Fiduciary Duty in the Gray Zone: What Boards Must Know About Converging Geopolitical and Technology Risks
Fiduciary Duty in the Gray Zone: What Boards Must Know About Converging Geopolitical and Technology Risks
Stimson Center & LeadDoAdapt Ventures
Dr. David A. Bray is a Distinguished Fellow and Chair of the Accelerator with the Alfred Lee Loomis Innovation Council at the non-partisan Henry L. Stimson Center. He is also a non-resident Distinguished Fellow with the Business Executives for National Security, and a CEO and transformation leader for different “under the radar” tech and data ventures seeking to get started in novel situations. He is Principal at LeadDoAdapt Ventures and has served in a variety of leadership roles in turbulent environments, including bioterrorism preparedness and response from 2000-2005. Dr. Bray previously was the Executive Director for a bipartisan National Commission on R&D, provided non-partisan leadership as a federal agency Senior Executive, worked with the U.S. Navy and Marines on improving…...
Read moreWhile global leaders gather in Davos to discuss "Cooperation in a Contested World," corporate Boards face a starker reality: your fiduciary duty now extends into the gray zone. This is not the world of traditional risk management. It is a domain where Advanced Persistent Threats (APTs) exploit hardware-level vulnerabilities to exfiltrate IP, where fragmented AI policies across 50 U.S. states create compliance nightmares that competitors exploit, and where nation-state actors target your brand equity as a geopolitical weapon.
The question is no longer whether your company will be targeted, but whether your Board understands that cybersecurity, AI governance, and geopolitical risk are now inseparable from corporate strategy and shareholder value.
The Convergence at Davos
In his analysis of the World Economic Forum's 2026 gathering, my friend and colleague Ray Wang posed a critical question that should keep every Board member awake at night: "In 2026 and beyond, will countries and companies have to choose a side between China vs the United States?" As Ray noted, the deepening rivalry between these powers creates a mutually exclusive relationship where strategic alignment with one comes at the expense of ties with the other. For Boards, this is not an abstract geopolitical debate. It is a daily operational reality that intersects with three immediate threats I want to address directly.
First, your hardware supply chains are compromised at levels most Boards do not yet comprehend. Second, the Balkanization of AI policy across both the United States and the rest of the free world creates strategic asymmetries that favor competitors operating under unified national frameworks. Third, gray zone conflict has made your company a target whether you realize it or not, and the attacks are designed to stay below the threshold that would trigger a traditional security response or even Board awareness.
Let me be direct: if your Board's risk committee is still treating cybersecurity as an IT issue, AI as a compliance checkbox, and geopolitics as someone else's problem, you are already behind.
Hardware Vulnerabilities: The 15-Year Systematic Campaign You Didn't Know Was Happening
During my time first as a Senior National Intelligence Service Executive and later as Chief Information Officer at the Federal Communications Commission, I confronted a reality that most corporate Boards still have not internalized. Advanced Persistent Threats are not opportunistic hackers looking for quick wins. They are nation-state operations with 15-year time horizons, systematic discipline, and one objective: position themselves so deeply in your infrastructure that by the time you discover them, it is too late.
These actors do not just exploit software vulnerabilities. They compromise hardware at the manufacturing level, embedding backdoors in chips, routers, and firmware that your security teams will never detect with conventional tools. They target the supply chain chokepoints where a single compromised component can give them access to thousands of downstream customers. And they are patient. They will sit dormant in your systems for years, exfiltrating IP, monitoring communications, and mapping your network until the moment they need to activate.
Ray's analysis highlighted that over $6 trillion will be invested in AI infrastructure by 2030. But here is what that statistic obscures: every data center, every AI accelerator chip, every network switch in that infrastructure represents a potential entry point for APTs if Boards do not demand hardware-level security verification from their vendors.
The strategic question for Boards is this: do you know where every critical component in your infrastructure was manufactured, by whom, and under what security protocols? If the answer is no, you have a fiduciary exposure that goes far beyond traditional cyber insurance.
The 50-State AI Policy Fragmentation: A Gift to Your Competitors
I have spent the past two years working with policymakers and industry leaders on AI frameworks on both sides of the aisle as well as external to the United States. What I have witnessed is a policy disaster unfolding in slow motion, and it is creating competitive disadvantages that most Boards have not yet quantified.
