Stripe launched its Agentic Commerce Suite this spring. The infrastructure is no joke. Shared Payment Tokens let an AI agent initiate payments using a customer’s preferred method without exposing the underlying card number — scoped to a specific merchant, time-limited, revocable, monitored via webhook. Link’s wallet for agents gives AI systems programmatic wallet access. Issuing for agents supplies one-time virtual cards for custom financial workflows. Etsy and URBN are early adopters. Google, OpenAI, Microsoft, and Meta are all in. Mastercard, Visa, Affirm, and Klarna are integrating. McKinsey projects the US retail opportunity at one trillion dollars by 2030.

The credential layer is thoughtfully designed. Architecturally similar to Apple and Google Pay but operating at a different authorization scale. Scoped tokens instead of raw card numbers is a logical “safe” transaction. Revocation at any time is a meaningful control. One-time-use cards for single transactions beat persistent credentials by a significant margin. If agentic commerce was coming regardless — and it was — this is roughly what responsible infrastructure looks like at the payment primitive level.

The problem lives above the credential layer.

In December 2025, OpenAI published its security assessment for ChatGPT Atlas, the browser agent it launched the same month. The key finding: prompt injection for AI browser agents “is unlikely to ever be fully ‘solved.’” The framing was measured as an ongoing engineering challenge, not a full stop. The timing was harder to square as the assessment and the product launch arrived together.

The attack surface is the agent’s input stream. Not the token. Not the OAuth handshake. The content the agent reads while doing its job.

Palo Alto Networks’ Unit 42 documented live prompt injection attacks targeting Stripe and PayPal payment rails in 2025 — malicious scripts embedded in legitimate-looking web content, recovered from compromised sites. Neither attack required compromising credentials. Neither triggered token revocation. A legitimately credentialed agent, reading legitimate content, completed transactions the user never authorized. The payment infrastructure functioned exactly as designed.

Shared Payment Tokens have nothing to say about this attack class. The token is scoped and revocable. The agent holding it is readable. Using credentials the user deliberately granted and within the agent’s existing authorized scope, an adversary who can control what the agent reads can direct where the agent spends. The theft occurs before the payment, not during it.

OWASP (Open Worldwide Application Security Project, the nonprofit that sets the industry’s standard vulnerability frameworks) places prompt injection at position one across assessed production deployments in its 2026 Top 10 for Agentic AI.

Below the input stream problem sits the session problem, which the payments industry has diagnosed more accurately although it remains unresolved.

CVE-2025-34291 was a critical account takeover vulnerability in Langflow, a widely used open-source AI agent platform. Complete account takeover and remote code execution, triggered by visiting a malicious webpage. No credentials required. CVE-2025-12420, BodySnatcher, was found in ServiceNow’s Virtual Agent: any unauthenticated attacker with a user’s email address could impersonate that user in an agentic session. Both vulnerabilities were in live, deployed platforms handling real user data — production systems, in engineering terms. Both appeared in 2025. Both have CVE numbers, which means they represent the subset of vulnerabilities somebody bothered to formally document.

An agent’s delegated token carries permission breadth by design. The breadth allows the agent to act across systems on the user’s behalf. An agent authorized to plan and book a business trip, for instance, might simultaneously hold credentials to your calendar, your corporate travel portal, your expense platform, and a payment card. When the compromised entity is an agent with payment credentials, the blast radius is financial and it scales directly with how much the developer trusted the agent to do. Companies are increasing that trust to make their products more useful. The attack surface grows with the capability.

Payment liability frameworks were built for humans. There are still retail vendors that ask a human to sign a receipt (a practice that remains foreign to me and always has). A transaction is authorized or unauthorized. The human either consented or did not. Loss is distributed accordingly through chargeback rules that have been refined over decades of card fraud.

When an agent consents — and was manipulated into consenting — the categories stop working cleanly.

The Consumer Bankers Association identified the failure mode in its January 2026 symposium white paper. A user instructs an agent to shop. The agent shops. The user receives a statement, doesn’t recognize the charge, and files a dispute. The transaction was within the agent’s authorization scope. The user genuinely did not intend it. Under existing rules, it is not clear whether the issuer, the merchant, the agent platform, or the user bears the loss. The card networks are working on agent identity verification frameworks — Visa’s Trusted Agent Framework, Mastercard’s Agent Tokens. These establish that a verified agent made the payment. They do not address who is liable when a verified agent was deceived.

