I keep coming back to Nine Out of Ten Companies because it affects every part of digital life. I have been watching AI and cyber security trends closely for years, and the latest Accenture finding is not surprising: it is downright scary.
A new State of Cybersecurity Resilience 2025 report finds only one in ten global organisations is adequately prepared to defend against AI-augmented cyber threats. That means ninety percent of companies are essentially guessing. They have incident response plans written for human attackers, not machine-speed campaigns. They have formal generative AI use policies in roughly one in five firms. Most do not have encrypted or access-controlled data pipelines that could contain an AI-assisted breach before it spreads.
This is not theoretical. Earlier research showed the first documented large-scale cyber espionage campaign executed mostly by AI, with human operators making only a handful of key decisions. In that case, AI performed eighty to ninety percent of the work, scanning networks, harvesting credentials, writing custom exploit code, and categorising stolen data by intelligence value at thousands of requests per second. That is not a future threat. It is already happened, and most defenders were not ready for the speed or scale.
Meanwhile, ransomware hit record levels in 2025, and Malwarebytes confirmed the first fully AI-orchestrated attacks began in earnest. Remote encryption from unmanaged shadow IT systems became the dominant method, because attackers did not need direct access to endpoints. They found the hidden systems, locked the network from a single staging machine, and security teams had almost nothing visible to quarantine.
The enterprise response is still lagging. Only twenty five percent of organisations have fully leveraged encryption and access controls for sensitive data. In Asia Pacific, seventy one percent fall into the highest-risk exposure zone. Latin America shows seventy seven percent lack basic security strategies and capabilities.
If you run or advise any organisation, these numbers are your short list of fixes:
– Inventory every AI system in use, approved or shadow, before the next audit.
– Encrypt sensitive data and enforce least-privilege access at the model and pipeline level.
– Train staff on generative AI risks at least once per quarter.
– Move from reactive threat response to continuous monitoring with automated containment.
– Include AI-specific scenarios in tabletop exercises, especially prompt injection and agent misuse.
AI is not coming for your business. It is already here. The organisations that treat this as a board-level issue today will be the ones standing next year.
> The safest posture in an AI-driven threat landscape is not bigger firewalls. It is knowing which data your AI systems can touch, limiting that exposure by design, and detecting abnormal agent behaviour before it becomes a breach.