Half of All Security Leaders Admit They Are Unprepared for AI-Powered Cyberattacks, New Report Reveals

Half of All Security Leaders Admit They Are Unprepared for AI-Powered Cyberattacks, New Report Reveals

What Happened

A new industry report has revealed that one in two cybersecurity leaders acknowledge their organisations are not adequately prepared to defend against AI-powered cyberattacks—even as they simultaneously push to deploy AI tools within their own operations. The findings underscore a growing paradox in enterprise security: businesses recognise AI as both their greatest emerging threat and their most promising defensive capability, yet the path to implementing either side of that equation remains unclear for most organisations.

The report surveyed hundreds of CISOs, security directors, and IT security managers across industries, finding that while 89% of organisations have either deployed or are actively piloting AI tools for internal use, only 48% have developed specific incident response playbooks for AI-enhanced attacks. The gap between AI adoption enthusiasm and AI threat preparedness represents what researchers describe as the most significant security posture deficit since the early days of cloud migration.

Office 2024 Pro Plus

Word, Excel, PowerPoint + more. 3 Devices.

$29

Buy Now →

Windows 11 Pro

Professional Edition. 3 Devices.

$29

Buy Now →

Office 365 Lifetime

5 Devices. Lifetime Account.

$29

Buy Now →

Visio 2024 Pro

Professional Diagramming. 3 Devices.

$29

Buy Now →

Project 2024 Pro

Project Management. 3 Devices.

$29

Buy Now →

Win 11 + Office Bundle

Win 11 Pro + Office + Visio + Project

$49.99

Buy Now →

Particularly alarming is the finding that AI-powered phishing attacks have increased 340% year-over-year, with deepfake-enhanced social engineering and automated vulnerability exploitation becoming mainstream attack vectors. The report notes that traditional security tools—designed to detect human-paced attacks with recognisable patterns—are fundamentally ill-equipped to handle AI-driven threats that can adapt in real time, generate novel attack payloads, and operate at machine speed.

Background and Context

The cybersecurity industry has been anticipating the weaponisation of AI for years, but 2025-2026 has marked the inflection point where theoretical concerns became operational realities. The proliferation of open-source large language models and readily available AI tooling has dramatically lowered the barrier for sophisticated cyberattacks. What once required nation-state resources—crafting convincing phishing campaigns in multiple languages, identifying zero-day vulnerabilities, generating polymorphic malware—can now be accomplished by relatively unsophisticated threat actors armed with consumer-grade AI tools.

The corporate rush to adopt AI has simultaneously expanded the attack surface. AI systems introduced into enterprise environments create new vulnerability categories: model poisoning, prompt injection, data exfiltration through AI assistants, and supply chain attacks targeting AI model repositories. Each AI tool deployed within an organisation represents both a productivity enhancement and a potential entry point for attackers who understand how to exploit machine learning systems.

Previous generations of cybersecurity challenges—cloud security, mobile device management, ransomware—each followed a predictable pattern: initial vulnerability exposure, followed by market response, followed by gradual maturation of defensive capabilities. The AI threat landscape is evolving faster than this traditional cycle allows, creating what security researchers call an 'asymmetric acceleration'—attackers are leveraging AI faster than defenders can adapt.

Why This Matters

The implications of this preparedness gap are profound for businesses of every size. AI-powered attacks don't just move faster than human-paced threats—they fundamentally change the economics of cybercrime. Traditional attacks required significant human effort per target, creating a natural limit on scale. AI-automated attacks can target thousands of organisations simultaneously with customised, contextually relevant attack vectors, making even small businesses viable targets for sophisticated campaigns.

For enterprises, the finding that half of security leaders feel unprepared suggests a market-wide vulnerability that extends beyond individual organisations. Supply chain attacks—where a breach at one company cascades to its partners and customers—become exponentially more dangerous when AI enables attackers to map and exploit interconnected business relationships at scale. An organisation's security posture is only as strong as its weakest vendor, and the report suggests that many vendors haven't yet grappled with AI-specific threats.