Davis Wright Tremaine flagged the same gap in October 2025: how does a merchant prove proper authorization when the payer was an AI? The question remains unanswered. CFPB, OCC, and FinCEN have not issued guidance. The infrastructure launched before the rules were written.

Spending limits, offered by every agentic commerce platform as a primary user protection, are configuration options.

The attack: direct an agent toward $47.99 purchases across seventeen merchants, each transaction below the alert threshold, each individually unremarkable in isolation. Or subscription enrollment for twelve services at $9.99 per month, scope creep normalized as recurring billing across a billing cycle. Or sub-agent delegation chains where each agent in the tree carries its own limit and none individually triggers a review. A $500 daily cap stops an agent from spending $501 in a day. It does not stop an adversary who has read the cap and designed around it.

Hard budget controls manifested as pre-execution verification at the transaction level, atomic budget operations preventing race conditions, and task-level limits rather than session-level limits all exist as engineering concepts. OWASP describes them in detail. Most deployments are not running them. What most deployments are running is a number in a configuration file and a plan to improve it.

The autonomous weapons case took twenty years and all it takes is an hour of network news to see how resolved it is. The social media algorithm case — recommendation systems acquiring the ability to shape political discourse and radicalize users before any jurisdiction had a content liability framework — took a decade, a congressional hearing cycle, and a body of documented harm before governance attempts began to arrive.

Agentic payments has been in production for months.

The documented attack surfaces are real: in-the-wild payloads with CVE numbers, prompt injection acknowledged by the model provider as permanent exposure, liability categories that do not map to the fraud scenarios already occurring at payment processors. The $1 trillion McKinsey number is plausible. It assumes the governance gap closes, the liability framework gets written, and the security community’s warnings turn out to have been premature or addressable.

That assumption is doing considerable work.

Devin Carlson leads security operations in South Asia and holds a Masters of Strategic Intelligence. He has spent 17 years observing, analyzing, and responding to geopolitical events and tech advancement in high-threat environments across three continents.

The decree is probably apocryphal. For four hundred years, historians have repeated that Sultan Bayezid II forbade printing in Arabic script on penalty of death, in 1485. The date is wrong. The firman has never been found. The source is a single French traveler, André Thevet, writing a century after the fact, who had been to the Levant briefly and was not expert in its languages. We have built a story about the Ottoman monopoly on the word out of one sentence from 1584.

What is not apocryphal is the outcome. From Gutenberg’s press in Mainz until İbrahim Müteferrika opened the first Arabic-script press in Istanbul in 1727, the empire that stretched from the Danube to the Red Sea did not print in the language of its prayer books, its law, or its commerce. Two hundred and forty-two years. Europe printed. The Ottomans did not. In the space between those two choices, the history we now read as inevitable was made.

Historians do not trust their sources. They interrogate them. They ask who wrote this, and when, and for whom. They ask what the writer could not say, or would not say, or did not know. They look for the missing letter, the burned ledger, the census that never counted the ones who did not want to be counted. They weigh a traveler’s account against a local’s, and both against the silence of those who left no account at all. The work is slow and unglamorous and produces conclusions hedged with qualifiers. It is the only work that has ever produced anything worth calling history.

This is the habit of mind historiography teaches. The field has a more elegant name for it — source criticism — but the practice is simpler than the term. Assume every record is made. Ask by whom. Ask why. Ask what was omitted.

The habit was once confined to the past. The past was where the evidence was rationed, where the archives were thin, where the researcher had to do the careful work because there was no other way. The present ran on wire copy and cable traffic and the morning paper — sources treated with less suspicion because there was less time and less access to do otherwise. You trusted the Reuters lead because the alternative was to not know.

That condition no longer applies. The present is now as source-rich as the past used to be sparse. The ledgers are searchable. The ships transmit their positions. The aircraft announce themselves on public feeds. The ministerial calendars leak. The court filings translate in seconds into languages the filer never intended to publish in. And the traveler’s account — the Thevet, the suspect narrator — is now every actor who speaks on every platform about every event.

The question historians ask of the dead is now available to ask of the living.

