Artificial intelligence is reshaping the cyber landscape much faster than organizations can handle. Attacks are accelerating at machine speed, while organizations' defenses remain largely reactive.
A global BCG survey of 500 senior leaders shows the scale of the exposure. More than half of executives now rank AI cyber risks among their top three organizational risks, but budgets, talent, technology maturity, and regulations are not keeping pace. The full results of our survey are detailed in the accompanying slideshow.
AI is enabling bad actors to automate large parts of the “cyber kill chain.” Such AI-enabled attacks have already caused operational shutdowns, financial losses, and regulatory penalties. The uncomfortable truth: Offense is scaling faster than organizations are modernizing their defenses.
The core message is clear: The era of passive defense is over. Offense will not slow down, and the question is whether defense can keep up.
The New Reality: AI Is Rewriting the Cyber Playbook
For decades, cybersecurity has been an asymmetrical contest. AI has made that asymmetry far more dangerous. Attackers now use AI to hunt for vulnerabilities at scale, generate hyper-realistic phishing content, clone voices and identities, and impersonate executives on live video. Their new toolkit dramatically amplifies both the speed and sophistication of cyberattacks.
These developments are not theoretical. Across industries, AI-enabled breaches have already produced multimillion-dollar losses, operational disruptions, and regulatory fines.
- A major health care provider faced an advanced AI‑enabled ransomware attack that encrypted electronic records, billing, and scheduling systems, forcing surgery delays.
- A multinational engineering firm lost $25 million after employees were deceived by an AI‑generated deepfake video impersonating the CFO.
- A telecom provider was fined $1 million after attackers used AI voice cloning to spoof election‑related robocalls.
Executives widely expect these threats to rapidly evolve. Over the next two years, they expect financial fraud, social engineering, vulnerability discovery, and self-learning malware to be the largest cyber threats, according to the survey.
The Core Problem: Offense Is Scaling Faster Than Defense
Nearly every organization now understands the risk, but few are acting at the speed required.
About 60% of leaders believe they have already encountered an AI-enabled attack. Yet despite this recognition, only 7% of organizations have deployed AI-enabled defense, while 88% of companies plan to do so.
The gap between understanding the threat and acting on it continues to widen. Why the lag?
- Budgets are flat. Only 5% of companies have increased cyber spending significantly due to AI threats, despite rising exposure.
- Talent is scarce. Nearly 70% of organizations struggle to hire AI‑cyber talent.
- Leadership focus is fragmented. Many executives view AI as an IT issue rather than an enterprise-wide strategic threat.
- Vendor maturity varies. The market is filled with early‑stage solutions, so organizations are concerned about the long-term strength and viability of these products. They also fear becoming locked in to solutions that may soon be obsolete.
- Regulatory uncertainty persists. While most regulators have issued or drafted AI‑cybersecurity policies and regulations, most organizations are unaware of how to implement them.
These factors explain a widening readiness gap, and attackers are exploiting it.
Three Structural Shifts Every Leader Must Understand
It is not enough for organizations to rely on more of the same cyber defenses they have used in the past. The landscape requires a more sophisticated approach.
AI systems themselves are becoming targets.
As organizations embed AI across products, operations, and workflows, their AI systems have emerged as a new class of assets requiring protection. Organizations need to protect the integrity of their AI models; training data, interaction, and prompting interfaces; and agentic tools.
Attacks are becoming autonomous.
AI has advanced from static models to agentic systems that can observe, reason, and act, transforming how attacks unfold. Adversaries can now launch multistep operations without human oversight, adapt instantly to defensive signals, and probe continuously for hidden vulnerabilities.
Identity-based authentication is vulnerable.
Deepfakes, voice cloning, and synthetic identities have undermined identity-based authentication as a reliable safeguard. Attackers can now replicate executives, employees, and customers with convincing precision, outpacing traditional training and awareness programs.
CEOs and CISOs Must Come Together
Organizations need a dual-leadership model to close the gap. CEOs must prioritize cybersecurity and AI at the board level, while CISOs should accelerate deployment of high-impact, AI-enabled use cases. In practice, organizations should consider the following actions:
- Establish a board-backed mandate to address AI-enabled cyber vulnerabilities and fund it accordingly.
- Deploy AI as a defensive tool, not as an experiment but as an integral part of the cyber-defense toolkit.
- Secure their AI systems.
- Build cyber-defense agility with a diverse multi-vendor architecture.
Working together, the CEO and CISO can propel organizations to shift from awareness to action. This is the moment when organizations decide whether they will shape the cyber threat landscape—or be shaped by it.
The authors thank Nora Altwaijri and Rameez Hashmi for their invaluable help with the analysis and writing of this article and slideshow.