The security team at Samsung Electronics discovered the breach not through an intrusion alert, but through an employee confession. Three engineers, working independently across different divisions, had each fed proprietary code and internal meeting transcripts into ChatGPT to accelerate their work. Within twenty days in March 2023, semiconductor source code, test sequences for chip defect detection, and verbatim minutes from confidential strategy meetings had been ingested by OpenAI’s servers — and, under the model’s training protocols at the time, potentially incorporated into a system accessible to millions of users worldwide. Samsung banned ChatGPT for internal use within weeks. The data was already gone.
That incident predates the agentic AI era. The stakes today are considerably higher.
The New Threat Model
Conventional cybersecurity thinking organises itself around a relatively stable threat model: protect the perimeter, monitor for intrusion, control access to sensitive systems, detect anomalous behaviour. AI agents disrupt every element of this framework simultaneously. An agentic AI system — one capable of planning and executing multi-step tasks across enterprise tools — must, by design, have elevated access to the systems it is managing. It reads emails, writes code, queries databases, sends communications, and initiates transactions. The access that makes it useful is precisely the access that makes it dangerous if compromised, misdirected, or simply wrong.
The Cloud Security Alliance’s 2026 State of AI Cybersecurity report, drawing on responses from more than 1,500 security leaders, found that 93 per cent of organisations have experienced at least one AI-related security incident in the past year. The attack vectors are not theoretical. They are operational, they are multiplying, and the enterprises deploying AI agents at scale are doing so, in the majority of cases, without the governance architecture that would allow them to detect or contain a compromise before it propagates.
The Attack Vectors: Four Threats Reshaping the CISO’s Agenda
Prompt Injection: OWASP’s Top 10 for Large Language Models has ranked prompt injection as the number one vulnerability for AI systems since its inaugural publication. In a prompt injection attack, malicious input — embedded in a document the agent is asked to process, a webpage it is asked to summarise, or data it retrieves from an external source — overrides the agent’s original instructions and causes it to take actions its operators did not intend. A 2026 analysis by Lasso Security found prompt injection vulnerabilities present in 73 per cent of tested enterprise AI deployments. In agentic systems with broad tool access, the consequences of a successful prompt injection extend far beyond a misleading response: the agent may exfiltrate data, delete records, initiate financial transactions, or send communications on behalf of the organisation.
Privilege Escalation in Multi-Agent Systems: As enterprises deploy networks of specialised agents that collaborate on complex tasks, the security surface expands exponentially. Research from Stellar Cyber found that 87 per cent of documented multi-agent security incidents involved downstream system poisoning — where a compromised upstream agent fed corrupted data or instructions to dependent agents, causing errors to cascade through the system before any human reviewer encountered the output. The architecture of multi-agent collaboration, where agents pass context and instructions to one another with limited human oversight, creates a propagation pathway for both malicious compromise and honest error.
Hallucination Cascades and Legal Liability: The Air Canada case — Moffatt v. Air Canada, decided by the British Columbia Civil Resolution Tribunal in February 2024 — established a landmark precedent: organisations are legally liable for the incorrect outputs of their AI systems, regardless of whether the system disclosed its AI nature or the organisation intended the misinformation. Air Canada’s chatbot had provided a passenger with incorrect information about bereavement fare refund policies; the tribunal found Air Canada responsible for its agent’s representations. The implication extends beyond customer service: when AI agents generate incorrect legal interpretations, financial projections, or compliance assessments that are acted upon without adequate human review, the liability falls on the organisation, not the model provider.
Supply Chain Attacks on AI Infrastructure: The AI supply chain introduces security dependencies that most enterprise risk frameworks have not yet catalogued. Third-party AI models, fine-tuning datasets, vector databases, and agent frameworks each represent potential injection points. A poisoned training dataset can introduce systematic biases or backdoors into a model before it ever reaches enterprise deployment. A compromised model repository — the AI equivalent of the SolarWinds attack vector — could distribute malicious model weights to thousands of downstream users simultaneously. Security researchers have demonstrated proof-of-concept attacks in which malicious instructions embedded in a RAG (Retrieval-Augmented Generation) knowledge base caused enterprise AI agents to take unintended actions when querying that base.
Quantifying the Cost
IBM’s 2025 Cost of a Data Breach Report provides the most comprehensive financial benchmark available. The average cost of a data breach globally reached $4.44 million — but breaches involving “shadow AI” (unauthorised AI tool use by employees) carried a premium of $670,000, bringing the average exposure for AI-related incidents to approximately $5.11 million. Organisations that had deployed AI-powered security operations, by contrast, contained breaches 108 days faster on average and saved $1.9 million per incident compared to those relying on conventional security tooling.
