CIO CIO

Led by Kung-Hsiang Huang and published on arXiv, the CRMArena-Pro research challenges industry optimism around AI’s readiness for enterprise CRM. Using the CRMArena-Pro benchmark, which simulates realistic B2B and B2C scenarios built on Salesforce schemas, the study found agents performed reasonably well on structured workflows (83% success), but faltered on tasks requiring contextual reasoning or data protection. According to the study, this points to a broader issue. LLM agents still lack built-in awareness of confidentiality protocols. The findings echo rising enterprise caution. “The real risk lies in deploying open-source or lightly governed models without safeguards,” warned Manish Ranjan, research director at IDC EMEA. “Businesses should focus less on general-purpose deployments and more on embedding LLMs within secure, policy-aware architectures.” Methodology reveals critical weaknesses in AI agent design The study used the CRMArena-Pro benchmark to simulate realistic enterprise environments with synthetic data modeled on Salesforce Service Cloud, Sales Cloud, and CPQ schemas. Researchers generated datasets containing 29,101 records for B2B scenarios and 54,569 for B2C contexts, incorporating 21 latent variables to replicate real-world business complexity. source

To maximize AI’s value, CIOs must embrace a persona-based strategy, tailoring intelligence to the specific workflows of different employee roles. source

Your CEO calls at 3 am. Every system is locked. Every user is blocked. Your Active Directory has been compromised. This nightmare plays out across enterprises daily. The backbone supporting more than 90% of organisations globally[1] has become the primary target of cybercriminals. Unfortunately, most executives treat Active Directory like office furniture: essential but invisible. An Australian law firm that fell victim to ransomware in 2023 allowed attackers to infiltrate the firm’s Active Directory, resulting in a cascade effect that exposed data from 65 government agencies and multiple ASX-listed companies. The firm spent $250,000 on immediate remediation and dedicated 5,000 staff hours to incident response. Familiarity breeds complacency Active Directory has just turned 25 and has been a stalwart performer in the enterprise technology stack. But that predictable and reliable performance has caused it to fade from sight for IT and security teams. In 2024, Microsoft said that its customers now face more than 600 million cybercriminal and nation-state attacks every day, ranging from ransomware to phishing to identity attacks[2]. “Active Directory has powered enterprise identity for over two decades, but that familiarity breeds risk,” explains Richard Kulkarni, Country Manager ANZ at Quest. “It’s the backbone of any organisation, and cyber criminals know it. In today’s landscape, overlooking Active Directory is like leaving the master key under the doormat.” The issue is so critical that the Australian Signals Directorate (ASD) developed detailed guidance with Five Eyes agencies to detect Active Directory compromises[3]. The message couldn’t be clearer: this foundational technology has become the battleground for cyber warfare. Costs that go beyond financial losses Every major Active Directory breach follows a similar progression: initial credential compromise, privilege escalation through Active Directory misconfigurations, lateral movement using compromised credentials, and ultimately, widespread system compromise. Attackers don’t need sophisticated zero-day exploits; they often succeed through basic security failures, such as missing multi-factor authentication and poor credential management. Forrester calculates Active Directory downtime costs organisations A$1.11 million per hour. Even for large Australian enterprises, a successful attack could mean weeks of complete paralysis. But the impact goes beyond costs. Australian hospitals, for example, have become prime targets, with one Melbourne hospital network forced to cancel elective surgeries and revert to paper processes for weeks after ransomware locked their systems. A Queensland healthcare provider experienced nearly two months of manual operations, with staff using whiteboards instead of digital patient management systems. An active approach to Active Directory security The good news is that there are tools in the market that can shave the weeks-long nightmare of Active Directory recovery to a minutes-long inconvenience. “The Forrester Total Economic Impact report calculated that Quest Recovery Manager for Active Directory delivered US$19.7 million in benefits following a ransomware attack,” Kulkarni notes. “That’s the difference between business continuity and business catastrophe.” Quest’s comprehensive approach addresses the three capabilities the ASD identifies as critical: real-time threat detection, deep visibility, and rapid recovery. Quest Security Guardian uses Azure AI and machine learning to establish behavioural baselines and detect anomalies like unusual spikes in account lockouts, failed sign-ins, or permission changes. It also clearly articulates key attack path risks before they’re exploited and offers the ability to prevent changes to critical AD assets, ultimately helping to reduce the risk of a cyber-attack. At the same time, it integrates seamlessly with Microsoft Security Copilot to provide AI-driven insights that help security teams respond faster. But detection is only half the battle, and experienced security teams know that it is not whether a breach will occur, it is when. Being able to get the organisation back up and running quickly is equally important to preventative measures. Quest Recovery Manager for Active Directory automates the entire forest recovery process, including the 40+ steps outlined in Microsoft’s best practices. It offers multiple recovery methods, from phased recovery that restores critical domain controllers first to clean OS recovery that eliminates malware reinfection risks. The solution can even restore Active Directory to Microsoft Azure virtual machines, ensuring you have a trusted, clean environment for recovery. Quest’s Secure Storage feature provides air-gapped backup protection, regularly checking backup integrity and ensuring your recovery point remains uncorrupted. This means even if ransomware destroys your domain controllers, primary storage and online backups, you still have clean air-gapped backups ready for rapid restoration. The boardroom imperative For C-suite leaders, Active Directory security directly impacts three boardroom priorities: operational continuity, regulatory compliance, and reputation protection. Recent Australian breaches demonstrate how quickly public trust evaporates when core systems fail. Weeks of downtime mean lost revenue, regulatory penalties reaching $50 million or more, customer defection, and lasting reputation damage. With the right systems in place to recover from a breach, recovery can be reduced to minutes. That’s a bad morning for staff and a brief inconvenience for customers, quickly forgotten. Your Active Directory deserves the same security attention as your newest technologies, because in attackers’ hands, it remains your most dangerous vulnerability. Discover how Quest solutions can protect your Active Directory and reduce recovery time from weeks to minutes here. [1] Frost & Sullivan, Active Directory Holds the Keys to Your Kingdom, but is it Secure?, Mar 2020[2] Microsoft, Microsoft Digital Defense Report 2024, Oct 2024[3] Australian Signals Directorate, Detecting and Mitigating Active Directory Compromises, Jan 2025 source

