AI has armed attackers faster than defenders: flawless phishing, convincing deepfakes, machine-speed attacks, and a new attack surface from your own AI. The WEF's 2026 cyber survey names AI the top force reshaping the threat. That makes cyber an enterprise risk, not an IT line item.
- AI has armed attackers faster than it has armed defenders. The World Economic Forum's 2026 cyber survey of 804 leaders across 92 countries names AI the single most significant force reshaping cyber risk.
- Cheap, convincing AI-generated phishing, deepfakes and fraud have moved the threat from occasional to constant. Roughly three-quarters of organisations now flag AI-enabled fraud as a rising concern.
- Your own AI adoption widens the attack surface: new data flows, prompts and models are all things that can be exploited, often deployed faster than they are secured.
- The gap is widening between well-defended organisations and everyone else, and your weakest supplier is now part of your risk.
- This makes AI-era cyber a board issue, not an IT backlog item: put it on the agenda, assume AI-armed attackers, secure your own AI, and rehearse for attacks that move at machine speed.
For years, cybersecurity lived comfortably in the IT department. It was technical, it was contained, and the board saw it once a year as a line on a risk register. AI has quietly ended that arrangement. The same technology you are adopting to move faster is being used, right now, to attack you faster, and it has shifted the balance in a direction that should concern anyone responsible for the whole enterprise rather than just its servers.
The evidence is not anecdotal. The World Economic Forum's Global Cybersecurity Outlook 2026, produced with Accenture and drawn from 804 leaders across 92 countries, including hundreds of chief information security officers and chief executives, names AI the most significant force now reshaping the cyber landscape. Its judgement is uncomfortable and precise: AI empowers defenders, but it is amplifying attackers faster. Around three-quarters of organisations report AI-enabled fraud as a growing concern, and the report describes a widening gulf between the well-protected and everyone else.
Why has AI tilted the field towards attackers?
Because it makes the expensive parts of an attack cheap. A convincing phishing email once took effort and gave itself away with clumsy language; AI now writes flawless, personalised lures at scale in any language. Voice and video deepfakes make the fraudulent call from the "chief executive" genuinely hard to catch. Reconnaissance, vulnerability-hunting and malware adaptation all speed up. None of this is science fiction; it is the current cost curve. The defender has to be right every time, and AI has made it cheaper than ever for the attacker to keep trying.
There is a second, quieter reason, and it is self-inflicted. Every AI system you deploy is new surface to attack: fresh data flows, model endpoints, prompts that can be manipulated, and integrations that were shipped at the speed of enthusiasm rather than the pace of security. The rush to adopt, the same rush behind why most organisations fail at AI adoption, tends to leave the securing of AI as an afterthought.
Put AI-era cyber risk where it belongs, on the board agenda
The AI Strategy Session helps you treat AI security as an enterprise risk, not an IT afterthought, and decide what to do about it, in ninety minutes.
Book your Strategy SessionWhy is this a board issue rather than an IT one?
Because the decisions that matter now are enterprise decisions, not technical ones. How much AI risk you are willing to run, how fast you deploy versus how carefully you secure, how exposed you are through your suppliers, and whether your people can still tell a real instruction from a synthetic one, these are questions of governance and culture, not firewall configuration. The Stanford AI Index recorded AI-related incidents rising to a record 233 in 2024, up more than half on the year. A risk growing at that rate, aimed at the whole organisation, has outgrown the server room.
What should leaders actually do?
Treat AI-era cyber as a standing enterprise risk and manage it like one.
- Put it on the board agenda, not the IT backlog. Make AI-enabled threat a regular governance item with a named owner, the way you treat financial or safety risk.
- Assume your attackers are AI-armed. Retrain people for a world where phishing and deepfakes are flawless, and add verification steps for high-value actions that a convincing fake cannot pass.
- Secure the AI you deploy. Treat every model, data pipeline and integration as attack surface, and assess it before it goes live, not after an incident.
- Close the gap in your supply chain. Your weakest vendor is now your exposure. Ask what they are doing about AI-enabled threats, because their lapse becomes your breach.
- Rehearse for machine speed. Test your incident response against attacks that move faster and scale wider than the human-paced ones you planned for.
AI armed your attackers before it armed your defence. Flawless phishing, convincing deepfakes and machine-speed attacks make cyber an enterprise risk now, not an IT line item. Put it on the board agenda.
What does this change for me as a leader?
It changes who owns the problem. As long as cyber sat with IT, the board could treat it as someone else's technical worry. AI has made the threat faster, cheaper for attackers, and tangled up with the very systems you are racing to adopt, which pulls it squarely into enterprise risk. The organisations that come through this well will not be the ones with the cleverest tools; they will be the ones whose leaders decided, early, that this was theirs to govern.
That is the shift underneath the end of business as usual: AI changes not just what you can do, but what can be done to you, and both belong on the same agenda. Treat AI-era cyber as the board-level risk it now is, and you can adopt with confidence rather than exposure. These are exactly the questions a board should be asking before the next AI system goes live.
| Source | Finding on AI and cyber risk |
|---|---|
| WEF, Global Cybersecurity Outlook 2026 (with Accenture) | Survey of 804 leaders across 92 countries names AI the most significant force reshaping cyber risk, empowering defenders but amplifying attackers faster |
| WEF, Global Cybersecurity Outlook 2026 | Around three-quarters of organisations report AI-enabled fraud as a rising concern, alongside a widening gap between well-defended organisations and the rest |
| Stanford HAI, 2025 AI Index | AI-related incidents rose to a record 233 in 2024, up more than 50% on the previous year |
Frequently asked questions
How is AI changing cybersecurity risk?
Why should the board care about AI cybersecurity, not just IT?
What should leaders do about AI-enabled cyber threats?

About the author
British technology futurist, AI keynote speaker and advisor. Thirty years across enterprise technology and AI strategy, helping leaders navigate the future of work. The futurist who died.