Fewer than a third of IT leaders say their companies are ready to withstand AI-powered cyberattacks, a global survey has found, as security teams battle to contain escalating risks from both hackers and rogue AI agents.
Although 61 per cent of surveyed enterprise IT leaders reported a “significant” or “moderate” increase in cybersecurity risk from AI-using cybercriminals, just 31 per cent said they were confident they could manage the risks that AI presents.
That’s a significant gap that is leaving businesses desperately outgunned, according to Lenovo’s new Reinforcing the Modern Workplace survey of 600 IT executives worldwide – 70 per cent of whom also see employee misuse of AI as a major risk.
The figures corroborate recent Accenture findings that just 13 per cent of businesses have the cyber security capabilities to defend against AI-driven threats – with the technology helping criminals create phishing attacks, malware, deepfakes, and more.
Cybercriminals’ growing use of AI is reflected in recent Acronis research that found AI had increased the prevalence of social engineering and business email compromise (BEC) to 25.6 per cent of attacks in the first half of this year, up from 20 per cent in 2024.
“With AI tools proliferating beyond IT’s visibility and attackers exploiting gaps traditional systems can’t recognise,” said Lenovo Digital Workplace Solutions VP and general manager Rakshit Ghura, “AI has changed the balance of power in cybersecurity.”
Agentic AI is a new insider threat
As well as facing cyber criminals that have become smarter and more adaptable by using AI, Lenovo found businesses are equally threatened by their rush to embrace autonomous ‘AI agents’.
Such agents – which collect, analyse, and repurpose information in the background – have been heralded as such a big deal for employee productivity that Atlassian recently spent $1 billion to enter the market, but they’re also a major business risk.
Even as tech giants spruik AI agent-driven utopias, just 37 per cent of the Lenovo survey respondents said they are confident they can manage their risks – with over 60 per cent conceding that AI agents are a new type of insider threat they aren’t ready to manage.
Human-driven insider threats already named in 27 reported incidents during the OAIC’s latest half-year data breaches report, but the prospect of autonomous AI agents quietly ferreting through corporate systems has security specialists worried.
The findings echo recent warnings by Gartner that more than 40 per cent of agentic AI projects will be cancelled by the end of 2027 because, as senior director analyst Anushree Verma said, businesses are still stabbing in the dark.
“Most agentic AI projects right now are early stage experiments or proof of concepts that are mostly driven by hype and are often misapplied,” Verma said, warning that “this can blind organisations to the real cost and complexity of deploying AI agents at scale.”
Staring down the new cyber risk
The warnings about AI-driven risk come as airports in London, Berlin, Brussels and other major cities scramble to recover after the cybersecurity breach of Collins Aerospace’s MUSE check-in and boarding system caused hundreds of flight delays.
Simultaneous breaches of Russian regional carrier KrasAvia, and of St Petersburg’s Pulkovo Airport, extend a series of global attacks on aviation sector targets that also hit airlines like Qantas as cybercriminals target one vulnerable industry after another.
The ever-escalating climate of cyberattacks has IT executives worried, with 83 per cent of IT leaders in the Lenovo survey ranking data protection as their highest priority – but 54 per cent doubtful they can address the risks AI poses to that data.
Significantly, that also includes new AI-related models, training data sets, and proprietary prompts that are shaping their mission-critical AI capabilities – all of which also need to be defended against manipulation and compromise.
