When Savannah Guthrie’s 84-year-old mother was abducted in Arizona earlier this year, the FBI issued an unusual warning: in the age of AI, even a proof-of-life video can’t be trusted. A kidnapper now needs little more than a LinkedIn photo and a voicemail to manufacture a convincing deepfake. The old rules of crisis response no longer apply.
It was, said Sid Kosaraju, president of global security firm Crisis24, exactly the kind of threat corporations have been slow to take seriously. A hush came over the room at the Fortune COO Summit in Scottsdale as Kosaraju described the actual threat landscape that most people would rather not think about.
Two years into his role, he said, he asked his own security team to run a cyber assessment. He considered himself well-protected. But his team — ethical hackers — were able to pinpoint the location of his 12-year-old daughter in two-hour increments, every day, simply by accessing her school’s website and her tennis club’s schedule. She doesn’t even own a smartphone. “They could get into the school website. They could get into the tennis club website and pinpoint.”
Usually what happens, Kosaraju explained, is that threat actors target children and elderly parents. “Sorry to say here right in this state of Arizona, we have the Guthrie incident.” These are things that the industry is wrestling with right now, he said. “It’s not just the principal. It’s the families that you have to protect against.”
The Nancy Guthrie case was, he added, what the industry calls a “grey rhino” — a massive, visible, charging threat that most of us have been staring at for years and chose not to act on. It’s not a “black swan,” the term popularized by Nassim Taleb for unknowable, unpredictable catastrophes. A grey rhino: obvious in retrospect, ignored in the moment.
That distinction, argued Kosaraju and Kroll CEO Jacob Silverman, in conversation with Fortune‘s Ruth Umoh, is the single most important concept in risk management that corporate America is still getting wrong.
The threat is already inside your house
Most executives think about security as something that happens at the perimeter — a firewall, a badge reader, a background check. Silverman, who leads one of the world’s foremost corporate investigations and risk advisory firms, calls that a category error.
“The weakest link is always a person,” he said. “And some of the biggest threats — purposeful or inadvertent — come from within the walls of all of our organizations.”
That’s the grey rhino: not a sophisticated nation-state attack, but a routine online calendar, visible to anyone who looks.
Silverman was blunt about what AI has done to the threat landscape: it has made deception cheap, fast, and nearly undetectable. His firm, Kroll, fields impersonation attempts constantly — fake emails, fake invoices, fake voices purporting to be him.
“I can’t tell you how many times Jake Silverman asked for billing information,” he said, by way of example. “And now with the ability to do real deepfakes with AI, it’s all that much more dangerous.”
The FBI’s warning in the Guthrie case crystallized what security professionals have been saying for years: the proof-of-life paradigm — the foundational mechanism of kidnap response for decades — is broken. AI needs only seconds of audio or a single photograph to generate a convincing fake. Verifying that a loved one is alive, in real time, has become a genuine technical and operational challenge.
The corporate implications run wider than kidnapping. When your employees, your customers, and your fellow executives can no longer assume that an email, a voice call, or a video is real, the entire architecture of organizational trust requires rethinking.
What the best-prepared companies are actually doing
At the Fortune 100 level, Kosaraju described an intelligence infrastructure that would have seemed excessive even five years ago: dedicated business resiliency teams staffed with former CIA and FBI analysts, feeding real-time geopolitical intelligence to C-suite executives on a continuous basis. Some executives now receive what amounts to a daily presidential brief — a document summarizing threats to their people, facilities, vendors, and supply chains, generated and synthesized by AI.
Silverman’s firm, Kroll, is operationalizing a similar capability. Its Resolver platform uses AI to ingest security information and help risk managers run remediations with an audit trail, cutting the lag time between detecting a breach and containing it.
But here’s what struck the audience: the median annual security spend on C-suite protection at the top 100 publicly listed U.S. companies was under $100,000 as recently as 2023. That figure, Kosaraju noted, has risen sharply in the two years since — but the baseline was startlingly low for organizations with global exposure.
The minimum viable security stack
For companies without Fortune 100 budgets, both executives converged on three affordable, underutilized baselines:
- Secure transportation. Stop putting executives and board members in unvetted rideshares. The cost premium over an Uber is minimal. The protocol difference is not.
- Company email for everyone who matters. Board members conducting sensitive business over personal Gmail is an unforced vulnerability that requires a policy memo, not a budget line.
- Always-on intelligence. Subscription threat monitoring services — social media surveillance, reputation alerts, geopolitical feeds — are not expensive. They are simply not yet standard practice.
Training, both stressed, underlies all of it. Kosaraju’s firm uses a rotating verbal password system: if an employee receives a suspicious communication claiming to be from a senior executive, they call a designated number and exchange a code.
Silverman closed the conversation with the frame that should unsettle every COO in the room. Threats today don’t arrive in silos.
“When something is a physical threat, it usually is linked to a supply chain threat, which is linked to a business threat and linked to a cyber threat,” he said. “They all come together at you at one time.”
For this story, Fortune journalists used generative AI as a research tool. An editor verified the accuracy of the information before publishing.
The post Grey rhinos, black swans, and the kidnapping of Nancy Guthrie: What Corporate America still gets wrong about risk appeared first on Fortune.
