in ,

Chertoff Group’s Michele Iversen: How AI Is Transforming Cybersecurity & Supply Chains

Michele Iversen. The Chertoff Group principal sat down with ExecutiveBiz to discuss AI, cybersecurity and supply chain risk.
Michele Iversen Principal The Chertoff Group
  • Michele Iversen helped establish the ICT Supply Chain Risk Management strategy
  • She is now helping both the government and industry manage national security risk
  • Iversen sat down with ExecutiveBiz to discuss AI, cyber, supply chain risk and CMMC

Michele Iversen, principal at the Chertoff Group, had a choice to make when she was nearing the end of her decorated 34-year government career. She deliberately chose consulting with the Chertoff Group as the work she began in government with agencies like the CIA, the National Security Agency and U.S. Cyber Command, particularly on information and communications technology supply chain risk, was far from finished.

In addition to sharing her commitment to national security rather than treating it as a market, the Chertoff Group gives Iversen, a retired Army officer, a platform to keep advancing those objectives from the private sector, where much of the risk actually resides. Iversen didn’t leave the mission, she simply changed seats.

But what makes Iversen most proud is not any single policy, like helping establish the Pentagon’s ICT Supply Chain Risk Management strategy. Instead, it’s that the mission outlasted her time in this role. Iversen is now helping both government and industry manage national security risk, from supply chain and cybersecurity to the geopolitical and regulatory forces that shape both.

Iversen sat down for her first Spotlight interview to discuss how federal agencies should balance innovation and cybersecurity. She explored how it would have impacted national security to have small businesses drop out of GovCon because they couldn’t afford the fees of the Cybersecurity Maturity Model Certification, or CMMC, 2.0 effort that was paused by the Pentagon on July 13.

Iversen also dove into new supply chain vulnerabilities that may emerge as organizations increasingly rely upon AI and AI-related systems and the biggest misconceptions organizations have about supply chain security.

Get actionable business intelligence from top intelligence community and Pentagon officials at the Potomac Officers Club’s 2026 Intel Summit on Sept. 24! Discover new partnership opportunities from Maj. Gen. Brian Sidari, Space Force deputy chief of space operations for intelligence, during his illuminating keynote address. Join the conversation during his Q&A and get your burning questions answered. Secure your seat today for this highly anticipated GovCon forum!

ExecutiveBiz: How should federal agencies balance innovation and cybersecurity when adopting emerging technologies?

Michele Iversen: America leads the world in innovation. Watching the drone light shows over the America 250 celebrations, it was hard not to feel that pride. But the same technology that paints the night sky can be turned against an unsuspecting crowd if security and supply chain integrity were not built in from the start. That is not alarmism. Cyber threats are asymmetric, and a capability designed for wonder can be repurposed for harm when its foundation is weak.

AI sharpens the point. It is remarkable technology, but the guardrails are still being built. Models drift, they hallucinate, they can be poisoned and the volume of corrupted data needed to compromise a model is alarmingly small. Emerging deterministic capabilities, which check and bound an AI’s behavior without altering the model itself, offer a path forward. But until companies acknowledge the weaknesses and adopt them, the innovation can quickly turn from asset to liability.

The balance is real and cybersecurity professionals sometimes get it wrong from the other direction. Too many are so fixed on compliance that they lose sight of the point, which is security and risk reduction, not paperwork. Cybersecurity exists to serve the technology. Without the system, there is nothing to secure.

The answer is not more checklists, but is instead ownership. A civil engineer cannot outsource public safety to someone down the hall, and an IT developer, systems engineer, or coder, should not be able to abdicate security either. When the people building the technology own its security as a first-order responsibility, agencies get both the innovation and the assurance. That is the balance worth striking.

Supply chain security cannot be treated as a box to check and set aside. It is a continuous discipline, and provenance is its core.

EBiz: How will it impact national security to have smaller businesses drop out of the GovCon marketplace because they can’t, or won’t, afford the steep costs and compliance requirements of Cybersecurity Maturity Model Certification 2.0, which was paused by the Pentagon on July 13?

Iversen: It is a real risk, and a serious one. The small and very small businesses at the edges of the defense industrial base are often where the sharpest innovation happens and they are the least able to absorb the cost of certification. If they exit, the government loses capability and competition, and it concentrates the supply base in a way that is itself a security problem. 

The threat is asymmetric. A narrower, more uniform supplier pool is easier for an adversary to map and target.

The standard itself is right. The threats to controlled information are real and the rigor CMMC demands is justified. The problem to solve is not the bar, it is access to it. Lowering the standard through waivers and carve-outs only moves risk downstream, where it is harder to see and easier to exploit. Security does not improve because the paperwork was excused.

