The Atoms-Meets-Algorithms Crisis: Why AI Infrastructure Can Be a Big Blind Spot

Co-authored by R “Ray” Wang, Vala Afshar, and Dr. David Bray

Executive Summary: Two days before DisrupTV Episode 437 aired, a United Airlines aircraft collided with a drone at 4,000 feet over San Diego. In parallel, a major film studio is experiencing disruptions such that it increasingly cannot film without unauthorized drones appearing overhead. Meanwhile, AI is surfacing cybersecurity vulnerabilities faster than organizations can fix them. These aren’t separate problems. They’re converging threats that expose a fundamental truth: your AI strategy is only as resilient as the physical infrastructure powering it and the security posture protecting it. Boards and CEOs face a dual crisis, and most aren’t prepared for either.

Editor’s Note: This article represents the second OODA Loop collaboration among R “Ray” Wang, CEO of Constellation Research; Vala Afshar, Chief Digital Evangelist at Salesforce; and Dr. David Bray, Chair of the Accelerator and Distinguished Fellow at the Stimson Center.

The Physical Reality of AI Risk

AI feels abstract. It runs on physical infrastructure: data centers consuming 48 megawatts next to Costco parking lots, transformers vulnerable to supply chain disruption, diesel generators limited to 10-hour runtime before regulatory shutdown. Northern Virginia, the global epicenter of data center construction, features facilities built adjacent to busy roads and suburban neighborhoods. The assumption? All people are good. The reality? Technology now enables bad actors at scale.

Bob Gourley, who previously served as CTO of the Defense Intelligence Agency and is co-founder of OODA LLC, put it bluntly during the episode: “Every data center you see seems approachable by drones.” The convergence of physical and cyber threats is no longer theoretical. Communication jamming, infrastructure disruption, and hybrid attacks are operational realities. When a commercially available drone can carry a suitcase-sized jammer capable of disabling Wi-Fi and cellular communications, the question isn’t if an attack will happen. It’s when.

Dr. David Bray, Distinguished Fellow at the Stimson Center, who previously served as both a Senior National Intelligence Executive and CIO of the FCC, highlighted a critical gap: “Most U.S. commercial drones have not been tested against foreign jammers and foreign radars.” The Commander of Special Operations recently called for exactly this testing. But this also raises an organizational question: if you suddenly lose all communications because of a jammer, is that a physical security responsibility or a cybersecurity responsibility? Most enterprises don’t have an answer.

The Visibility Paradox: AI Exposes What You’ve Been Ignoring

While physical threats mount, AI is simultaneously creating a cybersecurity reckoning. Gourley delivered a stark warning: “We are in for a period of extremely hard times for cybersecurity professionals as they have to mitigate a rapid influx of patches and vulnerability fixes from their IT vendors.” This is the direct result of AI-driven tools like Anthropic’s Project Glasswing and OpenAI’s cybersecurity attack simulations.

These tools are discovering vulnerabilities that have existed for years, hidden in complexity and technical debt. The good news? Organizations finally have visibility into systemic weaknesses. The bad news? They’re discovering more problems than they can immediately solve. This creates a surge in discovered vulnerabilities, increased pressure on security teams, and short-term degradation in metrics boards have relied on for years.

Dr. Bray has been serving on and advising corporate boards to prepare for this reality: “Be ready for your cybersecurity KPIs to get worse in the short term. But that’s not because your team isn’t performing well. It’s because you’re finding things using AI.” The challenge is that the moment you spot a vulnerability, there’s pressure to immediately patch it. But you’ve got to test it. Does that patch break other things in the enterprise? Because you might apply that patch, but then all of a sudden you’ve taken your e-commerce pipeline offline.

This is where the combination of human expertise and AI-driven analysis becomes critical. Organizations need the ability to rapidly assess which patches can be deployed immediately because they’re high priority and won’t break critical systems. They also need the ability to write rapid workarounds when a patch will cause disruption. Because here’s the reality: bad actors will discover these vulnerabilities too. And bad actors don’t care if they break something.

The Cross-Jurisdictional Nightmare

Here’s the problem boards need to understand: there’s no single person to put in charge of fixing either the physical or cyber dimensions of this crisis. Data center defense requires coordination across state and local law enforcement, the Department of Defense, the FAA, and multiple cabinet departments. It requires working with innovators who can build defensive solutions that don’t fire bullets into populated areas.

Gourley noted that hyperscalers have had Cassandras warning about these risks for years: “There was always a Cassandra saying, this is coming, we’ve got to get ready for it. Too frequently, the Cassandras are not listened to until something happens like your data center in the Middle East gets bombed by Iran. Then it’s like, oh, wasn’t this guy warning us about this for the last seven years?”

Dr. Bray calls them “responsible heretics”: the people you have to listen to, or things will happen. He emphasized: “Right now, a lot of organizations, if someone comes to you with a cybersecurity risk and you don’t have money to fix it, it just gets shut down. We don’t reward people for identifying issues. Boards should be creating a culture in which people can identify challenges, ask them to bring solutions, and you will actually give attention to that.”

The Energy-Security Nexus

Grid instability and energy constraints introduce a board-level question that didn’t exist five years ago: What happens when your infrastructure can’t be powered or protected? Some states now require companies to commit to building data centers before breaking ground or pay exit fees if they abandon projects within three to five years. Why? Because data centers represent massive energy resource commitments that impact the cost of energy for entire states.

