Shadow AI and autonomous agents expose critical security gaps as 80% of Fortune 500 deploy unvetted tools

5 Steps to Managing Shadow AI Tools Without Slowing Down Employees

When an employee installs an AI writing assistant, connects a coding copilot to their IDE, or starts summarizing meetings with a new browser tool, they are doing exactly what a productive employee should do: finding faster ways to work. Across most organizations today, employees are running three to five AI tools on any given day. Most were never reviewed by IT. A significant portion connect to corporate data through OAuth tokens or browser sessions, giving them access to shared drives, emails, and internal documents the employee never specifically intended to expose. Security teams often have no visibility into any of it. This is the shadow AI gap, and it is widening fast. Most security tools were built to monitor email and network traffic flowing through the corporate network. A browser-based AI tool that connects to company data through a quick login approval bypasses those controls entirely, because it never passes through the corporate network at all. According to Adaptive Security research, 80% of employees currently use unapproved generative AI applications at work, and only 12% of companies have a formal AI governance policy in place. The result is a growing disconnect between how employees work and what security teams can see. A program that channels AI adoption into a safe, visible, approved path gives security teams the visibility they need and employees the tools they want. The five steps below show exactly how to build one. A security program can only manage what it can see. The first step is discovering which AI tools are in use across the organization, and most security teams will find the answer surprising. Three areas account for the majority of shadow AI activity. A simple employee survey is also worth running. A survey framed around helping employees work more safely tends to get candid responses. Many shadow tools surface through surveys that automated discovery misses entirely. The goal of this step is a current, accurate inventory: every AI tool in use, who is using it, and what data it has access to. Most AI acceptable use policies stall for the same reason: they give employees a list of prohibited tools with no guidance on what the approved path looks like. A policy designed as a practical guide, one that identifies approved tools and provides a clear process for requesting new ones, is the foundation employees need to make good decisions. An effective AI governance policy covers five things. That last element matters more than it might seem. Employees who understand why OAuth connections carry data exposure risk apply that reasoning to every tool decision they make. Policy becomes a form of education when the reasoning is included. Shadow AI grows fastest in organizations where the official approval process cannot keep pace with the rate of AI product releases. An employee who needs a tool today and faces a six-week security review will find a workaround within days. The goal of this step is to remove that friction. Security teams that publish their approved tool list openly and keep it current typically see a meaningful reduction in shadow AI usage. When employees know where to find the right tools, they use them. Continuous visibility into AI tool usage across an organization serves two groups simultaneously. A browser-native monitoring approach gives security teams visibility into AI activity without rerouting employee web traffic or adding friction to daily work. The signals it captures feed into each employee's broader risk profile, sitting alongside their phishing simulation results and training completion data in one place. That combined view matters because risky behaviors compound. An employee who clicks phishing links, skips training, and runs unapproved AI tools with access to sensitive data presents a much higher risk than any single behavior would indicate. Seeing the full picture in one place helps security teams focus on the employees who need attention most. Security programs that make the secure choice the easiest choice are the ones employees follow. In the context of AI governance, two things drive that: just-in-time coaching and training that explains the reasoning behind the rules. Just-in-time coaching delivers a brief, contextual prompt at the moment an employee attempts to use an unsanctioned tool. This is more effective than quarterly training modules, because the intervention happens at the point of decision. A well-designed prompt tells the employee what the concern is, directs them to an approved alternative, and takes less than thirty seconds to read. Training that explains the reasoning behind AI governance policies builds the kind of judgment employees can apply across any situation they encounter, including tools and threats that emerge long after the training itself. The AI tool landscape is changing fast enough that no training program can anticipate every specific case. An employee who understands that OAuth connections to corporate Google Workspace can expose the entire shared drive to a third-party vendor will apply that understanding to tools that did not exist six months ago. AI adoption is a signal of productive teams doing their jobs well. Companies that build practical programs around that momentum, with clear paths to approved tools and real-time visibility for security teams, tend to handle it best. Security teams that close that gap find that shadow AI usage declines organically over time. Browser-native visibility, clear paths to approved tools, and just-in-time coaching at the moment of risk are what make that possible. When employees have access to effective, approved tools and a fast, transparent path to get new ones reviewed, the incentive to work around the system largely disappears. Adaptive Security's AI Governance product gives security teams real-time visibility into every AI tool and shadow app running across their organization, with automated policies and just-in-time employee coaching built in.

