Organisational resilience is no longer a matter of control. It’s a matter of clarity about what you no longer command.
In 2021, the compromise of an American software vendor — SolarWinds — paralysed hundreds of organisations worldwide, including government agencies. None of them had failed in their own cybersecurity. They had simply never mapped their dependencies.
A more recent example is Miljödata, an HR software provider for hundreds of Swedish municipalities, hit by ransomware in August 2025. Employee data, medical records, HR systems — all offline. Hundreds of public-sector organisations paralysed. None of them had failed at cybersecurity.
Supply chain attacks nearly doubled in a single year. This is no longer the exception. It’s the new normal.
Today’s leaders share the same feeling: permanent exposure to crisis risks. Rising ransomware, explosion of deepfakes, AI model compromise, media pressure, regulatory obligations (GDPR, NIS2), interdependent systems where a local failure triggers cascading effects.
The result: a sense of permanent instability, of moving on shifting sands. How do you make the right decision in this context? That is the question this article attempts to answer. On the agenda:
- The context has changed — and leadership training hasn’t kept up
- The specificity of cyber-AI crises
- The most common strategic mistake
- What this means concretely for leaders
- The 4 workstreams to consider (downloadable PDF)
The Context Has Changed
What Executive Programs Failed to Anticipate
Traditional leadership programs excel at teaching strategic analysis, change management, and negotiation. They prepare executives to steer organisational transformations, weigh documented options, and allocate resources on the basis of structured business cases. Even the VUCA framework — volatility, uncertainty, complexity, ambiguity — widely adopted over the past two decades, remains a conceptual map that names the problem without always equipping people to navigate it.
Some institutions have begun to correct course. Harvard Kennedy School’s Leadership Decision Making program explicitly integrates uncertainty management and cognitive biases.
Complex adaptive leadership approaches acknowledge that different mental models are required — ones that go beyond those inherited from stable hierarchical organizations. But these evolutions remain a minority. Most leaders reach their positions with a toolkit designed for an environment where information eventually stabilizes, where facts eventually emerge, where waiting a little longer means deciding a little better.
In the cyber-AI universe, that reflex becomes dangerous.
Three Dependencies Leaders Underestimate
Technological dependency
It is often perceived as the best-identified risk. That is an illusion. Leaders know they use Azure, AWS, or third-party AI models — but few have actually mapped what that exposes. Infrastructure hosted in a foreign cloud provider, a software ecosystem whose supply chain has never been audited: these are concrete, documented risks, and yet they are systematically delegated below executive level. Not out of ignorance — but because facing them honestly forces uncomfortable trade-offs.
The question isn’t “how do we control everything?” — it’s “what happens if this dependency disappears tomorrow morning?”
Informational dependency
It is more insidious. Information has never been more abundant — or more uncertain. Leaders must now decide in an environment where verified facts, incomplete data, active disinformation, and AI-generated or AI-amplified content all coexist. The speed of circulation shrinks verification time. Yet a fast decision taken on false information almost always costs more than a slower decision taken on solid ground.
Human dependency
Finally, it is often the most underestimated. The departure of a key expert, the failure of a strategic partner, the loss of a critical skill within a team: these events can produce more impact than a major technical outage. Resilience isn’t built solely in systems. It is built in relationships, competencies, and the collective capacity to improvise when plans fail.
The Specificity of Cyber-AI Crises: Structural and Chronic Uncertainty
What defines cyber-AI crises is not so much their severity as their fundamentally unstable nature. While AI delivers real competitive advantage, it is also the vector of a particular danger: the manipulation of reality through deepfakes, AI model poisoning, or adversarial machine learning.
Another specificity that AI brings to crises is the compression of time. Before, a crisis unfolded over hours, sometimes days. The time to detect, assess, decide, and communicate existed — imperfect, but real. AI eliminates that margin. A disinformation campaign can be generated, personalised, and distributed at scale in minutes. A convincing deepfake is produced in real time. Automated attack systems don’t wait for management meetings. The human decision cycle — already under pressure — is structurally behind the attack cycle. This isn’t a question of managerial slowness: it’s a tempo asymmetry that AI has made permanent.
Manipulation, an old tactic, now amplified a thousandfold by AI
The manipulator today is anonymous, hidden behind a screen somewhere unknown. They know you well: individuals and organisations alike publish a great deal about themselves in public. Facing this asymmetry of forces, the risk of becoming a puppet in their hands is real.
The effect spreads like a lit powder trail and the organisation unravels, with the shadow of paranoia in the background. Three dimensions shift simultaneously:
Attribution becomes uncertain
Who is attacking? A criminal group? A state actor disguised as opportunistic hackers? A copycat exploiting a vulnerability exposed elsewhere? Obfuscation techniques evolve faster than investigative capabilities. Europol and the FBI (IC3 Report) document this reality: the explosion of vishing and CEO fraud schemes shows that even the origin of an order can be called into question.
