As AI adoption in business accelerates rapidly, the fundamental premises of cybersecurity are undergoing a radical shift. Attacks exploiting AI are growing increasingly sophisticated, and AI systems themselves are becoming new targets. A WEF survey found that 94% of respondents identified AI as "the single greatest driver of change in cybersecurity," while an IBM report attributes 1 in 6 data breaches to threat actors' use of AI.

This article organizes the latest incident case studies, regulatory trends, and industry frameworks to explain the measures that corporate information security professionals should "act on immediately," structured across three layers: technical, operational, and governance.

The impact of AI on cybersecurity is easier to grasp when considered along two broad axes. If countermeasures are skewed toward only one of them, the other becomes a blind spot.

AI-related security risks can be organized along the following two axes.

Axis 1: Offensive AI This refers to cases where attackers use AI as a "weapon." Examples include identity spoofing via deepfakes, sophisticated phishing emails generated by AI, and the automated creation of polymorphic malware. Traditional attack methods are being accelerated, scaled, and personalized through AI, creating a situation where defensive detection can no longer keep pace.

Axis 2: Attacks on AI These are attacks that target the AI systems organizations have deployed. Techniques include manipulating LLM behavior through prompt injection, embedding backdoors in training data (data poisoning), and exploiting tool integrations in AI agents. The more an organization adopts AI, the greater the risk along this axis becomes.

Cases where both axes intersect are also on the rise. For example, instances have been confirmed involving a China-linked group that jailbroke an AI coding assistant and automated 80–90% of a cyberattack chain.

Traditional security was designed on the premise that "human attackers use known techniques with standardized malware." AI overturns all three of these assumptions.

• Changes in speed and scale: AI generates phishing emails in seconds and personalizes them for each target — far beyond what human review can keep pace with
• More sophisticated evasion: Polymorphic malware mutates its code with each execution, neutralizing signature-based detection. Some reports indicate that 76% of AI-generated malware is polymorphic
• New attack surfaces: Attack vectors such as prompt injection, model poisoning, and MCP tool abuse have emerged that conventional firewalls and WAFs cannot defend against

IBM's 2025 Data Breach Report found that organizations with broad adoption of AI security tools achieved an average reduction of 80 days in detection and containment time, along with $1.9M in cost savings. The flip side is clear: without incorporating AI into defense as well, the asymmetry between attackers and defenders will only continue to widen.

Attackers are exploiting AI in three primary ways. While each represents an extension of conventional tactics, they share a common thread: AI has elevated both the quality and scale of these methods by orders of magnitude.

According to research by Cyble, deepfake incidents totaled 179 in Q1 2025 alone, surpassing the full-year 2024 figure by 19%. Additionally, 62% of organizations reported experiencing attempted deepfake attacks over the past 12 months.

Voice cloning is a particularly serious concern. In one attack that cloned the voice of Italy's Defense Minister, approximately one million euros were fraudulently obtained. Attackers can recreate a person's voice from just a few minutes of audio samples and issue wire transfer instructions over the phone. This represents a form of social engineering on an entirely different level from conventional "suspicious emails," leaving the recipient with virtually no reason to be skeptical.

Furthermore, the proliferation of "Deepfake-as-a-Service (DFaaS)" platforms has made it possible for even technically unskilled attackers to generate deepfakes. Security vendors predict that by the end of 2026, deepfakes will become the default method of social engineering.

According to KnowBe4's 2025 report, 83% of phishing emails are generated by AI. A ransomware or phishing attack occurs once every 11 seconds, and financial fraud losses in the United States reached $12.5 billion in 2025.

What makes AI-generated phishing particularly troublesome is that the traditional detection cues of "unnatural language" and "formulaic wording" no longer apply. LLMs analyze a target's LinkedIn profile and the tone of their past emails to generate text that sounds like something that person would write. In the author's own testing of AI-generated phishing emails, 3 out of 5 in-house security personnel were unable to distinguish them from legitimate emails.

As countermeasures, strict enforcement of email authentication protocols (DMARC, DKIM, and SPF), along with the adoption of AI-based email filtering, has become essential. Detection that relies solely on the "human eye" has reached its limits.

76% of AI-generated malware is polymorphic — altering its code structure with each execution to evade signature-based antivirus detection. Darktrace's 2026 Threat Report confirms a shift away from exploit-centric breaches toward AI-powered credential theft attacks.

Another concern is the automation of attack chains. Cases have been reported of Chinese-affiliated threat actors jailbreaking AI coding assistants to automate 80–90% of the attack chain — from reconnaissance to payload creation, delivery, and lateral movement. The "barrier to entry" for attacks has dropped dramatically, with AI commoditizing sophisticated attacks that previously required significant skill.

