I recently spent two days in Amsterdam at the ServiceNow NEXUS event. The event focused on security together with its close friends governance, risk and compliance. However, the most interesting discussions quickly moved beyond tools and features.
Instead, the focus was on something broader: how organizations stay resilient and keep moving forward in a world shaped by AI, geopolitical uncertainty and continuous disruption. Across sessions and conversations, the same theme surfaced repeatedly. Security is no longer primarily about preventing everything from happening. It is about enabling organizations to move faster by building systems, processes and teams that can withstand disruption and recover quickly.
Three themes stood out in particular:
- Resilience enables speed. The most successful organizations are not trying to eliminate all risk. They design systems and operations so the business can continue moving even when disruption happens.
- Risk management must support decisions. Instead of becoming complex compliance exercises, risk frameworks should help leadership understand real business impact and prioritize what matters.
- AI must be governed, measured and used responsibly. AI itself is not the risk — unmanaged AI is. Organizations that succeed treat AI like any other capability: governed, measurable and aligned with real outcomes.
Below are a few insights that stood out during the event.
Resilience Enables Speed
Security has long been framed as a cost or a brake on the business. At NEXUS, that thinking was challenged quite directly. The most resilient organizations are not the ones trying to eliminate every possible risk. Instead, they assume that incidents will happen and design their systems, processes and operating models accordingly. The goal is not perfection, but the ability to continue operating even when something breaks.
When resilience becomes the focus, security and IT start acting as enablers rather than blockers. Organizations that can recover quickly and continue operating are able to move faster and make decisions with more confidence.
One comment during the event summarized this thinking well:
“Two times cheaper or two times faster? Faster always wins.”
Speed does not come from cutting corners. It comes from systems, processes and people that are designed to handle disruption and keep moving forward.

Risk Management Needs to Become Practical (and Fun)
Risk management was another topic that surfaced repeatedly during the event. Interestingly, the discussion moved away from traditional compliance-driven thinking. Many organizations have frameworks, policies and controls in place, yet those structures often become complex exercises that do not necessarily support better decisions.
A recurring message at NEXUS was that risk management does not need to be overly complicated or reduced to a checkbox exercise. At its best, it becomes a practical way to focus on what actually matters and prioritize decisions based on real impact.
For leadership and boards, the discussion rarely starts with vulnerabilities, CVE lists or attack techniques. What they want to understand is the potential impact on the business. What happens to operations if a critical system fails? How does it affect customers, revenue or reputation?
This is why impact-based approaches and economically defensible risk models are gaining attention. They help organizations connect security investments and risk decisions directly to business outcomes.
Ultimately, security and risk are not separate disciplines. They are two sides of the same conversation.
AI Is Not the Risk — Unmanaged AI Is
Artificial intelligence was naturally a major topic throughout the event. However, one of the most practical insights was also one of the simplest: AI itself is not the real risk. The real risk comes from unmanaged AI.
Many organizations still react to new technologies by trying to block them. In practice, this approach rarely works. Employees will experiment with new tools regardless of policy, and when that happens outside official processes the risks actually increase.
A more effective approach is to focus on governance rather than prohibition. Organizations need to decide which AI tools are allowed, create a clear intake process for new use cases and classify risks early. Platforms like ServiceNow’s AI Control Tower illustrate how AI governance can be managed in a structured and transparent way.
The goal is not to slow innovation. The goal is to create enough structure and visibility so that innovation can happen safely and scale responsibly.
Measure AI in Practice
One of the most practical takeaways from the event was simple: measure whether AI actually delivers value.
In many cases, AI adoption starts with excitement about models, capabilities or new tools. However, the discussions at NEXUS emphasized a much simpler and more disciplined approach.
AI should not be adopted because it sounds impressive. It should be adopted because it demonstrably improves outcomes.
A useful rule of thumb discussed during the sessions was straightforward: if an AI solution cannot outperform a simple baseline, you should question whether it is worth using at all. Organizations can start by running the existing approach and the AI-driven approach side by side. Beginning with a simple comparison makes it easier to understand whether the new solution actually delivers value.
If AI cannot outperform a basic comparison, it may simply be a very complicated calculator.
Starting simple, measuring outcomes and only adding complexity when it proves its value allows organizations to move forward in a much more controlled way. AI adoption is not a sprint. It is a long climb that rewards disciplined experimentation, patience and honest measurement.
AI Is Changing Knowledge Work
AI is also reshaping how organizations think about productivity, especially in knowledge work. For a long time, measuring productivity in work done behind a computer has been difficult. Unlike the output of industrial work, the output of knowledge work has traditionally been much harder to measure.
AI is beginning to change that. Organizations can now analyze patterns across conversations, documents and customer interactions at a scale that was previously impossible. This creates new ways to understand customer pain points, product direction and service effectiveness.
At the same time, another reality is becoming clear. Removing AI tools from employees will often reduce both productivity and quality. A new generation of professionals has learned to work with AI as a natural part of their workflow.
AI also amplifies what already exists in an organization. Strong domain knowledge and business understanding become even more important. Without them, even the most advanced AI systems can produce solutions that are technically impressive but disconnected from real business needs.
The Bottom Line
One of the clearest takeaways from NEXUS was that resilience, risk and AI can no longer be managed separately.
AI will not solve structural weaknesses in organizations that lack discipline, clarity or resilience. At the same time, unmanaged AI can significantly increase complexity and risk.
The organizations that succeed will not be the ones chasing every new model or platform. They will be the ones that build resilient foundations, govern technology thoughtfully and measure progress honestly.
In that environment, security becomes less about restriction and more about enabling the business to move forward with confidence.
Ultimately, speed without resilience is fragile. True resilience allows organizations to move faster, take calculated risks and continue operating even when disruption happens.