Agentic AI
,
AI-Based Attacks
,
Artificial Intelligence & Machine Learning
Attorney Jonathan Armstrong on AI, Vendor Consolidation and Personal Liability
As organizations outsource more crown jewels to third-party vendors and silently roll out artificial intelligence, the old playbook of contracts and one-time due diligence is dangerously out of date, said Jonathan Armstrong, partner at Punter Southall Law.
See Also: Know Thy Enemy: Threats to Cyber Resilience
Legacy risk frameworks remain anchored in an analog “one and done” mindset, built for software that never changed, Armstrong said. Contracts pointing to a vendor with fewer than 10 employees offer little real protection when that vendor suffers a major breach.
“You can say you have to pay us $20 million, but they haven’t got $20 million,” he said. “A lot of firms, when they’re going through that type of transaction, spend less on product development, spend less on security,” he said, warning that vendor consolidation and AI IPO activity are creating fresh blind spots for organizations already struggling to keep pace with nation-state-backed attackers.
In this video interview with ISMG at Infosecurity Europe 2026, Armstrong also discussed:
- Why the proliferation of overlapping regulations is pulling security professionals away from frontline defenses;
- How rising personal liability for CISOs and board members is reshaping due diligence expectations;
- Why every board should have a member with genuine cybersecurity and AI expertise.
Armstrong is regarded as one of the foremost cybersecurity experts and is active in advising clients on GDPR compliance and AI risks and opportunities. He advises multinational companies on risk and compliance across Europe, with expertise in data breach response, investigations, data transfer issues and interactions with regulators.