The AI security gap nobody wants to admit is already here

On March 31, 2026, Anthropic accidentally shipped the entire source code of Claude Code to the public npm registry. Around 512,000 lines of TypeScript across 1,906 files, including 44 hidden feature flags and references to an unreleased model codenamed Mythos, sat openly accessible on a Cloudflare storage bucket until a security researcher found it and posted the link on X. Within hours the codebase had been mirrored across GitHub, amassing thousands of stars before Anthropic could issue DMCA takedowns. Anthropic called it a packaging error caused by human error. That explanation is accurate and also somewhat beside the point. By exposing the blueprints of Claude Code, Anthropic handed a roadmap to anyone who wanted to design malicious repositories specifically tailored to trick Claude Code into running background commands or exfiltrating data before a user ever sees a trust prompt. The permission enforcement logic, the sandboxing architecture, the exact orchestration mechanics that govern how the agent validates what it is allowed to do: all of it now sits permanently in the wild across tens of thousands of forked repositories that no DMCA notice will fully reach. What the leak exposed about the state of AI security is more uncomfortable than the leak itself. The conventional framing around AI in cybersecurity treats it as a rough equilibrium, an arms race where offense and defense accelerate together. That framing does not hold up well against the specifics of what actually happened in March, or against what security teams describe working with day to day. The exposed hook and permission logic from the Claude Code leak makes silent device takeover more reliable for attackers who know where to look. Defenders, meanwhile, are integrating AI into existing security stacks and validating that it will not generate false positives before it becomes operationally useful. Those two timelines are not comparable. Tim Burke, who has run managed security operations for over 30 years at Quest Technology Management, puts the asymmetry plainly. "Attackers got the entire blueprint for how an agentic AI validates permissions and handles credentials without having to reverse-engineer any of it," he says. "That means attackers are operating with AI that moves faster than most detection systems were designed to handle while security teams are still figuring out how to deploy AI tools without creating more work for already overwhelmed SOCs." Google's Threat Intelligence Group identified the first confirmed zero-day exploit developed entirely with AI assistance earlier this month and stopped a planned mass exploitation event before it could execute, which represents the optimistic version of this story. Most organizations defending against those same capabilities are not Google, and their detection infrastructure was not built for what is now possible. "Most organizations are still running detection infrastructure that was designed to catch human attackers who move methodically through networks over days or weeks," Burke says. "AI compressed those timelines to hours and in some cases minutes, which means the window between intrusion and damage is now shorter than the time it takes most SOCs to investigate a single alert." Underneath the speed problem is something more structural. Security platforms are built to detect behavioral anomalies, things that look like malicious activity based on what is happening rather than what is driving it. What they cannot tell you is whether an attack was initiated by a human or an AI agent operating autonomously. No platform currently surfaces that distinction. The vulnerability discovered in Claude Code after the leak illustrated this directly: a malicious file can instruct the AI to generate a command pipeline that looks exactly like a legitimate build process, triggering behavior that bypasses the permission system entirely without raising a flag that would appear in a conventional SIEM. "AI agents can be manipulated through tool descriptions and prompts in ways that bypass traditional access controls without ever triggering an authentication failure or raising an alert in your SIEM," Burke says. "That means detection needs to start tracking what the agent understood it was doing and why it made that decision, rather than flagging policy violations after the fact." The Claude Mythos references in the leaked files add a layer to this that has not received much attention. What was exposed was not just the current tool but the architectural direction of where agentic AI is heading, including enhanced reasoning capabilities and deeper native tool-use integration. Security teams are building defenses against what these systems can do today. The leaked roadmap describes something considerably more capable. "Right now the vast majority of platforms can't make that distinction between AI and human origin," Burke says, "and security teams are essentially defending blind against an entire category of threat they have no visibility into." The Anthropic leak was a misconfigured debug file. The organizations now trying to figure out whether their security infrastructure can detect what an AI agent believed it was authorized to do are working on a problem that existed before March 31 and will exist long after the DMCA notices are processed.

