"90% of digital trust professionals believe that employees in their organization use AI tools."
AI adoption far ahead of formal policies
New research published by ISACA on May 5 finds that generative and other AI tools are widely used inside organizations, yet formal governance has not kept pace. The ISACA AI Pulse Poll reported that 90% of digital trust professionals said employees in their organization use AI tools. But only 38% of respondents said their organization has a formal, comprehensive AI policy to manage that use; another 30% said they have a limited policy. One-in-four organizations — 25% — reported having no AI policy at all.
Those proportions suggest a broad mismatch between deployment and rule-setting: AI is embedded in day-to-day work even where formal controls do not exist or are only partial.
Shadow AI and the risk of leaking sensitive information
ISACA’s report names Shadow AI — employee use of external AI tools without IT or security oversight — as a direct consequence of that policy gap. The poll warned that employees using large language models and similar tools could share sensitive company information with models outside corporate controls. Respondents said it is unclear whether they could prevent a security incident caused by a Shadow AI tool unknown to security and IT teams.
That uncertainty elevates basic data governance questions: if workers feed proprietary or regulated data into third-party models, organizations may be exposed to data breaches and privacy failures even when other security programs are in place.
Many organizations cannot say how to halt an AI system
The research highlights operational-readiness weaknesses beyond policy. Fifty-six percent of respondents said they do not know how long it would take to halt an AI system because of a security incident. Only 20% said their organization has any process to shut down or override AI systems if something goes wrong — for example, when an AI performs malicious activity or is impacted by data-poisoning attacks.
That combination — widespread tool use, sparse policy coverage, and a majority unable to estimate shutdown time — frames a concrete governance shortfall in the event of an incident involving an AI system.
AI alters the threat landscape and defenders’ toolset
Respondents also see AI changing both offense and defense. A majority said AI-powered threats are getting harder to spot and to authenticate. In the poll:
- 71% said AI-powered phishing and social engineering attacks are now more difficult to spot;
- 58% said AI has made it significantly harder to authenticate digital information;
- 38% said their trust in traditional threat-detection methods has declined as a result.
At the same time, many practitioners said AI is improving defensive capabilities: 43% reported that deploying AI-based cybersecurity tools has improved their organization’s ability to detect and respond to cyber threats. The picture in the poll is therefore mixed — AI is expanding both the attacker’s toolkit and defenders’ options.
What this means for technologists, boards, and enterprises
Technologists and security teams: Expect to confront Shadow AI disclosures and to be asked whether existing incident response plans cover AI-specific failures; the poll indicates many teams lack a defined shutdown or override process.
Boards and senior leadership: The survey notes a confidence gap in executive understanding of AI risk. “With only 38% of practitioners confident in their board’s understanding of AI risks, the leadership deficit is as real as the technology one,” said Ulrika Dellrud, member of ISACA’s Emerging Trends Working Group and chief privacy and data ethics officer at Smarter Contracts. That shortfall, the research suggests, undermines efforts to weave AI governance into established privacy and data-management practices.
Enterprises and procurement leaders: The findings tie effective AI governance to basic data stewardship. “Effective AI governance also starts with mastering your data: without strong data and privacy governance as a foundation, organizations cannot manage AI risk, ensure trust, or unlock sustainable value,” Dellrud said. For organizations buying or building AI, the poll implies governance and data controls should be part of contracting and deployment.
The ISACA AI Pulse Poll is based on the responses of 3,400 global digital trust professionals across IT audit, governance, cybersecurity, privacy and emerging technology roles. Their responses draw a consistent portrait: AI is in use everywhere, but formal policy, leadership understanding and operational shutdown procedures lag behind — and many defenders already see the tactical effects in the form of harder-to-detect phishing and weaker faith in legacy detection methods.
The report states the practical gap in plain numbers: a large majority using AI, coupled with only one-fifth having explicit shutdown processes. For organizations that shared those responses, the next step named by respondents is clear in the data itself: close the policy, leadership and operational gaps before the next incident.
Read the original ISACA coverage here: https://www.infosecurity-magazine.com/news/ai-adoption-outpaces-safety-policy/




