Stop assuming your continuity plan will work—prove it

For CIOs, CISOs, and continuity leaders, static checklists no longer protect the business; this means their continuity plans fail at the very moment they’re needed most. In cyber-driven outages, especially in banking and healthcare, audit-ready plans often fail at execution, resulting in fines, downtime, and lost trust. Exhibit 1 shows why this matters. Security risk is now a top barrier to enterprise progress, and the task is to prove recovery under real conditions.

Exhibit 1: Cybersecurity threats rank among the leading barriers to enterprise progress

Sample: 305 major enterprise decision makers
Source: HFS Research Pulse, 2025

Last year, two weeks-long disruptions occurred at MGM Resorts and Change Healthcare, exposing how quickly operations can unravel.

The real issue is that every newly created playbook forgets the last one. Even the new ones are either static or siloed. Ultimately, recovery still leans on manual calls and old assumptions.

HFS believes AI agents are well-equipped to close this gap. Continuity must move from paperwork to living systems that update continuously and recommend recovery as events unfold. AI agents are the bridge.

Business resilience is moving from plans to pilots with AI agents

The gap between plans and proof is where AI is stepping in to test, validate, and even run recovery actions instead of just documenting them. The shift from static playbooks to dynamic, self-testing systems is already underway. CISOs and boards are experimenting with AI agents that can verify recovery in real-time, rather than waiting for the next annual drill.

One early example is Perpetuuiti’s Susan, an AI agent designed to run impact analysis, update continuity playbooks, and issue real-time alerts. As the first business continuity management (BCM)-certified resiliency AI agent, it operates through voice or chat to deliver situational context and recommended actions, rather than presenting another static dashboard. Susan’s value lies less in immediate deployment and more in what it signals: Continuity can no longer be dependent on static systems.

HFS suggests enterprises treat Susan as a signal, not a solution, because enterprises still own validation, governance, and integration. AI agents may help you close the execution gap, but you cannot outsource resilience.

Enterprises need continuity tools that act, not just analyze

Most programs still flag risks and leave execution to humans, which turns delays into disasters. What enterprises now need are systems that move beyond advice and start taking the first recovery steps automatically.

Perpetuuiti’s Susan is a bellwether of that shift. Linked to Continuity Vault and Continuity Patrol, it can trigger notifications, launch drills, and analyze trends. It learns from iterations and actions and finds gaps in your business continuity plans. It also connects directly to enterprise systems, such as ServiceNow and Archer, ensuring that continuity updates are fed into tools already used by risk and operations teams.

Perpetuuiti cites results of 75% lower costs, 80% faster recovery, and sub-20-minute detection-to-recovery. These claims suggest what agent-driven continuity can deliver when properly governed.

The broader point isn’t about Susan alone. It’s that business continuity tools are evolving to manage the full ISO 22301 lifecycle—from risk checks, plan creation, testing, and emergency drills—in a fraction of the time required without AI agents.

Human-only recovery just isn’t enough anymore

AI is already transforming IT and operations by automating repetitive tasks, freeing human teams to focus on oversight and strategy, as Exhibit 2 illustrates.

Exhibit 2: AI is rapidly transforming IT by automating grunt work

Sample: 608 major enterprise decision makers
Source: HFS Research, 2025

Facing increasing threats and freed from grunt work, continuity leaders can’t keep planning relegated to a once-a-year compliance exercise. The last 18 months of ransomware, cloud, and identity breaches have shown how quickly operations can collapse and how slowly they recover. Retail outages like Marks & Spencer’s payments disruption prove the same point: fast collapse, slow recovery.

Regulators and boards are no longer satisfied with post-incident reports. They now expect proof that recovery works under real conditions. Tools like Susan embed compliance monitoring at the core, mapping real-time continuity plans against standards such as NIST, DORA, or RBI and producing audit-ready output.

The other shift is that human-only defense is no longer enough. HFS has already called out that human-only cyber defense is dead, and continuity planning is no different. This is where AI agents come in. AI agents don’t just execute; they learn from every disruption. Each exercise feeds smarter playbooks and accelerates the next response. The goal now isn’t just preventing incidents, but also improving the velocity of recovery when disruptions happen.

The Bottom Line: Recovery is no longer planned. It’s proven. Enterprises that test now will lead later.

Business continuity can no longer depend on compliance check boxes. Enterprises need provable resilience, and AI agents will help deliver it.

Susan and tools like it point in this direction. They replace humans but also signal how agent-driven validation can move beyond paperwork into execution and subsequently shrink recovery cycles from weeks to minutes.

The next action items for CIOs, CISOs, and continuity leaders are to review their continuity processes, establish guardrails for AI, and begin testing agent-driven tools now. The following 12 months are about testing AI in continuity and ensuring teams know how to keep it in check.