16 June 2026
Why Systems Thinking matters for Resiliency in the Age of AI?
By Vinayak Godse, CEO, Data Security Council of India
Resiliency emerged as a distinct strategic domain, extending beyond cyber security. While security focuses on preventing, detecting, and responding to security attacks, resiliency demands organizations continue to function, adapt, recover, and retain trust even when prevention fails.
Systems are increasingly complex, interdependent, and open. The volume and velocity of development and deployment are increasing faster, challenging capacity of organizations to assess risk, assure safety, and govern systemic consequences.
In 2026, advancing capabilities AI poses unimaginable challenges to security. Capabilities that previously belonged to nation- state APTs become accessible to any motivated actor.
Defense assumptions like our information are fragmented, there is scarcity of specialists to carry advanced attacks, attacks are complex, systems are isolated, and one needs zero days for creating significant impact collapsing against the advanced AI models such as Mythos and Chatgpt5.5. The world for which we built the current model of cyber security and business continuity no longer exists.
Canvas of programs, initiatives, elements, tasks, efforts, and operations required to manage the challenges of security, more importantly, resiliency is expanding exponentially.
Assessment and assurance remained as dominant area for managing security. However, volume and velocity of digitization, innovation, and transactions on the one hand, and increasing asymmetry of equation between attacker, required to be successful one out of millions attempts, and defender, required to defend millions our of millions, on the other hand, changed the game in favour of managing
problems more real time basis.
Many security technology capabilities emerged to help you doing it and many ways and methods evolved to ensure excellence in security operations. It works when systems relatively bounded, slower-moving, and failures were more traceable. Continuous monitoring and operational intervention alone are failing short of maintaining desired level of governance as digital systems are too complex, too interconnected, and too fast-changing. Regulators started realizing this.
EU Digital Operational Resilience Act, DORA and SEBI’s Cybersecurity and Cyber Resilience Framework, CSCRF, are the key testimony of it. Regulators are no longer concerned their regulated entities can prevent or detect cyber incidents. They are increasingly concerned about whether critical functions can continue when they are attacked, customers are manipulated, third-party dependencies fail, fraud scales through automation, or trust in digital systems is disrupted.
To build resiliency, focusing what is seen on the surface or doing what is being asked for by compliance requirements wouldn’t help. Going underneath surface or symptoms, unveiling multiple causality, examining bottlenecks and dependencies ,and uncovering systemic factors would be required.
Complex systems scaled significantly and thriving on interdependencies often demonstrate emergent behaviour. With AI becoming central in business functioning, emergent behaviour becomes core resiliency concern. What tools, methods, and instruments would help business, tech, and security leaders? Answer lies in thinking and finding ways to build it.
Systems thinking is emerging as a critical pathway in understanding of how failure propagates, how trust degrades, how controls interact, and how organisations recover under uncertainty. If you are required to browse through interactions across data, workflows, complex underlying infrastructure, human judgements, third-party dependencies, agentic and automated decisions, market incentives, and expanding regulatory obligations systematically and govern them at nuanced and macro levels, systems thinking is the way forward. The science and methods of systems thinking is evolving; leaders need to adopt them for building assuring resiliency.
