AccessIT Group

AI as an Insider Threat: Expanded Risks with Expanded Usage 

Next-generation AI models may pose a “high” cybersecurity risk, including the potential to generate sophisticated exploits or assist intrusion operations, according to a warning from OpenAI. This highlights that AI is no longer just a defensive tool; it is a strategic attack surface that organizations must actively govern. Adding to that, 60% of organizations are highly concerned about employee misuse of AI tools enabling insider threats, according to the 2025 Insider Risk Report by Cybersecurity Insiders and Cogility.

The Problem: AI Expands the Attack Surface

AI is now embedded across workflows in engineering, HR, finance, and clinical operations, introducing new and often misunderstood risks. Modern AI systems can generate executable code, identify vulnerabilities, craft personalized phishing messages, and automate reconnaissance. While these tools support security teams, they also enable misuse by anyone with access.

Employees, contractors, or third parties may unintentionally or deliberately misuse AI in ways traditional controls can miss. Shadow AI use, unapproved model integrations, and poorly governed prompts increase exposure. Compounding the issue, 62% of organizations faced at least one deepfake attack in the past year, and 32% experienced attacks targeting their AI applications, according to a 2025 Gartner survey.

Why This Matters: Business, Regulatory, and Board Risk

AI-driven insider risk is a strategic business threat. Misuse can corrupt data, create vulnerabilities, disrupt operations, and expose sensitive information, impacting productivity, customer trust, and competitive advantage.

Regulatory risks are growing as organizations must comply with HIPAA, SOX, GDPR, and new AI governance requirements focused on transparency and accountability. Noncompliance risks costly enforcement and reputational harm.

Boards now expect CISOs and CIOs to clearly explain how AI-enabled insider risks are governed and mitigated. Failure to do so may weaken investor confidence and slow strategic initiatives.

How Organizations Can Prepare

Organizations should adopt a holistic People, Process, Technology approach.

People: Train employees and leaders on responsible AI use and insider risk awareness.

Process: Implement strong AI governance frameworks defining acceptable use, model oversight, and ownership. Incorporate AI-specific threat modeling and behavioral analytics, leveraging standards like the NIST AI Risk Management Framework.

Technology: Enforce identity and access controls around AI tools and sensitive data, along with continuous monitoring to detect misuse early.

Finally, investing in ongoing employee education is critical because even as AI evolves, people remain the backbone of any defense strategy.

AccessIT Group’s Strategy and Transformation practice helps organizations design and implement AI-aware insider risk programs that align strategy, governance, and technology controls to protect sensitive data and enable secure, value-driven AI adoption.

The Evolution of Cyber Risks in M&A, Rebalancing Approaches and Countermeasures in a Growing Threat Landscape

53% of surveyed organizations report they have encountered a critical cybersecurity issue or incident during an M&A that put the deal into jeopardy, according to ForeScout (“The Role of Cybersecurity in M&A Diligence”). As such, visibility into key risks and determining actionable priorities are critical components of the Mergers and Acquisitions (M&A) lifecycle. Although the role of cybersecurity in M&A, especially during ‘due diligence’, is nothing new to the industry, it is too often seen as a check-box activity, leaving many issues underestimated, unidentified, or even unseen. Today, threat actors are increasingly targeting M&A announcements themselves, or indicators of a potential transaction, to extract leverage, using leaked deal data, phishing schemes, and ransomware to exploit periods of organizational transition and distraction. Now more than ever, organizations must proactively evolve their cybersecurity strategies, rebalancing due-diligence approaches and strengthening countermeasures to keep pace with a rapidly growing and increasingly sophisticated threat landscape.

The Pace of Change

As the risk and threat landscape has significantly evolved in recent times, approaches to gain risk visibility and assess business-level impacts for M&A have fallen behind. These must steadily evolve to position success and manage risk liabilities that are increasing in impact magnitude, with impacts spanning beyond cyber breaches into large-scale reputational damage, costly legal affairs, and impacts to market capitalization for public companies as highlighted examples. Some notable issues warranting heightened concern include:

Change Influencers

At a macro scale, heightened geopolitical tensions and geostrategic influences are placing certain industries and demographics at increased risk. This is often the realm of nation-state actors or their ‘professional’ affiliates. Impacted organizations may include:

Key Areas to Consider Enhancing:

1. Data Ecosystem Leakage and Exfiltration:
Shadow IT, and Assets in an ‘under managed’ and/or ‘under configured’ state:
Data Boundaries and Operational Processes and Behaviors:
2. Attack Surface and Reconnaissance
3. Legacy Debt Accumulation
4. Technology Licensing Hangovers
5. The Role of The Security Tech Stack

In conclusion: In today’s rapidly evolving threat landscape, cybersecurity is no longer optional in M&A; it is mission-critical. Organizations must move beyond checkbox due diligence, proactively identifying and addressing risks before they can jeopardize a deal. Only by rebalancing strategies and strengthening defenses can companies protect deal value and emerge more resilient in an era defined by digital risk.

In closing: