or Dunning-Kruger doesn't self-correct anymore.

> TL;DR. The Dunning-Kruger effect, that is, the difference between what people think they can do
and what they can actually do, used to close and self corrects with experience. My hypothesis that I introduce in this post is that AI keeps it open: it increases confidence and splits real capability into "with the tool" and "without the tool." For boards and practitioners, that turns intrinsic capability from a productivity question into a governance one, and it is the capability that quietly erodes.

  1. The ending that used to be guaranteed (more or less)
  2. About the Dunning Kruger curve
  3. What AI changes
  4. The Gap that no longer closes
  5. Does it really matter?
  6. What it means for companies

1. The ending that used to be guaranteed

Everyone knowns Mount Stupid. The colleague who read one thread and now wants to redo the whole plan. The new hire who watched a video and is sure everyone before them was doing it wrong. Believe me, I have been there.

The nice part of the Dunning-Kruger story is how it ends. Experience wins over the overconfident, and the gap between what you think you can do and what you actually can do closes on its own. The thing doing the work is boring but reliable: you try, you fail in front of people, you learn. Reality keeps sending the bill until what you think you can do matches what you can.

Figure 1. The classic picture. Perceived capability runs ahead, crashes, then converges on actual capability. The gap closes.[Thierry ZOLLER]

Figure 1. The classic picture. Perceived capability runs ahead, crashes, then converges on actual capability. The gap closes.[Thierry ZOLLER]


2. About the Dunning-Kruger curve

One warning first : the chart everyone has in mind stands is an . The famous Dunning-Kruger curve, with its confidence peak and valley of despair, did not come from Dunning and Kruger. It is not in their 1999 paper or in any of Dunning's later work. It spread through management training and the internet in the mid-2000s, the real study compared what people thought of their ability with how they actually scored, in four bands, and the real line climbs steadily rather than peaking [1].

The effect itself has no real concensus, several papers say the pattern is mostly a statistical mirage, a mix of regression to the mean and the plain fact that most people rate themselves above average [2, 3]. Others point out that the basic pattern still turns up even when critics rerun the study, and that the numbers in the original look too big to be a trick alone [4]. The fair summary: the pattern in the data is real (and that it what matters most in my hypothesis), what it means is still disputed.

I use the popular chart here on purpose, because you know it, not because I am claiming it is the 1999 data. The argument does not need the curve to be literally true. It needs only the one thing nobody argues about: people are bad at judging their own ability, and the gap between what they can do and what they think they can do now runs through a tool that makes it wider.

My hypothesis only needs the one thing nobody argues about: people are bad at judging their own ability, and the gap between what they can do and what they think they can do now runs through a tool that makes it wider.

3. What AI changes

Two things change according to me. Let's go through them one at a time.

1. First, confidence goes up. A beginner with a good assistant turns out work that looks expert.

The work is the proof, and the proof says "good," so the early peak of overconfidence climbs higher than it ever did on its own. The valley isn't as deep either. The moment of getting caught comes later and lands softer, because the tool papers over the gaps that used to show you up. And the line never really drops back. There is no longer a reliable point where harsh reality (failure, mistakes etc) forces what you think to meet what is true, because the output keeps looking fine. Figure 2a shows the one line changing.


Figure 2a. Same chart, one line changed. Perceived capability peaks higher, dips less, and no longer comes back to meet actual. The gap that used to close stays open. [Thierry ZOLLER]

Figure 2a. Same chart, one line changed. Perceived capability peaks higher, dips less, and no longer comes back to meet actual. The gap that used to close stays open. [Thierry ZOLLER]


2. Second, "what you can really do" stops being one thing. Before AI, your ability was a single number. Now it splits in two (Figure 2b).

Let me explain, there is what you can produce with the tool in hand, which is high and comes fast. And there is what you can do if the tool is taken away (I call it "Intrinsic"), which is lower, and which only grows through the practice the tool now does for you.


vFigure 2b. The single "actual" line splits. Assisted capability rises with the tool. Intrinsic capability, the part left when the tool is gone, settles much lower. The faint dotted line is the old single curve. [Thierry ZOLLER]

Figure 2b. The single "actual" line splits. Assisted capability rises with the tool. Intrinsic capability, the part left when the tool is gone, settles much lower. The faint dotted line is the old single curve. [Thierry ZOLLER]

4. The gap that no longer closes

Put the three lines on the same chart and the problem shows up (Figure 3).

