Corporate Security Faces New Threats from Shadow AI and Compliance Issues

Editorial

The latest findings from the State of Information Security Report 2025 by IO reveal that corporate security is increasingly compromised by emerging technologies, specifically artificial intelligence (AI). The report, which surveyed over 3,000 security professionals in the UK and the US, highlights a significant rise in risks associated with AI, compliance, and supply chain security that are dominating discussions at the board level.

AI is becoming an integral part of both security operations and business processes. Almost 80% of respondents indicated their organizations had adopted AI or machine learning technologies in the past year. Despite this widespread adoption, many organizations are struggling with responsible management. A critical concern identified in the report is the prevalence of shadow AI, with 37% of employees reportedly using generative tools without formal approval. This unregulated usage poses risks such as accidental data leaks and potential violations of the General Data Protection Regulation (GDPR).

Threat actors are increasingly exploiting AI technologies, using methods such as data poisoning, deepfake impersonation, and AI-generated phishing campaigns. Respondents flagged AI-powered misinformation and disinformation as their foremost concern for the upcoming year. As they navigate these challenges, many organizations are planning to invest in AI-driven defensive measures, including tools for detection, validation, and governance.

Governance and Compliance: A Growing Priority

Chris Newton-Smith, CEO of IO, emphasizes the dual nature of AI, stating, “AI has always been a double-edged sword. While it offers enormous promise, the risks are evolving just as fast as the technology itself. Too many organizations rushed in and are now paying the price.” He further stressed the need for stronger governance to protect businesses and the public.

The report indicates that 71% of organizations received fines over the past year due to data breaches or compliance failures. Nearly one-third faced penalties exceeding £250,000. In light of these challenges, many firms are viewing compliance frameworks like ISO 27001 and SOC 2 as not only necessary to avoid fines but also valuable for building trust, enhancing decision-making, and accessing new markets.

Despite this recognition, compliance remains a daunting task. Two-thirds of respondents admitted they struggle to manage compliance requirements internally, with smaller organizations feeling the pressure most acutely. The rapid pace and complexity of regulatory changes have been noted as persistent challenges, with many respondents calling for more alignment across jurisdictions. Nevertheless, achieving or maintaining compliance certifications continues to be a top priority.

Supply Chain Vulnerabilities and Rising Investment

Supply chain security is another area of concern, with 61% of respondents reporting that their organizations had been impacted by a third-party incident within the past year. Such incidents frequently result in customer or employee data breaches, financial losses, and reputational damage. Regulatory scrutiny is intensifying, particularly with new requirements under NIS2, DORA, and the UK’s Cyber Security and Resilience Bill, which are compelling firms to enhance oversight of their suppliers.

According to the report, 64% of organizations plan to increase their spending on third-party risk management this year, with 80% having already strengthened their programs. Despite these efforts, smaller suppliers remain a significant concern due to their often limited investment in risk controls.

The findings from IO’s report underscore the necessity for organizations to navigate the complexities of AI, compliance, and supply chain security effectively. As threats evolve, the call for robust governance and strategic investment in security measures has never been more critical.
