In the past 18 months, AI has been rolled out widely. The primary reason for the change is that AI is getting good. It can effectively liberate human employees from the repetitive, menial tasks that traditionally account for a lot of time and little reward.
To add to the debate, there is increasing pressure from investors and the board to roll out AI. No board member wants to feel they are behind the AI curve, and they will be keen to find efficiencies where they can. This can lead to a desire to implement AI without fully scoping the project's needs. Such a rollout sits in stark contrast with other technology rollouts, which are typically slow and cautious.
When business leaders drive the technological change, how do security leaders remain in control?
In the security space, we are seeing AI agents operating across SaaS, source code, ticketing, and cloud dashboards with meaningful privileges. This has been on the horizon for some time but is now a reality.
In the vast majority of cases, these capabilities are a real benefit to the industry. They free up employee time to work on more technically complex issues, and they sift through large volumes of data to remove noise, all with precision and speed.
The issues arise in the small fraction of cases where privilege drifts, where an agent is given too much access, or where agents work alongside other agents with no human governing them.
DarkReading found that 48% of security professionals rank AI as the top attack vector. That figure is compounded by Cisco’s finding that only 31% of organizations feel fully equipped to secure their AI agents.
This article digs into those risks and explores the answers that will allow CISOs to take control of their AI implementation, secure it, and govern it. We’ll highlight the areas to be wary of and the signs you should look out for.
The AI Threat
One of the great things about AI is its speed. Any task you set can be carried out at a fraction of the time it would take a human to do. When this is going well, this is great. But when the AI does something you don’t want it to do, or when an attacker is using it against you, things can go wrong very quickly. To add to the risk versus reward debate, AI can be rolled out across so many aspects of your organization, affecting security, data, and finance.
1. The Scale of Shadow AI
Shadow AI is the name given to AI services used unofficially inside an organization. In practice, this looks like employees using chatbots to summarize emails, sometimes emails that contain sensitive information. Or developers using AI to generate code without full, line-by-line oversight.
Saviynt’s CISO AI Risk Report 2026 found that 75% of CISOs have already discovered unsanctioned AI tools running in production. That leaves security teams with an almost impossible task. How do you secure assets you don’t know exist?
The real problem with shadow AI is that once data leaves your environment, you lose the ability to govern it. You are unable to control who has access to it, or what it’s being used for. This is a severe breach of DLP processes as employees may leak sensitive information to LLMs, without proper oversight. Employees need to understand that pasting data into an AI tool is not the same as pasting it into an internal document.
What was once a theoretical risk has quickly become a clear and present danger. The same report found that 92% of organizations lack full visibility into their AI identities, and 95% of CISOs doubt they could detect or contain misuse if it happened.
2. AI-Powered Attacks: Phishing, Deepfakes, and Synthetic Identity
For all the efficiency and productivity benefits AI brings to your team, the same can be said for attackers. Criminals can increase the volume and accuracy of their content to trick unsuspecting users.
This tends to fall into three categories. The first is phishing. AI can scrape sites like LinkedIn to identify targets and craft messages that reflect their experience and their connections. That makes it much harder to recognize that the communication is not genuine.
“AI has made it virtually impossible to differentiate between an attempted phishing scam and legitimate business communications,” says Sudhanshu Dubey, CEO at FullStack Cyber.
Deepfakes operate in a similar way. They take information about a person and generate a new, fake version. A user’s digital footprint may include photos, videos, and audio recordings, perhaps a podcast appearance, and all of it can be used to make the AI version more convincing. A recent case involved the impersonation of Cypriot President Nikos Christodoulides, leading to individual victims losing more than €10,000 each.
We are seeing this type of attack combine with BEC, with attackers using Teams and Zoom calls to defraud companies. IDC has forecast that 80% of organizations will be hit by synthetic identity phishing by 2027.
Synthetic identity attacks combine these capabilities to generate completely fictitious personas. Attackers then pair the persona with stolen information, such as a social security number, allowing them to open fraudulent accounts, obtain credit, and evade detection. The technique is sophisticated, and AI is what makes it possible at scale.
3. The AI Supply Chain: Models, Plugins, and MCP Servers
The risks above are the simplest to understand and, as a result, the most covered in mainstream news reports. Attackers also use subtler methods of manipulating AI to make it produce pre-planned responses.
This is often referred to as poisoning. The AI model, or the data it trains on, has malicious information hidden inside it. The result is an AI agent that acts in a way that suits the attacker or surfaces malicious content. It might present you with a link that downloads malware once clicked.
MCP server ecosystems are also a risk. Model Context Protocol (MCP) is a method of connecting LLMs to external tools. MCP servers act as an interface, translating between two different technologies. They are useful, but they can also do real damage. The primary risk is remote code execution (RCE), where the AI triggers malicious code on your system. The risks extend to data exfiltration, prompt injection, and credential theft, thanks to the privileged access your AI has across your environment.
4. AI-Generated Code, Vibe Coding, and the Accountability Question
As we have become more comfortable with the outcomes AI systems produce, developers have been keen to use AI within their code generation workflows. A lot of code is generic, and AI is good at generating that content at pace, leaving developers to guide and update it as they see fit. The issue is that AI does not have intimate knowledge of how the codebase works. Loopholes that would be obvious to a human coder are overlooked, leaving the code vulnerable.
Vibe coding is something of a buzzword within the software development community. This is where people use AI to build and ship working applications without any personal coding experience. On the surface, the results often look impressive, mimicking applications that have been developed by professionals. The issue is what's under the hood. The vibe coder will not understand how the application actually works. They will have no way of addressing vulnerabilities or of ensuring that there are no hardcoded secrets.
The latest AI tools make vibe coding so easy that you might not even realize you're building an application. A marketing manager may look to build an internal tool to repeatedly process customer data, categorizing it and adding it to various workflows. This application and its related data are now targets that your IT team doesn't know exist.
To complicate matters, when you use AI to review AI, those vulnerabilities are often missed. There may be a long, overly complex justification for why a piece of code is written a specific way. The justification stands up to AI scrutiny, but a human reviewer would dismiss it.
The use of autonomous agents at scale, whether to review code or carry out other tasks, can compound these errors. Where there is no human-in-the-loop, the AI may be unable to recognize its own errors, repeating the same problem thousands or millions of times. This can result in an AI’s response straying some distance from the original intention.
That brings an uncomfortable question to the fore: who is responsible?
If a developer uses AI to improve their workflow, and is praised by management for the efficiency gains, can they also be blamed for issues that are present within the code? If we decide that they are responsible, then logically they should write every line of code themselves, which negates AI’s utility.
5. Governance and Regulatory Pressure
The risks AI poses cannot be ignored. For 70% of CISOs in the retail and hospitality sectors, AI is now a formal part of their responsibility. Recognizing the risk and accepting responsibility is the first step organizations can take in addressing the threat. AI is not a niche risk that can be ignored. It is growing in scale and severity.
Formal regulations are emerging to standardize how companies should address AI. The EU AI Act covers supervision, observability, and transparency rules. The picture is messier in the US, with rules being assigned on a state-by-state basis. Texas’s Responsible AI Governance Act (TRAIGA) and California’s AI and ADMT regulations have been in place since the start of 2026.
We are also seeing the emergence of sector-specific guidance in addition to geographic guidance. The SEC, FTC, and HHS have all published AI guidance. This is a particular issue for organizations operating within the EU, where regulations are much more stringent than in the US, which is taking a more deregulated approach.
For CISOs, the practical implication is clear. AI governance can no longer sit in a separate workstream from cybersecurity. Impact assessments, model documentation, incident reporting, and monitoring obligations all land directly on the security function. The organizations treating this as a compliance-only problem will find themselves on the back foot when their first AI incident becomes a regulatory disclosure.
6. Abuse of Customer-Facing AI
If your organization offers customers AI features, such as chatbots or search functions, those features become part of your attack surface. Anything that an attacker can probe is at risk of exploitation. What makes these AI features particularly risky is that they sit right at the edge of your environment, but often have privileged access to backend systems, API keys, or session tokens.
The most common attack pattern is prompt-based manipulation that tricks the AI agent into bypassing guardrails to provide critical data. This may reveal personal data or technical data that can allow the attackers to work out their next move. Some malicious prompts will coax the model into executing actions that will disrupt your normal operations.
To address this threat, you need to treat your customer-facing AI the way you would treat the rest of your public-facing infrastructure. Ensure that its permissions are tightly scoped, isolate it from sensitive credentials, log every integration, and assume that someone is already trying to exploit it.
7. Prompt Injection and the Agentic Browser Problem
The concept of prompt injection has briefly been touched upon in the supply chain and customer-facing AI sections already, but it’s worth taking a moment to consider its full repercussions.
Prompt injection is the process of hiding malicious instructions within content that an AI system will read. Whether it’s a webpage, PDF, email, or code comment, it will be invisible to the human user, but readable by a machine. The text is designed to hijack the AI and encourage it to carry out tasks that it wasn’t originally intended to. The AI is unable to differentiate the “hidden” text from the user’s instructions.
Agentic browsers add to the complexity here. These are browsers that use AI to search the web for answers to the questions they are given. The AI may visit a malicious site, unknowingly read malicious text, and then act upon these new instructions. The ramifications are almost limitless, from making payments using a saved card to accessing your emails or cloud data. The risks increase as the AI's level of privilege increases.
Here, the best course of action is to limit the privileges that the AI has. An AI agent accessing your emails with read-only privileges is one thing; the ability to write, send, and access files is a much bigger problem. Ensure that a human is in the loop and assume that any third-party content is potentially compromised.
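The privilege limits and human checkpoint described above, written out as a tool-call gate. This is an added example, not code from the article; the tool names, capability levels and agent identities are hypothetical and the scenario is constructed.

```python
"""Least-privilege gate for an AI agent's tool calls (added example, not from the article).

Each tool is tagged with the capability it needs; each agent holds a scoped grant;
calls at or above the approval threshold are held until a human signs off; every
decision is written to an audit trail. All tool and agent names are hypothetical.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Cap(IntEnum):
    READ = 1   # read mail or files, fetch web pages
    WRITE = 2  # create or modify drafts and files
    SEND = 3   # send mail, make payments: externally visible and hard to undo


# Constructed tool registry: tool name -> capability required to call it.
TOOL_CAPS = {
    "mail.read": Cap.READ, "web.fetch": Cap.READ, "file.write": Cap.WRITE,
    "mail.send": Cap.SEND, "payment.pay": Cap.SEND,
}


@dataclass
class AgentGrant:
    agent_id: str
    max_cap: Cap                    # highest capability this agent may ever use
    approval_from: Cap = Cap.WRITE  # calls at or above this level need a human sign-off
    audit: list = field(default_factory=list)


def gate_call(grant: AgentGrant, tool: str, args: dict, approved_by: Optional[str] = None) -> bool:
    """Return True if the call may proceed; every decision is appended to the audit trail."""
    cap = TOOL_CAPS.get(tool)
    if cap is None:
        verdict = "deny:unknown_tool"
    elif cap > grant.max_cap:
        verdict = "deny:exceeds_grant"          # injected instructions cannot raise the grant
    elif cap >= grant.approval_from and not approved_by:
        verdict = "hold:needs_human_approval"   # human stays on the loop for risky actions
    else:
        verdict = "allow"
    grant.audit.append({"agent": grant.agent_id, "tool": tool, "args": args,
                        "approved_by": approved_by, "verdict": verdict})
    return verdict == "allow"


def demo() -> list:
    """Constructed scenario: a read-only mailbox summariser meets text asking for a payment."""
    g = AgentGrant("mail-summariser", max_cap=Cap.READ)
    gate_call(g, "mail.read", {"folder": "inbox"})                               # allow
    gate_call(g, "web.fetch", {"url": "https://example.invalid/doc"})            # allow
    gate_call(g, "payment.pay", {"to": "acct-placeholder", "amount": 900})       # deny:exceeds_grant
    w = AgentGrant("ops-assistant", max_cap=Cap.SEND)                            # broader agent
    gate_call(w, "mail.send", {"to": "finance@example.invalid"})                 # hold:needs_human_approval
    gate_call(w, "mail.send", {"to": "finance@example.invalid"}, approved_by="alice")  # allow
    return [e["verdict"] for e in g.audit + w.audit]
```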
8. Hallucinations and the Rogue Agent Problem
While there are endless ways for an attacker to probe your AI tools, some of the most damaging incidents are caused by the AI systems themselves. Hallucination is where an AI agent makes up data, treating it as genuine. This means that it can make erroneous inferences from a spreadsheet, flag that something is a risk when it’s not, or simply make up an answer to your query.
The response will often look plausible, complete with the data points, sources, and statistics you asked for. If this data is fed into processes or used to make decisions, the problem compounds. The issue is amplified where AI is used at speed and to control operational decisions. In an e-commerce setting, the AI may invent orders, causing you to ship products to people who don't exist and to order more stock.
The advice here is, again, to monitor the privileges that your AI has, and ensure that the human remains in the loop. In many cases, the AI agent will own up to the fact that it made the data up when asked directly.
Legacy IAM
The defining control category for the remainder of the year is identity governance for AI agents. Legacy IAM platforms were built for humans and service accounts. They were not built for systems that act with delegated authority, accumulate permissions across SaaS environments, and operate in seconds. Expect identity vendors to address the risks AI systems pose. Some will adapt existing tools. Others will launch new, dedicated tools to handle discoverability, privilege, and behavioral monitoring.
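The privilege drift and permission accumulation described above, turned into a review that a security team could run over an inventory of agent identities. This is an added example, not code from the article or from any IAM vendor; the agent names, scopes and dates are constructed, and the baseline-versus-inventory shape is an assumption about how such records would be kept.

```python
"""Entitlement review for AI agent identities (added example; not from the article).

A constructed inventory of per-agent grants is compared against the role baseline
each agent was onboarded with: scopes outside the baseline are privilege drift,
scopes unused for longer than the review window are stale, and wildcard scopes
are flagged on sight. Agent names, scopes and dates are all hypothetical.
"""
from datetime import date

# Baseline: the scopes each agent was approved for when it was onboarded.
BASELINE = {
    "ticket-triage-agent": {"jira:read", "jira:comment"},
    "release-agent": {"github:read", "github:write", "ci:deploy"},
}

# Current inventory: (scope, granted_on, last_used_on or None if never used).
INVENTORY = {
    "ticket-triage-agent": [
        ("jira:read", "2026-01-10", "2026-06-02"),
        ("jira:comment", "2026-01-10", "2026-06-02"),
        ("slack:admin", "2026-03-02", None),            # added for a one-off integration
        ("gdrive:read", "2026-04-15", "2026-04-16"),    # used once, then forgotten
    ],
    "release-agent": [
        ("github:read", "2026-02-01", "2026-06-03"),
        ("github:write", "2026-02-01", "2026-06-03"),
        ("ci:deploy", "2026-02-01", "2026-06-03"),
        ("aws:iam:*", "2026-05-20", "2026-06-01"),      # wildcard grant outside the baseline
    ],
}


def review_agent(agent: str, today: date, stale_days: int = 30) -> list:
    """Return (finding, scope) pairs for one agent identity."""
    findings = []
    for scope, granted_on, last_used_on in INVENTORY[agent]:
        granted = date.fromisoformat(granted_on)
        if scope not in BASELINE[agent]:
            findings.append(("drift", scope))           # accumulated beyond the approved role
        if scope.endswith(":*"):
            findings.append(("wildcard", scope))        # blanket access, never appropriate for an agent
        if last_used_on is None:
            if (today - granted).days > stale_days:
                findings.append(("never_used", scope))
        elif (today - date.fromisoformat(last_used_on)).days > stale_days:
            findings.append(("stale", scope))
    return findings


def review_all(today: date) -> dict:
    """Review every agent in the inventory; agents with no findings are omitted."""
    return {a: f for a in INVENTORY if (f := review_agent(a, today))}
```

Each finding maps to a concrete remediation: revoke drift and stale scopes, replace wildcards with the narrowest scope the workflow actually exercises.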
AI for defense
The same capabilities that make AI so dangerous in the wrong hands are also reshaping the defenders' toolkit. Francis deSouza, COO and President of Security Products at Google Cloud, explained that “the idea of having a human in the loop in a lot of defense processes is just too slow when you have an agentic attack… The response has to be AI fighting AI. Not humans fighting AI, otherwise we won’t win.”
One area where AI is being put to use on the defender’s side is the agentic SOC. Rather than relying on a team of overworked SOC analysts to triage, investigate, and respond to security alerts, AI can take on much of the heavy lifting. It can quickly and accurately correlate attack patterns, gather context, and escalate response as needed. This does not remove the need for human input, but it allows that human input to be focused and efficient.
We’re also seeing similar AI technologies being embedded in email security platforms; this will look for risk flags to call out phishing and BEC attempts before users become victims. Again, this will assess context and analyze wider attack patterns (from attacks across the world) to effectively understand the nature of a risk.
This technology presents a new problem for CISOs. Not whether to adopt AI-powered defense, but how to evaluate it. With so much chatter about AI today, it’s important to be clear about what AI is offering.
We think it’s worth considering the following questions as you assess AI use:
What decisions is the AI actually making, and what is being escalated?
What training data is the model using, and is your data being fed back into a shared model?
How are false positives handled, and who is accountable when the AI gets it wrong?
Where is the human checkpoint, and is it real or theatrical?
The Regulatory Challenges
On the regulatory side, the second half of the year is when principles become enforcement. On 2 August 2026, the European Commission’s enforcement powers under the EU AI Act come into force, including the power to issue fines against GPAI model providers, alongside the bulk of high-risk AI system obligations. The picture in the US is messier. The Colorado AI Act, once the most ambitious state framework, was stayed by a federal court in April and replaced in May with a narrower automated decision-making law that does not take effect until 2027. Texas’s TRAIGA and California’s ADMT rules remain in force, and state attorneys general are increasingly active in AI enforcement. The regulatory landscape 12 months from now will look markedly different.
Expect the first significant penalties and the first publicly disclosed AI incidents that trigger regulatory reporting obligations to land before year-end. These will set the tone for how boards interpret AI risk in 2027 and beyond.
The bigger shift sits underneath all of this. Agentic systems cannot function under traditional human oversight. If your team reviews every action an agent takes, the agent has no advantage over the analyst it was built to replace. The point of agentic security is machine-speed response, and the only way that scales is to move humans from approving every step to setting the policies, monitoring the outcomes, and intervening at the edges.
The CISOs who close out 2026 from a position of strength will have accepted that shift and built around it. They will have brought AI identities into their IAM and PAM strategy as a priority, not as an extra. They will have built governance around their own use of defensive AI before regulators or auditors require it. And they will have moved AI risk reporting onto the board agenda as a standing item, not an annual update.
All three depend on the same underlying move: human-in-the-loop becoming human-on-the-loop. Day-to-day involvement is the bottleneck. Oversight, escalation paths, and audit trails are the controls that replace it.
In Short
We have already seen an unprecedented level of growth in the scope and use of AI in the past 12 months. Regulation has been slow to catch up, and attackers have been quick to adopt new technologies and test new strategies.
To secure your organization against the emerging threat, AI can no longer be an edge case. It must be formalized as a risk inside the CISO’s remit, with targeted policies and clear escalation paths for how to address attacks.
AI is not a problem that will disappear if we ignore it for long enough. It can only be addressed with broad, frank discussion of the risks, and sufficient investment in time and tooling.