Gartner Survey Shows AI Enhanced Malicious Attacks as Top Emerging Risk for Enterprises for Third Consecutive Quarter

Survey of 286 Senior Enterprise Risk Executives Reveals Top Five Emerging Risks in the Third Quarter of 2024

Artificial intelligence (AI)-enhanced malicious attacks are the top emerging risk for enterprises in the third quarter of 2024, according to Gartner, Inc. It’s the third consecutive quarter with these attacks being the top of emerging risk. IT vendor criticality and an unsettled regulatory and legal environment are new, top emerging enterprise risks.

During the third quarter of 2024, Gartner surveyed 286 senior risk and assurance executives and managers to examine and compare emerging risks, which are those whose effects may not yet have been realized by enterprises but have the potential for significant impact. Their evolution is highly uncertain because it is rapid, nonlinear, or both.

“The two new emerging risks relate to complexities of the IT and political environment made highly visible to executives and boards by current events,” said Zachary Ginsburg, Senior Director, Research in the Gartner Risk & Audit Practice. “While the upcoming U.S. election generates headlines over the candidates’ regulatory, trade and other proposals, organizations have difficulty considering the actual risk implications from the many scenarios that might unfold. Amplifying this uncertainty are recent U.S. Supreme Court decisions on federal agencies’ authority to set and enforce regulations.”

“Beyond politics, other global events, such as the July CrowdStrike outage, have raised questions about whether organizations over-rely on their largest IT vendors. For example, customers with a concentration of services with one vendor may face elevated risk in the event of outages, or they may face unanticipated changes in services depending on new regulations or legal decisions in the EU, U.S. or elsewhere. Because third parties, like SaaS vendors, rely on other vendors, organizations may not realize the full extent of their exposure,” said Ginsburg.

Two of the top five most cited emerging risks are in the technology category and two reflect political concern related to uncertainty around the regulatory and legal environment and the outcomes of global elections (see Table 1). Misaligned organizational talent profile moved down from the fourth-place ranking in the second quarter to the fifth most cited risk in the third quarter.

Table 1: Top Five Most Commonly Cited Emerging Risks in Q3 2024

Source: Gartner (November 2024)

Increased Range of Potential Risks from Political, Legal and Regulatory Events

In the current political, legal and regulatory landscape, there is a wider range of potential risks to consider regarding legal and regulatory uncertainty. Beyond the usual legal and regulatory impacts, additional risks related to talent and employment laws, economic policies and their trade and supply chain implications also pose many potential outcomes.

Complex, interrelated political, legal and regulatory events that are contingent on a defined set of outcomes are ideal for scenario planning or similar exercises to identify and map event-based outcomes to better understand and plan for emerging risk implications.

“Political and legal events may have complex risk implications, but events that are contingent on a defined set of outcomes, like an election, are good candidates for scenario planning,” said Ginsburg.

Additional Steps to Manage Associated Risks

The first action to take when anticipating political, legal and regulatory events is to identify the risks associated with those events, and to designate which risks are more contingent on imminent events, such as elections, versus more systemic risks that are likely to persist regardless of an event’s outcome, such as logistics issues from trade route disruptions.

From there, legal and risk leaders should identify and map those risks that have the most potential to affect high-priority enterprise risks and objectives. Next, leaders should determine the value of preemptive actions to assess if planning for a potential disruption could reduce risks’ likelihood or impact.

If organizational leaders can generate specific, cost-effective actions that can meaningfully address risks over the duration of a risk event, these are ones that both have a high likelihood of mitigating risk as well as generating executive support.

Finally, beyond assessing the need to act on specific events, risk management leaders should assess organizational capacity to manage disruptions. Factors to consider include the capability to conduct preliminary impact assessment, compliance impact monitoring, and external and internal engagement.

“By going beyond specific risks events to assessing organizational capacity to manage disruption, enterprise risk leaders can both reduce their organizations’ exposure to identified risks as well as enhance resilience to unforeseen events.” said Ginsburg.