Figure 3. The old meeting point (faint, top right) against the AI world. Two gaps open and stay open: the dependency gap between what the tool makes and what you could do without it [Thierry ZOLLER]

Figure 3. The old meeting point (faint, top right) against the AI world. Two gaps open and stay open: the dependency gap between what the tool makes and what you could do without it, and the persistent illusion between what you think you can do and what you can. Intrinsic capability itself splits, by who built it before AI showed up.


Figure 3. The old meeting point (faint, top right) against the AI world. Two gaps open and stay open: the dependency gap between what the tool makes and what you could do without it, and the persistent illusion between what you think you can do and what you can. Intrinsic capability itself splits, by who built it before AI showed up.

Perceived ability stays high. Assisted capability, what you make with the tool in hand, sits just below it. Intrinsic capability, what is left when the tool is gone, sits well underneath. And unlike the classic curve, none of them bend back toward each other. Here is why. The old gap closed because reality punished overconfidence. You tried something, you failed where people could see, and the failure showed you where you were wrong.

The old gap closed because reality punished overconfidence.You tried something, you failed where people could see, and the failure showed you where you were wrong.

AI takes out parts of that step. It soaks up the friction and hides the failure, so the signal that used to fix your self-judgment never lands. The gap does not close, because the thing that used to close it is the thing we handed to the AI.

One more split that matters, and it matters most for the next generations."Intrinsic" is not the same for everyone. People who built real skill before they leaned on the tool keep most of it and lose it slowly.

People who learned with the tool from day one quite possibly never build it at all. Same low line on the chart, two different reasons, and the second one gets worse over a generation.

"Intrinsic" is not the same for everyone. People who built real skill before they leaned on the tool keep most of it and lose it slowly.

5. Is the missing skill just theory?

Not entirely. The early evidence points the same way, with one difference. In a 2025 study of 666 people, Gerlich [5] found that the more people relied on AI, the worse they scored on critical thinking, with "cognitive offloading" [8] as the mechanism and the effect biggest among younger users. A Microsoft and Carnegie Mellon survey of knowledge workers found the same pattern from the other side: the more people trusted the tool, the less thinking they did; the more they trusted their own skill, the more they did [6]. An MIT study connceted people up to an EEG and found less brain connectivity in those who wrote with a language model than in those who wrote without one [7].

The difference matters, and it is the honest part.

The same research shows the outcome depends on how the tool is used. Used to replace thinking, it erodes the skill. Used to aid thinking, where the hard stuff stays with the person and the tool takes some of the logical load, it can leave critical thinking intact or even improve it.

The direction is consistent: leaning on the tool to avoid the effort is exactly what wears the skill away.

6. Does it really matter?

Handing a skill to a tool is the oldest story in recent human evolution, and most of the time it is just progress. We dropped long calculations for the calculator, stopped learning phone numbers, stopped reading maps. The skill faded and nobody missed it, because the tool was reliable. By that logic, intrinsic skill is just the next thing we are right to put down.

If the tool is always there, why keep the skill?

Because, if my hypothesis holds, handing it over stops being harmless in three places, and they are the three we should care about most.

  • First, passing it on, and this is the one I care most about. Skill is handed down by apprenticeship: juniors do the boring work, struggle, fail in front of the more experienced, and pick up the know-how no one wrote down. AI now does the boring work, so the issues/struggle that made the next experts is gone, and the junior never really internalises it's AI driven learnings. The ones who built the skill before AI retire, and none form behind them.
  • Second, when things break. The tool is not always there, and it is not always right. In 1997 an American Airlines captain warned that pilots were becoming "children of the magenta line," good at managing the automation but no longer able to fly by hand [9]. In 2009 the autopilot on Air France 447 quit over the Atlantic, handed the plane to a crew who had lost the hand-flying skill, and 228 people died [10]. The same happened at San Francisco in 2013 [11]. The skill that mattered only mattered for the ninety seconds it was needed.
  • Second, oversight. The EU AI Act makes a human in the loop a legal requirement for high-risk systems. But look at what it asks of that human: understand what the system can and cannot do, catch it when it goes wrong, and know when to override it [14]. Every one of those is intrinsic skill under another name. You cannot check work you could not do yourself, so as the skill fades the human in the loop becomes a rubber stamp.

Banking has already run the test, on a delay. COBOL, written in 1959, still sits under an estimated three trillion dollars of transactions a day [12, 13]. It works. But the people who understand it are retiring/have retired, and the business rules live in their heads, not in any document. When New Jersey's unemployment system fell over in 2020, the state had to call retired programmers back [13]. You might say AI settles this: point it at the code. But the language was never the hard part. AI can read the syntax and still not tell you why one job runs before another on the last day of the month, or which exception encodes a rule from 1987 that no one wrote down. That did not live in the code. It lived in the person, and the person has gone.