Why self-running agents are creating the biggest security crisis of 2026

Autonomous AI agents require new, proactive security strategies The enterprise relationship with Artificial Intelligence has previously been defined by a simple exchange of prompts and answers. Organizations have experimented with language models to draft emails, summarize documents, or generate code. In 2026, this dynamic has shifted into the era of the agentic enterprise. AI is no longer a passive recipient of instructions. It has become a network of active, autonomous agents that act on behalf of a customer or employee to move data, interact with core business systems, and execute multi-step workflows without intervention. While this transition offers unprecedented scale, it has created a significant trust gap. Traditional security tools often fail to distinguish between legitimate autonomous workflows and malicious exploits, leaving a critical blind spot in the modern tech stack. Security teams must now manage risks that move faster than human oversight, making the distinction between automated utility and automated threat an urgent priority. The expanding attack surface of AI The rapid adoption of autonomous agents has fundamentally altered the corporate attack surface. Every new Model Context Protocol server or API represents a potential doorway into the heart of a business. This has given rise to Shadow AI 2.0. Previously, the primary concern was employees using unapproved web-based chat accounts to process company data. Today, the risk involves unsanctioned agents spinning up on the network and creating hidden paths to sensitive internal information. These unauthorized agents often operate outside the purview of standard identity and access management protocols. Because they are designed to connect disparate systems to accomplish tasks, they inherently possess the permissions required to traverse sensitive parts of the network. Organizations must establish a continuous and automated AI asset inventory. The logic is identical to that of securing the Internet of Things. Just as a security team must know a physical device exists before they can patch it, they must now map every tool endpoint and server involved in an AI workflow. Without a comprehensive map of these connections, blind spots become permanent fixtures in the network architecture. This inventory must be dynamic, capable of identifying new agents as they are created and decommissioned in real time. Real-time monitoring and the intent gap Monitoring an autonomous agent in real time presents a unique technical challenge because traditional perimeter tools are insufficient for tracking internal movement. Standard firewalls and endpoint solutions are built to guard the gates, but they often lack the granularity to inspect the complex traffic flows occurring deep within the network fabric. When an agent initiates a complex sequence of actions across different departments, determining if the agent is compromised is difficult. A set of actions that looks normal in isolation might represent a serious breach when viewed as a collective sequence. The solution lies in deep network observability. All AI-related traffic must be analyzed and decrypted to correlate actions across the entire stack. This level of visibility allows security teams to track how permissions move across a workflow and makes it possible to detect if an agent is attempting to escalate its own privileges or move data to an unvetted destination. Focusing on the behavior of the data rather than just the identity of the user, organizations can reveal when an agent has veered away from its intended purpose. Defending against prompt injection and behavioral deviations Adversaries are increasingly using prompt injection to manipulate agent behavior at the network level. By feeding specific instructions into a system, a malicious actor can trick an agent into ignoring its security constraints or leaking proprietary data. These attacks often look like legitimate traffic to a firewall, meaning they require a different defensive approach. Traditional signature-based detection fails here because the attack is delivered through natural language, which appears as standard, non-malicious interaction to legacy monitoring tools. Using the network as a source of truth is the most effective way to counter these maneuvers. Monitoring for deviations from established behavioral baselines, security teams can spot anomalous prompt structures or data flows as they happen. This does not rely on knowing what a specific attack looks like in advance. It relies on knowing what normal looks like for a specific agent and flagging anything that falls outside those parameters. For instance, if an agent typically accesses a database to generate a report, a sudden attempt to initiate a file transfer to an external IP address would act as an immediate trigger for investigation. Compliance and policy frameworks are frequently the first elements to fail during periods of rapid technological scaling. As enterprises rush to deploy more agents, the gap between official policy and actual network activity tends to widen. Governance should not be viewed as a set of static rules but as an active process supported by forensic visibility. Ensuring that AI remains within its defined operational lines requires the ability to audit every action and decision-making path. This level of oversight provides the necessary evidence for regulatory compliance while giving the business the confidence to innovate. When security teams can prove that an agent is operating safely and transparently, AI moves from being a perceived risk to a verified asset. The objective is to create a digital environment where the benefits of agentic automation can be fully realized without sacrificing the integrity of the underlying data infrastructure. Comprehensive oversight is the only way to ensure that the era of the agentic enterprise is as secure as it is productive. As the line between AI decision-making and business outcomes continues to blur, the ability to monitor and govern these autonomous actors will define the long-term success of the enterprise. We've featured the best AI tool. This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit

