Integrating Governance, AI Accountability, and Systemic Resilience: A Framework for Critical Infrastructure Protection in Nigeria
Authors
Oil and Gas Free Zones Authority Onne, Rivers State (Nigeria)
Stowe School Buckingham (Nigeria)
Article Information
DOI: 10.51584/IJRIAS.2025.101100132
Subject Category: Cybersecurity
Volume/Issue: 10/11 | Page No: 1425-1437
Publication Timeline
Submitted: 2025-12-10
Accepted: 2025-12-17
Published: 2025-12-25
Abstract
The security and systemic resilience of critical infrastructure (CI) in developing economies, such as Nigeria, require executive-level governance akin to the NIS 2 Directive's mandates for management body oversight and direct liability (European Parliament & Council of the European Union, 2022). Nigeria's CI faces annual losses exceeding $1 billion from cyber incidents, underscoring the urgency for integrated frameworks (Central Bank of Nigeria, 2024). This governance mandate is necessary because current risk models are often inadequate for accurately assessing the probability and consequence of sophisticated hybrid attacks (NIST, 2008). This paper establishes a synthesized governance framework, leveraging Agency Theory to diagnose internal accountability failures within Nigerian CI organisations (Burch et al., 2024). The resulting model structurally integrates strategies for confronting two paramount systemic threats: complex vulnerabilities within the Artificial Intelligence (AI) supply chain (DHS, 2024; IBM, 2024) and the multiplying effects of the Cyber Climate Nexus (Guy Carpenter, 2025; UNDP, 2024). The prescribed five-step model provides a practical and auditable blueprint for strengthening corporate accountability, institutionalising formal risk acceptance procedures, and transitioning from fragmented compliance to proactive, integrated operational resilience (CISA, 2024; Parlov et al., 2025).
Keywords
Executive Governance, Critical Infrastructure Resilience, Agency Theory, AI Risk Governance, Cyber Climate Nexus, Cyber Resilience, Nigeria
References
1. Adebayo, O., & Ojo, A. (2023). Agency problems in Nigerian public enterprises: A governance perspective. African Journal of Economic and Management Studies, 14(2), 210–225. https://doi.org/10.1108/AJEMS-05-2022-0189
2. Burch, G. F., Burch, J., & McGarry, M. (2024). Cybersecurity risk management governance: An agency theory perspective. ISACA.
3. Campos, S., Papadatos, H., Roger, F., Touzet, C., Quarks, O., & Murray, M. (2025). A frontier AI risk management framework: Bridging the gap between current AI practices and established risk management (arXiv:2502.06656). arXiv. Retrieved 29 October 2025, from arXiv.org
4. Cybersecurity and Infrastructure Security Agency. (2024, August 14). ISC updates to the risk management process. Retrieved 29 February 2025, from Cybersecurity and Infrastructure Security Agency website
5. Cybersecurity and Infrastructure Security Agency. (n.d.). Artificial intelligence. Retrieved 14 November 2025, from Cybersecurity and Infrastructure Security Agency website
6. Commonwealth of Australia. (2024, November). Critical infrastructure annual risk review (Second edition).
7. Deloitte. (2024). Compliance in focus: Findings from Deloitte’s 12th Energy Industry Compliance Survey. Deloitte.
8. Department of Homeland Security. (2024, November 14). Roles and responsibilities framework for artificial intelligence in critical infrastructure.
9. European Parliament & Council of the European Union. (2022). Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive). Official Journal of the European Union, L 333, 80–155. https://eur-lex.europa.eu/eli/dir/2022/2555/oj
10. Federal Ministry of Communications and Digital Economy. (2021). National cybersecurity policy and strategy. https://www.ncc.gov.ng/docman-main/cybersecurity/1160-national-cybersecurity-policy-and-strategy/file
11. Guy Carpenter. (2025, September). Climate change X cyber: An intertwining risk. Retrieved 10 September 2025, from Guy Carpenter website
12. Hsu, C.-C., & Sandford, B. A. (2007). The Delphi technique: Making sense of consensus. Practical Assessment, Research & Evaluation, 12(10), 1–8. https://doi.org/10.7275/pb6t-4d11
13. IBM. (2024). DHS: Guidance for AI in critical infrastructure. Retrieved 16 November 2025, from IBM website
14. International Organization for Standardization. (2024). New global standard on resilient infrastructure launched: ISO 22372 sets a benchmark for safer, risk informed development. Retrieved 30 October 2025, from Prevention Web website
15. National Institute of Standards and Technology. (2008). Advanced risk models for evaluating critical infrastructure cyber security threats, exploits, vulnerabilities, incidents, and responses. National Institute of Standards and Technology.
16. National Institute of Standards and Technology. (2023). Cybersecurity framework profile for resource constrained organisations. National Institute of Standards and Technology.
17. Nigeria Information Technology Development Agency. (2021). National Centre for Critical Information Infrastructure Protection (NCCCIIP) guidelines. https://nitda.gov.ng/wp-content/uploads/2021/05/NCCCIIP-Guidelines.pdf
18. Nigeria Information Technology Development Agency. (2024). Nigeria AI strategy report. https://nitda.gov.ng/ai-strategy/
19. Parlov, N., Akrap, G., & Esterhajer, J. (2025). Supply chain security and AI risk governance model for critical infrastructure under NIS2, CER, and CRA. ACIG, 4(1).
20. President’s Council of Advisors on Science and Technology. (2024, February). Strategy for cyber physical resilience: Fortifying our critical infrastructure for a digital world. Executive Office of the President.
21. United Nations Development Programme. (2024, October). Powering the future: Risk governance for a sustainable, resilient and inclusive energy system. United Nations Development Programme.
22. U.S. Department of Energy. (2024, April). Risk assessment essentials for state energy security plans. Office of Cybersecurity, Energy Security, and Emergency Response.
23. World Bank. (2022). Cybersecurity and critical infrastructure resilience in developing economies. World Bank Group.
24. Xage Security. (2025, February 25). NERC CIP 2025 updates: Key changes, utility implications and compliance solutions. Retrieved 30 October 2025, from Xage Security website