Introducing AI means that AI itself becomes a new attack surface. OWASP systematically categorizes LLM-specific vulnerabilities and updates them annually. Below is an overview of the key attack vectors that organizations should be aware of.

In the OWASP Top 10 for LLM Applications 2025, prompt injection continues to rank #1. 35% of real-world AI security incidents are caused by simple prompts, with some resulting in losses exceeding $100,000.

A emblematic case is the "EchoLeak" vulnerability in Microsoft 365 Copilot (CVE-2025-32711). Through zero-click prompt injection, attackers were able to exfiltrate sensitive business data without any user interaction. Simply by embedding malicious prompts in shared documents or incoming emails, Copilot would automatically execute them.

The fundamental difficulty with prompt injection lies in the blurred boundary between "instructions" and "data." While SQL injection has a clear countermeasure in parameterized queries, no standard method for completely separating prompts from user input has yet been established for LLMs.

Researcher proof-of-concept experiments have revealed that injecting as few as 250 poisoned documents into training data is sufficient to embed an undetectable backdoor into a model. This "sleeper agent" type backdoor operates normally 99.9% of the time, manifesting malicious behavior only when a specific trigger phrase is provided as input.

In January 2025, it was demonstrated that medical LLMs could be compromised through data poisoning. In domains like healthcare that directly fall under YMYL (Your Money or Your Life), the consequences of an AI returning incorrect outputs could be immeasurable.

As countermeasures, establishing Data Provenance management for training data and developing an AI-BOM (AI Bill of Materials) have become increasingly important. Without making the entire supply chain traceable—capturing what data was used, by whom, and when for training—detecting poisoning attacks remains extremely difficult.

Attacks exploiting the mechanisms by which AI agents call external tools (such as MCP: Model Context Protocol) are rapidly increasing.

Confirmed real-world cases:

• The Supabase Cursor agent processed SQL instructions embedded in support tickets and exfiltrated sensitive integration tokens to external parties
• Fake npm packages disguised as email integrations silently copied outgoing emails to attacker-controlled addresses
• Researchers identified tool poisoning, RCE (Remote Code Execution) flaws, excessive privilege grants, and supply chain tampering within the MCP ecosystem

These attacks are difficult to detect with conventional network monitoring. Because AI agents call external tools as "legitimate operations," anomalous traffic patterns often do not arise. Input validation for tool integrations, requiring signed artifacts, and logging all actions form the pillars of mitigation.

There is a risk that is more familiar and harder to address than technical attacks: "Shadow AI," where employees use AI tools for work without approval from the IT department.

Gartner predicts that by 2030, more than 40% of organizations will experience security and compliance incidents caused by unsanctioned AI tools. A 2025 survey found that 69% of organizations responded that they "suspect employees are using prohibited public GenAI."

What makes Shadow AI particularly troublesome is that well-intentioned employees are using it to boost productivity. Pasting customer data into ChatGPT to generate reports, sending source code to Claude to find bugs — while individual productivity increases, this carries the risk of sensitive data leaking to external services. Research also indicates that in 27% of organizations, more than 30% of data processed by AI contains private information.

IBM's 2025 Data Breach Report explicitly quantified the increased cost of data breaches involving Shadow AI. Breaches involving Shadow AI cost an average of $670,000 more than those that do not. Currently, Shadow AI is involved in 20% of all data breaches.

The main drivers of increased costs are as follows:

• Delayed detection: Leaks originating from tools unknown to IT departments take an average of dozens of additional days to detect
• Increased incident response complexity: Identifying the breach pathway takes longer, delaying containment
• Compliance violations: The use of unauthorized tools can directly lead to violations of regulations such as GDPR

Spending on AI governance is projected to reach $492M in 2026 and exceed $1B by 2030. Behind this rising investment priority lies the growing severity of "hidden costs" attributable to Shadow AI.

In 2026, the way AI is being utilized is shifting from "chatbots" to "autonomous agents." Gartner predicts that by the end of 2026, 40% of enterprise applications will incorporate task-specific AI agents—a sharp increase from less than 5% in 2025. While agents are powerful, the nature of their security risks changes qualitatively as well.

OWASP, in collaboration with over 100 industry experts, has published the "OWASP Top 10 for Agentic Applications 2026," a compilation of risks specific to autonomous AI systems. Unlike the traditional LLM Top 10, it is designed for environments where agents autonomously invoke tools, make decisions, and collaborate with other agents.

