AI is Expanding the Attack Surface — A Strategic, Proactive Response is Needed
Artificial intelligence is rapidly transforming the way organisations operate, offering new efficiencies, insights, and capabilities. However, it is also expanding the cyber attack surface in ways that many businesses are only beginning to fully understand.
Recent research highlights a 219% increase in mentions of malicious AI tools on the dark web. Threat actors are using AI to enhance phishing campaigns, automate vulnerability discovery, and accelerate account takeover attempts. Yet, despite these clear signals, fewer than half of security leaders strongly agree that AI will significantly increase the complexity and scale of cyber-attacks.
This disconnect is concerning. AI introduces a new category of risk, from shadow IT created by the use of unauthorised generative AI platforms, to potential vulnerabilities within custom-built large language models. These risks come on top of existing challenges around cloud environments, remote working, and third-party supplier ecosystems, all of which continue to grow the enterprise attack surface.
Managing this environment effectively requires more than traditional perimeter defences. It calls for continuous, proactive cyber risk exposure management with real-time asset discovery, vulnerability identification, and intelligent prioritisation of security actions.
Today, however, just two-fifths of organisations use dedicated tools to manage their cyber risk exposure proactively. Investment in this area remains relatively low, with only a quarter of security budgets allocated to exposure management activities. Many organisations also lack robust processes to monitor third-party vulnerabilities, further increasing risk.
At the same time, AI offers significant potential to improve security outcomes. Modern cyber risk exposure management platforms leverage AI to scan dynamic environments continuously, highlight misconfigurations and vulnerabilities, and recommend efficient remediation paths. This enables security teams to focus on the highest-impact threats, improving resilience without adding operational burden.
Security leaders increasingly recognise that effective attack surface management is tied to broader business outcomes, including operational continuity, customer trust, financial performance, and regulatory compliance. The next step is to embed these practices into core security strategies and communicate their value clearly to executive boards.
As AI continues to evolve, so too must cybersecurity. Organisations that take a strategic, proactive approach to managing cyber risk exposure will be better equipped to navigate the opportunities and challenges of the AI era, and to maintain trust, resilience, and competitive advantage.