How AI agents are wrecking havoc in legacy security setups and enterprises are catching up

AI agents outpace security controls, creating enterprise risk 80% of Fortune 500 companies have unleashed AI agents into live environments. Unfortunately, only 14 percent have received full security approval, according to Mimecast at RSAC 2026. That gap is not a compliance footnote; it is the defining security condition of the enterprise right now. Those agents are in production, touching sensitive data, operating with persistent credentials, making autonomous decisions, and in the vast majority of cases, the security model governing them was designed for a world where only humans asked questions. That mismatch is a problem. Role-based security was built for humans. But AI agents aren't human Traditional access control uses "role": a user is in a group, the group has a permission, and the permission is reviewed once a year. That model worked reasonably well when the identities in question were people operating within predictable workflows. But, AI agents break every one of those assumptions. They run continuously. They chain tasks across systems. They act on behalf of users without those users knowing exactly what data was touched. They accumulate entitlements. And they inherit whatever credentials they were handed at provisioning, usually far more than any specific task requires. The IBM 2025 Cost of a Data Breach Report spells this out in actual numbers: 97 percent of organizations that experienced an AI-related breach did not have proper AI access controls. Sixty-three percent had no AI governance policies at all. The WEF Global Cybersecurity Outlook 2026 found that 87 percent of security leaders identified AI-related vulnerabilities as the fastest-growing cyber risk of the past year. Fortune captured the practical reality in March 2026: most enterprises can tell you how many human users have access to their financial systems. Few can tell you how many AI agents do. Security needs context too. Just not the same kind The context that security needs is not the same as the context AI uses to generate a useful answer. It's a different set of signals entirely: who is making this request, human or non-human; what sensitivity classification applies to the data being requested; what task is currently in scope; what are the entitlements of the human user on whose behalf this agent is operating; and does all of that, together, justify access under current policy. That evaluation has to happen at runtime, for every request, at the data tier. Not at provisioning. Not at the orchestration layer. At the point where data actually changes hands. This is also why identity propagation matters. An agent running as a service account should not be able to access data the human who triggered the workflow isn't authorized to see. The agent's permissions need to be dynamically scoped to the person behind the prompt. Without that binding, agents become a structural bypass for human access controls, through architecture rather than intent. Shadow AI makes this worse. IBM found it was a factor in one in five breaches, adding $670,000 to average costs. The WEF noted that the top security concern for 2026 has shifted: data leaks through agentic systems now outrank adversarial AI capabilities. The threat model has shifted from AI as a weapon to AI as an exposure vector. Attackers are moving at machine speed. Your approval queue isn't Context-aware enforcement has to be automated because the attacks sure are. At RSAC 2026, CrowdStrike reported that the fastest recorded adversary breakout is now 27 seconds. Gartner projects that by 2027, AI agents will cut the time to exploit account exposures by 50 percent. A human approval queue cannot keep up in that environment. IBM's data shows what automated, context-aware security delivers: organizations using it extensively saved $1.9 million per breach on average and cut the breach lifecycle by 80 days. Speed is not a feature. It's a structural requirement. Keeping an eye on what agents do is not the same as stopping them Logging what agents do, monitoring at the orchestration layer, and generating access reports are all useful prerequisites for data security. But none of it stops a bad request before the data moves. Enforcement has to live at the data tier, and every request should be evaluated against real-time context: who is asking, how sensitive the data is, whether the task scope justifies the request, and whether the conditions under which access was granted are still relevant. When the request doesn't meet the criteria, access is automatically blocked, masked, or scoped down. Organizations that have built that enforcement layer see the results: 90 percent faster remediation of access misconfigurations, provisioning reduced from days to minutes, and audit preparation time cut by 25 percent. The fix is not slower AI. It's smarter security AI systems work because they were designed to understand context before acting. Security systems fail because most of them weren't. Throttling agents down or bubble-wrapping them in manual approval processes isn't the answer. Building a security layer with its own relevant context is: role and entitlement data from HR and identity systems, risk signals from security tools, and location and behavior data from network monitoring. Cross-referencing what a user or agent is supposed to be doing against what they're actually doing, in real time, and adjusting access controls the moment something doesn't add up. Security context isn't about making AI smarter. It's about knowing enough about the environment to know when something is wrong. We've featured the best AI tools. This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit

What is Shadow AI, and why should your business be concerned about it?

