Report | AI Security, 2026

Report | AI Security, 2026

Explore the 2026 AI Security Report to uncover emerging AI-powered cyber threats, real-world attack trends, and expert recommendations to help secure your organization in the age of AI.

Report | AI Security, 2026

Check Point Research

AI Security Report 2026

Check Point AI Report • 2nd Annual Edition

Check Point Research

AI Security Report 2026

Check Point AI Report • 2nd Annual Edition

Table of Contents

01 02

Introduction   AI-Powered Cyber Attacks

05 06 Data Leakage & Enterprise AI Exposure

Security for AI. Security by AI. Security with AI

03 Attacks against AI: AI as an attack surface

07

2026 CISO 
 Recommendations

04

Digital Identity Under Siege

Table of Contents

01

Introduction

02

AI-Powered Cyber Attacks

03

Attacks against AI: AI as an attack surface

04

Digital Identity Under Siege

05

Data Leakage & Enterprise AI Exposure

06

Security for AI. Security by AI. Security with AI

07

2026 CISO Recommendations

Introduction Introduction

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

04 AI Security Report 2026

Introduction

When AI Stopped Assisting and Started Operating

A year ago, we described AI as a force multiplier for cyber

attackers: something that made existing techniques faster, cheaper,

and more accessible. Over the past twelve months, the evidence we

collected tells a more significant story.

AI has crossed into the live attack chain. We documented intrusions

where AI ran exploitation workflows autonomously, generating

thousands of commands across dozens of sessions with minimal

human direction. We analyzed malware that a single developer

produced in under a week at a quality level our researchers initially

attributed to a multi-person team working for months. We watched

criminal groups breach government agencies at scale, using AI as

the primary operator rather than a background assistant. And in

most of those cases, what gave away the AI's role in the attack was

the attacker's own operational mistakes or monitoring by  the AI

provider, not anything the victim organization had detected or put in

place to catch it.

The shift matters because it changes what defenders need to

account for. The expertise barrier that once separated capable

attackers from the rest has been compressing steadily, and the

artifacts now coming out of AI-assisted operations are the clearest

evidence of how far that compression has gone.

The other half of this report looks inward. Organizations adopting AI

are generating an exposure surface that most security teams are

still working to understand. High-risk GenAI prompts doubled over

the past year. The average organization now runs ten AI applications

a month, many operating outside any formal approval process. The

models and infrastructure being adopted carry attack surfaces of

their own, and the security practices around them have not kept

pace with the rate of adoption.

Four chapters follow, grounded in Check Point Research incidents,

telemetry, and original case studies from the past twelve months.

What you will read is a record of what already

happened, setting the stage of

what’s expected to come.

Lotem Finkelstein

Vice President, Check Point Research

Introduction

When AI Stopped Assisting and Started Operating

A year ago, we described AI as a force multiplier for cyber

attackers: something that made existing techniques faster, cheaper,

and more accessible. Over the past twelve months, the evidence we

collected tells a more significant story.

AI has crossed into the live attack chain. We documented

intrusions where AI ran exploitation workflows autonomously, generating thousands of commands across dozens

of sessions with minimal human direction. We analyzed malware that a single developer produced in under a week at a

quality level our researchers initially attributed to a multi-person team working for months. We watched criminal groups breach government agencies at scale, using AI as the

primary operator rather than a background assistant. And in most of those cases, what gave away the AI's role in the attack was the attacker's own operational mistakes or monitoring by

the AI provider, not anything the victim organization had detected or put in place to catch it.

The shift matters because it changes what defenders need to account for. The

expertise barrier that once separated capable attackers from the rest has been

compressing steadily, and the artifacts now coming out of AI-assisted operations are

the clearest evidence of how far that compression has gone.

The other half of this report looks inward. Organizations adopting AI are generating an exposure surface that most security teams are still working to understand. High-risk GenAI prompts doubled over the past year. The average organization now runs ten AI applications a month, many operating outside any formal approval process. The models and infrastructure being

adopted carry attack surfaces of their own, and the security practices around them have not kept pace with the rate of adoption.

Four chapters follow, grounded in Check Point Research incidents, telemetry, and original case studies from the past twelve months. What you will read is a record of what already

happened, setting the stage of

what’s expected to come.

Lotem Finkelstein

Vice President, Check Point Research

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

04 AI Security Report 2026

AI-Powered
 Cyber Attacks

AI-Powered Cyber Attacks

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

06 AI Security Report 2026

AI-Powered Cyber Attacks

Over the past twelve months, public reporting and real

incidents show AI playing a role in nearly every stage of a cyber

attack chain: social engineering, malware development, live

intrusion support, building attacker tools, and vulnerability

research. The attack techniques themselves are mostly familiar.

What has changed is that AI now does in minutes what used to take

a skilled attacker hours or days, and at a fraction of the cost

and expertise required before.

Anthropic's analysis on misuse supports this pattern: attackers are

using AI less for initial access, but rather to do the work itself once

inside, increasing in post-compromise activity. The attackers posing

the highest risk aren't the ones with the fanciest tools; they're the

ones who've figured out how to orchestrate AI to chain multiple

stack stages without needing to step in themselves.

To achieve any of these goals, attackers first need to obtain usable

AI capability and remove its safety controls.

How attackers access AI capability

Attackers obtain AI capabilities through three routes, and all three

matured over the year, though not equally:

Abusing commercial models, accessed

legitimately or through stolen

credentials, remains the

most common route in practice.

Deploying self-hosted open-source models

avoids moderation and provider logging,

but stays more aspirational than practical.

Buying access to purpose-built malicious

services peaked and then declined as the

underground grew skeptical of their quality.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

06 AI Security Report 2026

AI-Powered Cyber Attacks

Over the past twelve

months, public reporting and real incidents show AI

playing a role in nearly every stage of a cyber attack chain:

social engineering, malware development, live intrusion

support, building attacker tools, and vulnerability research.

The attack techniques themselves are mostly familiar. What has

changed is that AI now does in minutes what used to take a skilled

attacker hours or days, and at a fraction of the cost and expertise required before.

Anthropic's analysis on

misuse supports this pattern: attackers are using AI less for initial access, but rather to do the work itself once inside, increasing in post-compromise activity. The attackers posing the

highest risk aren't the ones with the fanciest tools; they're the ones who've figured out how to orchestrate AI to chain multiple stack stages without needing to step in themselves.

To achieve any of these goals, attackers first need to obtain usable

AI capability and remove its safety controls.

How attackers access AI capability

Attackers obtain AI capabilities through three routes, and all three

matured over the year, though not equally:

Abusing commercial models, accessed

legitimately or through stolen credentials,

remains the most common route in practice.

Deploying self-hosted open-source models

avoids moderation and provider logging,

but stays more aspirational than practical.

Buying access to purpose-built malicious

services peaked and then declined as the

underground grew skeptical of their quality.

https://www.anthropic.com/news/AI-enabled-cyber-threats-mitre-attack https://www.anthropic.com/news/AI-enabled-cyber-threats-mitre-attack

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

07 AI Security Report 2026

Abusing commercial models

The simplest route is also the most popular: use an everyday tool

like ChatGPT, Gemini, or Claude and work around its safety rules.

Attackers break a malicious request into smaller, innocent-looking

steps, first asking the AI to explain a technique in general, then

asking for the actual code, and they gravitate toward whichever

mainstream tool has the weakest safety rules. Much of what we

know comes from the AI companies themselves: Google’s Threat

Intelligence Group has documented state-sponsored and

criminal abuse of Gemini to conduct reconnaissance, lure

development, and tooling, and Anthropic and OpenAI have reported

similar abuse of their own AI.

Access can also simply be stolen. Login credentials for AI tools are

now a deliberate target for theft, often pulled in bulk from developer

configuration .env files that were accidentally left exposed online.

One campaign, called Bissa Scanner, stole AI login details for

Anthropic, OpenAI, Google, and several other providers from more

than 30,000 of these exposed files, with AI accounts the single most

common type of credential stolen. The same group also used AI

itself to help run the operation (see “AI as a live attack

operator”). The stolen logins feed a resale market, known

as "LLMjacking," where criminals buy access to someone else's AI

account, both to save money and to make the activity look like it

came from the legitimate account holder instead of from them.

Self-hosted open-source models

The second route is to self-host a freely available AI open-source

models (Qwen, Kimi and others) and run it on the

attacker's own infrastructure, rather than routing requests through

a commercial provider. This avoids any safety checks, account bans,

or activity logs the AI company might otherwise apply.

Discussion of this approach has grown steadily in criminal forums.

In practice, the reality has not matched the

discussion. Attackers who've tried it report that these self-run

models perform worse, make more mistakes, and need expensive

computer hardware and fine-tuning to reach a useable standard. As

a result, most operators have returned to the more capable and

accessibly mainstream commercial tools, regardless of the risks

that come with using them.

The rise and fall of malicious "DarkGPT" services

The third route is to buy access to an AI tool built specifically for

crime, with no restrictions at all, like WormGPT and its many

imitators. This market rose and then fell over the past

year: underground users’ reports found these “dark LLM” criminal-

only tools are technically weak and mostly used by low-skill

criminals rather than serious operators. The reputation hit bottom

when WormGPT itself was breached, exposing the payment details

of more than 19,000 of its own paying customers. New, cheap

versions still pop up, such as the Tor-hosted DIG AI, but most

serious activity has shifted back to the first two routes.

Abusing commercial models

The simplest route is also the most popular: use an everyday tool

like ChatGPT, Gemini, or Claude and work around its safety rules.

