When AI Becomes a Cyber Attacker

Article, June 8, 2026

As artificial intelligence leaps forward, a new wave of cyber threats is expanding beyond traditional IT breaches. AI-driven deception and automation challenge how organizations maintain security and trust. In this article, Zurich Nordic’s Cyber Underwriter, Yves Timmermans, examines emerging AI-driven cyber risks, from deepfake scams to autonomous “hacker” algorithms like the Claude Mythos system, and what they mean for Nordic businesses and their boardrooms.

The cyber risk landscape is rapidly changing, with deepfakes emerging as a major threat. AI can now create highly realistic audio and video using minimal data, allowing attackers to impersonate individuals in real time. In 2024, criminals used this technology to mimic a CFO in a video call and trick an employee into transferring $25 million.

Beyond financial fraud, deepfakes are increasingly used to damage reputations, for example by spreading false statements, manipulating stock prices, or triggering crises with fake news. To respond, organizations are strengthening verification processes for high-risk transactions and enhancing their ability to manage and respond to disinformation quickly.

 

A new frontier is emerging as advanced AI systems begin to automate hacking and vulnerability discovery at unprecedented scale. Anthropic’s Claude “Mythos” model, launched in 2026, illustrates this shift: in controlled tests it identified thousands of previously unknown vulnerabilities, including long-hidden flaws that had evaded decades of human scrutiny. In effect, it matched, and in some cases surpassed, the capabilities of highly skilled human hackers.

Such power has triggered caution. Access to Mythos was tightly controlled to give defenders time to adapt, recognizing that these tools may initially favor attackers as offensive AI outpaces defensive capabilities. This dynamic has raised concerns among cybersecurity leaders and policymakers about systemic risks.

 

The broader implication is clear: AI is rapidly collapsing the time and skill barriers in cyber operations. Tasks that once required expert teams over months can now be completed in hours. For organizations with unpatched systems or latent vulnerabilities, this means exposure can be identified and exploited almost instantly, a fundamental shift that leadership teams can no longer ignore.

 

From IT Issue to Board Priority

The rise of AI-driven threats is elevating cybersecurity from a technical concern to a core leadership issue. Regulators and stakeholders are taking note and increasingly expect boards and C-suites to be directly accountable for cyber resilience. In Europe, the new NIS2 Directive explicitly requires company boards to oversee cybersecurity risk, shifting cybersecurity from purely an IT issue to a governance issue. Yet a key gap remains: in a World Economic Forum survey, 66 percent of organizations expected AI to significantly impact their cyber risk by 2025, but only 37 percent had processes to assess AI’s security before deployment. This disconnect shows that many leadership teams know AI will reshape their threat landscape, but they haven’t fully adjusted their risk management and oversight to match.

 

For boards and executives, the mandate is clear: close the preparedness gap by proactively engaging with cyber risks, especially those related to AI, as part of core strategic governance.

 

Building Resilience in the AI-Era of Cyber Risk

To navigate these evolving threats, organizations should focus on resilience and readiness, starting from the top:

  1. Rigorous verification of high-risk actions: Integrate checks and balances so that no single person can execute a sensitive action (like transferring funds or changing vendor bank details) without secondary approval. This “two-person rule” ensures no individual employee can be duped by a fake voice or email into making a costly mistake. Skepticism should be encouraged, especially when handling urgent, high-stakes requests that seem to come from senior leaders or partners.
  2. AI-enabled defense: Just as adversaries weaponize AI, organizations should use AI for cyber defense. Modern security tools can leverage machine learning to detect anomalies faster, predict potential attack paths, and automatically scan code for vulnerabilities, helping to shrink the window attackers might exploit. By adopting AI defensively, companies can regain some of the speed and scale advantage that attackers currently enjoy.
  3. Executive-level drills: Run regular cyber crisis simulations and table-top exercises, including deepfake deception scenarios and ultra-fast “AI hack” situations, with C-suite and board involvement. Practicing worst-case incidents, especially those involving AI-enabled threats, improves cross-functional coordination and ensures top decision-makers are ready to respond rapidly when a real incident strikes.
  4. Continuous governance improvements: Keep leadership educated and engaged on emerging tech risks. Many boards are now adding cyber risk to every meeting agenda and receiving specialized briefings or training. Directors don’t need to become technical experts, but they must ask probing questions and set clear expectations for management on cyber risk mitigation and incident readiness. In essence, boards should treat cybersecurity with the same rigor as financial, legal, or operational risks, maintaining oversight and documented accountability for how the company is managing these evolving threats.

 

Insurance as a Safety Net

Cyber insurance remains a valuable backstop in this landscape, but it is not a standalone solution. Modern policies have evolved to address some of these emerging scenarios with coverage for certain types of social engineering fraud or access to specialist response teams. Insurers like Zurich can play a role as partners in resilience by sharing threat intelligence, providing risk engineering support, and helping companies plan for incidents. But to secure coverage on reasonable terms and truly benefit from it, organizations must demonstrate strong internal controls and a culture of security. Ultimately, insurance works best as one pillar of a comprehensive risk strategy, combining prevention, detection, response, and risk transfer.

 

Leading in the Age of AI-Driven Cyber Risks

AI-driven cyber threats are fundamentally changing how organizations manage risk. Cybersecurity is no longer an IT challenge; it is a strategic business issue for boards and executive teams.

 

As AI accelerates the scale and speed of attacks, organizations must shift from reactive defenses to proactive resilience. This means treating AI-related cyber scenarios as inevitable, strengthening verification controls, training employees, and ensuring robust response plans are in place.

 

Cyber risk must be embedded into enterprise risk management, with readiness across the organization, from front-line staff to the board. The organizations that succeed will be those whose leaders take a proactive, collaborative approach and foster a culture of security and adaptability.

 

For more information on how Zurich can help protect your business against cyber threats, please contact Yves Timmermans, Underwriter Cyber.

Yves Timmermans

Underwriter Financial Lines