KAREN JOY BACUDO

Finance Editor

Topia has partnered with Certino to integrate expatriate payroll calculations into its Topia Horizon platform, covering payroll instruction outputs in more than 90 countries.

The partnership brings Certino’s gross-up and shadow payroll calculations into Topia’s mobility workflow, aiming to replace the spreadsheet-based processes and disconnected systems many employers still use to manage internationally mobile staff.

Many multinational employers handle cross-border compensation through a mix of internal spreadsheets, external providers and manual calculations. As international hiring grows and regulatory scrutiny increases, payroll, tax and mobility teams are left managing fragmented processes.

Under the arrangement, organisations using Topia Horizon will be able to access payroll-ready calculations within the same system they use to manage employee mobility. The integrated workflow is designed to help employers pay mobile employees accurately while managing tax and compliance obligations across jurisdictions.

Manual burden

Expatriate payroll has long been one of the most complex parts of global mobility because employees can trigger tax, social security and payroll requirements in more than one country. Gross-up calculations, which employers use to offset tax burdens for staff on assignment, and shadow payroll processes, which track tax liabilities in host locations, often require multiple handovers between HR, payroll and tax specialists.

Topia said its Horizon platform already automates risk assessments linked to tax, immigration, social security and permanent establishment before employee trips and remote work requests. The Certino integration extends that process into payroll execution by linking mobility decisions with payroll calculations.

The new service is aimed at both large employers managing cross-border workers directly and mobility service providers running international compensation programmes for clients. Payroll instruction outputs are supported across all countries covered by the arrangement.

David Walters, Chief Executive Officer, Topia, said the partnership is intended to address a longstanding operational gap.

“International talent mobility has become a strategic priority but the operational processes underpinning it have not kept pace. Too many organisations are still managing critical payroll and tax calculations through manual processes that create unnecessary risk and cost. Topia Horizon’s intelligence closes that gap, surfaces risk, generates policy-linked cost simulations, and now connects directly to payroll-ready calculations through Certino. Partnering with Certino means organisations can run a more accurate, connected and scalable global compensation operation,” Walters said.

Compliance focus

The announcement reflects wider pressure on employers to tighten oversight of international employment arrangements. As companies hire across borders and allow more staff to work remotely or travel for work, payroll teams increasingly need to track where income is earned, where tax is due and how local payroll reporting should be handled.

Errors in those calculations can create financial and compliance risks for both employers and employees. As a result, expatriate payroll remains a persistent challenge for companies with international workforces, particularly when payroll data is kept separate from mobility and tax systems.

Certino focuses on tax calculation and shadow payroll for global mobility programmes. Its systems are used by multinational employers as well as by accountancy, payroll, and relocation partners that handle assignment-related compensation.

Tom Lockyer, Chief Executive Officer at Certino, said the work has traditionally required significant manual input.

“Gross-up calculations and shadow payroll obligations have always required significant manual effort and multiple handoffs. The consequences of getting them wrong are serious. Certino was built to standardise and automate these calculations, delivering consistent, payroll-ready outcomes at scale. Embedding that capability inside Topia Horizon brings specialist expatriate tax calculation directly into the operational workflow, enabling global mobility teams to execute with greater control, transparency and confidence,” Lockyer said.

Chainguard has launched a source code scanner that blocks open source packages it classifies as malware and “greyware”. It says the tool is already screening more than 100,000 packages a day.

The scanner is available for npm packages requested through Chainguard Libraries for JavaScript and has already blocked more than 52,000 packages identified as malware or greyware.

Chainguard uses the term greyware for open source packages that disclose their intended behaviour but still pose security risks many organisations would reject in a formal review. These can include tools for credential harvesting, command interception, persistent remote access and account fraud automation.

The launch reflects broader concern in software security over the growth of risky dependencies in public registries. Security teams have long focused on malware hidden inside code packages, but Chainguard argues that another category is slipping through because the software openly states what it does and can avoid conventional malware detection.

In its current setup, the scanner reviews packages before they are added to the Chainguard Libraries catalogue rather than waiting until a customer requests them. It examines maintainer behaviour, package contents, publishing signals and the behaviour of installation scripts in a sandboxed environment.

That includes unusual account activity, changes in release history, obfuscated code, suspicious domains, differences between source code and published packages, and scripts that try to contact external servers or access local files. Packages are then marked as malicious, escalated for review by a security engineer, or cleared for use.

Chainguard says the volume of software being generated and adopted through AI-assisted development is making manual dependency checks less realistic. It argues that developers often rely on indicators such as download numbers, repository activity or autocomplete suggestions rather than reading package documentation or reviewing source code in detail.

The company also pointed to a wider industry backdrop in which supply chain attacks remain a significant issue, citing figures showing that 65% of organisations said they experienced a supply chain attack in the past year.

Examples found

Among the examples identified on npm was leobot-cli, which Chainguard described as an account fraud automation tool. The package advertises itself as a command-line bot for registering Canva and Leonardo accounts and includes a command to generate fake accounts and inject a Chrome extension for session injection and token monitoring.