Attackers break a malicious request into smaller, innocent-looking

steps, first asking the AI to explain a technique in general, then asking for the actual code, and they gravitate toward whichever mainstream tool has the weakest safety rules. Much of

what we know comes from the AI companies themselves: Google’s

Threat Intelligence Group has documented state-sponsored

and criminal abuse of Gemini to conduct reconnaissance,

lure development, and tooling, and Anthropic and OpenAI have reported similar abuse of their own AI.

Access can also simply be stolen. Login credentials for AI tools are

now a deliberate target for theft, often pulled in bulk from developer configuration .env files that were accidentally left exposed online. One campaign, called Bissa Scanner, stole AI

login details for Anthropic, OpenAI, Google, and several other

providers from more than 30,000 of these exposed files, with AI

accounts the single most common type of credential stolen. The

same group also used AI itself to help run the operation (see “AI as a live attack operator”). The stolen

logins feed a resale market, known as "LLMjacking," where criminals

buy access to someone else's AI account, both to save money and

to make the activity look like it came from the legitimate account holder instead of from them.

Self-hosted open-source models

The second route is to self-host a freely available AI open-source

models (Qwen, Kimi and others) and run it on the

attacker's own infrastructure, rather than routing requests through

a commercial provider. This avoids any safety checks, account bans,

or activity logs the AI company might otherwise apply.

Discussion of this approach has grown steadily in criminal forums.

In practice, the reality has not matched the discussion. Attackers who've tried it report that these self-run models perform worse, make more mistakes, and need

expensive computer hardware and fine-tuning to reach a useable

standard. As a result, most operators have returned to the more

capable and accessibly mainstream commercial tools, regardless

of the risks that come with using them.

The rise and fall of malicious "DarkGPT" services

The third route is to buy access to an AI tool built specifically

for crime, with no restrictions at all, like WormGPT and its

many imitators. This market rose and then fell over the

past year: underground users’ reports found these “dark LLM” criminal-only tools are technically weak and mostly used by

low-skill criminals rather than serious operators. The reputation

hit bottom when WormGPT itself was breached, exposing the payment

details of more than 19,000 of its own paying customers. New,

cheap versions still pop up, such as the Tor-hosted DIG AI,

but most serious activity has shifted back to the first two routes.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

07 AI Security Report 2026

https://cloud.google.com/blog/topics/threat-intelligence/adversarial-misuse-generative-ai https://www.anthropic.com/news/detecting-countering-misuse-aug-2025 https://cdn.openai.com/threat-intelligence-reports/5f73af09-a3a3-4a55-992e-069237681620/disrupting-malicious-uses-of-ai-june-2025.pdf https://thedfirreport.com/2026/04/22/bissa-scanner-exposed-ai-assisted-mass-exploitation-and-credential-harvesting/ https://socradar.io/blog/wormgpt-the-blueprint-for-malicious-ai/ https://cybernews.com/security/dig-ai-new-cyber-weapon-abused-by-hackers/ https://cloud.google.com/blog/topics/threat-intelligence/adversarial-misuse-generative-ai https://www.anthropic.com/news/detecting-countering-misuse-aug-2025 https://cdn.openai.com/threat-intelligence-reports/5f73af09-a3a3-4a55-992e-069237681620/disrupting-malicious-uses-of-ai-june-2025.pdf https://thedfirreport.com/2026/04/22/bissa-scanner-exposed-ai-assisted-mass-exploitation-and-credential-harvesting/ https://socradar.io/blog/wormgpt-the-blueprint-for-malicious-ai/ https://cybernews.com/security/dig-ai-new-cyber-weapon-abused-by-hackers/

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

08 AI Security Report 2026

Case study:
 "The Gentlemen" - one group, the whole access question

The Gentlemen is a financially-motivated ransomware-as-a-service operation with over 330 published victims by May 2026. Check

Point Research's analysis of the group's communications demonstrates, in the group's own words, how attackers approach AI:

Which AI tool to use: they prefer less-restricted Chinese commercial AI tools (DeepSeek, Kimi, Emi, Qwen). One member

recommended a setup running on “Qwen 3.5 with all barriers removed… Zero refusals. Absolutely no restrictions.” Their real

question wasn't whether to use a commercial or local tool, it was simply which commercial tool has the weakest safety guardrails.

Self-hosting their own AI stayed theoretical:

The group discussed running a local model on stolen data but admitted they didn’t know how.

AI builds tools, but skill steers it: the group's administrator built it’s “Glocker” management tool for their operation in three days with

AI's help, while cautioning fellow members, “you still need to understand what you are doing.”

What makes this case useful is exactly how unremarkable it is: an ordinary, mid-tier criminal group, using the same mainstream AI

tools anyone can access, getting real results despite having no local alternative available.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

08 AI Security Report 2026

Case study: "The Gentlemen" - one group, the whole access question

The Gentlemen is a financially-motivated ransomware-as-a-service operation with over 330 published victims by May 2026. Check

Point Research's analysis of the group's communications demonstrates, in the group's own words, how attackers approach AI:

Which AI tool to use: they prefer less-restricted Chinese commercial AI tools (DeepSeek, Kimi, Emi, Qwen). One member

recommended a setup running on “Qwen 3.5 with all barriers removed… Zero refusals. Absolutely no restrictions.” Their real

question wasn't whether to use a commercial or local tool, it was simply which commercial tool has the weakest safety guardrails.

Self-hosting their own AI stayed theoretical:

The group discussed running a local model on stolen data but admitted they didn’t know how.

AI builds tools, but skill steers it: the group's administrator built it’s “Glocker” management tool for their operation in three days

with AI's help, while cautioning fellow members, “you still need to understand what you are doing.”

What makes this case useful is exactly how unremarkable it is: an ordinary, mid-tier criminal group, using the same mainstream AI

tools anyone can access, getting real results despite having no local alternative available.

https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/ https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

09 AI Security Report 2026

Jailbreaking: from a clever prompt to a bypass that never expires

Whichever route supplies the model, its safety rules still have to be

removed before it will do what an attacker wants, a process known as

jailbreaking. The classic approach is a cleverly worded prompt that

tricks the AI into ignoring its own rules. One popular technique,

nicknamed “Echo Chamber,” works by steering the model toward

a prohibited output through a series of small, harmless-seeming

questions rather than asking for it outright, and it succeeds more than

90% of the time against several leading AI tools. But these single-

prompt jailbreaks are increasinlgy fragile: AI companies keep patching

them and banning abused accounts almost immediately.

The bigger and more lasting shift is structural: attackers no longer

bother with clever prompts at all. AI coding agents like Claude Code

and Cursor automatically read certain files such as CLAUDE.md at the

start of every session and treat whatever is written there

as authoritative instructions, loading them automatically at the start of

every session without scrutiny. That means an attacker can plant a

jailbreak in one of those files a single time, and every future session of

that AI agent inherits the bypass automatically, with no need for a new

prompt. In the In the Mexico government breach described later in this

chapter, the attacker did exactly that: pasted hacking instructions

into CLAUDE.md once, and every session after that followed that

malicious behavior without a new jailbreak. This is now sold as

ready-made CLAUDE.md jailbreak kits on criminal forums.

AI in malware development

AI's role in malware development moved from experimental to

operational. There are two distinct ways it is used. In the first and

far more common pattern, AI builds the malware during

development, writing and refining the code, but the finished

program contains no AI and behaves like any other malware at

runtime, so the AI involvement is invisible after the fact. In the

second, rarer pattern, the malware communicates with an AI model

while it's running on the victim's machine, using it to generate new

commands or rewrite its own code on the fly.

AI-built malware has matured quickly. In late 2024, Check Point

Research found that a ransomware-as-a-service group

called FunkSec, had likely used AI to help build its encryption tool,

letting a relatively inexperienced developer produce work above

their skill level. By mid-2025, OpenAI took down “ScopeCreep,” a

Russian-speaking actor who used ChatGPT to repeatedly write and

debug Windows malware. By early 2026, AI-built malware had

matured significantly: The clearest example is VoidLink, a

professional-grade attack framework built by a single developer

using a commercial AI development environment. This pattern

now shows up among both criminal groups and nation-state

actors.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

09 AI Security Report 2026

Jailbreaking: from a clever prompt to a bypass that never expires

Whichever route supplies the model, its

safety rules still have to be removed before it will do what an

attacker wants, a process known as jailbreaking. The classic approach

is a cleverly worded prompt that tricks the AI into ignoring its own

rules. One popular technique, nicknamed “Echo Chamber,” works by

steering the model toward a prohibited output through a series of

small, harmless-seeming questions rather than asking for it

outright, and it succeeds more than 90% of the time against several

leading AI tools. But these single-prompt jailbreaks are increasinlgy fragile: AI companies keep patching them and banning abused accounts almost immediately.

The bigger and more lasting shift is structural:

attackers no longer bother with clever prompts at all. AI coding agents like Claude Code and Cursor automatically read

certain files such as CLAUDE.md at the start of every session and

treat whatever is written there as authoritative instructions, loading them automatically at the start of every session without scrutiny. That means an attacker can plant a

jailbreak in one of those files a single time, and every future session of that AI agent inherits the bypass automatically, with

no need for a new prompt. In the In the Mexico government breach

described later in this chapter, the attacker did exactly that:

pasted hacking instructions into CLAUDE.md once, and every

session after that followed that malicious behavior without a

new jailbreak. This is now sold as ready-made CLAUDE.md jailbreak kits on criminal forums.

AI in malware development

AI's role in malware development moved from experimental

to operational. There are two distinct ways it is used. In the first and far more common pattern, AI builds the malware during development, writing and refining the code, but the finished program contains no AI and behaves like any other malware at runtime, so the AI involvement is invisible after the fact. In the second, rarer pattern, the malware communicates with an AI model while it's

running on the victim's machine, using

it to generate new commands or rewrite its own code on the fly.