The timeline becomes blurred.
Is the attack over or merely suspended? Have all backdoors been identified? Is the adversary still present in the systems, watching, before a next phase? In some cases, months separate intrusion from detection. Real time becomes a fiction.
Evidence becomes unstable.
Voices, videos, emails can be synthetic. A call from the CEO may be a deepfake. A signed document may be AI-generated. This fragility of proof is no longer science fiction: it is documented as a major systemic risk by the World Economic Forum in its Global Risks Report.
And sometimes the political dimension is added: hackers are protected by a foreign power, with the aim of destabilising an industry or a country.
Take LockBit, for example: a pair of hackers (one Russian, the other Israeli) passed on their hacking ‘system’ to other small-time operators, forming a very active gang of hackers who were told they would never get caught, until the day the founders were infiltrated and unmasked, though they could not be arrested.
The Strategic Mistake: Waiting for Stabilisation
But stabilisation of what?
Geopolitical tensions are growing, accentuating risks daily and making technological sovereignty increasingly critical for European economies. A long-term bet.
AI has not yet reached maturity. Its effects on the socio-economic world are still difficult to measure and predict. Models evolve constantly, their behaviors are not always predictable, their biases not always identified, their vulnerabilities not always known to those deploying them. Organisations are integrating tools whose limits they don’t yet fully understand, under competitive pressure, often without established governance frameworks. Here again, it will take time to have a reliable and precise picture.
The regulatory framework — NIS2, AI Act, DORA — evolves alongside technological development, with new obligations and divergent interpretations between member states. Organisations are legislating on uses they haven’t yet stabilised.
The threat landscape itself evolves at breakneck speed — attack tactics evolve faster than defenses. What was best practice 18 months ago may be obsolete today.
The internal balance of organisations — AI adoption at two speeds depending on teams, resistance, uneven competencies: the organisation’s social fabric doesn’t absorb transformations at the same pace as the tools being deployed.
Stakeholder trust, finally, is weakening under the pressure of all these factors — clients, partners, investors constantly reassess their exposure. A solid reputation yesterday no longer automatically protects today.
In this complex environment of fluctuating instability, waiting for favorable conditions to decide is simply suicidal.
Because while waiting, at least three mechanisms kick in.
Decision paralysis sets in.
Committees multiply, analyses accumulate, but no clear direction emerges. The organization waits for a signal from leadership. Leadership waits for certainty from experts. Experts wait for stable data. Nobody moves.
Organisational silence spreads.
Without guidance, everyone interprets the situation in their own way — usually along the most anxiety-inducing lines. In the absence of official communication, internal rumour becomes the structuring narrative.
Belated decisions eventually land in degraded conditions.
The impact has worsened, internal and external trust has eroded, options have narrowed. The cost of inaction now exceeds the cost of imperfect action.
The paradox is brutal: it is not uncertainty that produces the crisis — it is the inability to act within it.
Herbert Simon formalised this as early as the 1950s: human rationality is always bounded. We never decide with complete information. But in cyber-AI crises, that limit becomes more visible and brutal. Waiting for stable facts is no longer prudence — it is abdication.
Redefining Resilience
Resilience is commonly associated with the ability to withstand shocks. That definition is incomplete — and sometimes dangerous, because it directs attention toward prevention rather than toward the capacity to act.
A resilient organisation retains its capacity to decide, act, and communicate even when conditions have deteriorated — even when information is incomplete, even when technologies are unavailable, even when dependencies suddenly become visible because they have stopped working.
Resilience is, above all, a decision-making capability. And that capability is not improvised at the moment of crisis.
What This Means Concretely for Leaders
The real question is one of “how” — how to integrate these tools and actors with clarity, both internally and in relationships with clients and suppliers, without inadvertently transferring decision-making power to systems or third parties you don’t fully understand.
Before even discussing method, four questions help situate where your organization stands.
- Have you mapped your critical dependencies — technological, informational, human?
- Do you know which ones are substitutable, and within what timeframe?
- Can your organisation decide and communicate if one of them disappears or is compromised?
- What signals, within your organisation, would allow you to detect that a critical dependency is turning against you — before the damage becomes visible?
These questions are not crisis management. They belong to ordinary governance — and they deserve to be asked before a crisis forces them.
As interdependencies multiply, absolute mastery becomes structurally impossible. The capacity to decide despite uncertainty then becomes a strategic advantage. Perhaps the hardest to build — and the only one that cannot be outsourced.
Ready for the transformation?
Four workstreams await you to build solid resistance to a cyber-AI crisis.
Crisis communication, informational attack surface, organisational vulnerabilities, leadership posture.