
The AI Shift in Cyber Risk: Why Trust and Governance Must Keep Pace


By Tom Pepper, AI Security Practice Partner


The recent NCSC warning on the changing cyber risk landscape should not come as a surprise.

For some time now, security leaders have recognised that artificial intelligence is changing the speed, scale and accessibility of cyber threats. The barriers to entry are lowering, the time between vulnerability discovery and exploitation is shrinking, and activities that once required specialist expertise are becoming increasingly accessible.


In my view, however, many organisations are asking the wrong question. It is not a case of whether AI introduces new cyber risks; it is whether organisations are building the governance, oversight and trust required to adopt AI safely and responsibly.


AI Is Not Just Changing Technology

Much of the discussion surrounding AI focuses on the technology itself: new tools, new capabilities, new efficiencies. Yet the biggest challenge I see is behavioural as opposed to technological.


Across almost every sector, AI adoption is accelerating faster than governance can keep pace. Business leaders are under pressure to innovate, employees are experimenting with new tools, and development teams are leveraging platforms such as Claude Code to increase efficiencies, but in many cases the technology arrives long before the guardrails are well established.


This creates a dangerous imbalance. Organisations become focused on what AI can do, without fully understanding how it should be governed.


The Leadership Gap

In previous blogs and articles, I have argued that AI risk should no longer be viewed solely as a technology issue. It is increasingly a leadership issue, and this remains true.

Many organisations have invested heavily in workforce AI policies, awareness programmes and acceptable use guidance. Yet some of the most significant risks continue to emerge at leadership level, where autonomy is highest, oversight is limited, and decisions carry the greatest consequence.


When senior leaders rely on AI outputs without sufficient challenge, share sensitive information with unapproved tools, or operate outside established governance frameworks, they unintentionally create a culture where controls become optional.


Trust in AI adoption is not created through policy documents alone; it stems from the behaviours of the organisational leadership, which can flow down into the wider workforce.


The Governance Challenge

The NCSC's warning highlights how AI is accelerating existing cyber threats. However, from my perspective, the greater challenge is organisational readiness.

Many organisations still struggle to answer fundamental questions:


  • Do we know where AI is being used?

  • Do we understand the risks associated with those use cases?

  • Who is accountable for AI-related decisions?

  • What governance exists to challenge AI outputs?

  • How are we ensuring human oversight remains effective?


These are not technical questions; they are governance questions and, increasingly, they are becoming board-level questions.


Why Trust Matters

Trust is often discussed as an outcome of successful AI adoption, but I would argue it should be viewed as a prerequisite. Employees need confidence that AI tools can be used safely, customers need confidence that AI-enabled services are being governed responsibly, and boards need confidence that decisions influenced by AI remain accountable and explainable.


Without trust, adoption becomes fragile. With trust, organisations can innovate with confidence.


Building AI With Confidence

The organisations that will succeed over the coming years will be those that establish the right balance between innovation, governance and security.


That means:

  • Clear policies and acceptable use guidance.

  • Defined accountability and decision ownership.

  • Human-in-the-loop oversight for high-impact decisions.

  • Security and privacy considerations embedded from the outset.

  • Executive leadership that models responsible AI use.


The objective should not be to slow AI adoption, but to ensure that adoption is sustainable, secure and trusted.


The NCSC is right to highlight the changing cyber threat landscape, but as organisations continue their AI journey, the greatest challenge may not be the technology itself but whether governance, accountability and trust can keep pace with the speed of innovation.

 

 