The better path is to make compliance achievable. The tools already exist. Automated platforms can assess a company’s real-world security posture continuously, not just its documentation, and emerging providers are proving this at scale.

government-subsidized managed cyber and supply chain risk service, available to businesses below a defined size and revenue threshold, could carry that load until those companies grow enough to own their security themselves. Keep the standard high, and help the smallest innovators reach it. That is how the country keeps both its security and its edge.

Are you a GovCon technology executive? Then you cannot afford to miss the Potomac Officers Club’s 2026 Intel Summit on Sept. 24. Get exclusive investment insights on emerging technologies like data, AI, cyber and secure networking from leading federal officials and top industry experts. Spark collaborations with other ambitious GovCon professionals and score that big contract. Connect with sponsors like TRSS that are driving the future of intelligence technology and services. Sign up now!

The adversary and the defender are handed the same accelerant at the same time. The real vulnerability is falling behind an adversary who is using AI while you are still working tier by tier.

EBiz: What new supply chain vulnerabilities emerge as organizations increasingly rely on AI models and AI-enabled systems?

Iversen: The most significant shift is that AI changes how an adversary attacks a supply chain. The old model was linear: you worried about your direct suppliers, then theirs, tier by tier. Advanced AI collapses that into a multi-dimensional problem.

An adversary can now map a supply chain across many tiers at once and identify weaknesses down to the individual component or chip, faster than any human team could. The attack surface has not just grown, it has changed shape.

That raises the premium on third-party risk management dramatically. The trouble is that visibility remains fragmented. A complete picture requires seeing three different things: network vulnerabilities across supplier tiers and product vulnerabilities in both hardware and software. The tools available today tend to concentrate on one layer, most often the network, and no single capability yet sees clearly across all three. Closing that gap is where the defense has to go.

The same technology also works for the defender, and that is the part worth holding onto. AI makes ownership and due diligence research faster. It can help build and refine security policies and procedures. Used well, it can map automated, continuous monitoring against those policies and produce a near real-time picture of compliance and posture rather than a once-a-year snapshot.

So the adversary and the defender are handed the same accelerant at the same time. The real vulnerability is falling behind an adversary who is using AI while you are still working tier by tier. The organizations that will stay secure are the ones that adopt these capabilities for defense as aggressively as their adversaries are adopting them for attack.

EBiz: What is the biggest misconception organizations have about supply chain security?

Iversen: The biggest misconception is that clearing foreign ownership, control or influence, or FOCI, is the finish line. A company mitigates FOCI, signs the agreement and believes the supply chain problem is solved. It is not.

FOCI addresses who funds and controls a company. It says nothing about where a product is actually developed, who writes and maintains the code, where the components come from, or who supports the system once it is fielded. Those are separate axes of risk and ownership remediation does not touch them.

Provenance is the harder and more revealing question. Knowing what is inside a product and where each piece came from is the foundation everything else rests on. That means a software bill of materials and a hardware bill of materials, so an organization actually knows its own components rather than assuming.

It means counterfeit detection, because a genuine part number is not a genuine part. It means recurring supplier reviews rather than a one-time check at onboarding, because ownership, funding and development can change overnight, often through the mergers and acquisitions that reshape who really stands behind a supplier. It also means secure development environments, because a trustworthy design built in a compromised environment is no longer trustworthy.

Consider a company founded and owned by Americans, entirely clean on paper, that develops its software through a subsidiary in an adversary nation. No ownership review flags it, because the ownership is genuinely domestic. Yet the code is written where an adversary has reach.

This is why buying from a U.S. company is not enough on its own. The flag on the building tells you who owns the firm. It does not tell you where the product was built, who touched it, or what was put into it.

That is why supply chain security cannot be treated as a box to check and set aside. It is a continuous discipline, and provenance is its core. The organizations that understand this stop asking only who owns a supplier and start asking what is in the product, where it came from, and whether they can prove it. That question, asked continuously, is what real supply chain security looks like.

Chertoff Group’s Michele Iversen: How AI Is Transforming Cybersecurity & Supply Chains - top government contractors - best government contracting event

 

ExecutiveBiz Logo

Sign Up Now! ExecutiveBiz provides you with Daily Updates and News Briefings about Executive Spotlights

mm

Written by Pat Host

Project Overmatch. This essential Navy C3 program is the service's contribution to the Pentagon's CJADC2 effort.
5 Key Navy Project Overmatch Updates
John Mengucci. The CACI President and CEO commented on their DOW contract to deploy SkyValor in the southern border.
DOW Awards CACI Contract to Use SkyValor cUAS at Southern Border