
Cybersecurity and AI Governance Take Center Stage in Badajoz

Javier Conejo

18 Nov 2025

A Strategic View of Digital Risk, AI Oversight, and Corporate Responsibility

On November 11, the Cybersecurity and AI Governance Day held at the Cajalmendralejo Auditorium in Badajoz brought together leading CISOs, AI governance experts, and technology executives to discuss how organizations must adapt to a world where digital risk and artificial intelligence increasingly challenge corporate decision-making. The event blended strategic insights, practical frameworks, and reflections on new risks and regulatory demands that will redefine how companies operate.

Our CEO and founder, Juanjo Martínez Pagán, introduced the main topics and facilitated the discussions and roundtables with a highly pragmatic perspective. In his introduction he emphasized the rapidly increasing sophistication of cybersecurity threats and an acceleration of AI adoption that is not always desired, along with the challenges these pose to organizations. He then invited the speakers to present their views on how organizations can deal with them.



1. Cybersecurity in the Boardroom: Governing Digital Risk Wisely - Keynote by Rosa Kariger


Rosa Kariger emphasized a shift that many organizations are only beginning to recognize: cybersecurity is no longer a technical issue but a business-critical risk, requiring direct oversight from the Board.

Her core message was unequivocal:

  • The Board must set the strategy, supervise execution, approve major security measures, and be accountable. The three questions that need to be understood are:

    • What could happen to us?

    • How could we help it?

    • Which actions will we undertake?

  • Under NIS2 and DORA, directors are personally responsible for cybersecurity governance and must receive ongoing training.

  • Resilience depends on properly identifying, protecting, detecting, responding, and recovering.

  • “Zero risk” is impossible. For every risk, a decision must be made at the business level: accept, mitigate, transfer or avoid.

  • Cybersecurity must include both IT and OT, ensuring industrial environments are protected and aligned with corporate governance.

Kariger positioned digital risk as a corporate priority on par with finance, compliance, and operations—one that must be embedded directly into the governance model of the organization.


2. A Vast and Distributed Digital Exposure — ENTHEC (Kartos / Qondar)


ENTHEC presented the reality facing companies today: there is no longer a defined perimeter. Exposure is continuous and multidimensional, involving cloud services, distributed systems, third-party dependencies, and human factors.

Their approach is to provide continuous external vigilance, monitoring:

  • leaked credentials

  • exposed vulnerabilities

  • phishing and impersonation

  • social engineering footprints

  • third-party risk

ENTHEC also expanded the discussion to personal exposure through Qondar, which protects executives and key individuals by tracking identity misuse, sensitive asset exposure, and digital reputation.

The takeaway: organizations cannot protect what they cannot see — visibility must span not just infrastructure, but people.


3. AI Requires an Entirely New Governance Model — Keynote by Ana Jiménez Castellanos


Ana Jiménez Castellanos challenged traditional assumptions about AI oversight. AI, she argued, is not merely a collection of models but part of a broader cognitive infrastructure: probabilistic, dynamic, evolving, and distributed across teams and functions.

For this reason, it cannot be governed like classical IT.

The main risks are organizational, not technical:

  • Shadow AI and isolated initiatives

  • Excess committees with no accountability

  • Fragmented decision-making

  • Lack of real-time oversight

  • Poorly defined ownership

  • Ethical risk of inappropriate use or biased decisions

Her proposed model centers on:

  • Continuous governance rather than episodic review

  • Adaptive controls, real-time monitoring, and automated inventories

  • A cross-functional AI Committee coordinating ethics, strategy, risk, deployment, and value creation

With the upcoming EU AI Act, this governance will soon shift from recommended to required — and organizations must build the structure now.


4. Data as the Core of Compliance and Security — AREXDATA


AREXDATA highlighted the blind spot shared by most organizations: they do not know where their critical data is, who accesses it, or with what permissions.

Their approach relies on:

  • automated classification

  • continuous audit

  • granular permission control

  • end-to-end traceability

These capabilities underpin compliance with NIS2, DORA, ISO 27001, and GDPR, and support the Zero Trust principle of least privilege and early incident detection.

The message: governance frameworks are meaningless if the organization cannot control its data.

Roundtables: Responsibility and the Future of AI Governance


Roundtable 1 — Who Owns Cyber Risk?


With contributions from Rosa Kariger, Juanjo Martínez Pagán, and Inés Rodríguez (CISO), the panel reached a clear conclusion:

Cybersecurity is not the CISO’s responsibility alone — it is a business responsibility.

Key insights:

  • Digital risk is strategic, not technical.

  • The CISO enables and advises, but the ultimate owner is the business.

  • Active Board involvement is non-negotiable.

  • Organizational culture and role clarity matter as much as technology.

  • Continuous Board training is essential.

The panel firmly established cybersecurity as a shared responsibility requiring governance discipline at every level.

Martínez Pagán emphasized that cybersecurity cannot rest solely on the CISO’s shoulders, but must be owned by the business as a whole. He highlighted that digital risk is fundamentally strategic risk, and therefore must be governed at the corporate level, with a clear distribution of responsibilities across the Board, executives, and technical teams. He stressed that technology is only part of the challenge: organizational culture, decision-making processes, and continuous leadership training are equally critical to building resilience. His intervention reinforced the idea that the CISO’s role is not to carry the entire burden, but to enable the business, and that only with true Board-level involvement can organizations manage digital risk in a mature and effective way.


Roundtable 2 — Should the CIO Govern AI?


Participants Ana Jiménez Castellanos, José Antonio Martínez Guillén, and Arturo Marín agreed: AI governance cannot sit solely with the CIO.

Main conclusions:

  • AI affects every function — it demands shared governance between business and technology.

  • The complexity of the AI ecosystem (models, data, integrations, humans, context) requires flexible, distributed structures.

  • A cross-functional AI Committee prevents bottlenecks, shadow AI, and misaligned decisions.

  • The EU AI Act will enforce formal governance in the coming months – urgency is key.

AI governance, they emphasized, must be systemic, real-time, and strategic, not simply technical.


General Conclusion


The key message from the conference was unmistakable:

digital risk and artificial intelligence can no longer be managed from traditional silos.

They are reshaping corporate governance, organizational culture, and the way decisions are made.

To succeed, both business and technology must share responsibility through modern, adaptive governance frameworks that reflect the complexity of today’s digital environment.

The future of corporate resilience will belong to the organizations that treat cybersecurity and AI governance not as technical functions—but as core pillars of strategy, leadership, and enterprise value.