Texas leads the nation in renewable energy production, not California. This isn’t ideological. It’s strategic. Texas is incentivized to maintain energy dominance whether carbon or non-carbon. Meanwhile, some states have permitted private companies to operate their own private energy sources off-grid to power data centers. This creates geopolitical dependencies and nation-state risk embedded directly into enterprise AI operations.

Vala Afshar raised a critical question during the episode: Will AI and cybersecurity challenges drive adoption of public cloud? The answer from both Gourley and Bray was unequivocal: yes.

Bray shared a revealing anecdote from his time at the FCC: “They had two advanced persistent threats from foreign nation-states still present in their IT systems when I inherited them. That’s why we went to cloud. It saved money, but it was also that the amount the FCC could spend on cybersecurity versus these large hyperscalers, the hyperscalers are going to spend more.”

Hyperscalers have red teams and blue teams numbering in the thousands. They have resources to protect availability that individual enterprises simply cannot match. For companies that have not made progress on their cloud journey, the combination of physical infrastructure risk and the cybersecurity messy middle may be the catalyst that finally accelerates migration.

The Decentralization Pendulum

Dr. Bray offered a historical perspective that should inform strategic planning: “The Apple computer was in an era in which there were mainframes. Mainframes were like cloud back in the day. And all of a sudden, Apple said, look, you can do what you did on a mainframe on your own personal computer. So this is a story as old as time. We get centralized, we get decentralized, we get centralized, and now we’re going to get decentralized again.”

Apple’s shift to becoming a hardware company signals a future where organizations can choose to run AI and cloud services locally while syncing back to centralized systems when needed. This hybrid model provides resilience when communications are disrupted while maintaining the security benefits of centralized management. As Bray noted, “You’re getting the best of both worlds, which is the cloud is responsible for keeping it up to date security-wise. But if you need to go offline or for whatever reason you are going offline because comms have been disrupted or you’re in a war zone, you can.”

Ray Wang introduced another critical capability: digital twins. Platforms like NVIDIA’s Omniverse enable organizations to create digital replicas of their business and test resiliency against vulnerabilities in a sandbox environment. This provides the ability to scenario plan and understand threat vectors before deploying patches or architectural changes in production.

Digital twins also enable organizations to model the transition from on-premises infrastructure to cloud. “Here’s my digital twin of me currently, which includes X number of on-prem things. Now here’s the next version. If I move this to the cloud, what does that look like?” This capability transforms risk management from reactive to proactive.

Strategic Recommendations for Boards

Corporate AI infrastructure is now critical national infrastructure. A coordinated attack combining physical disruption and cyber exploitation could simultaneously cripple economic competitiveness and national security. The hyperscalers have Cassandras who warned about these risks for years. The question is whether boards listened before the collision happened.

Given these converging risks, corporate boards should at a minimum:

  1. Require infrastructure resilience assessments as part of AI strategy reviews. Your AI capabilities are only as resilient as the infrastructure powering them and the security posture protecting them.
  2. Recruit responsible heretics. They’re the people who warn you seven years before your data center gets bombed or your systems get compromised. Listen to them before the nightmare happens. Create a culture where people can identify challenges and bring solutions without fear of punishment.
  3. Prepare for the messy middle. Explain to boards why security metrics may temporarily worsen. Frame this as increased visibility, not decreased performance. Invest in AI-augmented security teams, not AI replacement of security teams.
  4. Accelerate cloud migration strategically. Hyperscalers have resources to protect availability that individual enterprises cannot match. But also build edge computing capabilities for offline resilience.
  5. Rethink energy strategy. If your data center relies on grid power alone, you have a single point of failure. Evaluate private energy sources, battery backup beyond five seconds, and diesel generator runtime limits in your jurisdiction.

The organizations that survive the next decade won’t be those with the most AI capability. They’ll be the ones with the most resilient infrastructure and the fastest response to emerging threats. Because in the end, AI doesn’t just scale systems. It exposes them. And atoms matter just as much as algorithms.

Consequently, the path through the “messy middle” we’re experiencing in 2026, and for at least the next eight to ten quarters, requires corporate leadership that understands both atoms and algorithms.

About the Author

David Bray

Dr. David A. Bray is a Distinguished Fellow and Chair of the Accelerator with the Alfred Lee Loomis Innovation Council at the non-partisan Henry L. Stimson Center. He is also a CEO and transformation leader for different “under the radar” tech and data ventures seeking to get started in novel situations. He is Principal at LeadDoAdapt Ventures, Inc. and has served in a variety of leadership roles in turbulent environments. He previously served as a non-partisan Senior National Intelligence Service Executive, as Chief Information Officer of the Federal Communications Commission, and as IT Chief for the Bioterrorism Preparedness and Response Program. Business Insider named him one of the top “24 Americans Changing the World” and he has received both the Joint Civilian Service Commendation Award and the National Intelligence Exceptional Achievement Medal. David accepted a leadership role in December 2019 to direct the successful bipartisan Commission on the Geopolitical Impacts of New Technologies and Data that included Senator Mark Warner, Senator Rob Portman, Rep. Suzan DelBene, and Rep. Michael McCaul. From 2017 to the start of 2020, David also served as Executive Director for the People-Centered Internet coalition chaired by Internet co-originator Vint Cerf. He was named a Young Global Leader by the World Economic Forum. For twelve different startups, he has served in President, CEO, Chief Strategy Officer, and Strategic Advisor roles. The U.S. Congress invited him to serve as an expert witness on AI in September 2025.