) says that Member States must ensure that the management bodies of essential and important entities:
- Approve the cybersecurity risk-management measures taken under Article 21,
- Oversee their implementation, and
- Can be held liable for infringements of Article 21.
And right on cue, Portugal has structured a three-tier infraction regime and capped individual fines for management body members at €125,000 per very serious infraction involving intent or gross negligence.
Germany’s BSIG implementation (Section 38) makes personal liability non-waivable. The company cannot indemnify executives even if it wants to.
Belgium’s CCB has set April 18, 2026, as the deadline for self-assessment submissions for essential entities and April 18, 2027, for full certification.
The NIS2 Directive makes “I was not briefed” an unenforceable defense. Approval can no longer be a mere rubber stamp. Oversight is no longer a quarterly agenda item. Awareness is no longer an optional e-learning module.
The question before boards is no longer whether the next cyberattack can be stopped, but whether, when (not if) your organization is breached (by humans or AI), your leadership will be able to keep the business operating.
This needs to be addressed with a radical approach. Recent technical developments in artificial intelligence and post-quantum computing tell us we need to look for new ways to address adversarial threats in digital and AI adoption, rather than remaining enthralled by traditional methods with newer technologies.
Read More: Access the CISO’s Guide to Containment in the Age of AI Attacks
Let Us Change the Narrative
For years, the industry default has been to say: “We suffered an unprecedented cyberattack, and we shut down our operations to protect stakeholder interests.”
The boardroom accepted that as inevitable. The regulator accepted it as the cost of doing business. The shareholder absorbed it. AI-powered attacks render that the millstone that would shut down a thriving digital or AI business.
NIS2 is the first major regulation to reject that narrative.
We must immediately change to a more proactive breach readiness model, where the board drives the organization to anticipate cyberattacks and ensure that the effects of a cyberattack remain within an acceptable material impact by keeping a minimum viable digital enterprise operational, while invoking incident response and business continuity for the minimally affected areas. And keep such a capability monitored, governed, and continually improving.
The idea is to change that narrative to “We suffered an unprecedented cyberattack, and while the best cybersecurity experts are at work to evict the attackers in the small affected areas, our preparations helped us to preserve customer interests. We remain operational to deliver on our promises to our stakeholders.”
That is the posture the NIS2 Directive expects. That is the posture the next attacker will force, one way or another. The choice is whether you reach it by design or by accident.
Adversaries Are AI-Powered. Boards Need a New Metric: Unaffected Digital Operations
For decades, boards have monitored maturity using traditional cybersecurity metrics such as the number of vulnerabilities, patch compliance, phishing susceptibility, and mean time to detect and respond.
While these remain valuable operational indicators, they tell boards remarkably little about the organization’s preparedness for the next breach. To enrich the existing cybersecurity programs, boards must immediately consider a single agenda item: include breach readiness in every digital and AI initiative, even if retrospectively.
But gaining knowledge of and ownership of every nuance of cybersecurity technology is overkill for governing bodies. There are three indicators of breach readiness that every board can adopt in an NIS2-compliant organization.
- The Maximum Acceptable Material Impact (MAMI): The absolute worst financial, operational, and reputational damage the organization can absorb before it ceases to be viable. Not in vague terms. In dollars. In days of downtime. In lost customer contracts. NIS2 requires you to know this number because it determines what qualifies as a “significant incident” under Article 23.
- The Minimum Viable Digital Enterprise (MVDE): If 20% of your digital infrastructure is encrypted by AI-driven ransomware tomorrow, what is the smallest subset of operations you must keep running to survive? Not your entire business continuity plan. Not your 500-page disaster recovery binder. The core, the heartbeat of your digital business, must remain unaffected while you contain the breach.
- The State of Foundational Controls that ensure the MVDE: Empowering the CISO, CIO, CDO, or CAIO to focus on foundational initiatives and investments in reasonable measures and operational controls that keep the MVDE unaffected for every digital or AI initiative.
Call to Action: The First Principles of Breach Readiness
Foundational measures to ensure breach readiness in the age of AI-powered adversaries lie in the true adoption of Zero Trust to build breach readiness by design.
To change the narrative, as mentioned earlier, it is essential to assess the current breach exposure using technology.
Considering that the CFO and other CXOs responsible for the digital business aid the CIO, CDO, or the CAIO to determine the MVDE, the next step for the CISO would be to design a breach-ready digital enterprise that is divided into zones, microsegments, and conduits that can be controlled during breaches to quarantine cyberattacks and isolate and shield the MVDE from disruptions.
If you reach this point, your CISO can ensure your digital enterprise is adequately hardened so that AI-augmented cyberattacks do not have the elbow room to maneuver, even if they manage to make an initial dent by exploiting a zero-day vulnerability.
The only way to stop AI-powered adversaries is to adopt breach readiness by design. NIS2 compliance and the emergence of AI-augmented cyberattacks will force stakeholders to question the C-level.
Have we invested in capabilities that can keep our identity infrastructure, cloud environment, ERP platform, or operational technology unaffected during unprecedented breaches?
Remember that ships were not built to be anchored in port, but to be navigated at sea by leadership that gives confidence to stakeholders.
If your leadership team is assessing how to keep critical operations running through an AI-powered breach, contact us.