The rise of artificial intelligence has rendered portions of your current cybersecurity playbook obsolete. Unless Chief Information Security Officers (CISOs) act quickly to reorient their thinking, they may be unaware of and unprepared to face emerging AI-related threats. Learn how to secure your organization’s AI usage and ensure implementation won’t have negative consequences.

The Serious Security Risks Introduced by AI

AI usage is on the rise, and with it come security concerns. According to the 2025 Cyberhaven AI Adoption Risk Report, workplace AI usage increased by a magnitude of 61 from 2023 to 2025. Most of the enterprise data these tools process ends up on high or critical-risk platforms, and much of the information employees input is sensitive. 

Regardless of your personal opinions on AI, it is essential to recognize that it has significant cybersecurity implications. They apply to you regardless of whether you build an internal model from the ground up, develop a lightweight agent, or source an AI-enabled tool from a third-party software-as-a-service (SaaS) vendor.

What Risks Should CISOs Prioritize in 2026?

Shadow AI Risks (Ungoverned AI Usage)

• The 2025 State of Shadow AI report found that 81% of employees use unauthorized AI tools at work. There was a positive correlation between frequent unapproved usage and a high understanding of internal protocols, suggesting that, as their knowledge increases, so does their confidence in making judgments about that risk, even if it means violating company policies.
• Unauthorized/ungoverned use of AI tools by employees (not just ChatGPT and Claude), as 40+% of all SaaS applications are now AI-enabled (e.g., Grammarly, Zoom).
• Lack of visibility into model usage, prompts, and outputs that may contain sensitive data.
• Unvetted third-party AI integrations within SaaS applications (bypassing procurement/security review).
• Non-compliance with internal AI governance policies, leading to regulatory exposure (e.g., NYC Bias Act, Colorado AI Act, EU AI Act).
• Model drift from unmanaged tools impacts organizational decisions or output quality.

Adversarial AI & Cyber Threats

• Deepfake-based phishing or social engineering (voice/video impersonation of executives).
• Adversarial machine learning attacks (e.g., data poisoning, evasion attacks on AI-based defenses).
• Weaponization of LLMs by threat actors for malware creation, phishing, or automation of attacks.
• Model extraction or inversion attacks, where attackers reverse-engineer or extract sensitive data from deployed models.
• Manipulation of AI-generated content to spread disinformation or mislead users in critical systems.

AI Development & Supply Chain Risks

• Use of insecure or unvetted open-source AI models/libraries (introducing vulnerabilities – look into Model Whitelisting).
• Inadequate model training hygiene, including training on biased, toxic, or proprietary datasets.
• Lack of secure MLOps pipelines, enabling tampering with training data, model weights, or configurations.
• Dependency on third-party AI APIs, with uncertain SLAs, model updates, or data retention policies.
• Intellectual property leakage during training or fine-tuning processes.

AI Risk Realizations (Operational Failures)

• Hallucination: LLMs generating incorrect, misleading, or fabricated content that may influence decisions.
• Sensitive data leakage via model outputs or logs (e.g., PII, customer data, source code).
• Over-reliance on AI-generated decisions, leading to legal, financial, or ethical consequences.
• Model bias and discrimination lead to reputational and legal risks.
• Prompt injection or jailbreak attacks on LLM-based applications.
• Inaccurate content summarization or decision support, leading to business disruption.

Legal, Compliance & Ethical Risks

• Violations of data privacy laws (e.g., GDPR, HIPAA) through improper data use in training or inference.
• Lack of model explainability/auditability, challenging compliance with AI regulations.
• Failure to meet legal/contractual obligations (e.g., EU AI Act, NIST AI RMF, ISO 42001).
• Misuse of copyrighted or licensed content in training or content generation.
• Negligence liability for harm caused by AI-assisted decisions or actions.

As a leading information security consulting firm, CBIZ Pivot Point Security can leverage forward-thinking insights to help you prepare your next steps. Even if you have deep technical knowledge, you’ll want to listen to expert recommendations from an outside partner drawing on the work they are doing with dozens of other organizations facing similar challenges.

What CISOs Often Get Wrong About AI Security Risk

1. Third-Party AI Tools Are Safe

Consider that 56% of organizations using third-party AI tools experienced at least one incident of sensitive data exposure, and only 23% have incorporated AI-specific evaluations into their third-party risk assessments.

The Harvard Extension School surveyed a panel of CISOs and cybersecurity leaders. One was Naveen Balakrishnan, the managing director at TD Securities. He estimated 70% of AI-driven cyberattacks enter his organization’s environments through third-party vendors. 

2. You Can Control Workers’ AI Usage

At CBIZ Pivot Point Security, we believe shadow AI is among the most pressing AI risks facing CISOs. Given that 40% or more of SaaS applications are AI-enabled, every organization is consuming far more AI than they assume. For the average midmarket organization, this equates to 60 unmanaged AI applications. 

3. AI Vendor Contracts Will Protect You

Airtight vendor agreements may protect your company from liability, but they won’t prevent indirect financial or reputational damage. Evolving law makes the user of the AI-enabled application liable in the event that it fails (e.g., discriminates against a particular ethnic group), rather than the vendor, unless the end user organization has a robust AI-Governance program in place and has done due diligence against the vendor.

4. In-House Models Are More Secure

Developing a machine learning model in-house provides more control over development; however, it still carries risks, including hallucinations, discrimination, unsafe output, copyright violations, and data leakage. The vast majority of developers now utilize AI-enabled development tools, which have recently been targeted by malicious adversaries. 

Mitigating AI Risk 

Mitigating AI risk requires a comprehensive approach. CISOs should establish an internal AI governance/risk management program aligned with prevailing good practice (e.g., NIST AI RMF, ISO 42001).

Core elements include (but are not limited to):

• Shadow AI detection
• Incorporating AI reviews into Third-Party Risk Management
• AI Acceptable Use Policy and End User Education
• An AI Intake process
• AI threat modeling 
• Deploy AI usage policies and training programs across the org
• Implement secure MLOps practices (if developing)
• Leverage AI-powered security tools as possible
• Stay current on emerging AI laws/regulations 

Rethink How You Manage AI in the Workplace

The threats AI poses in business environments are varied and dynamic, making it challenging to protect the workplace. Whether you develop your own systems or just use AI-enabled SaaS, ensuring secure and strategic AI usage will advance business objectives. 

Even with all of this knowledge, navigating emerging AI threats can be challenging. If employee training backfires or valued vendors create attack vectors, the experts at CBIZ Pivot Point Security can help you anticipate your next steps and turn risks into opportunities. Contact them today to stay ahead of the evolving cybersecurity landscape.