As you may have noticed by now, AI has moved into the workplace faster than most security policies can keep up. Employees now use it to for many core work functions - often with little more than a browser tab, a free account, or a new feature inside an existing app. For businesses, that creates a difficult balance. AI can clearly make teams faster and more productive, especially when it is deployed through approved tools with proper identity, data, and compliance controls. The risk comes when employees find their own shortcuts, feed company information into unapproved services, or connect AI tools to workplace data without IT teams knowing what has been shared, stored, or automated. This is the problem known as "shadow AI". The phenomenon is closely related to "shadow IT", but the stakes can be higher: prompts may contain sensitive customer data, internal strategy, or source code, while newer AI agents may be able to act across business systems rather than simply generate text. For enterprise leaders, shadow AI is now a visibility and governance issue as much as a technology trend. Please note: All of the information is correct as of May 2026. Microsoft regularly updates its products, so some steps or features may change. What is shadow AI? In simple terms, "Shadow AI" is the use of AI tools, apps, models, extensions, or agents without approval, oversight, or governance from the business. In practice, it covers any AI use that sits outside the systems IT, security, legal, or compliance teams have reviewed. The most obvious example is an employee pasting a confidential document into a public chatbot to get a quick summary. The term can also cover less visible behaviour, such as a developer using an unapproved AI coding assistant or a team installing an AI meeting transcription tool. It can also include AI agents connected to workplace systems. These tools may be able to search files, use plugins, query databases, trigger workflows, or call external services. Essentially, the more AI becomes embedded into day-to-day software, the harder it becomes for businesses to tell where approved productivity ends and unmanaged risk begins. Why employees turn to unsanctioned AI Employees usually turn to unsanctioned AI for a simple reason: it helps them get through the working day. A public chatbot can turn a messy brief into a clean first draft, an AI spreadsheet tool can make a dataset easier to read, and so on. We've all been there. The problem usually appears when the business has not provided an approved alternative, or when staff do not know which tools are safe to use. A blanket ban rarely fixes that. Employees may keep using the tools that make their work easier, only with less visibility for IT and security teams. A better approach starts by recognizing the demand, then giving people clear rules and secure options that match the way they actually work. Why shadow AI is risky for businesses Shadow AI creates risk because sensitive work can move into places the business cannot see or control. For example, an employee might upload customer records to an AI analysis tool, or ask an unapproved assistant to review internal strategy documents. Even when the goal is harmless, the data may end up in a system the organization has not reviewed, contracted with, or configured for enterprise use. This situation creates obvious problems for security and compliance teams. Regulated data may be processed without the right safeguards, audit trails may be incomplete, and retention policies may not apply. If a business cannot prove where information went, who accessed it, or how long it was stored, it becomes much harder to manage legal, regulatory, and customer obligations. There is also a quality risk. AI outputs can be wrong, outdated, or too confident, especially when employees use them without checking the source material. Approved enterprise AI tools reduce many of these risks by keeping usage inside a managed environment, but they still rely on good data hygiene underneath. Why AI agents raise the stakes Shadow AI becomes more difficult to manage as AI tools gain the ability to act across business systems. A chatbot might summarize a document or draft a reply, but an AI agent may be able to search files and query data. These abilities change the shape of the risk: An unmanaged agent could have access to information the business has not reviewed, use permissions that are too broad, or take actions without the right audit trail. The same issues that apply to human users - identity, access, data classification, and oversight - now have to apply to AI systems as well. Agentic AI also blurs accountability. A person might ask for a task to be completed, but the agent may decide which systems to query, what information to use, and which steps to take. Without clear controls, shadow AI can move from an isolated productivity shortcut into unmanaged automation running inside everyday work. Why visibility has to come first Shadow AI is difficult to control because it often starts quietly. One team tries an AI note-taking app, another uses a browser extension, while a developer