AI Misuse: Emerging Threats from the Top Down

April 2026, Tom Pepper, Partner

Published on: Cyber Security Insiders

For the past two years, organisations have rightly invested significant time and effort into governing how employees use artificial intelligence. Policies have been drafted, training rolled out, and controls implemented to reduce the risk of data leakage, bias, and misuse. But in focusing so heavily on the workforce, many organisations have overlooked a critical blind spot: the behaviour of their most senior leaders.

In my experience, executive misuse of AI is considerably high as a result of fundamental misalignment of incentives and guardrails at the very top. I believe that many CEOs feel they must “personally embody” AI transformation, so they experiment with powerful tools without the training or constraints they expect everyone else to follow. Combine that with huge time pressure, high autonomy, and broad access to sensitive data, and you get the perfect storm: overconfidence, under-skilling, and very little challenge.

The three AI misuse patterns emerging at the top

I’ve seen three patterns again and again.

1. AI outside CEOs competence.

Executives are increasingly turning to AI tools to accelerate decision-making, but often in areas far beyond their expertise – drafting legal language, interpreting complex datasets, or summarising regulatory obligations. The issue is not the use of AI itself; it is the weight given to its outputs. Because these tools are perceived as “trusted” and “reliable,” their outputs can be accepted with insufficient scrutiny. What should be a starting point for expert review instead becomes a substitute for it.

2. Exposure of highly confidential information.

Senior leaders, under pressure to move quickly, may paste sensitive board-level material, such as commercial strategies, acquisition plans, or personnel decisions, into unsanctioned AI tools to obtain rapid insights. This behaviour bypasses established security controls and creates significant exposure. Unlike employees, who are often restricted by monitored systems and clearer policies, executives can operate with fewer technical and procedural constraints.

3. Ignorance about AI policies 

There is often a quiet but persistent belief at the board level that AI governance frameworks are designed for “the organisation,” not for individual leaders. This creates a cultural loophole where protocols are informally bypassed when speed or convenience is at stake. Over time, this undermines the credibility of governance efforts across the entire organisation.

The hidden dangers of this AI misuse

What makes executive AI misuse particularly dangerous is not just the behaviour itself, but the context in which it occurs. Senior leaders operate with high autonomy, limited oversight, and direct influence over strategic decisions. When AI is introduced into that environment without tailored guardrails, the consequences can be disproportionate.

Moreover, leadership behaviour sets the tone. If executives are seen to cut corners, rely uncritically on AI outputs, or bypass controls, those behaviours will cascade. Governance frameworks become performative rather than effective.

This is why AI risk must now be upgraded to being far more than a technical or operational issue, but as a leadership behaviour issue.

Executive AI use should have its own risk category 

So how do compliance and risk teams respond? In my opinion, the starting point is to treat executive AI use as a distinct risk category, not just another user group. From there, organisations can take a series of practical steps.

1. Define executive-specific AI playbooks

Generic policies are not enough. Executives need tailored guidance that reflects the realities of their role. This should include clear red lines (what they must never do, such as inputting sensitive data into unapproved tools), green lines (safe and encouraged use cases), and amber areas that require expert review. The goal is for clarity.

2. Mandate human oversight

For high-impact decisions, including strategy, financial reporting, major workforce changes, or regulatory responses, AI should never be the sole decision-maker. Embedding mandatory human oversight ensures that outputs are interpreted, challenged, and contextualised appropriately.

3. Build friction in the right places

Rather than relying solely on policy, organisations should design environments where compliant behaviour is the default. This means providing approved tools, pre-configured secure workspaces, and standardised prompt templates. If the safest option is also the easiest, adoption will follow naturally.

4. Reinforce accountability

Governance must be reinforced through accountability. Including AI governance objectives in executive scorecards and board evaluations sends a clear signal that responsible AI use is not optional. Misuse should have visible consequences, just as strong governance should be recognised and rewarded.

5. Normalise challenge at the top table

Risk, compliance, and AI assurance teams must be empowered to question and, if necessary, pause AI-driven decisions at the highest level. This requires both formal authority and cultural backing. Without it, governance functions risk becoming advisory rather than effective.

Ultimately, the organisations that will navigate AI risk most successfully are those where leaders model the behaviours they expect from others. When CEOs and boards demonstrate disciplined, transparent AI use and accept the same controls as their teams they create a culture where governance is taken seriously.

The alternative is a growing disconnect: robust policies on paper, but inconsistent behaviour in practice.

The key takeaway is this: AI risk is no longer just a technology issue. It is a leadership issue. And until organisations address the behaviours at the very top, their governance frameworks will remain incomplete.