Another package, @robinpath/cloud-cli, was described as software that creates a permanent backdoor from a machine to a third-party server and waits for commands to run. It is presented as a command-line tool for an AI assistant that reads code, creates files, executes commands and builds scripts.

Chainguard also highlighted noesis-miner, which it said reads Solana keypairs from disk and runs persistent mining loops. The package is presented as an AI-agent-mined token protocol for Solana.

It identified drogonclaw as a hacking toolkit that includes open source intelligence functions, network scanning, exploit execution and remote mobile control. The package advertises itself as an autonomous AI pentest framework.

A fifth example, chrome-tool, was described as a Chrome credential-harvesting extension. According to Chainguard, the package exports modules designed to extract passwords, cookies, credit card information and autofill data.

Several of these packages remain available for download on npm and have each recorded thousands of downloads, Chainguard said. Some had also passed what it described as a typical seven-day cooldown period, a delay often used by software security products before treating a package as established.

Scanner design

The scanner sits inside Chainguard Repository and is intended to add another layer of review on top of existing checks such as building from source and cooldown periods. The aim is to reduce the risk of malicious or risky software being cached inside internal systems before it is flagged.

Ross Gordon, Staff Product Marketing Manager, and Evan Gibler, Staff Security Engineer at Chainguard, described the rationale for the product in a joint comment: “Malware has become a serious industry problem: 65% of organizations said they experienced a supply chain attack last year, let alone in 2026. However, there hasn’t been much emphasis on packages that do exactly what their README says, pass malware scans, but act in ways no CISO would ever approve. We call those packages greyware.”

Protection is currently in place for npm packages requested through Chainguard’s JavaScript library service, with additional language ecosystems due to be added later. Chainguard says the scanner is already protecting all packages served through its upstream fallback to npm and has blocked more than 52,000 malware and greyware packages.

KPMG has published a global study linking stronger AI transformation results to trust and governance. The survey covered more than 1,750 senior leaders across 20 countries.

The findings highlight a gap between rising AI adoption and broader business results. Many organisations are expanding AI use in specific functions without changing the wider operating model needed to turn those efforts into enterprise-level gains.

While 58 per cent of leaders consider enterprise-wide systems, processes, people and technology critical to transformation, only 12 per cent said their organisations deliver them effectively. The study also found that risk-led transformation produced the strongest performance improvement, at 14 per cent.

Workforce readiness emerged as another weak point. While 75 per cent of respondents expect benefits from humans and AI working together, only 19 per cent reported having a workforce ready for that shift.

Risk concerns were widespread, but integration remained limited. Nearly three in four respondents cited risk, security and privacy as major concerns, yet only 24 per cent said those issues are embedded in strategy and technology.

Measurement was also patchy. Just 28 per cent of organisations track operational or revenue outcomes linked to trusted AI, suggesting many still rely on adoption rates, qualitative signals or no formal measurement at all.

Operating model gap

The research argues that AI deployments often remain confined to individual use cases and are not fully tied to decision-making or end-to-end workflows. In that environment, productivity gains may appear in isolated parts of a business without translating into sustained organisation-wide improvements.

Legacy structures are part of the problem. Many businesses still operate with models built for stability rather than constant adaptation, making it harder to coordinate change across multiple teams and systems.

Adrian Clamp made that point in comments accompanying the research.

“Real value from AI requires operating as an intelligent enterprise – aligning strategy, decisions, and execution. Yet, most organizations have not redesigned themselves to do so, with complexity rising faster than performance. As a result, many risk scaling AI without delivering sustained enterprise impact or meaningful returns,” said Adrian Clamp, Global Head of Consulting Strategy & Investment, KPMG International.

Governance divide

The strongest performers were more likely to treat trust and AI governance as part of day-to-day operations rather than as a separate compliance exercise. The study linked that approach to better outcomes in areas including innovation, investment capacity and stakeholder trust.

Only a minority have taken that route. Most organisations still rely on reactive, siloed or partly integrated approaches to AI risk management.

Samantha Gloede said the issue goes beyond technical oversight.

“Trust is no longer a safeguard; it is a prerequisite for performance. As transformation scales across interconnected systems, organizations must be able to rely on decisions, not just data. That confidence is built through how risk is governed, managed, and embedded into execution. When it is, transformation can be directed, aligned, and scaled. When it is not, it fragments under its own complexity,” said Samantha Gloede, Global Head of Risk Services and Trusted AI Leader, KPMG International.

Broader shift

The study frames the findings as part of a wider change in how businesses compete. Rather than judging success by the number of transformation projects, it suggests organisations are increasingly being tested on whether they can coordinate change across the whole business.

KPMG described this as enterprise orchestration: the ability to align priorities, connect execution and manage trade-offs continuously across different parts of the organisation. The data suggests that without that coordination, AI investment may increase activity without producing equivalent returns.

The survey spanned sectors including technology, financial services, healthcare and manufacturing, indicating that the issues identified are not limited to a single industry. Across responses, a common theme emerged: AI adoption is moving faster than organisational redesign, leaving many companies with more complexity but not necessarily stronger performance.

One of the starkest findings was the contrast between ambition and readiness: 75 per cent of leaders expect gains from human and AI collaboration, but only 19 per cent say their workforce is ready.