AI-Powered Cyberattacks on the Rise

- Phishing constituted 83% of all email-based threats in the latter half of 2025, with a 16% increase in such attacks per organization. Cybercriminals are now operationally integrating AI into their workflows for reconnaissance, social engineering, and even ransomware negotiations, enhancing the speed and scale of their campaigns. - The U.S. Securities and Exchange Commission (SEC) now mandates disclosure of material cybersecurity incidents within four business days of determination. Annual reports on Form 10-K must also detail the board's oversight of cyber risks and how the company assesses, identifies, and manages them. - Escalating U.S.-China trade tensions and tariffs may provoke retaliatory cyberattacks from nation-state actors, particularly targeting critical manufacturing and supply chains. These geopolitical risks necessitate increased third-party risk management and supplier audits to prevent the introduction of new vulnerabilities. - For Operational Technology (OT), which is increasingly connected to IT systems, CISA and international partners have released guidelines for securely integrating AI. The guidance stresses the importance of human-in-the-loop decision-making, establishing clear governance frameworks, and thoroughly testing AI models before deployment in production environments. - Internal audit's role is shifting to proactively embed within the AI design and deployment lifecycle, rather than assessing risks post-implementation. This involves creating a comprehensive inventory of all AI systems, including third-party models, to inform audit planning and assess the integrity of data used to train these models. - The National Institute of Standards and Technology (NIST) AI Risk Management Framework (RMF) has become a widely adopted standard for AI governance. It provides a voluntary structure for managing AI risks across the lifecycle, focusing on principles like transparency, fairness, and accountability.