GDELT — the Global Database of Events, Language, and Tone — updates every fifteen minutes, in a hundred languages, and has been doing so since 1979. A single year now runs two and a half terabytes. No intelligence service built this. A researcher named Kalev Leetaru did, and it runs on public feeds any citizen can query. That is one catalog. There are also the ship transponders, the flight tracks, the court dockets, the import ledgers, the satellite passes, and the telemetry of capital.

In 2018, the British government identified the two GRU officers who poisoned Sergei and Yulia Skripal in Salisbury. That attribution, delivered through an SIS apparatus built over a century, named faces and aliases. Within weeks, a small team of journalists working with flight records, passport leaks, and social media traces — Bellingcat’s Salisbury Poisoning investigation, joined by The Insider and Der Spiegel — named the men by their real names, their unit (29155), their military academy, and the vehicle they had used. The open-source reconstruction went further than the state’s.

By the winter of 2022, the same pattern ran at scale. For three months before Russian forces crossed into Ukraine, civilians in Belarus and southern Russia were filming convoys for TikTok. Commercial satellite imagery showed field hospitals being staged. A community of analysts — academics, veterans, hobbyists — read the signs and called the invasion in writing, by date range, before most Western governments made their own assessments public. The data was not classified — it was observed by the people living next to it and broadcast to the world through the phones in their hands.

This is the inflection. The distance between what is happening and who can see it has collapsed.

The question the press could not answer was what to do with what had been printed. Gutenberg gave Europe the Bible in German, the sermon in the vernacular, the pamphlet in the market square. He did not give it the reader. That arrived later, unevenly, through catechism and schoolhouse and argument — and it arrived incompletely. What Gutenberg could not do was teach anyone to read what they could now read.

The same gap opens now, wider.

A flight-tracking dataset is not an assessment. A satellite image is not a judgment. A leaked spreadsheet is not a conclusion. The work that turns any of these into a finding has a name — source grading, calibrated confidence, competing hypotheses, explicit assumptions — and it used to live inside buildings with doors and clearances and people paid to apply it. Those buildings still exist. They are no longer the only rooms where the work gets done.

The skills can be taught in an afternoon. Distinguish the source you trust from the source you find convenient. Assign a probability to a judgment and defend it when you are wrong. Argue the opposing case before reaching your own. Mark what would change the assessment. Name what you are assuming. These are the disciplines that separate intelligence from opinion, and they are the work the institutions used to do on behalf of everyone else.

Almost no one teaches them.

The bottleneck is no longer access. The bottleneck is the discipline to hold two hypotheses in mind before collapsing to one, to note the grade of the source next to the claim it supports, to mean the difference between probable and almost certain. Slow work. Unglamorous. Available to anyone who will do it.

That is what Gutenberg could not do.

Müteferrika’s press ran for seventeen years and then it closed. What we have now will not close. It is here and it keeps arriving and no one is in charge of reading it. That is the work.

The views expressed are the author’s personal views and do not represent the position of any employer or government.

References

Bellingcat. “Skripal Suspect Boshirov Identified as GRU Colonel Anatoliy Chepiga.” Bellingcat Investigations, 26 September 2018. https://www.bellingcat.com/news/uk-and-europe/2018/09/26/skripal-suspect-boshirov-identified-gru-colonel-anatoliy-chepiga/

Bellingcat, The Insider, and Der Spiegel. “Unit 29155: The GRU’s Elite Assassination Squad.” Joint investigation series, 2019–2020. https://www.bellingcat.com/tag/unit-29155/

GDELT Project. “The GDELT 2.0 Event Database: Data Format and Technical Documentation.” www.gdeltproject.org, accessed April 2026.

Higgins, Eliot. We Are Bellingcat: An Intelligence Agency for the People. London: Bloomsbury, 2021.

Institute for the Study of War. “Russia–Ukraine Warning Update” series, November 2021 – February 2022.

https://www.understandingwar.org/

Leetaru, Kalev, and Philip A. Schrodt. “GDELT: Global Data on Events, Location, and Tone, 1979–2012.” International Studies Association Annual Convention, San Francisco, 2013.

Lewis, Bernard. The Muslim Discovery of Europe. New York: W. W. Norton, 1982.