connects an assistant to a codebase. None of these decisions is a problem in and of itself, and some may even go through IT, but each one can create a new route for company data to leave approved systems. The first job is discovery. Businesses need to understand which AI tools are in use, who is using them, and whether sensitive information is being uploaded, pasted, processed, or retained. Once those patterns are visible, security teams can make informed, better decisions about which tools to approve, monitor, restrict, or block. Microsoft's security tools can fit into that process by giving IT teams a clearer view of AI use across the organization. Defender for Cloud Apps can help identify AI app usage and assess risk, while Entra Global Secure Access can detect traffic to unsanctioned AI tools. On top of these, Purview then adds the data protection layer, helping businesses apply compliance, classification, and loss-prevention controls around sensitive information. How businesses can control shadow AI A heavy-handed ban may look clean on paper, but it rarely matches how people work. Employees turn to AI because it saves time, cuts through admin, and helps them handle tasks that might otherwise sit unfinished. Removing those tools without offering a useful alternative can simply push the same behaviour further out of sight and accountability. A better starting point is to give staff approved AI tools they can actually use. Microsoft 365 Copilot, for example, keeps AI closer to the systems, permissions, and compliance controls many organizations already rely on. Of course, using 365 Copilot doesn't remove the need for oversight, but it does give employees a safer route than personal accounts or unreviewed third-party services.

If everyone is rushing to board the AI ship why are so few workflows secure?

AI adoption outpaces security, governance and risk controls More than half of the world's enterprises have now deployed generative AI in some form. That figure might sound like a success story and in many respects, it is. The pace at which organizations have moved from experimenting with AI to embedding it in day-to-day operations, from security workflows to business decision-making, has been remarkable by almost any measure. But a less comfortable truth sits just beneath the surface of this momentum: adoption is moving considerably faster than the governance, security and risk management infrastructure needed to support it. The gap between what AI is being asked to do and what organizations have actually put in place to oversee it is widening and that is a problem the industry can no longer afford to defer. Only around one in five respondents has reached what could genuinely be described as AI mature, a state in which cybersecurity applications are fully deployed, security risks are systematically assessed and effectiveness is tracked against meaningful benchmarks. The remaining are navigating AI deployment while still constructing the foundations meant to underpin it. A growing gap between AI momentum and AI controls Across industries, enthusiasm for AI is undeniable. Enterprises are implementing GenAI tools to boost productivity, streamline operations and enhance decision-making. As these tools spread, the structures meant to govern them are lagging. Fewer than half of the organizations have a risk-based strategy in place to evaluate and manage AI systems. Fewer still have AI-specific data privacy policies. This lack of foundational governance intersects with several core risks tied to AI behavior and data use. Model bias and related ethical concerns often embedded deep within training data and architectures remain difficult to manage at scale and can produce unfair, inaccurate or unreliable outcomes. Prompt and input risks such as misleading or harmful outputs are a concern. Meanwhile, user-driven risks, including the unintended spread of misinformation generated with AI assistance affect more than half of organizations that have deployed these tools. These governance gaps do not exist in isolation. As enterprises scale AI across more workflows and touchpoints, the risks compound. Without clear policies around how systems learn, what data they access and how outputs are validated, organizations expose themselves to operational, ethical, and regulatory vulnerabilities that will only become harder to manage over time. The security implications are coming into sharper focus AI promises and, in many cases, already delivers meaningful advances for security teams. Faster detection of anomalies, enhanced analysis, and reduced manual workloads all rank highly among its benefits. Yet paradoxically, many organizations report that AI is also making it harder to maintain strong privacy and security practices. This challenge stems partly from the scale and autonomy of modern AI systems. As models interact with larger volumes of data and operate with fewer human checkpoints, they introduce new vectors for privacy loss, data exposure, and unauthorized access. Additionally, reliability concerns persist. Errors in AI decision rules and issues stemming from poor