AI-built malware has matured quickly. In late 2024, Check

Point Research found that a ransomware-as-a-service group called

FunkSec, had likely used AI to help build its encryption tool,

letting a relatively inexperienced developer produce work above their

skill level. By mid-2025, OpenAI took down “ScopeCreep,” a Russian-speaking actor who used ChatGPT to repeatedly write and

debug Windows malware. By early 2026, AI-built malware had

matured significantly: The clearest example is VoidLink, a professional-grade attack framework built by a single developer

using a commercial AI development environment. This pattern now

shows up among both criminal groups and nation-state actors.

https://neuraltrust.ai/blog/echo-chamber-context-poisoning-jailbreak https://gambit.security/blog-posts/a-single-operator-two-ai-platforms-nine-government-agencies-the-full-technical-report https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/ https://cdn.openai.com/threat-intelligence-reports/5f73af09-a3a3-4a55-992e-069237681620/disrupting-malicious-uses-of-ai-june-2025.pdf https://research.checkpoint.com/2026/voidlink-early-ai-generated-malware-framework/ https://neuraltrust.ai/blog/echo-chamber-context-poisoning-jailbreak https://gambit.security/blog-posts/a-single-operator-two-ai-platforms-nine-government-agencies-the-full-technical-report https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/ https://cdn.openai.com/threat-intelligence-reports/5f73af09-a3a3-4a55-992e-069237681620/disrupting-malicious-uses-of-ai-june-2025.pdf https://research.checkpoint.com/2026/voidlink-early-ai-generated-malware-framework/

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

10 AI Security Report 2026

These are just a few examples among many. The Pakistan-

linked group, Transparent Tribe (APT36), mass-produced disposable

malware on an AI "assembly line" targeting Indian

government systems. A Russian-linked group, tracked

as GREYVIBE, built custom malware with ChatGPT and Gemini for

operations against Ukraine, and Check Point

Research documented North Korea's ‘KONNI’ group using AI to

generate PowerShell backdoor for Windows.

The rarer, more advanced pattern, malware that calls an LLM while

actively running on a victim's computer, has also now been seen in

the wild.  The first known example, reported in mid-2025, was

Russian-linked LAMEHUG’ malware reported in July 2025 by

Ukraine's CERT-UA. LAMEHUG queried AI Model ‘Qwen’ through

the Hugging Face API to generate its code on demand. PromptLock,

known as the first "AI-powered ransomware", worked the same way,

though both remain more proof-of-concept than something used at

scale.

AI also builds attacker tools that aren't malware themselves,

capabilities like scripts and utilities that support an attack. That

involvement is usually invisible in the finished product, so analysts

should now assume AI was involved somewhere by default rather

than wait to find proof of it. AI makes a skilled attacker faster, but

it doesn't replace the judgment a human still needs to use the tool

effectively.

88,000 lines of functional

command-and- control

malware, built by a single

developer in under a week.

88,000 lines of functional

command-and-control

malware,

built by a single

developer in under a week.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

10 AI Security Report 2026

These are just a few examples among many. The Pakistan-linked group, Transparent Tribe (APT36), mass-produced

disposable malware on an AI "assembly line" targeting Indian government systems. A Russian-linked group, tracked as GREYVIBE, built custom malware

with ChatGPT and Gemini for operations against Ukraine, and Check Point Research documented North

Korea's ‘KONNI’ group using AI to generate PowerShell backdoor for Windows.

The rarer, more advanced pattern, malware that calls an LLM while

actively running on a victim's computer, has also now been seen

in the wild. The first known example, reported in mid-2025,

was Russian-linked LAMEHUG’ malware reported in July 2025

by Ukraine's CERT-UA. LAMEHUG queried AI Model ‘Qwen’ through

the Hugging Face API to generate its code on demand. PromptLock,

known as the first "AI-powered ransomware", worked the same way,

though both remain more proof-of-concept than something used at scale.

AI also builds attacker tools that aren't malware themselves,

capabilities like scripts and utilities that support an attack. That involvement is usually invisible in the finished product, so

analysts should now assume AI was involved somewhere by default

rather than wait to find proof of it. AI makes a skilled attacker

faster, but it doesn't replace the judgment a human still needs to

use the tool effectively.

https://businessinsights.bitdefender.com/apt36-nightmare-vibeware https://www.withsecure.com/en/resources-hub/w-labs/greyvibe/ https://research.checkpoint.com/2026/konni-targets-developers-with-ai-malware/ https://cert.gov.ua/article/6284730 https://businessinsights.bitdefender.com/apt36-nightmare-vibeware https://www.withsecure.com/en/resources-hub/w-labs/greyvibe/ https://research.checkpoint.com/2026/konni-targets-developers-with-ai-malware/ https://cert.gov.ua/article/6284730

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

11 AI Security Report 2026

Case study:
 VoidLink - AI-built malware crosses the threshold

In January 2026, Check Point Research reported VoidLink, a

sophisticated modular Linux command-and-control

(C2) framework with deep stealth and persistence

capabilities and more than 30 post-exploitation plugins for

use after breaking in. Its quality initially suggested it was built

over several months by a multi-person team. A mistake by the

developer, accidentally exposing their own work process, told

a different story: it was written by one person, using TRAE

SOLO, a commercial AI coding tool, following a disciplined

process of writing detailed specifications and letting the AI

implement, test, and refine the code. The result was roughly

88,000 lines of working code in under a week.

VoidLink makes two points clearly. First, AI-assisted

development can now produce malware that's ready for real-

world use, not just a rough proof of concept. Second, and

more importantly, there was nothing in the finished code

that gave away AI involvement; it only came to light because of

an unrelated operations-security mistake by the developer.

AI as a live attack operator

AI has moved from prepping attacks to running them. In November

2025, Anthropic disclosed GTG-1002, a Chinese-linked espionage

campaign in which its own Claude Code reportedly handled 80–90% of

the tactical work (reconnaissance, exploitation, credential harvesting,

lateral movement, and data triage) across roughly 30 target

organizations. The disclosure included no indicators of compromise,

which limited independent verification.

In the Mexican government breach reported in April 2026, a financially

motivated operator ran the same architecture at scale (see details

below). In the Bissa Scanner operation, AI remained one step back

from exploitation: Claude Code and the open-source OpenClaw

assistant served as the operator's working environment for reading the

scanner codebase, refining the collection pipeline, and prioritizing

high-value access across a mass-exploitation campaign (for the

credential-harvesting side, see “How attackers access AI”).

Another indication that AI now makes real-time operational decisions

is provided by a documented incident in which an autonomous agent

conducted post-exploitation activity and exfiltrated a database in less

than an hour. Separately, AI has been used at multiple stages of large-

scale intrusions, with attackers using DeepSeek and Claude together

to compromise FortiGate devices worldwide.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

11 AI Security Report 2026

Case study: VoidLink - AI-built malware crosses the threshold

In January 2026, Check Point Research reported VoidLink, a

sophisticated modular Linux command-and-control (C2)

framework with deep stealth and persistence capabilities and more than 30 post-exploitation plugins for

use after breaking in. Its quality initially suggested it was

built over several months by a multi-person team. A mistake by

the developer, accidentally exposing their own work process,

told a different story: it was written by one person, using TRAE SOLO, a commercial AI coding tool, following a

disciplined process of writing detailed specifications and

letting the AI implement, test, and refine the code. The

result was roughly 88,000 lines of working code in under a week.

VoidLink makes two points clearly. First, AI-assisted development can now produce malware that's ready

for real-world use, not just a rough proof of concept.

Second, and more importantly, there was nothing in the

finished code that gave away AI involvement; it only came to

light because of an unrelated operations-security mistake by the developer.

AI as a live attack operator

AI has moved from prepping attacks to running them. In November

2025, Anthropic disclosed GTG-1002, a Chinese-linked espionage

campaign in which its own Claude Code reportedly handled 80–90% of

the tactical work (reconnaissance, exploitation, credential harvesting, lateral movement, and data triage) across

roughly 30 target organizations. The disclosure included no indicators of compromise, which limited independent verification.

In the Mexican government breach reported in April 2026, a financially

motivated operator ran the same architecture at scale (see details

below). In the Bissa Scanner operation, AI remained one step back

from exploitation: Claude Code and the open-source OpenClaw

assistant served as the operator's working environment for reading the

scanner codebase, refining the collection pipeline, and prioritizing high-value access across a mass-exploitation

campaign (for the credential-harvesting side, see “How attackers access AI”).

Another indication that AI now makes real-time operational decisions

is provided by a documented incident in which an autonomous agent

conducted post-exploitation activity and exfiltrated a database in

less than an hour. Separately, AI has been used at multiple stages of

large-scale intrusions, with attackers using DeepSeek and Claude

together to compromise FortiGate devices worldwide.

https://research.checkpoint.com/2026/voidlink-early-ai-generated-malware-framework/ https://www.anthropic.com/news/disrupting-AI-espionage https://thedfirreport.com/2026/04/22/bissa-scanner-exposed-ai-assisted-mass-exploitation-and-credential-harvesting/ https://www.sysdig.com/blog/ai-agent-at-the-wheel-how-an-attacker-used-llms-to-move-from-a-cve-to-an-internal-database-in-4-pivots#timeline https://cyberandramen.net/2026/02/21/llms-in-the-kill-chain-inside-a-custom-mcp-targeting-fortigate-devices-across-continents/ https://research.checkpoint.com/2026/voidlink-early-ai-generated-malware-framework/ https://www.anthropic.com/news/disrupting-AI-espionage https://thedfirreport.com/2026/04/22/bissa-scanner-exposed-ai-assisted-mass-exploitation-and-credential-harvesting/ https://www.sysdig.com/blog/ai-agent-at-the-wheel-how-an-attacker-used-llms-to-move-from-a-cve-to-an-internal-database-in-4-pivots#timeline https://cyberandramen.net/2026/02/21/llms-in-the-kill-chain-inside-a-custom-mcp-targeting-fortigate-devices-across-continents/

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

12 AI Security Report 2026

This pattern of AI agent as an operator is also being packaged into

open-source frameworks anyone can download and reuse. One such

tool, RAPTOR, released in late 2025 by a team of legitimate security

researchers, turns Claude Code into an autonomous offensive and

defensive agent.  RAPTOR is a legitimate research tool and generates

patches as readily as exploits, but it packages the same agent-as-o

perator workflow into public, permissively licensed code, of which

criminal communities have taken note. From the defender's side, it

shows the same configuration-as-control pattern seen in jailbreaking.

