Insights at a Glance
Generative AI application launches, such as Anthropic’s Claude Mythos, have dramatically shortened the time CIOs and CISOs have to address long-existing cybersecurity vulnerabilities. CIOs and CISOs must act now to secure the organization against the following key impacts: Expansion of the attack surface.
Increase in volume and velocity of cyberattacks.
Increased risk from existing and growing technical debt and legacy vulnerabilities.
New third-party and supply chain risks.
Regulatory and policy shifts.
New employee-driven vulnerabilities.
Critical Actions CIOs Must Take:
Issue
Expansion of the attack surface — AI integration broadens the technological landscape through the complexity of multiple AI models and introduces multidomain threats that span physical, cyber, and sensor-based environments.
Increase in volume and velocity of cyberattacks — Cybercriminals can use AI to refine their attack methods, often at scale, outpacing traditional defensive measures. It also lowers the barrier to entry for bad actors making attacks more accessible.
Increased risk from technical debt and legacy vulnerabilities — The implementation of AI solutions without updating foundational cybersecurity controls has compounded the risks and vulnerabilities arising from technical debt, adding to the layers of legacy systems and custom integrations.
New third-party and supply chain risks — Supply chain vulnerabilities are further aggravated by AI, as partners and vendors increasingly deploy AI applications that interface with the organization’s systems.
Regulatory and policy shifts — Compliance with stringent standards in data protection, vulnerability management, and incident response is increasingly non-negotiable. Organizations must not only adhere to evolving regulations but also proactively anticipate future legislative changes that differ across the globe.
Expanded employee-driven vulnerabilities — AI has increased the number of ways an employee can inadvertently allow a bad actor to breach the organization’s security, such as through social engineering or data leaks.
Impact
The time to kick unaddressed cybersecurity vulnerabilities down the road has run out. Unresolved vulnerabilities and incomplete resilience measures are now more likely to cause expensive or even business-threatening events because of the speed that AI can lend to bad actors.
More Detail
Leaps in generative AI have increased the pressure on CIOs and CISOs to address age-old vulnerabilities long swept under the carpet. Anthropic’s recently launched Claude Mythos is capable of unearthing decades-old vulnerabilities in widely used open-source dependencies for tens of dollars per finding.
Even before this launch, 87% of cybersecurity leaders identified AI-related vulnerabilities as the fastest-growing cyber risk over the course of 2025.1
Gartner position:
AI attacks are not novel, but AI dramatically accelerates the speed and scale of attacks.
Gartner’s research demonstrates that CIOs must work closely with CISOs to address six key impacts AI has on cybersecurity to secure the organization (see Table 1).
AI’s impact on cybersecurity | Top actions for CIOs in partnership with the CISO |
| |
| Cyber resilience: Shift from prevention to minimizing the business impact from cyber incidents. AI-first cybersecurity: Move toward an AI-driven cybersecurity program. Communicate: Convince boards to invest in resilience.
|
| Identify: Track tech debt to understand how it affects systems before seeking investment to address it. Govern: Address the systemic and strategic friction that erodes value. Communicate: Use metrics to present tech debt as a choice.
|
| Pivot: Shift third-party cyber risk management resourcing from due diligence assurance to risk-based monitoring. Redirect: Use AI to move human effort toward more valuable risk management activities. Alerts: Adopt AI-driven risk scoring solutions with real-time alerts.
|
| Reframe: Focus on the ways requirements can be met based on risk tolerance levels. Automate: Use AI governance platforms to keep pace. Shift: Adapt to AI sovereignty by shifting from global standards to regional autonomy.
|
| Track: Measure what people actually do wrong and target those behaviors. Personalize: Customize training on a variety of real scenarios. Amnesty: Launch an interim amnesty policy to capture shadow AI usage without penalty.
|
|
Source: Gartner (May 2026)
Expansion of the Attack Surface
AI integration has broadened the technological landscape through the complexity of multiple AI models and introduces multidomain threats that span physical, digital, and sensor-based environments. This has resulted in a more permeable and ever-growing perimeter.
CIOs Should Partner With CISOs to:
Increase in Volume and Velocity of Cyberattacks
Cybercriminals can use AI to refine their attack methods, often at scale, outpacing traditional defensive measures. It also lowers the barrier to entry for bad actors making attacks more accessible.
CIOs Should Partner With CISOs to:
Move toward AI-first cybersecurity. AI‑first cybersecurity embeds automation across workflows, including zero‑click compliance, automated alert processing, and continuous security testing (see IT 2030: AI-First Cybersecurity Is Unavoidable).
New Third-Party and Supply Chain Risks
Supply chain vulnerabilities are further aggravated by AI, as partners and vendors increasingly deploy AI
applications that interface with the organization’s systems.
CIOs Should Partner With CISOs to:
Regulatory and Policy Shifts
Compliance with stringent standards in data protection, vulnerability management, and incident response is
increasingly non-negotiable. Organizations must not only adhere to evolving regulations, such as the newly introduced EU AI Act, but also proactively anticipate future legislative changes that differ across the globe.
CIOs Should Partner With CISOs to:
Obtain organizational alignment on a risk-based approach to scope compliance plans. This approach distinguishes between risks that are prohibited for the organization and encourages the organization to embrace risk taking where existing controls are sufficient (see Build AI Governance Programs That Keep Pace With Regulatory Change). Adopt technology that automates risk mitigation via policy engines, such as AI governance platforms, to keep pace with the rapidly changing AI regulatory landscape.
New Employee-Driven Vulnerabilities
AI has increased the number of ways an employee can inadvertently allow a bad actor to breach the organization’s security, such as through social engineering or data leaks.
CIOs Should Partner With CISOs to:
Personalize training on a variety of real scenarios. Employees want more, but better training: short, targeted, based on real scenarios.
Launch an interim amnesty policy to capture shadow AI usage without penalty. Publish a temporary “safe harbor” policy stating that employees will not be penalized for reporting current unauthorized AI usage. Use this moment to highlight that security is here to help users safely innovate. This shifts the culture from “hiding” to “collaborating” (see Use Agile, Adaptive, AI-ready [3A] Data Security Governance to Secure Shadow AI).