This environment makes fundamental security hygiene more critical than ever. Organisations running properly licensed, up-to-date software receive security patches faster and maintain vendor support relationships that are essential during incident response. Whether it's ensuring endpoints run genuine Windows 11 key installations or maintaining current productivity suite licences, the basics of software compliance have become frontline security measures.

Industry Impact

The cybersecurity vendor landscape is rapidly pivoting to address AI-specific threats. Established players like CrowdStrike, Palo Alto Networks, and SentinelOne are integrating AI detection capabilities into their platforms, while a wave of startups is emerging with purpose-built solutions for AI threat detection, deepfake identification, and model security. The market for AI-specific cybersecurity tools is projected to exceed $15 billion by 2028, representing one of the fastest-growing segments in enterprise software.

Insurance carriers are also taking notice. Cyber insurance underwriters have begun requiring AI-specific risk assessments as part of their coverage evaluation processes, and premium adjustments for organisations without AI threat response plans are expected by late 2026. This financial pressure may prove more effective than technical evangelism in driving enterprise adoption of AI security measures.

Regulatory bodies worldwide are moving to establish AI security frameworks. The EU AI Act's provisions on high-risk AI systems include cybersecurity requirements, and the US NIST AI Risk Management Framework provides guidance that regulators are increasingly citing in enforcement actions. Organisations that proactively address AI security posture will be better positioned when these frameworks transition from guidance to mandates.

Expert Perspective

The four recommended actions outlined in the report provide a practical starting framework for organisations looking to close their AI security gap. First, conducting an AI-specific threat assessment that maps how AI could be used against the organisation's particular assets and processes. Second, updating incident response playbooks to account for AI-speed attacks that may outpace human decision-making. Third, deploying AI-powered defensive tools that can match the speed and adaptability of AI-driven threats. Fourth, investing in workforce training that helps security teams understand both the capabilities and limitations of AI in attack and defence scenarios.

The most sophisticated organisations are adopting a 'fight AI with AI' posture, deploying machine learning models specifically trained to detect AI-generated content, AI-automated attack patterns, and anomalous AI system behaviour within their own environments. This approach acknowledges that human analysts, regardless of skill level, cannot match the speed and pattern recognition capability required to defend against machine-speed threats operating across enterprise productivity software environments and beyond.

What This Means for Businesses

For small and medium businesses, the message is clear: AI security is no longer an enterprise-only concern. The same AI tools that enable large-scale attacks make it economically viable for threat actors to target smaller organisations that may lack dedicated security teams. Basic defensive measures—multi-factor authentication, regular software updates, employee security awareness training, and maintaining properly licensed software including affordable Microsoft Office licence deployments—provide foundational protection while more advanced AI-specific defences are evaluated and implemented.

Business leaders should prioritise three immediate actions: request an AI threat briefing from their security team or managed service provider, review their cyber insurance policy for AI-specific coverage exclusions, and begin evaluating AI-powered security tools that can augment existing defensive capabilities. The cost of preparation is invariably lower than the cost of remediation after a breach.

Key Takeaways

• 50% of security leaders report their organisations are unprepared for AI-powered cyberattacks
• AI-powered phishing attacks have increased 340% year-over-year
• 89% of organisations are deploying AI internally but only 48% have AI-specific incident response plans
• Traditional security tools are fundamentally inadequate against AI-speed, adaptive threats
• Cyber insurers are beginning to require AI-specific risk assessments for coverage
• Four key actions: AI threat assessment, updated playbooks, AI-powered defences, and workforce training

Looking Ahead

The AI security arms race is expected to intensify throughout 2026 as both offensive and defensive AI capabilities mature. Organisations that begin building AI security competencies now will have a significant advantage over those that wait for regulatory mandates or, worse, a breach to catalyse action. The cybersecurity industry's response to AI threats will likely follow the pattern of cloud security—initial chaos followed by rapid maturation—but the compressed timeline means organisations have months, not years, to adapt their defences.