The agent's behavior is defined almost entirely by markdown

configuration, not compiled code.

Case study:
 The Mexican government breach

Between late December 2025 and mid-February 2026, a single operator compromised nine Mexican government agencies,

exposing roughly 400 million records covering tax, civil-registry, vehicle, patient, and electoral data. Researchers were able to

reconstruct exactly how it happened from the attacker's own servers: 1,088 typed instructions produced 5,317 AI-executed commands

across 34 separate sessions.

The attacker used two AI tools together: Claude Code to actively break in and explore the networks, and GPT-4.1 to

automatically analyze the stolen data, which then fed instructions back into more Claude sessions. When Claude initially refused to

help with the attack, the attacker pasted a penetration-testing cheat-sheet into CLAUDE.md, so every later session inherited the

bypass without a repeated jailbreak. As with the other cases in this chapter, this AI involvement only came to light because of the

attacker's own mistake, not because any victim caught it.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

12 AI Security Report 2026

This pattern of AI agent as an operator is also being packaged

into open-source frameworks anyone can download and reuse. One such

tool, RAPTOR, released in late 2025 by a team of legitimate security researchers, turns Claude Code into an autonomous

offensive and defensive agent. RAPTOR is a legitimate research tool

and generates patches as readily as exploits, but it packages the same agent-as-o

perator workflow into public, permissively licensed code, of which

criminal communities have taken note. From the defender's side, it

shows the same configuration-as-control pattern seen in jailbreaking.

The agent's behavior is defined almost entirely by markdown

configuration, not compiled code.

Case study: The Mexican government breach

Between late December 2025 and mid-February 2026, a single operator compromised nine Mexican government agencies,

exposing roughly 400 million records covering tax, civil-registry, vehicle, patient, and electoral data. Researchers were

able to reconstruct exactly how it happened from the attacker's own servers: 1,088 typed instructions produced 5,317 AI-executed

commands across 34 separate sessions.

The attacker used two AI tools together: Claude Code to actively break in and explore the networks, and GPT-4.1 to

automatically analyze the stolen data, which then fed instructions back into more Claude sessions. When Claude initially refused to

help with the attack, the attacker pasted a penetration-testing cheat-sheet into CLAUDE.md, so every later session inherited the

bypass without a repeated jailbreak. As with the other cases in this chapter, this AI involvement only came to light because of

the attacker's own mistake, not because any victim caught it.

https://research.checkpoint.com/2026/ai-threat-landscape-digest-january-february-2026/ https://gambit.security/blog-posts/a-single-operator-two-ai-platforms-nine-government-agencies-the-full-technical-report https://research.checkpoint.com/2026/ai-threat-landscape-digest-january-february-2026/ https://gambit.security/blog-posts/a-single-operator-two-ai-platforms-nine-government-agencies-the-full-technical-report

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

13 AI Security Report 2026

The AI-enabled criminal tooling market

The capabilities described above are increasingly packaged and sold as

a ready made product, so a buyer no longer needs any AI skill at all.

The clearest example is EvilTokens, a commercial Phishing-as-a-

Service platform that integrates an LLM pipeline directly into the attack

workflow. Fake login phishing pages steal a victim’s access

credentials, then Groq-hosted Llama models automatically scan the

stolen email account for financial details and writes a convincing

scam email mimicking the victim’s own writing style, while GPT-4o-

mini handles translation. The jailbreak is built into the platform:

it’s written once by whoever runs it, and every paying customer inherits

it automatically. A companion module plants fake calendar invitations

to make a fraudulent request look like it was expected in advance.

This is now a whole category of criminal product, not just one tool.

Bluekit is another phishing kit with an embedded AI assistant that

auto-builds fake login pages for more than 40 platforms with MFA-

bypass support. On the phone-call side, a platform called ATHR sells

fully automated AI voice agents for credential and one-time-password

theft at scale, no human caller needed. The common pattern is the

"jailbreak-as-a-product": the AI tool, the safety bypass, and the delivery

method are all bundled together and sold as one product, letting

someone with very little skill run a sophisticated, multi-step scam.

AI in vulnerability research and the compressed patch window

AI is now good enough at reasoning about code that it speeds up

both sides of the race: finding security flaws

before they're exploited, and finding ways to exploit them

before they're fixed. The window between a flaw being found and a

fix being deployed is shrinking from both directions at once.

On the defensive side, the gains are real. As part of an internal

research effort, Project Glasswing, Anthropic's unreleased Claude

Mythos model autonomously found more than 10,000 high and

critical-severity zero-day vulnerabilities across major operating

systems and browsers in its first month of operation.  However, the

same capability is available to attackers: Google's Threat

Intelligence Group reported the first AI-assisted zero-day built for

mass exploitation. Other research has shown current frontier

models producing working zero-day exploits at scale.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

13 AI Security Report 2026

The AI-enabled criminal tooling market

The capabilities described above are increasingly packaged and sold as a

ready made product, so a buyer no longer needs any AI skill at all.

The clearest example is EvilTokens, a commercial Phishing-as-a-Service platform that integrates an LLM pipeline directly

into the attack workflow. Fake login phishing pages steal a

victim’s access credentials, then Groq-hosted Llama models automatically scan the stolen email account for financial details

and writes a convincing scam email mimicking the victim’s own writing

style, while GPT-4o-mini handles translation. The jailbreak is

built into the platform: it’s written once by whoever runs it, and every

paying customer inherits it automatically. A companion module plants

fake calendar invitations to make a fraudulent request look like it was expected in advance.

This is now a whole category of criminal product, not just one

tool. Bluekit is another phishing kit with an embedded AI assistant

that auto-builds fake login pages for more than 40 platforms with

MFA-bypass support. On the phone-call side, a platform called ATHR

sells fully automated AI voice agents for credential and one-time-password theft at scale, no human caller needed. The common

pattern is the "jailbreak-as-a-product": the AI tool, the safety bypass,

and the delivery method are all bundled together and sold as one

product, letting someone with very little skill run a sophisticated, multi-step scam.

AI in vulnerability research and the compressed patch window

AI is now good enough at reasoning about code

that it speeds up both sides of the race: finding security flaws

before they're exploited, and finding ways to

exploit them before they're fixed. The window between a flaw

being found and a fix being deployed is shrinking from both directions at once.

On the defensive side, the gains are real. As part of

an internal research effort, Project Glasswing, Anthropic's unreleased Claude Mythos model autonomously found more than 10,000 high and critical-severity zero-day vulnerabilities across major operating systems and browsers in its first month of operation. However, the same capability is available to attackers: Google's Threat Intelligence Group reported the first AI-assisted zero-day built for mass exploitation. Other research has shown current frontier models producing working zero-day exploits at scale.

https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/ https://hackread.com/calphishing-eviltokens-kit-outlook-invites-m365/ https://hackread.com/bluekit-phishing-kit-targets-platforms-mfa-bypass-attack/ https://abnormal.ai/blog/athr-ai-voice-phishing-toad-attacks https://www.anthropic.com/glasswing https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access https://cybersecuritynews.com/new-study-shows-gpt-5-2-can-reliably/ https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/ https://hackread.com/calphishing-eviltokens-kit-outlook-invites-m365/ https://hackread.com/bluekit-phishing-kit-targets-platforms-mfa-bypass-attack/ https://abnormal.ai/blog/athr-ai-voice-phishing-toad-attacks https://www.anthropic.com/glasswing https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access https://cybersecuritynews.com/new-study-shows-gpt-5-2-can-reliably/

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

14 AI Security Report 2026

The practical effect is speed. As attackers can now turn a new

vulnerability disclosure into a working exploit within hours of it made

public, the gap between disclosure and exploitation is shrinking fast. In

response, US Government CISA issued a binding directive requiring

federal civilian agencies to remediate certain highest-risk vulnerabilities

within three days of disclosure. India’s cyber security authority, CERT-

In, went further, advising organizations to contain and patch their most

critical and internet-facing systems immediately within 12

hours of discovery. A timeline that would have sounded unreasonable a

year ago.

Discovery of vulnerabilities is becoming cheap and near-automatic.

The real bottleneck is now how fast humans can review and deploy

fixes. Code quality compounds the problem: a substantial share of AI-

generated code ships with security flaws (see Chapter 5).

Case study:
 Claude Mythos / Project Glasswing (AI versus the patch window)

Anthropic's Project Glasswing uses an unreleased frontier

model, Claude Mythos Preview, to find and fix

vulnerabilities in critical software. In its first month, it

autonomously identified more than 10,000 high- and

critical-severity zero-days across every major operating

system and browser, and successfully produced a working

exploit on the first attempt in roughly 83% of cases.