Key risk categories:

• Prompt Injection and Manipulation: Tampering with an agent's instructions to cause it to execute unintended actions
• Tool Abuse and Privilege Escalation: Causing an agent to use its granted tool access beyond its intended scope
• Memory Poisoning: Corrupting memory that persists across sessions (unlike ordinary prompt injection, the effects are long-lasting)
• Cascading Failures in Multi-Agent Systems: A malfunction in one agent propagating chain-reaction failures to other agents
• Supply Chain Attacks on Agent Toolchains: Attacks conducted via MCP servers and plugins

In a survey conducted in early 2026, 80% of organizations that had deployed AI agents reported "dangerous behaviors, including unauthorized access and data exposure." Meanwhile, only 21% of executives had full visibility into agent permissions and data access. Just 29% of organizations reported being "prepared" for agent security.

The root cause of this gap lies in the design principle that agents "make decisions on behalf of humans." With chatbots, a human enters a prompt, reviews the output, and then takes action. Agents automate the intermediate decision-making, meaning a single malicious input can trigger a chain of actions. The more steps that exist without human review, the more risk grows exponentially.

The attack scenario demonstrated by CyberArk Labs clearly illustrates the risks posed by agents.

An attacker embedded a malicious prompt in the shipping address field of an e-commerce site. When a vendor's staff member used an AI agent to query order information, the agent "read" the address data and executed the embedded prompt as an instruction. As a result, sensitive information from the order database was exfiltrated to an external destination.

This case offers three key lessons:

1. Data becomes instructions: AI agents process data from user input fields as "trusted context"
2. Attackers do not need direct access to the agent: The attack can succeed through indirect data pathways
3. Traditional input validation is insufficient: A prompt can be embedded within a "valid value" in an address field

The regulatory environment surrounding AI security is rapidly taking shape. Companies are required to address not only technical measures but also compliance perspectives.

The EU AI Act is being enforced in phases, with the "high-risk AI system requirements" — the most impactful provisions — entering into full application in August 2026.

Companies operating systems classified as high-risk AI — such as recruitment screening, credit scoring, and critical infrastructure management — must establish risk management systems, data governance frameworks, transparency requirements, and human oversight mechanisms. Even Japanese companies are subject to these requirements if they provide services within the EU.

In the United States, the NIST AI Risk Management Framework (AI RMF) functions as a de facto standard framework. It systematically manages AI risks across four phases: "Map, Measure, Manage, and Govern." The generative AI-specific profile (AI 600-1) defines 12 risk categories.

On the international standards front, ISO/IEC 42001 provides a certification standard for AI management systems. It is also used as a means of demonstrating conformance with the EU AI Act's high-risk requirements.

While these frameworks are not mandatory, they serve as evidence that "reasonable measures were in place" in the event of a security incident. They are also worth considering from the perspective of requirements from business partners and audit readiness.

In January 2026, the U.S. federal government published a "Request for Information (RFI) on the Security of AI Agents" in the Federal Register. This signals potential regulation targeting security risks unique to AI agents, with a focus on AI systems that make autonomous decisions and take independent actions.

While formal regulation has not yet been enacted, the direction is clear. There is a strong likelihood that requirements will emerge around agent permission management, action logging, and ensuring human override capabilities. Proactively establishing a compliance framework now will significantly reduce the costs of responding once regulations come into effect.

Having grasped the risks, how do you specifically protect against them? AI security measures are built across three layers: "technology," "operations," and "governance." Relying on any single layer alone will leave gaps.

1. AI-BOM (AI Bill of Materials) Management Similar to software SBOMs, this involves centrally managing the provenance of models, training data, and libraries used in AI systems. It is essential for detecting model poisoning and supply chain attacks, as well as identifying their scope of impact.

2. Input/Output Filtering Filtering layers are established for both inputs and outputs to LLMs. This covers detecting prompt injection, preventing the output of sensitive information (PII, API keys, etc.), and blocking malicious code generation.

3. Principle of Least Privilege Tool access granted to AI agents should be limited to the minimum necessary for task execution. Access should be controlled at a granular level — for example, read-only access to specific tables rather than full database access. Logging of all actions is also mandatory.

4. Adoption of AI-Based Defense Tools According to an IBM report, organizations that extensively leverage AI security tools incur data breach costs that are $1.9M lower. Given that attackers are using AI, defenders who fail to do the same will fall behind in detection speed.

1. Detection and Management of Shadow AI Combine DLP (Data Loss Prevention) and CASB (Cloud Access Security Broker) to detect and block data transmission to unauthorized AI tools. Since a complete ban is not realistic, it is more effective to maintain a list of approved AI tools and provide safe alternatives.