] Lucas: At the same time, a lot of these corporations, uh, the cio, CTOs, CEOs, whom we talk with are multinational. And so they have to deal with things like the eus AI regulation. Yep. Um, g uh, um, um, um, I’m sorry. Just went out on my head. Um. Uh, GD Oh, GDPR, right. And then, uh, I was talking about the state regulations, the California Consumer Privacy Act, which is, I, I don’t think the President Trump is, is going to be, uh, successful in, uh, putting a ban on state regulations. [ source

Quebec anti-corruption squad has raided the organization that commissioned the over-budget ERP overhaul as investigation into the project continues. source

The Sovereign Public Cloud will be offered to all European customers in all of Microsoft’s existing European data center regions. The package includes enterprise services such as Microsoft Azure, Microsoft 365, Microsoft Security, and the Power Platform. In the Sovereign Public Cloud, customer data will remain in Europe and subject to European law, the software giant promises. Operation of and access to the cloud will be solely in the hands of personnel residing in Europe. Furthermore, the Data Guardian feature ensures that only Microsoft employees residing in Europe control remote access to these systems. Customers also have full control over the encryption of their data in the Microsoft Cloud. With the Sovereign Private Cloud, Microsoft is going a step further. Customers can run critical collaboration and communications workloads on Azure Local. This combines solutions such as Microsoft 365 Local and Microsoft’s productivity server software into an environment that can run entirely in the customer’s own data center. Microsoft is also focusing on partnerships. The US provider plans to cooperate with national partner clouds such as Bleu in France and the Delos Cloud in Germany. There, customers will be able to access features from Microsoft 365 and Microsoft Azure in a standalone and independently operated environment. For external key management, Microsoft is working with Aachen-based company Utimaco, among others. The joint solution includes Azure Managed HSM (Hardware Security Module) encryption. According to Microsoft, this allows customers to store their data in the cloud encrypted and generate, manage, and securely store the required keys yourself or through local partners. With the help of an external key manager, such as the Utimaco Enterprise Secure Key Manager (ESKM), European Microsoft customers can also generate keys according to the highest FIPS standards, the company promises. These are secured by an integrated hardware security module that can be obtained as an on-premises appliance or as-a-service. Microsoft must comply with Trump’s decree Just a few weeks ago, Microsoft came under fire after the US company allegedly blocked the email account of Karim Khan, chief prosecutor at the International Criminal Court. The reason for this was an executive order sanctions decree by US President Donald Trump, who threatened penalties for anyone who supported Khan financially, materially, or technically. (Microsoft President Brad Smith has since denied that Microsoft cancelled Khan’s account, though a Microsoft representative did admit the account was disconnected.) source

