Chicago has a second downtown beneath the one most visitors see. The Downtown Pedestrian Walkway System, or just "The Pedway," links train stations, office towers, government buildings, hotels, stores, and civic spaces through a network of underground passages and concourses. It is practical, a little confusing, and easy to overlook until the weather turns or the streets above get crowded.

Modern organizations also run on pathways most people rarely see. Service accounts, API keys, SaaS integrations, vendor access, CI/CD pipelines, AI tools, and automated workflows move work through the business beneath the visible org chart. That hidden layer makes Chicago feel like the right city for the GCSI Annual Conference 2026.

This yearly event for the Global Cyber Security Initiative gathered hundreds of CISOs, cybersecurity experts, legal practitioners, board members, and other leaders at Illinois Institute of Technology’s Chicago-Kent College of Law and online around the globe. Across the event, we heard sessions on AI adoption, supply chain risk, board governance, and offensive automation. It was clear that cyber readiness depends on understanding the hidden routes through which decisions, data, credentials, and risk actually move.

Here are just a few of the highlights from this year's event. 

Securing Supply Chains When Visibility Breaks Down

Supply chain risk is no longer just about the vendors that an organization can see. The CxO panel "Securing supply chains amid opacity and concentration risks," hosted by Mark Rorabaugh of InfraShield and featuring Stephen Reynolds of McDermott, Will & Schulte; Terry Kurzynski of HALOCK; and Matt Hartzman of Hartzman Partners, framed supply chain risk as anything outside the business that can still affect the business, including suppliers, suppliers’ suppliers, embedded software, AI models, and the services customers depend on downstream.

That opacity is the real problem. Known risks can be managed. Unknown dependencies are harder to defend, especially for lower and mid-market organizations that do not have the same leverage or resources as larger enterprises.

The panel reminded us that "checklists are only the starting point." They do not prove that risk is understood, reduced, or owned. Contracts, insurance, and vendor questionnaires matter, but they cannot replace the work of understanding who can cause harm, what obligations exist, and what reasonable diligence looks like.

The panel concluded that organizations cannot fully transfer supply chain risk. They need to govern themselves before they can govern partner risk. That starts with asking better questions, including which large language models are in use, what they are used for, and how new vendors or AI dependencies enter the environment without anyone noticing. Supply chains grow daily. The job is to know that you will not know everything, then build governance around that reality.

Making Cybersecurity a Board-Level Business Issue

The consensus from the panel "Board Level discussions – Elevating Cybersecurity as a Strategic Business Priority" was that cybersecurity is now a board-level priority, but many conversations still miss the mark. Laszlo Gonc, of Next Era Transformation Group, opened with the urgency of the moment and the need to leave these discussions with something that actually changes. Robert Barr, a PDA board member, noted that board conversations are improving, but too often cybersecurity is still presented as a “threat landscape” update without enough business context. Bob Kress, formerly of Accenture Security, reminded us that boards do not need a technical briefing that leaves them confused or pushes the CISO out of the room. And the panel's final member, Wendy Betts, CISO of Rotary International, gave us the most pragmatic advice for leaders, maybe of the whole event: to be a successful leader, you must be "nose in, fingers out," leaning into conversations without interfering in the execution of the strategy.

The panel emphasized that board-ready cybersecurity leaders must understand governance. A board’s role is not to make management decisions, and technical depth can quickly derail the conversation. CISOs need to translate risk into business terms: financial impact, operational exposure, customer trust, insurance requirements, product risk, and options for managing each tradeoff. Leaders need to stay high enough to help fellow board members handle risk without getting pulled into the weeds. The strongest approach is often a joint presentation with a business leader, showing both the opportunity and the risk in language the board already uses.

The practical advice was direct. Build relationships before the board meeting. Learn the board’s language, research its members, and listen before trying to prove expertise. Cybersecurity leaders should network, pursue nonprofit board opportunities, and understand how audit committees and business priorities shape the conversation. That means immediately reviewing AI governance, understanding insurance terms beyond technical incident response exercises, quantifying downtime in dollars per hour, revisiting legacy technology debt, and knowing what tools and systems the organization actually has. Cybersecurity earns board attention when it drives better decisions, not when it wins the most technical argument.