Anthropic deliberately kept this model out of public release,

worried it could be misused, but gave a small number of

trusted organizations access and committed $100 million in

usage credits. When finding these flaws becomes this

cheap and this fast, whoever moves quicker wins:

defenders who can patch at machine speed, or attackers

who get their hands on equally capable AI.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

14 AI Security Report 2026

The practical effect is speed. As attackers can now turn a new

vulnerability disclosure into a working exploit within hours of it made

public, the gap between disclosure and exploitation is shrinking fast. In

response, US Government CISA issued a binding directive requiring

federal civilian agencies to remediate certain highest-risk vulnerabilities within three days of disclosure. India’s cyber security

authority, CERT-In, went further, advising organizations to contain and

patch their most critical and internet-facing systems

immediately within 12 hours of discovery. A timeline that would have

sounded unreasonable a year ago.

Discovery of vulnerabilities is becoming cheap and near-automatic.

The real bottleneck is now how fast humans can review and deploy

fixes. Code quality compounds the problem: a substantial share of

AI-generated code ships with security flaws (see Chapter 5).

Case study: Claude Mythos / Project Glasswing (AI versus the patch window)

Anthropic's Project Glasswing uses an unreleased frontier

model, Claude Mythos Preview, to find and fix vulnerabilities in critical software. In its first

month, it autonomously identified more than 10,000

high- and critical-severity zero-days across every major

operating system and browser, and successfully produced a

working exploit on the first attempt in roughly 83% of cases.

Anthropic deliberately kept this model out of public release, worried it could be misused, but gave a small

number of trusted organizations access and committed $100

million in usage credits. When finding these flaws becomes this cheap and this fast, whoever moves

quicker wins: defenders who can patch at machine speed,

or attackers who get their hands on equally capable AI.

https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk https://cybersecuritynews.com/cert-in-asks-patch-vulnerabilities-12-hours/ https://www.anthropic.com/glasswing https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk https://cybersecuritynews.com/cert-in-asks-patch-vulnerabilities-12-hours/ https://www.anthropic.com/glasswing

Attacks against AI:
 AI as an attack surface

Attacks against AI: AI as an attack surface

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

16 AI Security Report 2026

Attacks against AI: 
 AI as an attack surface

The previous chapter examined AI in the hands of attackers. This chapter turns to AI systems as the target. Over the past year, organizations embedded

AI into email, documents, code, browsers, and core business workflows, giving it access to sensitive data and the ability to act on their behalf. As that

footprint grew, the AI software itself has become an attack surface, one expanding faster than it is being secured.

There are two basic causes for attacks on the AI stack.

01 Unique to AI 
 A language model reads both its instructions and the

data it's working with as one continuous block of text, with

no hard line between the two. That means content that was

only meant to be data, like the text of a document or a web

page, can end up being read and obeyed as if it were a

command. This single weakness is behind most of the

attacks in this chapter: tricking an AI with hidden

instructions (prompt injection), abusing trusted

configuration files (configuration abuse), and slowly

corrupting what an AI remembers (runtime poisoning).

02 Ordinary software risk
 AI tools are still just software, and they inherit all the usual

weaknesses any software has. Those old weaknesses are

now showing up faster than ever, because AI is being

adopted so quickly, and they're made worse by AI agents

that act on their own, hold more access than they need, and

install and trust new components with almost no human

checking them first. This second reason is what's behind

the attacks on AI infrastructure and the software supply

chain described later in this chapter.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

16 AI Security Report 2026

Attacks against AI: AI as an attack surface

The previous chapter examined AI in the hands of attackers. This chapter turns to AI systems as the target. Over the past year, organizations embedded AI

into email, documents, code, browsers, and core business workflows, giving it access to sensitive data and the ability to act on their behalf. As that

footprint grew, the AI software itself has become an attack surface, one expanding faster than it is being secured. There are two basic causes for attacks on the AI stack.

01 Unique to AI A language model reads both its instructions and the

data it's working with as one continuous block of text, with no hard line between the two. That means content that

was only meant to be data, like the text of a document or a

web page, can end up being read and obeyed as if it

were a command. This single weakness is behind most of

the attacks in this chapter: tricking an AI with hidden instructions (prompt injection), abusing

trusted configuration files (configuration abuse),

and slowly corrupting what an AI remembers (runtime poisoning).

02 Ordinary software risk AI tools are still just software, and they inherit all the usual weaknesses any software has. Those old weaknesses

are now showing up faster than ever, because AI is

being adopted so quickly, and they're made worse by AI

agents that act on their own, hold more access than they

need, and install and trust new components with almost no

human checking them first. This second reason is what's

behind the attacks on AI infrastructure and the software

supply chain described later in this chapter.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

17

Prompt injection: manipulating model behavior

There are two flavors of this. In direct injection, the attacker simply

types instructions designed to override the model's own rules, this is

how most jailbreaking works. In indirect prompt injection, the

malicious instruction is hidden inside external content the AI reads -

an email, a web page, a calendar invite, a document. Indirect injection

is generally seen as more dangerous because they target agents

operating on untrusted external content and may require fewer direct

interactions to succeed.  The amount of damage it can do depends

entirely on how much access and privileges that AI agents have been

given. Check Point AI Security characterizes this as a problem with

how systems are set up, not a flaw in any one AI model.

Check Point AI Security Research has catalogued the recurring

techniques:

Role Playing:

Getting the AI to adopt a fictional character with

no restrictions, using roleplay to bypass its safety

rules entirely

Obfuscation and token smuggling:

Disguising malicious instructions in ways that

automated safety filters do not recognize or catch

Multi-turn manipulation:

Building the attack gradually across several

messages rather than making the request

directly, so no single prompt triggers a refusal

Context hijacking:

Rewriting what the AI remembers about the

conversation to gradually steer its behavior in a

different direction

Multi-language attacks:

Switching to languages where the AI's safety

training is less thorough, exploiting the uneven

coverage across different languages

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

17

Prompt injection: manipulating model behavior There are two

flavors of this. In direct injection, the attacker simply types instructions designed to override the model's own rules,

this is how most jailbreaking works. In indirect prompt injection, the malicious instruction is hidden inside external

content the AI reads - an email, a web page, a calendar invite,

a document. Indirect injection is generally seen as more dangerous because they target agents operating on untrusted

external content and may require fewer direct interactions to

succeed. The amount of damage it can do depends entirely on how

much access and privileges that AI agents have been given.

Check Point AI Security characterizes this as a

problem with how systems are set up, not a flaw in any one AI model.

Check Point AI Security Research has catalogued the recurring techniques:

Role Playing:

Getting the AI to adopt a fictional character with

no restrictions, using roleplay to bypass its safety

rules entirely

Obfuscation and token smuggling:

Disguising malicious instructions in ways that

automated safety filters do not recognize or catch

Multi-turn manipulation:

Building the attack gradually across several

messages rather than making the request

directly, so no single prompt triggers a refusal

Context hijacking:

Rewriting what the AI remembers about the

conversation to gradually steer its behavior in a different direction

Multi-language attacks:

Switching to languages where the AI's safety

training is less thorough, exploiting the uneven coverage across different languages

https://www.lakera.ai/blog/the-year-of-the-agent-what-recent-attacks-revealed-in-q4-2025-and-what-it-means-for-2026 https://www.lakera.ai/blog/indirect-prompt-injection https://www.lakera.ai/blog/guide-to-prompt-injection https://www.lakera.ai/blog/the-year-of-the-agent-what-recent-attacks-revealed-in-q4-2025-and-what-it-means-for-2026 https://www.lakera.ai/blog/indirect-prompt-injection https://www.lakera.ai/blog/guide-to-prompt-injection

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

18 AI Security Report 2026

Check Point AI Security Research also found that, across the attacks it

reviewed in late 2025, the attackers’ most common goal was extracting

the system prompt to reveal the AI’s role definitions, tool descriptions

and policy boundaries.

These attacks have moved from proof-of-concept to routine use over

the past year. One study scanned 1.2 billion URLs and found roughly

15,300 indirect-injection payloads planted in public web pages, with

about 70% of them buried in non-rendered HTML, parts of the page a

human visitor never actually sees, like headers, comments, and

metadata. The motives vary. Some are simple sabotage, getting an AI

to malfunction or produce garbage. Others are about reputation,

nudging a tool to describe a product or company more favorably.

And it isn't always hackers behind it; ordinary marketers, publishers,

and website owners are quietly leaving instructions for the AI tools that

now browse the web on people's behalf. Other research confirmed 10

verified in-the-wild cases aimed at fraud, data destruction, and API-key

theft. Check Point AI Security telemetry tells the same story: while

detection rates for short malicious payloads remained broadly stable,

detections for larger payloads rose sharply, increasing roughly fivefold

between March and May and approaching 1% of everything

observed in May. Because large payloads are more typical of content-

borne and agentic attack paths, this pattern is consistent with indirect

prompt injection becoming an operational threat rather than just a

theoretical one.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

18 AI Security Report 2026

Check Point AI Security Research also found that, across the attacks it

reviewed in late 2025, the attackers’ most common goal was extracting

the system prompt to reveal the AI’s role definitions, tool descriptions and policy boundaries.

These attacks have moved from proof-of-concept to routine use over

the past year. One study scanned 1.2 billion URLs and found roughly

15,300 indirect-injection payloads planted in public web pages,

with about 70% of them buried in non-rendered HTML, parts of the

page a human visitor never actually sees, like headers, comments, and metadata. The motives vary. Some are simple sabotage,

getting an AI to malfunction or produce garbage. Others are

about reputation, nudging a tool to describe a product or company more favorably.

