AI-driven cyber threats in 2026: what every organisation needs to know


Kees van der Vlies

Partner | IT Auditor


The threat landscape in 2026 is fundamentally different from what it was two years ago. The reason: artificial intelligence. Not as an abstract concept, but as a concrete tool that both attackers and defenders deploy. For organisations that take their information security seriously, it is essential to understand what has changed and what that means for their risk picture.

The attacker has embraced AI

The most visible shift is in social engineering. Phishing emails that two years ago could be recognised by language errors and generic salutations are now virtually indistinguishable from legitimate communication. AI models generate flawless, context-rich messages in any language, tailored to the recipient, the company and current events. The volume has risen explosively while the quality has improved at the same time.

Deepfakes are a second category that has shifted from theoretical risk to practical threat. In 2025 and 2026, multiple cases have been documented internationally in which executives were impersonated via video or audio to authorise payments or gain access. The technology is now available to anyone with a laptop and a few minutes of audio material of the target.

Automated vulnerability exploitation is the third pillar. AI tools can analyse public vulnerabilities faster and generate exploits more quickly than human researchers. The time between the publication of a CVE and the appearance of working exploit code has dropped from weeks to hours. This makes patch management not just important but time-critical.

What does this mean for your organisation?

The answer is not that existing security measures should be thrown overboard. The answer is that the bar has been raised. Security awareness training must be adapted to the reality of AI-generated phishing. Spotting language errors is no longer an effective defence. Training must focus on procedural controls: verify payment requests through a second channel, call back on a known number, do not blindly trust video or audio.

Technical measures must be tightened. Multi-factor authentication is no longer a nice-to-have but a baseline requirement for all systems. Email security must go beyond spam filters; DMARC, SPF and DKIM must be configured correctly to prevent spoofing. Endpoint detection and response must be capable of detecting anomalous behaviour that traditional signature-based detection misses.

Patch management must be accelerated. The window of opportunity for attackers is smaller than ever, which means the window for defenders is too. Organisations that still roll out patches monthly are running a significant risk. Critical patches must be applied within days or hours.

AI as a means of defence

At the same time, AI also offers opportunities for defence. AI-driven SIEM systems can detect patterns in log data that remain invisible to human analysts. Anomaly detection can flag anomalous user behaviour before it becomes an incident. Automated threat analysis can accelerate the triage of security alerts and reduce the workload on security teams.

But deploying AI for security brings its own risks. AI models can be misled by adversarial inputs. They can generate false positives that lead to alert fatigue. And they require governance: who is responsible for the decisions an AI system makes in the context of incident response?

The audit consequences

For IT auditors, the assessment framework changes along with all this. We look not only at whether measures exist, but at whether they have been adapted to the current threat landscape. A security awareness programme dating from 2023 is no longer sufficient. A patch policy with a turnaround time of thirty days is no longer proportionate for critical vulnerabilities.

In addition, regulators and certifiers expect organisations to update their risk analysis on the basis of AI-related threats. ISO 27001, NIS2 and DORA all require risks to be reviewed periodically. AI threats are now a standard part of that.

Concrete steps

Update your risk analysis and explicitly include AI threats. Strengthen security awareness training with a focus on procedural verification. Check whether DMARC, SPF and DKIM are configured correctly (using, for example, the free scan on ScanZeker.nl). Accelerate patch management for critical systems. Implement multi-factor authentication everywhere it is not yet in place. Consider AI-driven detection as a supplement to existing monitoring.

Secure Audit helps organisations assess their security level in light of the current threat landscape. Get in touch for a security assessment or IT audit.