When I asked why that is, Ryan opined that primarily it is because these new PCs come with a premium price point, and budgets are tight.  Perhaps more importantly, many IT leaders say the lack of clear, cost-justifying AI solutions are creating a ‘hurry up and wait’ scenario for widespread adoption of AI PCs.  Ryan said that he doesn’t believe that IT buyers need to be fully committed to AI PCs at this stage. There are many more pressing priorities, and realistically, the use cases aren’t fully developed yet, though they are emerging. In his view it is better to wait until those use cases are more defined, as the solutions and focus will likely integrate with the existing software you’re already using, enhanced by AI implementations. (See also: How to win at AI: think like a systems designer, not a tech shopper.) On-device AI: security and efficiency at the edge Ryan and I discussed using AI to drive efficiency within organizations, and the way this is going to have a major impact on the workplace of the future. I asked him what can organizations and employees look forward to? What will be the impact on end user devices, phones, and laptops?  source

AI writer AI writers are tasked with creating written content using gen AI and then reviewing, editing, and reworking that content to quickly produce blog posts, articles, and social media updates, all faster than the average human. The role requires a strong understanding of SEO, prompt engineering, NLP, content management, data analysis, and knowledge of popular AI tools. You’ll also need a strong understanding and knowledge of copyright laws and ethical considerations around AI writing, which are still up for debate and evolving. According to the survey, 14% of respondents say they’ve already hired AI writers to support gen AI, while 44% say they have plans to hire for the role. AI artist Similar to AI writer, AI artists use AI to create artwork for companies including logos, branding, stock images, and other creative content for products, services, and marketing campaigns. It’s a role that requires creative experience combined with the technical knowledge of NLP, ML, AI, and prompt engineering. You’ll need to ensure the right images are created and then also have an eye and skill to edit and improve the AI outputs to ensure they accurately represent the brand. Much like AI writing, AI art is another contentious topic that draws criticism regarding the automation of art. Nevertheless, AI artist is an increasingly popular role as businesses embrace this implementation of AI to expedite advertising campaigns, streamline posting online content, and speed up delivery times for creative work. According to the survey, 10% of respondents say they’ve already hired AI artists to support gen AI, while 41% say they have plans to hire for the role. Natural Language Processing engineer NLP engineer is a vital role for embracing AI in any organization. AI relies heavily on NLP to improve communication and create chatbots and other AI services that need to communicate effectively with users, no matter the query. This role is responsible for training NLP systems, developing models, running experiments, identifying proper tools and algorithms, and performing regular maintenance and analysis of the models. Candidates typically have experience in big data, coding, model selection and customization, language modeling, language translation, and text summarization using NLP tools. NLP plays a big role in technologies such as text-to-speech (TTS) and speech-to-text (STT), chatbots and virtual assistants, and other AI tools designed to interact in real-time with users. According to the survey, 17% of respondents say they’ve already hired NLP engineers to support gen AI, while 18% say they have plans to hire for the role. source

“The first problem is your business operation gets defined by how the application runs, and that should never be the case,” Vijayaragavan says. “You should define what your business operations are, and software as a solution for it, not a cause for it.” More apps means more problems IT leaders surveyed acknowledged several problems caused by SaaS sprawl. The top issues included workflow delays, difficulty scaling, increased manual entry, and data duplication. “In most organizations, you got these disconnected systems, and you’re trying to put some Band-Aid, bubble gum, barbed wire around it to actually run your business operations,” Vijayaragavan says. “People are finding it to be inefficient, because now you have to integrate one system to the other.” source

Chris: In this demo, I’m a researcher studying diabetics and pre-diabetic individuals. I’ve created a dashboard in Databricks—but this could just as easily be in Tableau, Power BI, or connected to Snowflake, Redshift, etc. You’ll see I’ve created a dashboard with charts and patient data. As the lead researcher, I want to share it with colleagues. But when one of them tries to access the same dashboard, nothing appears. The error message says they’re missing access to the underlying tables. That’s where the Immuta Data Marketplace comes in. Within the marketplace, users can see available data products—what they’ve been approved for, denied from, or had revoked. This is a demo system, so there’s not a lot of data, but you can search by keyword and even find matches in descriptions. I’m looking for diabetes data. I see a description, the subject matter expert, and the datasets included. There’s also a Data Use Agreement—in this case, a simple one requiring compliance with HIPAA standards. Now the user can request access. They can request it for themselves or on behalf of someone else, add a reason (like “doing medical research”), and specify the tables needed. Some requests might be denied due to immutable policy restrictions. They can review the data use agreement again before submitting the request. Once submitted, the request is marked as pending, and the data product owner is notified. source