or incomplete data are cited frequently as barriers to AI effectiveness. These reliability gaps also impact trust. Just over half of practitioners believe human oversight remains essential not as a matter of preference but because AI systems cannot yet be relied upon to operate independently with sufficient consistency or safety. None of this signals that AI is failing. Enterprise investment in generative and agentic AI shows little sign of slowing. But the technology is not the bottleneck, the institutional infrastructure required to govern it is still catching up and closing that gap is what responsible AI adoption now depends on. What enterprises need to build trustworthy, scalable AI Despite these challenges, the path to responsible and secure AI adoption is becoming clearer even if the journey remains uneven. Four pillars stand out as critical to aligning AI innovation with enterprise risk and compliance needs: These are not novel concepts in enterprise technology management. They are adaptations of established principles to a new and rapidly evolving context. The challenge is that the pace of AI adoption has, in many organizations, outrun the pace at which those adaptations have been made. The true value of AI emerges when security, governance, and information management are integrated from the start. Enterprises still see enormous promise in generative and agentic AI. But their ability to unlock that value depends on balancing innovation with responsibility. For organizations pushing forward, the path to AI maturity will require not only investment in advanced tools, but also in clear policies, reliable data practices, and robust oversight mechanisms. Companies that succeed will be those that build trust as intentionally as they build capability, ensuring AI operates transparently, securely and with a governance framework designed for long-term success. We've featured the best endpoint protection software. This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit

Weaponized AI: Real-World Attacks Move from Theory to Reality in Spring 2026

Between late December 2025 and mid-February 2026, Gambit found that a single operator compromised nine Mexican government agencies, reaching tax records, civil registry data, patient files, and electoral infrastructure across a two-month campaign. What made it remarkable was not the scope but the method: the attacker ran the entire operation with commercial AI handling the exploitation work, and researchers only discovered what had happened after recovering materials from attacker-controlled servers. AI was not a productivity tool running in the background. It was the operational core of the attack. Check Point Research's March-April 2026 Threat Landscape Digest documents this breach alongside several other cases that collectively confirm something the industry has been watching for: AI-enabled attacks have moved out of the experimental phase and into routine criminal deployment. Key Findings: What the Data Actually Says The Check Point Research team's March-April 2026 Threat Landscape Digest surfaces something the industry has been bracing for: AI has crossed from the development phase into live attack deployment. Here is what stands out: * AI-orchestrated attacks have progressed from experimental, state-sponsored use to in-the-wild criminal deployment. A single operator. Nine government agencies. Over 5,000 AI-executed commands. The Mexico breach shows this capability is no longer limited to nation-state actors. Financially motivated criminals are using it, at scale, today. * Agentic configuration files are being weaponized as persistent jailbreak vectors. Rather than arguing with an AI's safety controls, attackers are changing the rules it operates under. By planting malicious instructions in the configuration files that AI coding tools load automatically at startup, they can override model behavior once and have it persist silently across every session, including on developers' machines who have no idea the file is there. * AI-enabled attack platforms are commercializing AI capabilities. EvilTokens packages a complete AI attack pipeline into a product any criminal can purchase. Model selection, jailbreaking, and output delivery are all handled behind the scenes. The sophistication was built once and now ships automatically to every customer, dramatically lowering the barrier to running advanced AI-powered fraud. * AI provider credentials have become a high-value target. API keys for Anthropic, OpenAI, Groq, Mistral, and others are being harvested deliberately alongside traditional credentials. Stolen keys give attackers access to powerful AI services without an account, make their operations appear to originate from legitimate users, and are difficult for providers to shut down once taken. Figure 1 - User sharing a non-restricted/monitored AI assistant recommendation table The Mechanics of What Actually Happened Mexico: One Operator, Nine Agencies The architecture the Mexico attacker built is worth understanding in detail, because it is almost certainly being replicated elsewhere. The attacker ran two