7. What it means for companies

So, does intrinsic knowledge matter? For everyday output, less and less, and pretending otherwise is just looking backward. For coping when things break, for oversight, and for making the next set of experts, more than ever.

The shift worth naming, if I am right, is this: intrinsic skill has moved from a productivity question to a governance one. It used to be how the work got done. Now it is what lets you trust, check, and survive the tool that does the work. That is no longer a training line item. It is a control, and like any control, it fails quietly until the day you need it. The practical questions for a board are simple to ask and uncomfortable to answer. Where in the organisation has intrinsic capability already thinned out. Who could still do the work if the tool went down tomorrow. And is your human in the loop a real check, or a signature.

Put plainly: if the hypothesis is wrong, intrinsic skill is just nostalgia and the tool has freed us from it. If it is right, it is a control that erodes while the output keeps looking fine.

Put plainly: if the hypothesis is wrong, intrinsic skill is just nostalgia and the tool has freed us from it. If it is right, it is a control that erodes while the output keeps looking fine.

8. References

Dunning-Kruger, original and critiques

  • [1] Kruger, J. and Dunning, D. (1999). Unskilled and Unaware of It: How Difficulties in Recognizing One's Own Incompetence Lead to Inflated Self-Assessments. Journal of Personality and Social Psychology, 77(6), 1121-1134. https://doi.org/10.1037/0022-3514.77.6.1121 (The popular peak-and-valley curve does not appear in this paper.)
  • [2] Krueger, J. and Mueller, R. A. (2002). Unskilled, unaware, or both? The contribution of social-perceptual skills and statistical regression to self-enhancement biases. Journal of Personality and Social Psychology, 82(2), 180-188.
  • [3] Gignac, G. E. and Zajenkowski, M. (2020). The Dunning-Kruger effect is (mostly) a statistical artefact. Intelligence, 80, 101449. https://www.sciencedirect.com/science/article/abs/pii/S0160289620300271
  • [4] Nuhfer, E., Cogan, C., Fleisher, S., Gaze, E. and Wirth, K. (2016, 2017). Random-number simulations on self-assessment and the graphical portrayal of measured competence. Numeracy, 9(1) and 10(1). https://digitalcommons.usf.edu/numeracy/

AI, cognitive offloading and critical thinking

Automation dependency in aviation

COBOL and legacy banking systems

Regulation

Belgium published first, France went deeper. Belgium's CCB released CyFun well before the October 2024 NIS 2 transposition deadline, built on NIST CSF and officially mapped to ISO 27001/27002. France's ANSSI published ReCyF, but as of March 2026 the underlying legislation still has not passed - making it a technically superior but legally unenforceable framework.Bottom line: ISO 27001-certified organisations in Belgium are largely compliant with a manageable gap list. The same organisations in France still have significant work ahead - and no hard deadline yet to do it by.

Table of Contents

  1. Introduction
  2. Belgium - The Head Start (4 Level Architecture, Control Counts, ISO27002 clusters, What are key measure and why do they matter, self-assessment)
  3. France - The Thorough Approach (The objective and means architecture, still waiting for the law, ISO Alignement ANSSIs own assessment
  4. ISO27002 Mapping as a common Anchor
  5. The Divergences
  6. Practical Impliaction

Part I: Introduction - One Directive, Two Answers

When the EU adopted NIS 2 (Directive 2022/2555) in December 2022, it set a clear expectation: member states had until October 17, 2024 to transpose its requirements into national law. What followed, at least across the Franco-Belgian border, is a study in contrasting regulatory cultures, institutional histories, and practical philosophies.

NIS 2 expanded covered sectors from 7 to 18, lowered size thresholds, made supply chain security and multi-factor authentication explicit obligations, and - most significantly - introduced Article 21's detailed list of required risk management measures. What the directive deliberately does not do is specify how each measure should be implemented. That granularity was left to member states, producing genuine policy diversity: two technically credible frameworks that are compatible at the technical level but structurally different in regulatory philosophy, timing, and practical demands.

The timeline below tells the story at a glance. Belgium formalised an existing, mature framework and published its official cross-framework mapping nine months before the deadline. France is still working through its legislative process 18 months after that same deadline.

Figure 1 : NIS2 Transposition timeline. Belgium met the Octobre 2024 deadline, France Transposing law remains a bill of March 2026.


Introduction

For years, we’ve all heard it: “Cyber threats are on the rise.” But how much is hype, and how much is reality ?