When Attackers Move in Parallel, Defenders Need a Flywheel

In the final keynote session, Evan Pena, Founder of Armadin, presented the offensive side of AI as a force multiplier that reduces the barrier to entry and changes the cadence of attacks. He pointed to “hyperattacks” as the next phase, in which agent-based mass attacks enable adversaries to move faster, run more paths in parallel, and reduce the human bottlenecks that once slowed them down.

He was careful not to overstate what AI can do today. AI may help find vulnerabilities, but full autonomous exploitation still depends on context, access, tooling, and the environment. Give AI source code, detailed Common Vulnerabilities and Exposures (CVE) data, known cases, and documentation, and the job gets easier. Put it in a black-box environment with little context, and the problem becomes harder. 

Humans are single-threaded. Agents can be multi-threaded. That means parallel hunting, faster credential attacks, broader reconnaissance, and more pressure on defenders to assume breach and understand impact before an attacker does.

Evan explained the defensive approach to this problem as a flywheel: detection engineering, security operations center workflows, and automated remediation, all reinforcing one another. Teams should be asking how often they test all attack paths, not just sampled ones. We should be finding where AI can remove expertise, coverage, or time as operational bottlenecks. We need to understand the current reality of how AI is already being built into security workflows. He stressed that the AI shift is not coming. It is here. Defenders need to prepare for attackers operating at AI speed and scale, then use the same force multiplier to close gaps faster than manual processes ever could.

Governance Has to Become Concrete

Across the day, governance kept showing up as a translation problem. Board members need business language. Legal teams need evidence of diligence. Security teams need technical detail. Business leaders need room to move. The friction appears when each group assumes the others understand its vocabulary.

The sessions pointed toward a more useful model. Governance works when it produces decisions people can act on. That means clear ownership, measurable risk, financial framing, tested assumptions, and a shared view of what is changing. AI governance, supply chain governance, and identity governance all fail when they stay at policy altitude.

AI Is Compressing Time

The event’s most consistent pressure was time. AI shortens the distance between idea and prototype, vulnerability and exploit, request and deployment, vendor capability and enterprise dependency. That compression changes how security teams should think about review cycles and control placement.

The old rhythm of annual assessments and periodic reviews cannot carry the whole load. Organizations need continuous discovery, faster patching, better observability, and tighter credential hygiene. They also need to know which controls can safely be automated and which decisions still require accountable human judgment.

Identity Is Becoming the Operating Layer

Several sessions were framed around AI, boards, supply chains, and regulated industries. Underneath those topics sat identity. Which person, service, vendor, agent, workflow, or system can do what? Which credentials are exposed? Which permissions survived a project, acquisition, vendor change, or proof of concept?

As AI agents become part of ordinary work, non-human identities become more central to enterprise risk. The future shape of security operations will depend on how well organizations inventory, govern, rotate, and retire the credentials that let machines act. Secrets sprawl is a symptom of a deeper issue: digital work now moves through identities that multiply faster than traditional governance can track.

Readiness Lives in the Hidden Layer

GCSI 2026 made it clear that cybersecurity readiness is no longer defined by what an organization can see on the surface. The real work happens in the hidden layer, where vendors inherit risk from other vendors, AI tools gain access to sensitive workflows, service accounts move through systems, and credentials quietly become business-critical infrastructure. That layer is where speed, opacity, and concentration risk now meet.

The answer is not another checklist. It is governance that can survive contact with reality. Boards need risk translated into business decisions. Legal teams need evidence of diligence before an incident, not just contracts after one. Security teams need the authority and visibility to test the paths attackers will actually use. And as AI accelerates both offense and defense, organizations need to know which identities, tools, models, and automated workflows are already operating inside the business.

In enterprise security, much like The Pedway, visible structure still matters, but resilience depends on understanding the routes underneath. The organizations that do this well will not be the ones that claim perfect visibility. They will be the ones that keep discovering, keep governing, keep rotating, and keep asking harder questions, like "what is moving through our business that we cannot afford to overlook?"