commercial AI systems in parallel, one handling the live exploitation work, the other processing harvested data and feeding instructions back into the first. The cognitive load of what would previously have required a skilled team was handled automatically, in a loop, across weeks of persistent access. The jailbreak method was elegant in its simplicity. Instead of arguing with the AI, the attacker changed the environment the AI operated in. They simply changed the file it reads at startup, embedding instructions that every subsequent session inherited without question. From that point, the AI operated under the attacker's rules, not the developer's. The attacker had effectively reprogrammed the AI's default behavior at the architectural level rather than the conversational one. EvilTokens: The Jailbreak as Product Feature EvilTokens is what happens when that kind of capability gets packaged into a product, commoditization. A buyer purchases access and receives AI-generated phishing emails written in the target's own style, automated extraction of financial data from thousands of inboxes, and fake calendar invites timed to create pressure around wire transfer requests. The complexity is entirely invisible to the buyer. The social engineering pressure is coordinated across channels, automatically. Figure 2 - Calendar Invite module UI with Sender Spoofing section - From EvilTokens promotional forum postings The Vulnerability Race Nobody Is Winning AI is surfacing vulnerabilities that sat undetected in core infrastructure for decades, while on the other side attackers are turning newly published advisories into working exploits within hours. The gap between disclosure and exploitation used to be measured in weeks. It is now measured in hours. Organizations that run monthly patch cycles are operating on a timeline that belongs to a different era of security. What This Means for Organizations The through-line across every case in this report is the same: AI is compressing time, expanding scale, and lowering the skill threshold required to execute sophisticated attacks. Defenses calibrated to human attack tempo are not equipped for this environment. Organizations need to reckon a few things directly: * Shadow AI is a data leakage problem. One in five corporate AI prompts contains potentially sensitive information, and most organizations have limited visibility into what is being sent to which tools. * AI configuration files are now a supply chain risk. A malicious file in a pull request or compromised repository can silently redefine how an AI agent behaves before any human reviews it. These files need the same scrutiny as third-party code dependencies. * AI credentials need the same protection as cloud access keys. They provide persistent access, enable identity misattribution, and are being actively harvested at scale. * Patch cycles need to get faster. Working exploits are appearing within hours of public vulnerability disclosures. Weekly or monthly patch review cycles are no longer matched to the speed of the threat. The attribution gap is structural. Every operation documented in this report was discovered through attacker errors or provider-side monitoring, not through victim-side controls. AI-executed commands look like skilled human activity. Organizations that rely on behavioral detection alone are not seeing the full picture. Securing What Comes Next Check Point's approach to this environment is built around one principle: prevention has to come first. Reaction time that works against human attackers does not work against machine-speed attacks. By the time an alert fires, the AI has already moved. Securing your AI transformation means securing the full AI stack, from the employees using AI tools day to day, to the applications being built with AI capabilities, to the autonomous agents operating across systems. It also means securing the network infrastructure that AI traffic runs through, from the firewall to the data center. * Workforce AI Security gives security teams visibility and control over employee AI usage, enforcing policy and preventing sensitive data exposure in real time. * AI Agent Security provides end-to-end coverage for enterprise-built agents, from discovering what exists and assessing risk, to runtime enforcement that blocks unsafe actions before they execute. * MCP Security verifies that large language models like ChatGPT, Claude, and Gemini have strict policy-based authorization to access enterprise databases, sensitive files, and external development tools like GitHub. * Generative AI Security gives enterprises full visibility and control over employee use of generative AI tools to prevent data loss or misuse. * AI-Native Application Security secures APIs and private large language models against specialized AI attacks including prompt injection, data poisoning, and model abuse. * AI Factory Firewall secures private enterprise LLMs and NVIDIA AI GPU server clusters in AI data centers, running as a containerized firewall with no impact on GPU performance. The threat landscape changed. The security posture has to change with it.