Skip to main content
CybersecuritySocial Engineering

AI-driven social engineering: Must-Have Risk Fix

AI-driven social engineering: Must-Have Risk Fix

“We are not as ready as we think.” That blunt takeaway from a new ISACA survey should jolt every security leader. Only one in ten IT and cybersecurity professionals feels “very prepared” to manage the risks posed by generative AI — a single statistic that frames a growing paradox: the same technology promising productivity gains and creative breakthroughs is also arming adversaries with scalable tools for deception. At the top of ISACA’s threat list for 2026 sits AI-driven social engineering, and the survey makes clear that capability is racing ahead of preparedness.

AI-driven social engineering: why it tops the list

Generative models now create voice, video, and written content that can convincingly impersonate trusted insiders. That capability transforms social engineering from handcrafted, time-consuming campaigns into high-volume, highly personalized attacks. An attacker can synthesize a CEO’s voice asking for an urgent wire transfer, dress it with contextual details from a scraped calendar, and send a follow-up “official” memo — all in minutes. ISACA’s research signals that defenders lack the specialized playbooks, cross-functional coordination, and regular simulations needed to meet this new threat.

For technologists, generative AI is both an opportunity and an emergency. Automation offers faster detection, smarter triage, and novel ways to analyze adversary behavior. Yet attackers use the same building blocks to scale phishing, impersonation, and fraud. From a criminal’s vantage, generative AI reduces marginal costs and lowers barriers to entry; where once a convincing campaign required scripting and reconnaissance, now it can be spun up rapidly with minimal expertise. Nation-state actors and organized cybercriminals alike can amplify influence operations and financial scams with alarming speed.

Organizational gaps: people, policy, and practice

ISACA’s survey exposes a set of organizational weaknesses as much as technical ones. Most organizations lack clear governance for AI risk, cross-functional playbooks linking security, HR, and legal, and regular tabletop exercises that simulate AI-enabled breaches. Workforce readiness is not merely a checkbox; it requires continuous training, leadership attention, and cultural change. Employees, customers, and citizens remain the central nodes that social engineering targets — improving technical controls without addressing human behavior will not suffice.

Policymakers are wrestling with disclosure rules, liability frameworks, and provenance standards for synthetic content. But regulatory processes lag behind model releases and open-source diffusion. By the time rules are final, attackers may already exploit new vectors. ISACA’s findings imply that compliance alone won’t inoculate organizations against sophisticated social engineering. Practical, operational defenses are urgently needed alongside policy interventions.

Technical defenses and their limits

A layered defense reduces risk, but it’s imperfect. Stronger identity controls — phishing-resistant multi-factor authentication, device-based attestation, and anomaly-based session analytics — remain foundational. Updated incident response plans that include AI-specific scenarios and regular executive-level simulations can prepare teams for realistic attacks. Verification protocols for high-risk transactions (multi-party signoffs, out-of-band confirmations, cryptographic signing) can interrupt attacker workflows.

However, high-fidelity synthetic content often targets out-of-band trust channels such as phone calls, video meetings, and trusted messaging platforms. Detection models trained on pre-AI datasets may misclassify sophisticated fakes, and watermarking techniques can be stripped or obscured by determined actors. Investing in provenance and metadata analysis, model-based detectors, and industry-standard watermarking will help, but defenders cannot rely on any single control.

Recommended practical measures include:
– Implement phishing-resistant MFA and device attestation; monitor for session anomalies.
– Update IR playbooks for AI scenarios and run frequent tabletop exercises that include executives, comms, and third parties.
– Enforce multi-party signoffs and out-of-band confirmation for high-value transactions.
– Invest in provenance-based detection, metadata analysis, and standardized watermarking frameworks.
– Shift user education toward verification habits and friction-friendly practices that encourage confirmation rather than punishment for asking questions.

Trade-offs, coordination, and the path forward

Defensive choices come with trade-offs. Stronger verification can add friction and hurt customer experience; overly aggressive automated detectors produce false positives that disrupt operations; heavy-handed regulation can stifle beneficial innovation. Leaders must weigh these costs transparently and prioritize the most credible threat scenarios and critical operations.

International coordination is essential. Attackers operate across borders, and a fragmented regulatory landscape creates safe havens. ISACA implicitly calls for an industry-and-government mix: harmonized standards, information sharing, and coordinated incident response frameworks to raise baseline defenses for organizations of all sizes.

There is reason for cautious optimism. Security teams that combine technical controls, realistic training, updated governance, and executive engagement can blunt many AI-enabled scams. Vendors are developing tools to detect synthetic media and bind actions to cryptographic attestations. Yet these tools are not magic bullets; attackers innovate too, and the cycle of offense and defense will continue.

The core lesson from ISACA’s finding is stark and actionable: AI-driven social engineering empowers both the good and the bad, and preparedness is an active choice. If only one in ten professionals feels very prepared today, organizations must decide whether to treat readiness as a compliance checkbox or as strategic resilience that deserves budget, leadership attention, and cross-disciplinary collaboration. As generative AI becomes embedded across business and society, the question is not if attacks will come, but how effectively we will respond when they do.