Key Actions for CIOs to Prepare Cybersecurity for AI Evolution

13 May 2026 - ID G00850371 - 8 min read
By Emily Tan, Nathan Lewis
AI’s rapid evolution is decreasing the threshold to action for bad actors, raising the volume and velocity of attacks. CIOs can ensure their cybersecurity protections are defensible and prepared for an AI-driven future by working closely with the CISO.

Insights at a Glance


Generative AI application launches, such as Anthropic’s Claude Mythos, have dramatically shortened the time CIOs and CISOs have to address long-existing cybersecurity vulnerabilities. CIOs and CISOs must act now to secure the organization against the following key impacts:
  • Expansion of the attack surface.
  • Increase in volume and velocity of cyberattacks.
  • Increased risk from existing and growing technical debt and legacy vulnerabilities.
  • New third-party and supply chain risks​.
  • Regulatory and policy shifts.
  • New employee-driven vulnerabilities.
Critical Actions CIOs Must Take:
  • Establish targeted protection levels using outcome-driven metrics to calibrate investments against current threats.
  • Increase investments in cyber resilience to minimize business impact from cyber incidents.
  • Move toward an AI-first cybersecurity program to increase speed and redirect human effort toward more valuable risk-mitigation activities.

Issue


  • Expansion of the attack surface AI integration broadens the technological landscape through the complexity of multiple AI models and introduces multidomain threats that span physical, cyber, and sensor-based environments.
  • Increase in volume and velocity of cyberattacks Cybercriminals can use AI to refine their attack methods, often at scale, outpacing traditional defensive measures. It also lowers the barrier to entry for bad actors making attacks more accessible.​
  • Increased risk from technical debt and legacy vulnerabilities The implementation of AI solutions without updating foundational cybersecurity controls has compounded the risks and vulnerabilities arising from technical debt, adding to the layers of legacy systems and custom integrations. ​
  • New third-party and supply chain risks​ Supply chain vulnerabilities are further aggravated by AI, as partners and vendors increasingly deploy AI applications that interface with the organization’s systems.​
  • Regulatory and policy shifts​ Compliance with stringent standards in data protection, vulnerability management, and incident response is increasingly non-negotiable. Organizations must not only adhere to evolving regulations but also proactively anticipate future legislative changes that differ across the globe.​
  • Expanded employee-driven vulnerabilities​ AI has increased the number of ways an employee can inadvertently allow a bad actor to breach the organization’s security, such as through social engineering or data leaks. ​

Impact


The time to kick unaddressed cybersecurity vulnerabilities down the road has run out. Unresolved vulnerabilities and incomplete resilience measures are now more likely to cause expensive or even business-threatening events because of the speed that AI can lend to bad actors.

More Detail


Leaps in generative AI have increased the pressure on CIOs and CISOs to address age-old vulnerabilities long swept under the carpet. Anthropic’s recently launched Claude Mythos is capable of unearthing decades-old vulnerabilities in widely used open-source dependencies for tens of dollars per finding.
Even before this launch, 87% of cybersecurity leaders identified AI-related vulnerabilities as the fastest-growing cyber risk over the course of 2025.1
Gartner position:
AI attacks are not novel, but AI dramatically accelerates the speed and scale of attacks.
Gartner’s research demonstrates that CIOs must work closely with CISOs to address six key impacts AI has on cybersecurity to secure the organization (see Table 1).

Six Key Impacts AI Has on Cybersecurity

AI’s impact on cybersecurity
Top actions for CIOs in partnership with the CISO
  • Expansion of the attack surface
  • Metrics: Establish targeted protection levels with your CISO to calibrate investment.
  • Business engagement: Collaborate and negotiate with business owners.
  • Increase in volume and velocity of cyberattacks
  • Cyber resilience: Shift from prevention to minimizing the business impact from cyber incidents.
  • AI-first cybersecurity: Move toward an AI-driven cybersecurity program.
  • Communicate: Convince boards to invest in resilience.
  • Increased risk from technical debt and legacy vulnerabilities
  • Identify: Track tech debt to understand how it affects systems before seeking investment to address it.
  • Govern: Address the systemic and strategic friction that erodes value.
  • Communicate: Use metrics to present tech debt as a choice.
  • New third-party and supply chain risks
  • Pivot: Shift third-party cyber risk management resourcing from due diligence assurance to risk-based monitoring. ​
  • Redirect: Use AI to move human effort toward more valuable risk management activities.
  • Alerts: Adopt AI-driven risk scoring solutions with real-time alerts.
  • Regulatory and policy shifts
  • Reframe: Focus on the ways requirements can be met based on risk tolerance levels.
  • Automate: Use AI governance platforms to keep pace.
  • Shift: Adapt to AI sovereignty by shifting from global standards to regional autonomy.
  • Expanded employee-driven vulnerabilities
  • Track: Measure what people actually do wrong and target those behaviors.
  • Personalize: Customize training on a variety of real scenarios.
  • Amnesty: Launch an interim amnesty policy to capture shadow AI usage without penalty.
Source: Gartner (May 2026)

Expansion of the Attack Surface

AI integration has broadened the technological landscape through the complexity of multiple AI models and introduces multidomain threats that span physical, digital, and sensor-based environments. This has resulted in a more permeable and ever-growing perimeter.

CIOs Should Partner With CISOs to:

Increase in Volume and Velocity of Cyberattacks

Cybercriminals can use AI to refine their attack methods, often at scale, outpacing traditional defensive measures. It also lowers the barrier to entry for bad actors making attacks more accessible.​

CIOs Should Partner With CISOs to:

New Third-Party and Supply Chain Risks​

Supply chain vulnerabilities are further aggravated by AI, as partners and vendors increasingly deploy AI
applications that interface with the organization’s systems.​

CIOs Should Partner With CISOs to:

Regulatory and Policy Shifts

Compliance with stringent standards in data protection, vulnerability management, and incident response is
increasingly non-negotiable. Organizations must not only adhere to evolving regulations, such as the newly introduced EU AI Act, but also proactively anticipate future legislative changes that differ across the globe.​

CIOs Should Partner With CISOs to:

New Employee-Driven Vulnerabilities​

AI has increased the number of ways an employee can inadvertently allow a bad actor to breach the organization’s security, such as through social engineering or data leaks.

CIOs Should Partner With CISOs to:

  • Set the standard for AI literacy. Define it in operational terms for specific teams and set defined goals or milestones for learning (see A CISO’s Guide to AI Cyber Stewardship).
  • Measure what people actually do wrong and target those behaviors. Employee benchmarking shows a wide range of risky behavior, not just phishing (see Drive Secure Behavior With 4 Employee-Focused Tactics).
  • Personalize training on a variety of real scenarios. Employees want more, but better training: short, targeted, based on real scenarios.
  • Launch an interim amnesty policy to capture shadow AI usage without penalty. Publish a temporary “safe harbor” policy stating that employees will not be penalized for reporting current unauthorized AI usage. Use this moment to highlight that security is here to help users safely innovate. This shifts the culture from “hiding” to “collaborating” (see Use Agile, Adaptive, AI-ready [3A] Data Security Governance to Secure Shadow AI).

Evidence


1 Global Cybersecurity Outlook 2026, World Economic Forum.