And it isn't always hackers behind it; ordinary marketers, publishers, and website owners are quietly leaving instructions for the

AI tools that now browse the web on people's behalf. Other research

confirmed 10 verified in-the-wild cases aimed at fraud, data destruction, and API-key theft. Check Point AI Security telemetry

tells the same story: while detection rates for short malicious payloads remained broadly stable, detections for larger payloads rose

sharply, increasing roughly fivefold between March and May

and approaching 1% of everything observed in May. Because large

payloads are more typical of content-borne and agentic attack paths,

this pattern is consistent with indirect prompt injection becoming an operational threat rather than just a theoretical one.

https://www.lakera.ai/blog/the-year-of-the-agent-what-recent-attacks-revealed-in-q4-2025-and-what-it-means-for-2026 https://arxiv.org/abs/2604.27202 https://www.forcepoint.com/blog/x-labs/indirect-prompt-injection-payloads https://www.lakera.ai/blog/the-year-of-the-agent-what-recent-attacks-revealed-in-q4-2025-and-what-it-means-for-2026 https://arxiv.org/abs/2604.27202 https://www.forcepoint.com/blog/x-labs/indirect-prompt-injection-payloads

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

19 AI Security Report 2026

Median Prompt detection rate by month
 Short vs long payload

Short payload Long payload

1.0%

0.8%

M ed

ia n

de te

ct io

n ra

te (%

) 0.6%

0.4%

0.2%

0%

Jan Feb Mar APR MAY

Figure 2.1 — Malicious prompt detection rate by payload size.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

19 AI Security Report 2026

Median Prompt detection rate by month

Short vs long payload

1.0%

0.8%

0.6%

0.4%

0.2%

0%

Jan Feb Mar APR MAY

Median

detection

rate

(%)

Short payload Long payload

Figure 2.1 — Malicious prompt detection rate by payload size.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

20 AI Security Report 2026

As agentic workflows became more common, prompts they

process grew to include large blocks of external content: web

pages, documents, and output of other tools. Indirect injection

conceals itself in exactly that type of content, so as

more organizations adopted these AI agents, they directly

expanded the attack surface.

AI-powered web browsers, a new category of product that act inside

the user's already-logged-in sessions, are at the greatest risk. A

poisoned web page or invite can be acted on using that person’s

own login credentials. In a controlled test, researchers used a

single malicious calendar invite to trick Perplexity's Comet

browser into surrendering a user’s saved passwords. In a separate

test, the same kind of browser was tricked completing an

entire phishing flow in less than four minutes, with no human

involved. Both of these events were controlled tests, but

the underlying capability is already in consumers’ hands.

Detections of long, malicious

prompt-injection payloads

rose roughly fivefold between  March and May

2026.

As agentic workflows became more common, prompts they process grew

to include large blocks of external content: web pages, documents,

and output of other tools. Indirect injection conceals itself in

exactly that type of content, so as more organizations

adopted these AI agents, they directly expanded the attack surface.

AI-powered web browsers, a

new category of product that act inside the user's already-logged-in sessions, are at the greatest risk. A poisoned web page or invite can be acted on using that person’s own login credentials. In a controlled test, researchers used a single malicious calendar invite to trick Perplexity's Comet browser into surrendering a user’s saved

passwords. In a separate test, the same kind of browser

was tricked completing an entire phishing flow in less than four minutes, with no human involved. Both of these

events were controlled tests, but the underlying capability is already in consumers’ hands.

Detections of

long, malicious prompt-injection

payloads rose roughly

fivefold between

March and May 2026.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

20 AI Security Report 2026

https://hackread.com/pleasefix-flaw-hackers-1password-vault-comet-ai-browser/ https://hackread.com/pleasefix-flaw-hackers-1password-vault-comet-ai-browser/

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

21 AI Security Report 2026

The agentic supply chain:
 MCP and configuration abuse

AI agents extend their reach through two things they're built to trust

automatically: Model Context Protocol (MCP) servers which

connect an agent to external tools and services, and project

configuration files that the agent reads the moment it opens a

project. Previously, we showed how attackers use trusted files to

remove their own agent from AI’s safety restrictions.  That same

automatic trust can be turned into a weapon against someone else:

a poisoned configuration file slipped into a project that the victim

opens can compromise the victim's own AI agent without them

realizing it.

Case study:
 Claude Code project files as an execution layer (Check Point Research)

Check Point Research found that configuration files trusted by a coding agent can be turned into a way of delivering malware. In one

vulnerability (CVE-2025-59536), a hidden setting buried in a project's files (.claude/settings.json) would run an attacker's command

the instant the AI opened the project, before the developer even saw the file, and a related path (.mcp.json) could silently start a

malicious MCP server with no warning shown to the user at all. In a second vulnerability (CVE-2026-21852), attackers could quietly

reroute a developer's session through a server they controlled, capturing login tokens and access keys and compromising an entire

team's shared workspace before anyone saw a single security warning.

In both cases, the way in was the software supply chain: a poisoned settings file embedded in a pull request, a booby-trapped honeypot

repository, or a compromised codebase. Both flaws were patched, but the underlying design pattern they exploited, an agent that

automatically trusts and loads project files on a developer's machine, is shared by several other popular coding AIs, such as Cursor,

Windsurf, and GitHub Copilot, resulting in a broader problem outliving the individual fix. Months later, an in-the-wild piece of self-

spreading malware ‘worm’ confirmed the risk was not just theoretical, planting itself permanently inside Claude Code and other AI

coding tools as it spread between machines (see “AI software supply chain”).

The agentic supply chain: MCP and configuration abuse

AI agents extend their reach through two things they're built to trust automatically: Model Context Protocol (MCP) servers

which connect an agent to external tools and services, and project

configuration files that the agent reads the moment it opens a

project. Previously, we showed how attackers use trusted files to

remove their own agent from AI’s safety restrictions. That same

automatic trust can be turned into a weapon against someone else: a

poisoned configuration file slipped into a project that the victim

opens can compromise the victim's own AI agent without them

realizing it.

Case study: Claude Code project files as an execution layer (Check Point Research)

Check Point Research found that configuration files trusted by a coding agent can be turned into a way of delivering malware. In one

vulnerability (CVE-2025-59536), a hidden setting buried in a project's files (.claude/settings.json) would run an attacker's command

the instant the AI opened the project, before the developer even saw the file, and a related path (.mcp.json) could silently

start a malicious MCP server with no warning shown to the user at all. In a second vulnerability (CVE-2026-21852), attackers could

quietly reroute a developer's session through a server they controlled, capturing login tokens and access keys and compromising an

entire team's shared workspace before anyone saw a single security warning.

In both cases, the way in was the software supply chain: a poisoned settings file embedded in a pull request, a booby-trapped honeypot

repository, or a compromised codebase. Both flaws were patched, but the underlying design pattern they exploited, an agent that

automatically trusts and loads project files on a developer's machine, is shared by several other popular coding AIs, such as Cursor,

Windsurf, and GitHub Copilot, resulting in a broader problem outliving the individual fix. Months later, an in-the-wild piece of

self-spreading malware ‘worm’ confirmed the risk was not just theoretical, planting itself permanently inside Claude Code and other

AI coding tools as it spread between machines (see “AI software supply chain”).

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

21 AI Security Report 2026

https://blog.checkpoint.com/research/check-point-researchers-expose-critical-claude-code-flaws/ https://blog.checkpoint.com/research/check-point-researchers-expose-critical-claude-code-flaws/

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

22 AI Security Report 2026

This isn’t a problem limited to one single vendor: Google patched a

maximum-severity remote-code-execution flaw in the Gemini CLI

around the same time, and similar issues turned up in Cursor.

The MCP ecosystem is now drawing threat actors’ attention. One

self-spreading piece of malware, GlassWorm, hides itself inside

developer extensions using invisible Unicode characters that are

easy to miss on review, and it spread by copying itself into MCP

packages across more than 150 repositories, even using an AI tool

to write its commit messages to blend in. Such worms increasingly

target the AI toolchain itself, injecting MCP servers and stealing API

keys as they spread. See the most consequential example in the

“Supply-chain” section below.

The same trusted files can also accidentally leak secrets. Check

Point AI Security Research found that Claude Code saves the

commands approved by developers to a local settings file (.claude/

settings.local.json) that Node Package Manager (NPM) do not

exclude from publication by default when a developer shares their

code publicly. Sometimes these saved commands include a

developer’s own login credentials. Scanning roughly 46,500

published code packages, they found the local settings file had been

accidentally published in 428 of them, and live credentials (NPM

tokens, GitHub and Hugging Face keys) were included in about one

in 13 of those. In addition, Check Point AI Security Research

identified security weaknesses in 40% of 10,000 MCP servers

reviewed, underlining how exposed this whole area still is.

428 / 46,500 Published packages found to have accidentally leaked a

local Claude Code settings file — about 1 in 13 of those

carried live credentials.

40% Of 10,000 MCP servers reviewed by Check Point AI Security

Research carried security weaknesses.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

22 AI Security Report 2026

This isn’t a problem limited to one single vendor: Google patched

a maximum-severity remote-code-execution flaw in the Gemini CLI

around the same time, and similar issues turned up in Cursor.

The MCP ecosystem is now drawing threat actors’ attention. One

self-spreading piece of malware, GlassWorm, hides itself inside

developer extensions using invisible Unicode characters that are

easy to miss on review, and it spread by copying itself into MCP packages across more than 150 repositories, even using an AI

tool to write its commit messages to blend in. Such worms increasingly target the AI toolchain itself, injecting MCP servers

and stealing API keys as they spread. See the most consequential

example in the “Supply-chain” section below.