Pettegree, Andrew. Brand Luther: How an Unheralded Monk Turned His Small Town into a Center of Publishing, Made Himself the Most Famous Man in Europe — and Started the Protestant Reformation. New York: Penguin, 2015.

Sabev, Orlin. Waiting for Müteferrika: Glimpses of Ottoman Print Culture. Boston: Academic Studies Press, 2018.

Schwartz, Kathryn A. “Did Ottoman Sultans Ban Print?” Book History, vol. 20, 2017, pp. 1–39.

Thevet, André. La Cosmographie Universelle. Paris: Guillaume Chaudière, 1575. [Primary source of the Bayezid II decree claim; cited by later historians as the sole documentary basis for the alleged ban.]

On September 26, 1983, the Soviet Union’s Oko satellite system told Lieutenant Colonel Stanislav Petrov that the United States had launched five intercontinental ballistic missiles. His training said to report it up the chain immediately. Soviet doctrine would have triggered a retaliatory strike within minutes.

Petrov waited.

He knew a first strike would involve hundreds of missiles, not five. He knew ground radar showed nothing. He knew the system was new and untested in certain conditions. He weighed what the machine told him against what he knew about the world, and he judged the machine was wrong.

Sunlight reflecting off high-altitude clouds had confused the sensors. There were no missiles.

That decision — to override the system, to pause — is now treated as one of the most consequential acts of individual judgment in modern history. It was not protocol. It was a human algorithm: pattern recognition, institutional knowledge, and the willingness to trust his own assessment over the machine’s.

We are forty-three years past that moment, and building systems designed to remove it

The World Economic Forum’s 2026 Global Risks Report ranks “adverse outcomes of AI” 30th among risks over the next two years and 5th over the next ten — the largest upward shift of any risk surveyed. The global AI market is projected to grow to $3.5 trillion by 2033. The report’s risk network map shows AI connecting directly to misinformation, cyber insecurity, geoeconomic confrontation, inequality, societal polarization, and illicit economic activity — among the most interconnected nodes on the register.

The report’s most unsettling contribution is a scenario: an automated early-warning system misinterprets a missile test and triggers defensive responses from an adversary’s AI. Conflict initiated by technical error, not strategic intent. The WEF’s framing is precise — traditional deterrence assumes human deliberation. Algorithmic speed removes that assumption.

This is the Petrov problem inverted. In 1983, a human overrode a machine’s false alarm. The WEF is describing a future where the machine overrides the human — not through malice, but through speed. The system acts before anyone can evaluate whether acting is warranted.

Simulations of AI-assisted nuclear early-warning systems show they can generate a decisive alert before any human evaluation framework can respond. The mathematics removes deliberation. The window for judgment is being engineered shut.

The corporate version of this problem is quieter but structurally identical.

Eighty-six percent of companies expect AI to transform their business models by 2030. Roughly ten percent are using it in production today. That gap — between expectation and implementation — is where governance failures will concentrate. Organizations are making strategic commitments to a technology most of them have not yet operated at scale, and they are doing it with risk architectures designed for a slower world.

The deeper issue is organizational. AI risk touches cyber, geopolitical, operational, and personnel categories simultaneously. But most risk functions are built to brief one lane at a time. Your CISO briefs on cyber. Your political risk director briefs on geopolitical exposure. Your compliance team briefs on regulatory frameworks. Each of them is competent in their domain. None of them owns the intersection.

The WEF’s risk network illustrates this precisely. AI does not sit in a single risk category. It is a node connected to six of the most consequential risks on the register. A labor displacement event driven by AI adoption is simultaneously a personnel risk, an operational continuity risk, a reputational risk, and — depending on the jurisdiction — a regulatory risk. No single briefing deck captures it.

Boards are beginning to ask questions that expose this architecture. Deloitte’s 2024 Future of Cyber Survey found that 41 percent of boards were addressing cyber issues monthly — a cadence previously reserved for financial and strategic risks. “Half of organizations have established AI governance committees.” But committees do not solve the problem if they inherit the same siloed inputs. A cross-functional committee receiving single-function briefings is not synthesis. It is aggregation. The distinction matters.

The organizations that handle this will be the ones that connect risk functions before the crisis forces it. Someone has to own the synthesis — not the cyber piece, not the geopolitical piece, not the compliance piece, but the picture that emerges only when you lay them on top of each other. It is a leadership problem.

