AI isn’t just a productivity booster, it’s a growing attack surface. And organizations aren’t prepared for either.

The 2025 Cost of a Data Breach Report highlights how “shadow AI” – AI tools adopted without IT approval – is already driving higher breach costs.
Beyond risks from inside the organization, attackers are using AI to accelerate phishing, impersonation, and automation, making their campaigns faster and harder to detect. Yet most organizations still lack the governance and access controls needed to keep pace.

AI isn’t just helping businesses work faster – it’s also giving attackers new ways in.

When employees adopt AI tools without governance, companies lose visibility. In fact, 1 in 6 breaches now involve shadow AI. IBM estimates these incidents add about $670,000 in costs for large organizations. The figure may differ by company size, but the impact – disruption, regulatory exposure, and loss of trust – can hit all businesses. What starts as a quick productivity shortcut often opens a path for attackers to slip through.

Key risks of shadow AI include:

• Data leakage – sensitive company or customer data uploaded into unmanaged AI tools.
• Loss of control – IT teams can’t see or control which AI tools are in use.
• Compliance gaps – no approval or audit trail, creating regulatory exposure.

The use of AI tools may not only create gaps for attackers – it can also give them the same speed boost employees rely on. And while employees turn to AI for productivity, criminals are using that same acceleration to intensify their attacks.

From phishing to deepfake impersonation to large-scale automation, attackers are increasingly leaning on AI to make their campaigns faster, harder to detect, and more convincing.

We see three main attacker use cases:

• AI-generated phishing – highly personalized emails or messages that are harder to spot.
• Deepfake impersonation – convincing voice or video scams targeting executives and customers.
• Attack automation – AI helps attackers generate variations, automate tasks, and even write code to run attacks at scale.

Faster and more convincing attacks don’t just overwhelm defenses, they shake confidence in what’s real and what’s fake.

Deepfakes and AI-generated content strike at something more fundamental than cost: trust. If you can’t believe the voice on the phone or the face on a video call, how do you decide what’s real? For businesses, that means attackers can impersonate executives, trick employees, or mislead customers with alarming ease.

Employees, meanwhile, frequently place too much trust in AI outputs. They often assume the model’s answer is correct, overlooking that it can be biased, incomplete, or even manipulated.

That creates a perfect storm:

• External trust broken – customers and partners can no longer rely on authentic voices or images.
• Internal trust misplaced – employees blindly follow AI-generated advice or instructions.

Once trust is undermined, every interaction – inside and outside the company – becomes a potential risk, and without governance or access controls, those risks grow unchecked.

The bigger problem is that most organizations simply aren’t ready. According to IBM, nearly two-thirds of organizations don’t have any formal AI governance in place, and almost all AI-related breaches occurred where proper access controls were missing.

When governance is missing, proper access controls rarely follow. The risks tend to show up in a few ways:

• Unmanaged AI in workflows – tools adopted without IT oversight, often leading to sensitive data being uploaded into them.
• Insecure AI setup – systems built without security in mind, leaving them open to manipulation or data leakage.
• Excessive access – AI given too much reach into systems and data, without limits on what it can do.

AI rarely sits in isolation. It gets tied into ticketing systems, knowledge bases, APIs, or databases. Without governance and access controls, attackers may manipulate AI interactions in ways that open the door to business-critical systems and data.

AI will keep spreading across workflows. The question is whether your organization treats it like any other IT surface that needs hardening – or like a shiny tool left unchecked. Shadow AI, deepfake impersonation, overtrust in outputs, and unsecured integrations all pile up into new risks.

Here are our recommended steps to reduce AI-related risks:

• Define AI policies – set clear rules on which tools are allowed and how they should be used.
• Raise awareness – ensure employees understand both the risks of AI and the policies for using it.
• Test AI for weaknesses – include it in penetration testing, since chatbots, plugins, and copilots can all be misused as entry points into your systems.
• Enforce access controls – restrict AI system permissions to minimize damage in case of compromise.

By treating AI as part of the security surface, organizations strengthen both protection and trust.

At Skuridat, we help you proactively uncover and address the threats where your AI systems could expose sensitive data or be exploited by attackers.

Get in touch with us today to gain clarity on your AI risks and strengthen your defenses.