Chirag Shah, Global Information Security Officer & DPO at Model N, examines how cyber risk in pharma and life sciences is shifting beyond traditional breaches toward data misuse, AI-driven exposure and regulatory pressure. He explains why executives still underestimate silent control failures, how ransomware groups are weaponizing compliance risk, and why proof of security will increasingly require real-time governance, not audits, as cybersecurity and compliance continue to converge.
By 2026, what category of cyber risk do you believe Pharma and life sciences companies are still structurally underestimating, and why hasn’t it been internalized yet at the executive level?
Life sciences leaders are rightly focused on breach monitoring and prevention, but the exposure growing fastest is data misuse that never sets off an alert. As AI adoption accelerates and vendor relationships deepen, regulated data is being accessed, moved and repurposed in ways that most organizations haven’t fully mapped.
I believe that compliance programs were built for a different kind of threat. Passing an audit doesn’t mean that clinical data isn’t sitting in a vendor system with permissions that were never validated. Once regulators put more emphasis on data governance, life sciences companies and partners will need to show control over how sensitive data is used and shared, not just how it’s stored.
Executives know how to respond to outages and breaches, but not necessarily silent control failures. Data misuse through AI systems or vendor environments often looks like normal operations until questions come up that organizations can’t answer. And when AI models learn from regulated data, serious questions of accountability will get raised. Who owns the risk when the model was trained on information that should have stayed at the source? Life sciences manufacturers face additional risk because of how long data lives and how many parties touch it. Clinical trial data persists for decades, moving through various systems and entities across the entire product lifecycle.
Ransomware groups are shifting toward data extortion and regulatory leverage. In a highly regulated pharma environment, what does a “worst-case” extortion scenario look like two years from now?
Attackers will look to steal regulated data like clinical records, pricing models, revenue management data and patient-adjacent information. They’ll use regulatory exposure as the primary way to gain leverage and extort payment from the target company. Mandatory disclosure timelines and the threat of enforcement action create urgency with no clear, immediate solution. As more sensitive data flows through vendors and AI systems, organizations face a gap between where their data actually lives and what they can account for under pressure. The timeline is unforgiving. Within days, an attacker will share proof of data theft privately.
Very quickly, partners, trial sponsors or payers would need to be notified. AI can complicate the situation even further, as an attacker doesn’t even need to publish stolen data. They could simply demonstrate they’ve trained a model on it, raising more serious concerns about the integrity of data or other intellectual property.
How do you see the intersection of cybersecurity incidents and compliance violations evolving? Will regulators increasingly treat cyber failures as compliance failures by default?
Regulators are becoming less interested in whether controls existed on paper and more focused on whether those controls actually worked. Cyber incidents aren’t going to be viewed in isolation or assumed to be aberrations. They’ll be viewed as indicators of governance, oversight and accountability missteps.
We’re moving toward a model where regulators assume failure of controls unless organizations can demonstrate otherwise. Evidence of diligence has to exist before something goes wrong. It can’t be pieced together afterwards. The burden is shifting from proving compliance during annual audits to proving cyber resilience in real time.
Do you expect customers to demand stronger security assurances from vendors beyond certifications and audits? What might “proof of security” look like in 2026?
The industry will experience a transformation as customers move beyond certifications and audits to demand real-time security assurances from their vendors. As emerging cyber threats amplify the risks tied to vendor systems, organizations will increasingly view supply chain risk as a core security function rather than a compliance checkbox.
With companies moving away from implicit trust models, zero trust has become the new industry standard for proof of security. This transition will be defined by the use of short-lived credentials, rigorous identity controls and intensified oversight of cross-tenant API traffic to ensure proper verification. Customers will demand greater security from vendors, so I expect to see a rise in the adoption of software bills of materials, frequent integrity audits and stricter obligations for reporting security incidents.
Security teams are using AI for detection and response, but so are attackers. By 2026, where do you expect the defensive use of AI to meaningfully outperform adversarial AI, and where will it still fall short?
AI is increasingly outperforming threats in automated containment and the execution of real-time policy adjustments. As speed becomes the primary factor of success, these autonomous systems are critical for tightening reporting protocols and meeting the rigorous demands of board-level oversight. However, the defensive use of AI often falls short against personalized phishing campaigns and autonomous reconnaissance driven by agentic systems. These tools allow attackers to map environments with greater accuracy and less noise than traditional detection can pick up.
Beyond these threats, companies remain vulnerable to data poisoning. Attackers manipulate decision-making by corrupting training data, often without ever involving a breach. The most alarming cyberattacks are the ones that blend automation with deep knowledge of human behavior.
