Cyberthreats keep evolving, so contractors must stay vigilant.
Key takeaways
Agentic AI can boost efficiency but raises major security and privacy risks.
Human oversight is critical before AI can access networks or sensitive data.
According to Charles Barley Jr., a principal at RSM US LLP, government contractors can never rest when it comes to their cybersecurity offensive and defensive measures.
“Adversaries and threat actors are constantly looking at ways to expose any weakness and leverage it to gain access to the information that you hold dear,” Barley says.
AI and data risk
When looking at cybersecurity trends, Barley identifies agentic AI as a key area of focus.
“We should never allow an agent to make decisions or analyze data without assessing the privacy and security risk of allowing technology to traverse your network and your data sets without human intervention,” he says.
Barley believes artificial intelligence offers greater efficiencies and value, but notes that organizations must account for significant risks from security, privacy and contractual perspectives. Government contractors must evaluate multiple factors when considering these technologies, he says, including the determination of where the data goes once it is accessed and whether the information remains in the U.S. or is exported.
We should never allow an agent to make decisions or analyze data without assessing the privacy and security risk of allowing technology to traverse your network and your data sets without human intervention.
Charles Barley Jr., Principal, RSM US LLP
Third-party dependencies
Barley advises organizations to recognize when to seek out an experienced external service provider. He says that many tasks may be better handled by specialists who have more advanced tools and greater experience.
“Every organization should understand their limitations,” he says. “Leaders need to acknowledge when the risk is too much to tackle internally and when to seek specialized help.”
However, Barley cautions that as organizations outsource functions, they introduce additional layers of dependency. He offers the example of a vendor responsible for monitoring security systems that itself relies on other providers.
“The moment you have a third party in your organization, you have to ask how far down do fourth- and fifth-party activities go before you lose visibility into who is truly your external service partner,” he says.
Barley believes that for government contractors to have insight across multiple layers of providers, an effective supply chain risk management program is essential. He says organizations must understand the full chain of external involvement, particularly as it relates to security responsibilities.
The takeaway
The government contracting landscape comes with defined expectations, particularly around cybersecurity and operational readiness. Contractors must take these requirements seriously and remain ever vigilant.
“Contractors face a range of risks,” Barley says. “And technology changes the moment you get used to a particular widget. For any high-tech tool, the new version comes out tomorrow.”
For deeper insights on this topic, read the RSM US Middle Market Business Index Special Report: Cybersecurity 2026.
RSM contributors
-
Charles Barley, Jr.Principal
Cybersecurity special report
Our annual insights into cybersecurity trends, strategies and concerns shape the marketplace for midsize businesses in an increasingly complex risk environment.
