Almost One-Third of UK Businesses Expose Themselves to AI Cyberattacks Without Governance

DATE: 7/3/2025 · STATUS: LIVE

One in three UK businesses gamble on AI with no strategy, inviting data leaks and fines. See their next move…

Research by cybersecurity consultancy CyXcel shows that 29% of UK businesses have only now put in place their first AI risk management strategy, and 31% have no governance framework for artificial intelligence at all. This gap comes as one third of firms identify AI as a potential cybersecurity threat. At a time when many companies are racing to roll out chatbots, predictive platforms and generative AI, the absence of clear policies could expose them to data leaks, system breakdowns and penalty charges for non-compliance.

CyXcel’s latest poll, which reached respondents in the UK and US across sectors such as finance, manufacturing and retail, finds that 18% of organisations have made no preparations against AI data poisoning—a cyberattack that corrupts machine learning training sets. A further 16% lack measures to guard against unauthorized code cloning or deepfake incidents, leaving their AI-driven applications vulnerable to manipulation.

Megha Kumar, Chief Product Officer and Head of Geopolitical Risk at CyXcel, described a catch-22 scenario: “Organisations want to use AI but are worried about risks – especially as many do not have a policy and governance process in place.”

She pointed to CyXcel’s Digital Risk Management (DRM) platform as a response to this trend. “The CyXcel DRM provides clients in all sectors, especially those that have limited technological resources in house, with a robust tool to proactively manage digital risk and harness AI confidently and safely.”

CyXcel’s DRM platform is built to shed light on emerging AI hazards by merging cybersecurity, legal, technical and strategic expertise into a unified solution. It offers companies a way to strengthen digital resilience while setting up clear policies and governance controls suited to their risk profile.

Through a unified interface, teams can access risk management programs covering:

  • AI: threats to machine learning models and training data
  • Cybersecurity: automated scans, vulnerability checks and threat updates
  • Supply Chain: oversight of software and hardware partners
  • Geopolitics: alerts on global events affecting operations
  • Regulation: updates on local, regional and international laws
  • Technology (OT/IT): protection for industrial control and IT systems
  • Corporate Responsibility: guidance on AI ethics and data privacy

Key legal and technical insights are encoded within the platform, allowing users to monitor emerging threats, forecast potential impacts and receive recommended approaches for addressing weak points and exposures.

The DRM package includes a “full-spectrum dispute resolution and litigation service” designed to cut the time organisations spend meeting compliance and legal requirements tied to various digital risks. That service provides legal reviews, expert witness coordination and mediation support to help businesses address regulatory requirements and dispute challenges across multiple jurisdictions.

The framework supports 26 industries that fall under the EU’s NIS2 directive and the Digital Operational Resilience Act (DORA). These range from energy providers and financial firms to transportation networks and telecommunications carriers, all classified as Critical National Infrastructure in regions like the US, UK and EU.

Edward Lewis, CEO of CyXcel, noted that regulatory demands are becoming more detailed and exacting. “Governments worldwide are enhancing protections for critical infrastructure and sensitive data through legislation like the EU’s Cyber Resilience Act, which mandates security measures like automatic updates and incident reporting. Similarly, new laws are likely to arrive in the UK next year which introduce mandatory ransomware reporting and stronger regulatory powers.”

Even the most secure organisations face relentless cyber threats. CyXcel acknowledges that it too runs on systems that could attract attacks, which is why it uses its own DRM solution to power its defences and compliance checks.

Clients of CyXcel are subject to strict cybersecurity regulations; failures can trigger hefty fines or damage to brand trust. If CyXcel’s guidance misses critical updates or an incident slips through, the firm itself could face legal and reputational consequences.

CyXcel stresses that risk management is more than a service offering—it’s a practical necessity for its own operations. In its marketing materials, the company makes clear that digital risk oversight is ‘personal’, not merely advisory.