Petrov’s story is usually told as a parable about heroism — one man who saved the world. That framing, while true, misses the structural lesson. The Soviet system worked that night not because of the protocol but because of the deviation from it. The system’s reliability depended on a human being willing to distrust it.

Every early-warning system, every automated risk platform, every AI-driven monitoring tool carries the same dependency. The value of automation is speed. The vulnerability of automation is also speed — the capacity to act faster than anyone can evaluate whether the action is correct.

The WEF report describes this as a governance challenge. It is. But governance is an abstraction until someone in a specific role, in a specific organization, has the authority and the judgment to say: wait. The data says one thing. I am not certain it is right. Let me check.

That is the load-bearing structure of every reliable system ever built. And it is the first thing that gets optimized away when speed becomes the metric.

Every organization adopting AI at scale will face a version of Petrov’s moment — not a nuclear launch, but a decision moving faster than anyone can evaluate. The ones that survive it will be the ones that built something into their operating systems, not their policy documents, that preserves that decision window.

The machines will get faster. That part is settled. Whether anyone retains the authority to pause is not.

References

Unal, B. et al., “Uncertainty and Complexity in Nuclear Decision-Making,” Chatham House Research Paper, March 2022, Chapter 5: Nuclear Decision-Making Case Studies.

World Economic Forum, Global Risks Report 2026, Section 2.7: “AI at Large,” pages 60–66. Figures 51–54.

Brookings Institution and Tsinghua University Center for International Security and Strategy, “How Unchecked AI Could Trigger a Nuclear War,” Brookings, 2024.

Deloitte, The Global Future of Cyber Survey (2024).

IANS Research, “The CISO’s Expanding AI Mandate: Leading Governance in 2026,” February 2026.

You stress about the groceries, but not about the threat stream. You find an element of serenity amidst the worst of times. As a father of young boys I have learned that panic sets in quick when things go wrong; overseas, I aim to be one of the calm ones. The success rate varies. The path isn’t always clear. In fact it rarely is. But two decades in places where the threat picture changes faster than the guidance teaches you something: you stop reaching for certainty the way a drowning man reaches for a rope. Instead you learn to swim.

I think about this now because the wider world has begun to feel the way my operating environment has felt for years. The fog has moved downstream. It has reached the boardrooms, the trading floors, the quarterly planning sessions. And the people sitting in those rooms are discovering what security professionals have known for some time: the fog does not lift on schedule.

BlackRock’s Geopolitical Risk Dashboard is flashing across its top-ten risk categories — from global trade protectionism to major cyber attacks to Russia-NATO conflict. The World Economic Forum ranked geoeconomic confrontation as the risk most likely to trigger a global crisis this year, the top slot in its two-year outlook and up eight positions from the year prior. Sixty-eight percent of WEF respondents expect a multipolar or fragmented order over the next decade, up four points from the last survey. PwC’s 2026 Global CEO Survey found only thirty percent of chief executives confident about twelve-month revenue growth — down from fifty-six percent in 2022.

Then the trade disruption. On February 20th, the Supreme Court struck down tariffs imposed under the International Emergency Economic Powers Act in a 6-3 ruling, holding that IEEPA does not grant the president the power to impose tariffs. The administration responded within days, invoking Section 122 of the Trade Act of 1974 — initially at ten percent on nearly all imports, effective February 24th and expiring in 150 days. A fifteen percent increase was announced the next day but never implemented — CBP confirmed the rate held at ten. The weighted average tariff rate dropped from 13.8 percent to 6.7 percent when the IEEPA tariffs fell, then climbed back above ten percent within the week. An estimated $142 billion to $175 billion in IEEPA tariff collections now sits in legal limbo, with the Court silent on whether refunds are owed.

The Global Economic Policy Uncertainty Index, according to the Munich Security Report, reached an all-time high after “Liberation Day” in April 2025 — nearly three times its level during the 2008 financial crisis. UNCTAD Secretary-General Rebeca Grynspan called uncertainty “the highest tariff possible.” The Munich Security Report amplified the point: the uncertainty may be inflicting more economic damage than the tariff rates themselves. The IMF estimates the drag at an additional 0.3 percentage points of global output.