Right now, your company must navigate conflicting AI regulations across 50 U.S. states, each with different definitions of algorithmic accountability, data privacy, and bias testing. California has one framework. Texas has another. New York is developing a third. Meanwhile, your competitors in China operate under a unified national AI strategy with clear guidelines, centralized resources, and government backing.
This is not just a compliance cost issue, though those costs are real and growing. It is a strategic speed issue. While your legal team is parsing whether your AI model meets the requirements of all 50 states, your competitors are iterating, deploying, and capturing market share under coherent national policies.
The fragmentation also creates security vulnerabilities. When compliance requirements conflict across jurisdictions, companies often default to the lowest common denominator or create patchwork solutions that leave gaps. APTs and gray zone actors exploit these gaps ruthlessly. They study your compliance posture, identify the seams between state regulations, and target the vulnerabilities that emerge from trying to satisfy everyone.
For Boards, this raises a governance question that transcends the legal department: are you building AI systems that are merely compliant, or are you building systems that are strategically resilient in a contested global environment? There is a difference, and it matters.
Gray Zone Conflict: Your Company Is Already a Target
Let me introduce you to a concept I have been writing about for years: gray zone conflict. This is the space between peace and conventional warfare where state and non-state actors use cyberattacks, disinformation, economic pressure, and IP theft to achieve strategic objectives while staying below the threshold that would trigger a military response or even public awareness.
Your company is operating in this zone right now, whether your Board acknowledges it or not. And the attacks are not random. They are targeted, systematic, and designed to achieve one of three objectives: financial gain through ransomware or extortion, brand damage to undermine market position or public trust, or access to your secrets and IP to accelerate a competitor's capabilities or a nation's strategic industries.
I have seen gray zone operations unfold in real time during my career in the intelligence community and as a federal CIO. The sophistication is breathtaking. Adversaries will spend months studying your organization, identifying key employees, mapping relationships, and crafting social engineering campaigns that exploit human psychology, not just technical vulnerabilities. They will compromise a mid-level employee's personal device, pivot to corporate systems, and exfiltrate terabytes of data over months while your security operations center sees nothing unusual.
The brand damage operations are equally insidious. Adversaries will seed disinformation about your products, manipulate social media to amplify customer complaints, or leak selectively edited internal communications to create reputational crises that tank your stock price. And because these operations stay below the threshold of overt attack, your crisis communications playbook is often useless.
Here is what keeps me up at night: most Boards do not have visibility into gray zone threats until after the damage is done. Your quarterly risk reports focus on traditional metrics like cyber incident response times or compliance audit results. But gray zone operations are designed to evade those metrics. They succeed precisely because they do not trigger the alarms your systems are designed to detect.
What Boards Must Do: From Risk Management to Strategic Foresight
I have spent my career leading what I call "near impossible missions," from modernizing legacy systems at the FCC to directing technology-enabled bioterrorism responses to 9/11, anthrax in 2001, SARS in 2003, and more. The common thread in all these experiences is that traditional risk management frameworks are insufficient when you are facing adaptive, intelligent adversaries in rapidly changing environments.
Boards need to shift from reactive risk management to proactive strategic foresight. This means three things.
First, demand hardware-level security verification. Your procurement processes must include rigorous supply chain security assessments that go beyond vendor questionnaires. You need to know the provenance of every critical component, the security protocols at every manufacturing facility, and the verification methods that ensure no tampering occurred. This is not an IT issue. It is a Board-level strategic sourcing issue that affects the integrity of your entire operation.
Second, advocate for federal AI policy leadership. The 50-state fragmentation is not sustainable, and it is not in your shareholders' interests. Boards should be vocal in calling for light-touch federal frameworks that provide clarity, consistency, and competitive parity with other nations. This is not about stifling innovation. It is about creating the conditions where American companies can compete globally without one hand tied behind their backs by conflicting state mandates.