The global cybersecurity market is projected to reach $244.2 billion in 2025, with the AI security segment growing at a compound annual rate of 23.6 per cent. CISO budget surveys consistently show AI-related security spending as the fastest-growing line item, with the majority of security leaders reporting that their AI-specific security budgets doubled between 2024 and 2026. The “cybersecurity tax” of AI deployment is real and measurable: organisations deploying agentic AI at scale are spending, on average, 18 to 24 per cent more on security than comparable organisations that have not yet moved to agentic architectures.
The Governance Gap
Gartner’s March 2026 assessment found that only 21 per cent of enterprises have mature governance frameworks for autonomous AI agents. IBM’s parallel research found that 63 per cent of organisations had no formal AI governance policies at all. Perhaps most strikingly, 97 per cent of organisations that experienced AI-related security breaches were found to have lacked adequate access controls for their AI systems at the time of the incident.
The governance gap is not primarily a technology problem — it is an organisational one. AI agents are being deployed by product, engineering, and business teams whose primary mandate is speed to value. Security reviews, when they occur, are often cursory. Procurement processes designed for software applications are being applied to AI systems with fundamentally different risk profiles. The result is a systematic underestimation of AI security risk at the point of deployment decision, followed by a scramble to retrofit controls after incidents occur.
The “shadow AI” dimension compounds the challenge. Employees use unauthorised AI tools — consumer-grade models, unvetted third-party agents, personal API keys connected to enterprise data — at a scale that most IT departments have not accurately measured. The Cloud Security Alliance found that the average enterprise has four times more AI tool usage than its IT department is aware of. Each shadow AI deployment represents an unreviewed, uncontrolled, and unmonitored extension of the enterprise’s AI attack surface.
A Strategic Framework for CISOs
Least-Privilege Agent Design: Every AI agent should be provisioned with the minimum permissions necessary for its specific task. An agent that summarises meeting notes does not need write access to the CRM. An agent that monitors inventory levels does not need the ability to initiate purchase orders. The principle of least privilege — foundational in conventional access management — must be applied to AI agents as non-human identities with their own identity governance lifecycle.
Mandatory Audit Trails: Every action taken by an AI agent — every query executed, every document read, every communication sent, every transaction initiated — should be logged in an immutable audit trail. This is not only a security requirement; it is increasingly a regulatory one, as the EU AI Act’s transparency obligations and India’s DPDP Act’s accountability provisions both create legal requirements for documented AI decision-making in high-stakes contexts.
Human-in-the-Loop Escalation: Not all agent actions can or should be subject to human review — that would defeat the purpose of automation. But threshold-based escalation — where actions above a defined risk level, value, or novelty threshold are automatically routed to a human reviewer before execution — provides a practical mechanism for containing the damage from both compromised and mistaken agents. The thresholds should be set by the CISO in consultation with business owners, not defaulted to vendor settings.
Supply Chain Due Diligence: Procurement of AI models, datasets, frameworks, and agent platforms requires the same security due diligence applied to any critical software dependency. This means reviewing model provenance, understanding data lineage, assessing the security practices of AI vendors, and maintaining visibility into the full dependency graph of every AI system in production.
Red-Teaming as Standard Practice: AI systems should be subjected to adversarial testing — red-team exercises specifically designed to probe for prompt injection vulnerabilities, privilege escalation pathways, and hallucination behaviours in high-stakes scenarios — before production deployment and on a regular cadence thereafter. The techniques for AI red-teaming are now well-established; the failure is not knowledge but process discipline.
The Path Forward
Gartner’s March 2026 forecast projects that by 2028, AI applications will be involved in 50 per cent of all cybersecurity incident response efforts — both as attack vectors and as defensive tools. That projection captures the dual nature of the AI security challenge: the same capabilities that make AI systems valuable make them dangerous when misused or compromised, and the same AI capabilities that enable sophisticated attacks also enable the detection and response capabilities that will contain them.
The organisations that will navigate this environment most effectively are those that treat AI security not as a separate domain bolted onto conventional cybersecurity, but as an integral dimension of how AI systems are designed, procured, and governed from the outset. The cybersecurity tax on AI is real. It is also, unlike most taxes, partially avoidable — for organisations willing to invest in governance architecture before the incident rather than after it.