2. AI-Specific Employee Training Conduct regular simulation exercises using deepfakes and AI-generated phishing as training scenarios. It is important for employees to experience firsthand that the conventional judgment standard of "the email reads naturally, so it must be safe" no longer holds. Introducing identity verification protocols for voice calls (callback confirmation, passphrases) is also an effective countermeasure.

3. Developing an AI Incident Response Plan Add AI-specific scenarios to existing incident response plans. Establish in advance the rollback procedures in the event of model poisoning, the process for identifying the scope of impact when a prompt injection attack succeeds, and the response workflow for data leakage originating from Shadow AI.

1. Developing an AI Usage Policy According to IBM's report, 63% of AI-related breaches involved a lack of AI governance policies. Clearly document which business operations may use AI, what data may be input into AI systems, and how the approval process should work. Policies are best structured as an "allowlist + guardrails" format rather than a "blocklist."

2. Regular AI Security Audits Conduct quarterly audits of AI system security posture. Utilize the OWASP Top 10 for LLM and Agentic Applications as a checklist to verify prompt injection resistance, permission configurations, and data access scope. Mapping the AI attack surface using the MITRE ATLAS framework improves overall coverage.

3. Proactive Investment in Compliance Readiness In anticipation of the EU AI Act's high-risk requirements (August 2026) and evolving AI agent regulations in the United States, begin preparing risk management documentation, data governance frameworks, and transparency reports. There is a strong likelihood that requirements will arrive at a scale where a "wait until regulations are finalized" approach will not be sufficient.

Here are 2 common failure patterns that companies tend to fall into with AI security measures.

The misconception that deploying AI security tools guarantees safety is dangerous. While tools accelerate detection and response, operating them without proper policies creates new risks.

For example, there are cases where an AI-based SIEM is deployed, but leaving the alert threshold configuration entirely to AI results in a flood of false positives, causing the security team to fall into "alert fatigue." It is also important not to overlook the possibility that AI defense tools themselves can become targets of prompt injection.

Tools are merely the "technology layer" of a three-layer defense model. Without accompanying operations and governance, the investment will not yield commensurate results.

The numbers from IBM's 2025 report are stark. 97% of AI-related breaches involved inadequate AI access controls, and 63% lacked AI governance policies entirely.

Deploying AI without governance in place triggers the following chain of events:

1. Individual departments adopt AI tools independently (Shadow AI)
2. Confidential data leaks to unauthorized services
3. When an incident occurs, identifying the breach vector takes time
4. Response costs increase by $670,000 (IBM estimate)
5. Risk of regulatory sanctions

The "try it first, deal with problems later" approach is costly in the context of AI. Following the proper sequence—policy development → pilot deployment → phased rollout—ultimately proves the most cost-effective path.

Concisely answer frequently asked questions.

Indeed, small and medium-sized enterprises are actually more vulnerable to AI-powered attacks due to their smaller security teams. However, since the same level of investment as large enterprises is not realistic, they should prioritize their response accordingly.

There are three minimum steps to take: understanding the actual usage of Shadow AI (by implementing CASB), employee training to address AI-generated phishing, and establishing an AI usage policy. For technical countermeasures, starting with AI-based email filtering offers the best cost-effectiveness.

Partial coverage is possible, but it is not sufficient. Firewalls, WAFs, and EDR are effective against conventional attacks, but do not address prompt injection or model poisoning. The practical approach is to augment the existing stack with AI-specific security layers (LLM firewalls, AI-BOM management tools, etc.).

Follow three principles. First, "least privilege" — minimize the tool access granted to agents to only what is strictly necessary. Second, "logging of all actions" — maintain a complete record of what the agent has done to ensure auditability. Third, "human override" — incorporate a human-in-the-loop for critical decisions. The OWASP Top 10 for Agentic Applications 2026 can be useful as a checklist.

AI cybersecurity risks are rapidly expanding along two axes: "attacks using AI" and "attacks against AI." Deepfakes have increased 19% year-over-year, 83% of phishing attacks are AI-generated, and 80% of organizations that have deployed agents have experienced dangerous behavior — every one of these figures points to a crisis that is happening right now.

Countermeasures should be built across three layers: technical, operational, and governance. Defend on the technical front with AI-BOMs and input/output filtering, strengthen operations through Shadow AI detection and employee training, and establish governance via AI usage policies and regular audits. With the EU AI Act's high-risk requirements (August 2026) on the horizon, now is the time to begin making proactive investments.

No perfect defense exists, but combining all three layers makes it possible to keep risk within acceptable bounds. Start by taking stock of your organization's actual AI usage.