CISOs warn AI scams widen leadership cyber risk gap
Thu, 9th Jul 2026 (Today)
MetaCompliance has published research showing that 78% of chief information security officers say senior leaders do not fully understand employee-driven cyber risk. The survey covered 200 CISOs across the UK, France, Germany and Sweden.
The findings point to a widening gap between the rise of AI-enabled scams and the level of support security leaders believe they receive from the top of their organisations. Nearly half of those who felt less confident in their organisation's cyber resilience than they did 12 months earlier blamed increasingly sophisticated AI-enabled social engineering attacks.
Employees were identified as the biggest security risk by 68% of respondents, underlining how attacks are increasingly aimed at judgement and behaviour rather than technical weaknesses alone. The research also found that 79% said executive support for security awareness initiatives fades over time.
That combination is leaving security teams to manage growing threats without sustained leadership attention. Some 76% of respondents said they struggle to meet competing demands for human-risk metrics from different stakeholders, while nearly a quarter said cross-functional stakeholder alignment was one of the areas where they felt least confident in managing human cyber risk.
AI pressure
The survey suggests AI is changing both the scale and nature of attacks facing businesses. More than four in ten CISOs said they were concerned about AI increasing the speed and impact of social engineering attacks, while 40% feared employees were sharing sensitive information with generative AI platforms.
Another 41% said they were concerned that malicious insiders could use AI to support fraud, cybercrime or data theft. In the UK, more than half of CISOs identified deepfake impersonation attacks as a major threat to their organisation, the highest level among the four markets in the study.
As AI-generated material becomes harder to distinguish from legitimate communications, security teams are placing more emphasis on human-focused defences. Almost a quarter of CISOs said improving resilience against AI-enabled social engineering attacks would be a priority over the next 12 months.
James Mackay, Chief Executive Officer of MetaCompliance, set out the company's view of the shift in risk.
"AI has changed the context for human risk. Attackers are no longer relying on obvious scams or poorly written phishing emails. They can now create highly convincing impersonation attempts, social engineering attacks and fraudulent communications at scale. That makes senior leadership alignment more important than ever. Human cyber risk is no longer just an awareness issue or a training issue; it is a strategic business risk. But our research shows that many CISOs are still trying to drive change without consistent senior support, clear ownership or a shared understanding of the risk across the business. If leadership support fades after the initial push, organisations are left exposed. Building resilience against AI-enabled threats requires sustained executive backing, better stakeholder alignment and a more intelligent, behaviour-led approach to managing human cyber risk," Mackay said.
Leadership gap
The results add to broader concerns in the security sector about the limits of technical controls when attacks are designed to manipulate people. AI tools have made it easier for criminals to produce convincing phishing messages, fake internal requests and impersonation attempts that appear authentic enough to bypass employees' suspicion.
For CISOs, that appears to be creating a governance problem as well as a security one. If senior leaders do not fully understand the exposure created by staff behaviour, security teams may find it harder to secure budget, sustain internal attention and build joined-up responses across departments such as IT, HR, compliance and operations.
The figures showing support fading over time also suggest that awareness campaigns may still be treated as short-term programmes rather than an ongoing management issue. That matters even more as AI reduces the effort needed to produce targeted attacks and increases the volume of messages reaching staff.
The organisations best placed to respond will be those that focus on behaviour at the point where risk occurs, rather than relying only on periodic training, according to MetaCompliance. The company argues that a more targeted approach is needed as employees face a steady flow of messages, requests and digital interactions that may now be generated or altered by AI.
Mackay outlined that approach in a second statement.
"The organisations best placed to respond will be those that treat human cyber risk as a continuous management challenge, not a periodic training exercise. Employees need support in the moments where risk actually happens. That means using behavioural insight, real-time targeting and contextual guidance to help people make better security decisions as AI-enabled attacks become harder to detect," Mackay said.