This is not a crisis. A crisis has a beginning and an end. This is a condition.

The natural human response to sustained uncertainty is paralysis. Research compiled by MIT Sloan Management Review found that thirty-two percent of business leaders report freezing when it is time to act. Forty-two percent admit to delaying decisions because thinking about them is uncomfortable. PwC’s Global CEO Survey put a finer point on it: CEOs now spend nearly half their time on issues with horizons under a year — three times more than they devote to thinking beyond five years.

This is the part that does not get discussed enough. We talk endlessly about frameworks, decision trees, scenario planning. We rarely acknowledge that the first obstacle is not analytical but psychological. The fog does not merely obscure the path. It makes you doubt whether there is one.

I have watched this happen in crisis rooms overseas. Smart, experienced people — people who had trained for exactly this — locking up. Not because they lacked information. Because the information they had was contradictory, incomplete, and arriving faster than anyone could process it. The ones who performed were not the ones with better data. They were the ones who had learned, through practice and repetition and failure, to move through ambiguity without requiring it to resolve first.

That is a skill. It is trainable. It is not a personality trait.

What follows is not elegant. Elegant frameworks look beautiful on slides and collapse under load. This one works when you are tired, when the information is bad, and when people are looking at you for answers you do not have.

Separate signal from noise — and accept that you will get it wrong.

The instinct in a high-information, high-adrenaline environment is to consume everything. Every report, every feed, every developing story. This feels productive. It is a coping mechanism disguised as diligence.

The discipline is narrower and less comfortable. Not what is happening but what, if true, changes what I do next. Everything else is atmosphere. Interesting, perhaps. Not actionable.

You will never see the full picture. The question is whether you are watching the variables that matter most and letting the rest blur. Histories make men wise; data make men anxious. The difference is in the selection.

Design decisions to be reversible.

Not every commitment needs to be permanent. One of the most underrated skills in uncertain environments is building exit ramps into your own plans.

In military planning, we built what we called decision support templates — predetermined points where we would reassess whether the plan still fit the situation. In a corporate context, this might mean staging resources rather than deploying them all at once. Piloting technology in one facility before a global rollout. Telling your team: “this is our direction for now. We will revisit in ninety days with fresh data.”

The 150-day expiration on the current Section 122 tariffs is, deliberately or not, an application of this principle. Time-bounded decisions force reassessment. Leaders can build this into their own operating rhythm without waiting for someone else to impose it.

Distinguish the structural from the temporary.

This is where most leaders fail right now, and the cost of misclassification runs high in both directions.

The shift toward a multipolar, fragmented global order is structural. It is not returning to 2019. If your security program, your supply chain, your international operations are built on assumptions about stable alliances and predictable trade relationships, those assumptions need updating. Not next quarter. Now.

A specific tariff rate on a specific product category is probably temporary, or at least variable. It affects your near-term planning. It should not drive your five-year strategy.

The structural and the temporary look alike in the moment. Separating them requires discipline, intellectual honesty, and the willingness to reclassify when the evidence demands it. Some things you thought were storms turn out to be climate change. Some things you feared were permanent turn out to be weather.

And your brand carries a national identity whether you manage it or not. Someone — a competitor, a regulator, a foreign government — is already factoring the flag you fly into their calculus. That, too, is structural.

Build your team’s tolerance for ambiguity, not just your own.

The leader who navigates uncertainty brilliantly but whose organization seizes up the moment things get complicated has not solved the problem. Scale matters.

This means creating an environment where I don’t know is not a career risk. Where changing a plan in light of new information is treated as strength, not indecision. Where tabletop exercises exist not to rehearse a specific scenario but to build the organizational muscle of making decisions under conditions that will never be perfect.

The teams that perform best in crisis, in my experience, are not the ones with the best plans. They are the ones where the leader has built enough trust that people bring problems forward early, challenge assumptions openly, and execute with confidence even when the picture is incomplete. Decentralize decision authority to the lowest feasible level. Your team handles what’s in front of them while you keep your head up — finding the next problem, getting your people ready for what comes after. There will always be more.