The same trusted files can also accidentally leak secrets. Check Point AI Security Research found that Claude Code

saves the commands approved by developers to a local settings file

(.claude/settings.local.json) that Node Package Manager (NPM)

do not exclude from publication by default when a developer shares their code publicly. Sometimes these saved commands

include a developer’s own login credentials. Scanning roughly 46,500

published code packages, they found the local settings file had been

accidentally published in 428 of them, and live credentials (NPM

tokens, GitHub and Hugging Face keys) were included in about one in

13 of those. In addition, Check Point AI Security Research

identified security weaknesses in 40% of 10,000 MCP servers

reviewed, underlining how exposed this whole area still is.

428 / 46,500 Published packages found to have accidentally leaked a

local Claude Code settings file — about 1 in 13 of those carried live credentials.

40% Of 10,000 MCP servers reviewed by Check Point AI Security

Research carried security weaknesses.

https://thehackernews.com/2026/04/google-fixes-cvss-10-gemini-cli-ci-rce.html https://www.koi.ai/blog/glassworm-hits-mcp-5th-wave-with-new-delivery-techniques https://www.lakera.ai/blog/your-ai-coding-assistant-just-shipped-your-api-keys https://www.checkpoint.com/press-releases/check-point-softwares-2026-cyber-security-report-shows-global-attacks-reach-record-levels-as-ai-accelerates-the-threat-landscape/ https://thehackernews.com/2026/04/google-fixes-cvss-10-gemini-cli-ci-rce.html https://www.koi.ai/blog/glassworm-hits-mcp-5th-wave-with-new-delivery-techniques https://www.lakera.ai/blog/your-ai-coding-assistant-just-shipped-your-api-keys https://www.checkpoint.com/press-releases/check-point-softwares-2026-cyber-security-report-shows-global-attacks-reach-record-levels-as-ai-accelerates-the-threat-landscape/

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

23 AI Security Report 2026

Attacks on AI infrastructure

This section covers ordinary, familiar attack techniques being aimed

at AI systems specifically, things like leaving a service exposed to the

internet, weak authentication, and vulnerable software with known

bugs. None of these techniques are new, but their impact here is AI-

specific, because what they expose is an organization's prompts,

credentials, AI models, and internal workflows.

Much of the AI stack is ordinary infrastructure: model servers,

inference frameworks, orchestration clusters, and agent control

panels. The rush to self-hosted models, which we described

previously, caused major parts of this infrastructure to be assembled

quickly and with relatively weak security. As a result, these

conventional attacks are among the most actively exploited.

Exposed model servers are the clearest case. A critical flaw

in Ollama, nicknamed "Bleeding Llama," left roughly 300,000

internet-facing servers leaking prompts, keys, and environment

variables to a handful of API calls. GreyNoise recorded around 91,000

attack sessions probing LLM deployments in a single quarter.

Exposed infrastructure is also being repurposed as attack

infrastructure: the ShadowRay 2.0 campaign hijacked unsecured Ray

clusters to mine cryptocurrency. Lower in the stack, insecure

deserialization remains pervasive, with researchers finding remote-

code-execution bugs across inference frameworks from Meta, Nvidia,

and Microsoft. The agent layer now exposes its own control

panels, with thousands of OpenClaw and Moltbot panels reachable

on the open internet and vulnerable to takeover. These attacks all

exploit the ordinary infrastructure around AI; they don’t need a

model to misbehave.

Poisoning the knowledge layer

Poisoning corrupts what a model knows or retrieves, rather than how

it is prompted. Unlike prompt injection, which affects the current

context, poisoning may persist across sessions. Poisoning takes two

distinct forms that are often blurred together but differ in who can

carry it out and how far it has progressed from theory to practice.

The first form poisons knowledge at scale, by seeding the public web

with content the model will later absorb through training or retrieval.

In practice the overwhelming majority of these type of attacks are

carried out by nation-states. The Pravda network, also tracked as

Portal Kombat, published an estimated 3.6 million articles across

roughly 150 sites in 2024 to launder pro-Russia narratives into AI

systems; an audit of 10 leading chatbots found they repeated those

narratives about a third of the time, a tactic researchers called "LLM

grooming."

Attacks on AI infrastructure

This section covers ordinary, familiar attack techniques being aimed

at AI systems specifically, things like leaving a service exposed to

the internet, weak authentication, and vulnerable software with

known bugs. None of these techniques are new, but their impact here

is AI-specific, because what they expose is an organization's prompts, credentials, AI models, and internal workflows.

Much of the AI stack is ordinary infrastructure: model servers,

inference frameworks, orchestration clusters, and agent control

panels. The rush to self-hosted models, which we described

previously, caused major parts of this infrastructure to be assembled

quickly and with relatively weak security. As a result, these conventional attacks are among the most actively exploited.

Exposed model servers are the clearest case. A critical flaw

in Ollama, nicknamed "Bleeding Llama," left roughly 300,000

internet-facing servers leaking prompts, keys, and environment

variables to a handful of API calls. GreyNoise recorded around 91,000

attack sessions probing LLM deployments in a single quarter.

Exposed infrastructure is also being repurposed as attack

infrastructure: the ShadowRay 2.0 campaign hijacked unsecured Ray

clusters to mine cryptocurrency. Lower in the stack, insecure deserialization remains pervasive, with researchers finding remote-code-execution bugs across inference frameworks from

Meta, Nvidia, and Microsoft. The agent layer now exposes its own control

panels, with thousands of OpenClaw and Moltbot panels reachable on

the open internet and vulnerable to takeover. These attacks all

exploit the ordinary infrastructure around AI; they don’t need a model to misbehave.

Poisoning the knowledge layer

Poisoning corrupts what a model knows or retrieves, rather than how it is prompted. Unlike prompt injection, which affects the current context, poisoning may persist across sessions. Poisoning takes two distinct forms that are often blurred together but differ in who can carry

it out and how far it has progressed from theory to practice. The first form poisons knowledge at scale, by seeding the public web with

content the model will later absorb through training or retrieval. In

practice the overwhelming majority of these type of attacks are carried out

by nation-states. The Pravda network, also tracked as Portal Kombat,

published an estimated 3.6 million articles across roughly 150 sites in

2024 to launder pro-Russia narratives into AI systems; an audit of 10 leading

chatbots found they repeated those narratives about a third of the time, a

tactic researchers called "LLM grooming."

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

23 AI Security Report 2026

https://www.cyera.com/research/bleeding-llama-critical-unauthenticated-memory-leak-in-ollama https://www.greynoise.io/blog/threat-actors-actively-targeting-llms https://www.oligo.security/blog/shadowray-2-0-attackers-turn-ai-against-itself-in-global-campaign-that-hijacks-ai-into-self-propagating-botnet https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem https://www.wiz.io/blog/exposed-moltbook-database-reveals-millions-of-api-keys https://www.newsguardtech.com/special-reports/moscow-based-global-news-network-infected-western-artificial-intelligence-russian-propaganda/ https://www.cyera.com/research/bleeding-llama-critical-unauthenticated-memory-leak-in-ollama https://www.greynoise.io/blog/threat-actors-actively-targeting-llms https://www.oligo.security/blog/shadowray-2-0-attackers-turn-ai-against-itself-in-global-campaign-that-hijacks-ai-into-self-propagating-botnet https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem https://www.wiz.io/blog/exposed-moltbook-database-reveals-millions-of-api-keys https://www.newsguardtech.com/special-reports/moscow-based-global-news-network-infected-western-artificial-intelligence-russian-propaganda/

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

24 AI Security Report 2026

The risk calculus changed due to a study from late 2025, which

found that roughly 250 malicious documents were enough to plant a

backdoor in a model regardless of its size, a near-constant actual

number rather than a percentage of the training data. If the

requirement is a fixed handful of documents instead of a share of a

vast corpus, large-scale poisoning no longer demands the

resources of a Pravda network but is now within reach of much

smaller actors.

The second form poisons the model at runtime, corrupting the

content it retrieves or the memory it carries between sessions.

Check Point AI Security Research showed the clearest case: over a

series of ordinary Discord messages, a user with no special

privileges gradually filled an OpenClaw agent's long-term memory

with notes that were trusted, until the agent ranked their requests

above its own rules and ran a malicious "system update" that

opened a reverse shell on the host machine. The same command

was refused before the agent’s memory was corrupted, so the

attack was the slow rewriting of its memory, not a prompt-injection

trick. Microsoft found the same idea already in use in the wild and

at scale, reporting 50 cases from 31 companies that hid instructions

in "Summarize with AI" links so that one click wrote a durable "treat

this company as a trusted source" note into the AI’s memory. The

perpetrators were not attackers seeking intrusion but legitimate

businesses skewing their own recommendations. Regardless of

intent, this shows that memory poisoning is being exploited in the

real world, not just the lab.

The AI software supply chain

Malicious packages and typosquats predate AI. What makes this

category AI-specific is a combination of four factors:

01 The goal is to obtain AI-provider

credentials

02 The attack is scaled or camouflaged

with AI

03 Distribution runs through AI-native channels:

MCP registries, agent-skill stores, model hubs

04 The consumer is an autonomous agent that installs

and trusts components with little if any human review

Unlike the infrastructure attacks mentioned earlier where a system

is hit at runtime, here a poisoned component is introduced.

The risk calculus changed due to a study from late 2025, which

found that roughly 250 malicious documents were enough to plant a

backdoor in a model regardless of its size, a near-constant actual

number rather than a percentage of the training data. If the requirement is a fixed handful of documents instead of a share

of a vast corpus, large-scale poisoning no longer demands the resources of a Pravda network but is now within reach of

much smaller actors.

