The AI security readiness gap is real, and it is widening fast. Only 9% of global firms are redesigning roles and responsibilities to handle artificial intelligence properly, yet 91% of UK security teams now prioritize agentic AI adoption as urgent. The gap between ambition and capability has become a critical vulnerability—one that attackers are already exploiting.
Key Takeaways
- Only 9% of businesses are redesigning roles for AI; most layer it onto existing jobs without transformation.
- 83% of firms plan to increase AI investment despite skills shortages and low preparedness levels.
- 76% of UK organizations have faced deepfake attacks; 50% experienced personalized deepfake phishing.
- 58-59% of employees use shadow AI tools, sharing datasets (33%), employee data (27%), and financial data (23%).
- Only 32% of organizations believe their CEO could reliably identify a deepfake.
The AI Security Readiness Reality Check
Firms are moving fast on AI adoption without moving faster on security. According to Ivanti research, the gap between organizations’ ability to defend their data, people, and networks and the evolving threat landscape is widening year-over-year. Daniel Spicer, the company’s Chief Security Officer, calls this a “Cybersecurity Readiness Deficit”. The numbers tell a stark story. Eighty-three percent of UK businesses plan to increase AI investment this year. Yet only 9% are actually redesigning their organizational structures and job responsibilities to accommodate AI safely. The rest are simply bolting AI onto existing workflows, existing teams, and existing security frameworks that were never designed for this.
This is not transformation. It is friction. Senior Strategic Advisor Matt Burney put it plainly: “It is difficult to embed [AI] effectively when treated as an add-on to existing workloads. When implementation is layered onto already stretched teams, the impact is rarely acceleration. It is friction”. That friction creates blind spots. Those blind spots become attack surfaces.
Shadow AI Is the Security Team’s Nightmare
Employees are not waiting for corporate approval. They are using unauthorized AI tools at scale, and they are doing it with company data. Between 58% and 59% of workers admit to using shadow AI—unapproved tools like ChatGPT, Claude, or other generative systems—without IT oversight. When asked what they share with these tools, the answers are chilling: 33% have uploaded datasets, 27% have shared employee data, and 23% have entered financial information. One study found that 93% of workers put company data into unauthorized tools.
BlackFog CEO Dr Darren Williams warned that shadow AI “should raise red flags for security teams and highlights the need for greater oversight and visibility into these security blind spots”. But the problem runs deeper than oversight. Security Researcher Mantas Sabeckis identified the core tension: “That creates a gray zone where employees feel encouraged to use AI, but companies lose oversight of how and where sensitive information is being shared”. Managers are complicit. Fifty-seven percent of managers support unapproved AI use, and 60% accept security risks if they mean meeting deadlines. The pressure to move fast is overriding the instinct to move safely.
Deepfakes and the CEO Problem
The threat landscape has shifted. Deepfake attacks are no longer hypothetical. Seventy-six percent of UK organizations have already faced deepfake attacks, and 50% have experienced personalized deepfake phishing—where attackers create fake videos or audio of executives to manipulate employees. The vulnerability is not technical. It is human. Only 32% of organizations believe their CEO could reliably identify a deepfake. If leadership cannot spot a convincing fake, how can rank-and-file employees be expected to?
This is where AI security readiness becomes a leadership issue, not just an IT issue. Executives are investing in AI tools without understanding the threats those tools enable. They are pushing for faster AI adoption without ensuring their teams have the skills to use it safely. And they are, statistically, among the least equipped to recognize when they are being socially engineered by AI-generated content.
The Skills Shortage That No One Is Fixing
The path forward requires constant user identity verification, continuous monitoring, and a fundamental rethinking of how organizations authenticate and authorize access. Yet 27% of firms cite skills shortages and outdated learning systems as barriers to AI adoption. Only 43% plan to upskill employees this year. That means more than half of organizations are moving forward without equipping their teams.
The irony is sharp. Seventy-one percent of CIOs expect hiring increases to support AI initiatives. But hiring new people does not solve the problem if those new people inherit the same broken processes, the same lack of training, and the same organizational culture that treats AI as an add-on rather than a transformation. Employees are less likely than their bosses to believe they have foundational AI training. The knowledge gap between leadership and staff is itself a security risk.
What True AI Security Readiness Looks Like
The 9% of organizations that are redesigning roles and responsibilities are doing something fundamentally different. They are not adding AI to job descriptions. They are rebuilding job descriptions around AI. They are treating AI adoption as a strategic restructuring, not a tool rollout. They are investing in training before deployment, not after. And they are building security into the architecture from the start, not bolting it on later.
For the 91% still struggling, the path is clear but difficult. Constant identity verification, real-time monitoring, and transparent policies about what AI tools employees can and cannot use are non-negotiable. But those technical controls only work if the organizational culture shifts. Managers need to stop rewarding speed at the expense of security. Executives need to understand the threats they are creating. And employees need training that actually sticks—not a one-off webinar, but ongoing education that keeps pace with the threat landscape.
Is your organization truly ready for AI security threats?
If you are redesigning roles, investing in training, and building identity verification into your core processes, you are in the 9%. If you are adding AI to existing jobs and hoping security handles it, you are in the 91%—and you are taking on risk you may not fully understand.
What counts as shadow AI, and why should security teams care?
Shadow AI refers to unapproved artificial intelligence tools that employees use without IT oversight or authorization. Security teams should care because 58-59% of workers are already doing this, sharing sensitive datasets, employee records, and financial data with these unvetted systems. The risk is not the AI itself—it is the data leakage and the loss of visibility into how company information is being processed.
Can deepfake attacks really fool senior executives?
Yes. Fifty percent of UK organizations have experienced personalized deepfake phishing, and only 32% of firms believe their CEO could reliably identify a deepfake. Leadership is not immune to social engineering, especially when the attack is sophisticated enough to mimic a trusted voice or face. This is why identity verification and authentication need to be constant, not contextual.
The AI security readiness crisis is not a technical problem waiting for a technical fix. It is an organizational problem. Firms are moving too fast without thinking hard enough about what they are building, who has access to it, and what data is flowing through it. The 9% that are prepared are treating AI adoption as a moment to rebuild their security architecture. The 91% are treating it as a checkbox on a roadmap. That gap will only widen until the cost of being unprepared becomes impossible to ignore.
Edited by the All Things Geek team.
Source: TechRadar