If you’re a CEO looking for a security leader, find the one whose team doesn’t need them. A team that is always training, has authority to act, and has the comfort in chaos to function without a single point of failure sitting at the top. When the leader is there, the team runs better. When they aren’t, the team still runs. And when they’re not there, they still shoulder the responsibility for action. That is the standard.

Protect your cognitive capacity like the finite resource it is.

This one I learned the hard way.

Decision fatigue is real. The quality of your judgment degrades over the course of a day, a crisis, a sustained period of uncertainty. If you are spending your sharpest hours on decisions that do not require your judgment, you are burning fuel you will need later.

Delegate not just tasks but decision authority. Build routines that eliminate low-stakes choices. Sleep. The leader who burns out on day two of a seven-day crisis must be replaced. The leader who burns out at month three of a twelve-month crisis has failed the mission as surely as the one who made the wrong call on day one.

The environment is not going to calm down. Not this quarter, probably not this year, possibly not this decade. Your capacity is not superhuman. Protect it — sleep eight hours, show your team that regeneration is part of the job — and you will still be making sound decisions when others have shifted to autopilot.

There is, against all odds, an opportunity here.

In stable times, every leader looks competent. The processes work. The playbook applies. Leadership is mostly operational management wearing a better suit (or khakis in my case).

When the ground shifts — when the rules change between breakfast and lunch, when last quarter’s assumptions become this quarter’s liabilities — that is when the leaders who can think clearly, adapt quickly, and bring their people along actually earn the title.

The world is not falling apart. But it is rearranging. And the question is not whether you can prevent that. The question is whether you and your team have the capacity to navigate it — with discipline, with discernment, and with endurance.

That is not a security question. It is a leadership one. But security professionals, who have lived in this fog longer than most, might have something worth saying about it.

Subscribe now

Devin Carlson leads security operations in South Asia. He has spent over 17 years protecting people and enabling mission success in high-threat environments across three continents.

Sources

BlackRock Investment Institute. Geopolitical Risk Dashboard, March 2026. https://www.blackrock.com/corporate/insights/blackrock-investment-institute/interactive-charts/geopolitical-risk-dashboard

World Economic Forum. Global Risks Report 2026: 21st Edition. Geneva: World Economic Forum, January 2026. https://reports.weforum.org/docs/WEF_Global_Risks_Report_2026.pdf

PwC. 29th Annual Global CEO Survey. January 2026. https://www.pwc.com/gx/en/issues/c-suite-insights/ceo-survey.html

Supreme Court of the United States. Learning Resources, Inc. v. Trump and Trump v. V.O.S. Selections, Inc., decided February 20, 2026.

Tax Foundation. “Tariff Tracker: 2026 Trump Tariffs & Trade War by the Numbers.” Updated March 2026. https://taxfoundation.org/research/all/federal/trump-tariffs-trade-war/

Yale Budget Lab. “State of U.S. Tariffs: SCOTUS Ruling Update.” February 20, 2026. https://budgetlab.yale.edu/research/state-us-tariffs-scotus-ruling-update

Penn Wharton Budget Model. “Supreme Court Tariff Ruling: IEEPA Revenue and Potential Refunds.” February 20, 2026. https://budgetmodel.wharton.upenn.edu/issues/2026/2/20/supreme-court-tariff-ruling-ieepa-revenue-and-potential-refunds

Munich Security Conference. Munich Security Report 2026: Under Destruction. Edited by Tobias Bunde and Sophie Eisentraut. February 2026. https://securityconference.org/en/publications/munich-security-report/2026/

Grynspan, Rebeca. Remarks at the 80th session of the UN General Assembly, September 2025. Cited in UNCTAD, “Development in Action: UNCTAD Warns on Tariffs, Debt and Trust Deficit at UN General Assembly.” https://unctad.org/news/development-action-unctad-warns-tariffs-debt-and-trust-deficit-un-general-assembly

International Monetary Fund. World Economic Outlook: Global Economy in Flux, Prospects Remain Dim. October 2025. https://www.imf.org/en/Publications/WEO/Issues/2025/10/14/world-economic-outlook-october-2025

MIT Sloan Management Review. “10 Strategies for Leading in Uncertain Times.” https://sloanreview.mit.edu/article/10-strategies-for-leading-in-uncertain-times/

Bacon, Francis. “Of Studies.” Essays (1625).​​​​​​​​​​​​​​​​