Third, build gray zone resilience into your governance model. This means expanding your risk committee's mandate to include geopolitical threat intelligence, not just cyber metrics. It means conducting tabletop exercises that simulate gray zone scenarios like IP theft campaigns, brand sabotage operations, or supply chain compromises. And it means developing decision elasticity, which is the ability to respond rapidly to ambiguous threats without waiting for perfect information or consensus.
The Agency Paradox and the Future of Corporate Governance
Throughout my work, I have observed what I call the Agency Paradox. As our technological tools become exponentially more powerful, our collective sense of human agency often feels increasingly fragile. For Boards, this paradox manifests in a troubling way: the more data and AI capabilities you have, the more you may feel overwhelmed by complexity and uncertainty rather than empowered by insight.
The solution is not to retreat from technology or to hand over decision-making to algorithms. The solution is to develop what I call decision elasticity, which is the ability to use AI and data to gather intelligence at scale while maintaining the nuanced, ethical judgment that only humans can provide. In the context of gray zone threats, this means using AI to detect anomalies and surface threats, but relying on human judgment to interpret ambiguous signals, assessing strategic context, and making decisions that balance security with values like privacy, transparency, and due process.
The most forward-thinking Boards I work with are already making this shift. They recognize that cybersecurity, AI governance, and geopolitical risk are not separate silos. They are interconnected dimensions of a single strategic challenge: how do we build resilient organizations that can thrive in a contested, rapidly changing world while preserving the human agency and ethical judgment that define great companies?
In Part 2 of this series, I will explore how Boards can operationalize this strategic foresight through AI-augmented defense and human-machine partnerships that balance speed with wisdom.
An Invitation to Deeper Dialogue
If your Board is grappling with these converging threats, if you recognize that traditional risk frameworks are insufficient, or if you simply want to stress-test your current approach against the realities of gray zone conflict and geopolitical competition, I invite you to engage in a deeper conversation.
My work as both as a Board Member and a senior advisor is major compaies is dedicated to helping Boards develop the strategic foresight and decision elasticity needed to navigate what I call "tech tectonics," which are the seismic shifts beneath the surface of global business. This is not about selling you a technology solution or a compliance framework. It is about building the governance capacity to make wise decisions in conditions of radical uncertainty.
The stakes could not be higher. As Ray noted in his Davos analysis, we are entering an era where the nature of work, the meaning of human existence, and the future social order are all in flux. For corporate Boards, the question is whether you will shape that future proactively or react to it after your competitors, your adversaries, and the market have already moved.
I have spent my career wrestling with these challenges, and I use the word "wrestling" deliberately. Leadership in this era is not a graceful dance. It requires constant engagement, humility, and a commitment to co-creating a future where technology serves human dignity rather than constraining it.
Your fiduciary duty now extends into the gray zone. The question is whether your Board is ready to govern accordingly.
Dr. David Bray is both Chair of the Accelerator and a Distinguished Fellow at the non-partisan Stimson Center as well as Principal and CEO at LeadDoAdapt Ventures, Inc. He previously served as a non-partisan Senior National Intelligence Service Executive, as Chief Information Officer of the Federal Communications Commission, and IT Chief for the Bioterrorism Preparedness and Response Program. Business Insider named him one of the top “24 Americans Changing the World” and he has received both the Joint Civilian Service Commendation Award and the National Intelligence Exceptional Achievement Medal. The U.S. Congress invited him to serve as an expert witness on AI in September 2025. He also advises corporate Boards and CEOs on navigating the convergence of AI, cybersecurity, and geopolitical risk.
Board Strategy Data to Decisions Digital Safety, Privacy & Cybersecurity Future of Work Innovation & Product-led Growth New C-Suite Tech Optimization Next-Generation Customer Experience Leadership Security Zero Trust ML Machine Learning LLMs Agentic AI Generative AI AI Analytics Automation business Marketing SaaS PaaS IaaS Digital Transformation Disruptive Technology Enterprise IT Enterprise Acceleration Enterprise Software Next Gen Apps IoT CRM ERP finance Healthcare Customer Service Content Management Collaboration Chief Executive Officer Chief Financial Officer Chief Information Officer Chief Supply Chain Officer Chief Information Security Officer Chief Technology Officer Chief Experience Officer Chief Privacy Officer Chief AI Officer Chief Data Officer Chief Analytics Officer Chief Product Officer