According to the IRIS 2025 report by Cyentia, it’s not hype. Since 2008, the number of publicly reported cyber incidents has increased by over 650%, climbing from 450 to nearly 3,000 per quarter.

But here’s the nuance that matters: this rise isn’t just about more attacks. It’s also about how attackers evolve, how we detect threats, and how regulation drives transparency. From the stealthy era of APTs to the ransomware boom and the pandemic’s IT transformation, every major spike has a cause.

As risk managers and CISOs, this isn’t just trivia—it’s critical context. Understanding these shifts helps us future-proof our strategies, rather than plan for a past that no longer exists.

Europe's Most Influencial CISOs of the year 2024

The below is an interview originally conducted by CIO-World, in which I was recognized as one of Europe’s Most Influential CISOs of 2024. The discussion goes beyond technical security and focuses on leadership: the core capabilities a CISO needs today, how regulatory frameworks can be used as strategic enablers of resilience, and how security leaders can operate credibly and effectively within the C-suite. It also explores the growing convergence of technology, governance, and compliance.

The original can be found at CIO-World.

As financial technology (FinTech) evolves rapidly, it faces an increasing number of cyber threats. Cybercriminals are constantly finding new ways to exploit weaknesses in payment systems, putting billions of dollars and countless identities at risk. A staggering statistic reveals that up to 75% of customers worldwide now use at least one FinTech service, a number projected to grow as more people embrace digital payments and online banking.

Source: CIO World 

Meet Thierry Zoller, the Chief Information Security Officer at J.P. Morgan Mobility Payments Solutions S.A. (Red. now Julius Baer) , whose mission is to stay one step ahead of these digital predators. With nearly three decades of experience in cybersecurity, Zoller brings a unique blend of technical expertise and strategic vision to one of the world’s largest financial institutions. His journey from a curious teenager in Luxembourg to a leading figure in global information security is an example of the power of passion and perseverance.

Thierry’s fascination with technology began early, driving him to explore the inner workings of systems and networks. This curiosity led him to dive deep into reverse engineering and system vulnerability analysis, skills that would become invaluable in his future roles.

His career has been marked by a series of high-profile positions, including Head of Security Risk and Compliance Europe for Amazon and CISO for Amazon Payments. These experiences have honed his ability to navigate the complex intersection of technology, finance, and security.

At J.P. Morgan, he faces his most challenging task yet: securing the future of mobile payments in an increasingly cashless world. His approach combines futuristic technology with a deep understanding of human behavior, recognizing that the weakest link in any security system is often the user.

Thierry’s impact extends far beyond his corporate role. As a prolific blogger and researcher, he has coordinated the disclosure of over 100 vulnerabilities and released numerous free security tools. His work has been cited in books and peer-reviewed papers, cementing his status as a thought leader in the field.

The 45-year-old security expert’s commitment to knowledge sharing has been a cornerstone of his career. This philosophy drives his continued efforts to educate and empower the next generation of cybersecurity professionals, contributing significantly to the global information security community.

N-Th Party Risk (Thierry ZOLLER)
The responsibilities of vendors, suppliers, and service providers have grown increasingly important in the dynamic digital economy. The growing digitalisation and reliance on third-party entities significantly enhances business operations while concurrently introducing a spectrum of security risks. 

Recognising these challenges, regulatory supervisors have been actively creating frameworks over the years to make sure that financial entities in particular appropriately handle and mitigate the risks of security incidents that could directly affect their operations.

The adoption of specific guidelines by the European Banking Authority (EBA) in marked a substantial acceleration of the shift towards a more security-conscious approach when interacting with third parties. These guidelines were a significant advancement in highlighting the important security aspects to take into account while working with third parties. 

However, with the recent final Regulatory Standards published, the Digital Operational Resilience Act (DORA) is further evolving the requirements and expectations in light of multiple high-profile breaches involving third parties and the supply chain. The entry into force of this European Regulation, which takes effect in January 2025, marks the beginning of a new era in third party security management. 

It signals a time when strict compliance and proactive risk management are more important than ever in third-party contacts, and it also emphasises the significance of operational resilience and indicates a heightened response to the changing threat landscape.

While researching the state of the Art in "Third Party" risk management I came across an Report recently published by Wade Baker, Ph.D. and the Cyentia Institute titled “Risk to the Nth-Party Degree: Parsing the Tangled Web".

In true Cyentia Institute fashion the report is a data driven and provides plenty of opportunity for the data science geeks amongst us to rejoice - for the others it's one of the first publicly available reports providing us with data analysis on the matter with.

The Report highlights a crucial aspect that is often overlooked in risk management: vendor risk extends beyond direct third parties.

What really is "third party" risk ?