The second form poisons the model at runtime, corrupting the

content it retrieves or the memory it carries between sessions.

Check Point AI Security Research showed the clearest case: over a

series of ordinary Discord messages, a user with no special

privileges gradually filled an OpenClaw agent's long-term memory

with notes that were trusted, until the agent ranked their requests above its own rules and ran a malicious "system

update" that opened a reverse shell on the host machine. The same

command was refused before the agent’s memory was corrupted,

so the attack was the slow rewriting of its memory, not a prompt-injection trick. Microsoft found the same idea already in

use in the wild and at scale, reporting 50 cases from 31 companies that hid instructions in "Summarize with AI" links so that one click

wrote a durable "treat this company as a trusted source" note

into the AI’s memory. The perpetrators were not attackers seeking intrusion but legitimate businesses skewing their own

recommendations. Regardless of intent, this shows that memory

poisoning is being exploited in the real world, not just the lab.

The AI software supply chain

Malicious packages and typosquats predate AI. What makes this

category AI-specific is a combination of four factors:

01 The goal is to obtain AI-provider credentials

02 The attack is scaled or camouflaged with AI

03 Distribution runs through AI-native channels:

MCP registries, agent-skill stores, model hubs

04 The consumer is an autonomous agent that installs

and trusts components with little if any human review

Unlike the infrastructure attacks mentioned earlier where a system

is hit at runtime, here a poisoned component is introduced.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

24 AI Security Report 2026

https://www.anthropic.com/research/small-samples-poison https://www.microsoft.com/en-us/security/blog/2026/02/10/ai-recommendation-poisoning/ https://www.anthropic.com/research/small-samples-poison https://www.microsoft.com/en-us/security/blog/2026/02/10/ai-recommendation-poisoning/

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

25 AI Security Report 2026

The biggest single event was the Shai-Hulud worm in November

2025, which compromised hundreds of widely used code packages

and tens of thousands of code repositories, stealing cloud and

developer login credentials as it spread automatically through

companies' build pipelines. After the worm's code was made public

in May 2026, a copycat campaign, called Megalodon, hit more than

5,500 code repositories in a single afternoon and planted reboot-

surviving persistence inside Claude Code and other AI coding tools.

The behind-the-scenes software that routes traffic between

different AI providers is its own weak point too: a compromise of

one the LiteLLM gateway exposed all the login credentials it was

handling for its customers.

The agent-skill store is the newest channel, marketplaces where

people download pre-built skiills for their AI agents. Check Point AI

Security Research looked at 221 of these skills for the OpenClaw

agent and found 70% over-requested credentials, and 43% carried

command-injection patterns. One campaign, ClawHavoc, slipped 44

malicious skills into the store; they were downloaded over 12,500

times and quietly installed credential infostealer on each download.

The same pattern showed up elsewhere: Trojanized AI coding

extensions harvested code from an estimated 1.5 million

developers, a model on Hugging Face disguised as an "OpenAI

privacy filter" was downloaded 244,000 times before researchers

caught it installing malware, and an actively exploited Langflow flaw

entered CISA's catalogue of known exploited vulnerabilities.

We anticipate that two new developments will make the coming

year even more challenging. The two riskiest categories in this

chapter, the agentic supply chain and AI infrastructure, are also the

ones organizations currently have the least visibility into. And this

entire attack surface is about to become the default, as AI agents

move from being an app someone chooses to install into being a

built-in part of the operating system and the hardware itself. At

Build 2026, Microsoft has announced plans to build AI agents

directly into Windows, pairing with OpenClaw, with a full rollout

planned for late 2026. Around the same time, Nvidia unveiled the

RTX Spark superchip for on-device agents, integrated into Windows

laptops and desktops from Dell, HP, Lenovo, Asus, MSI, and

Microsoft starting in autumn 2026. The same OpenClaw ecosystem

that's already been abused through malicious skills and exposed

control panels is about to ship on a huge share of the world's

computers, so every weakness described here is about to matter

to a lot more people.

The biggest single event was the Shai-Hulud worm in November

2025, which compromised hundreds of widely used code packages and

tens of thousands of code repositories, stealing cloud and

developer login credentials as it spread automatically through companies' build pipelines. After the worm's code was made

public in May 2026, a copycat campaign, called Megalodon, hit more

than 5,500 code repositories in a single afternoon and planted

reboot-surviving persistence inside Claude Code and other AI coding tools. The behind-the-scenes software that routes traffic

between different AI providers is its own weak point too: a compromise of one the LiteLLM gateway exposed all the login

credentials it was handling for its customers.

The agent-skill store is the newest channel, marketplaces where

people download pre-built skiills for their AI agents. Check Point

AI Security Research looked at 221 of these skills for the OpenClaw agent and found 70% over-requested credentials, and 43%

carried command-injection patterns. One campaign, ClawHavoc,

slipped 44 malicious skills into the store; they were downloaded

over 12,500 times and quietly installed credential infostealer on

each download. The same pattern showed up elsewhere: Trojanized AI coding extensions harvested code from an

estimated 1.5 million developers, a model on Hugging Face

disguised as an "OpenAI privacy filter" was downloaded 244,000

times before researchers caught it installing malware, and an actively exploited Langflow flaw entered CISA's catalogue of known exploited vulnerabilities.

We anticipate that two new developments will make the coming

year even more challenging. The two riskiest categories in this

chapter, the agentic supply chain and AI infrastructure, are also

the ones organizations currently have the least visibility into. And this entire attack surface is about to become the default, as

AI agents move from being an app someone chooses to install into

being a built-in part of the operating system and the hardware

itself. At Build 2026, Microsoft has announced plans to build

AI agents directly into Windows, pairing with OpenClaw, with a

full rollout planned for late 2026. Around the same time, Nvidia

unveiled the RTX Spark superchip for on-device agents, integrated

into Windows laptops and desktops from Dell, HP, Lenovo,

Asus, MSI, and Microsoft starting in autumn 2026. The same OpenClaw

ecosystem that's already been abused through malicious skills and

exposed control panels is about to ship on a huge share of the

world's computers, so every weakness described here is about to

matter to a lot more people.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

25 AI Security Report 2026

https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack https://labs.cloudsecurityalliance.org/research/csa-research-note-shai-hulud-megalodon-supply-chain-cascade/ https://www.trendmicro.com/en_us/research/26/c/inside-litellm-supply-chain-compromise.html https://www.lakera.ai/blog/the-agent-skill-ecosystem-when-ai-extensions-become-a-malware-delivery-channel https://www.hiddenlayer.com/research/malware-found-in-trending-hugging-face-repository-open-oss-privacy-filter https://www.cisa.gov/news-events/alerts/2026/03/25/cisa-adds-one-known-exploited-vulnerability-catalog https://blogs.windows.com/windowsdeveloper/2026/06/02/windows-platform-security-for-ai-agents/ https://nvidianews.nvidia.com/news/nvidia-microsoft-windows-pcs-agents-rtx-spark https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack https://labs.cloudsecurityalliance.org/research/csa-research-note-shai-hulud-megalodon-supply-chain-cascade/ https://www.trendmicro.com/en_us/research/26/c/inside-litellm-supply-chain-compromise.html https://www.lakera.ai/blog/the-agent-skill-ecosystem-when-ai-extensions-become-a-malware-delivery-channel https://www.hiddenlayer.com/research/malware-found-in-trending-hugging-face-repository-open-oss-privacy-filter https://www.cisa.gov/news-events/alerts/2026/03/25/cisa-adds-one-known-exploited-vulnerability-catalog https://blogs.windows.com/windowsdeveloper/2026/06/02/windows-platform-security-for-ai-agents/ https://nvidianews.nvidia.com/news/nvidia-microsoft-windows-pcs-agents-rtx-spark

Digital Identity
 Under Siege

Digital Identity Under Siege

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

27 AI Security Report 2026

Digital Identity Under Siege

In previous chapters, we discussed AI as both a weapon and a

target. This one turns to what AI does to trust between people due

to its ability to forge a convincing human identity at scale.

Historically, a familiar voice, a face on a video call, a government ID,

or a live conversation served as reasonable proof that a person was

who they claimed to be. Generative AI removes that assumption.

Voice, face, documents, and real-time interaction can now be

synthesized cheaply and convincingly. Over the past year, AI fakes

have progressed to routinely be included in criminal activity. The

conclusion is inescapable: the signals used to recognize a person at

a distance (a voice, a face, a document, a live video) can no longer

be trusted as proof of identity.

The signals used to recognize a person at a

distance, a voice, a face, a document, or a

live video, can no longer be trusted as proof

of identity.

The 2025 AI Security Report mapped generative identity threats on

two planes: the type of media (text, audio, video) used, and how its

generation had matured from offline (pre-recorded) to real-time to

fully autonomous. We found that almost every combination was no

longer only theoretical, as each one had already appeared in an

actual incident or was sold as a tool in criminal markets. The one

exception which has not yet been seen is fully autonomous,

interactive video.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

27 AI Security Report 2026

The 2025 AI Security Report mapped generative identity threats on

two planes: the type of media (text, audio, video) used, and how

its generation had matured from offline (pre-recorded) to real-time

to fully autonomous. We found that almost every combination was no

longer only theoretical, as each one had already appeared in an actual incident or was sold as a tool in criminal markets. The one

exception which has not yet been seen is fully autonomous, interactive video.

Digital Identity Under Siege In previous

chapters, we discussed AI as both a weapon and a target. This

one turns to what AI does to trust between people due to its ability to forge a convincing human identity at scale. Historically, a familiar voice, a face on a video call, a government

ID, or a live conversation served as reasonable proof that a person

was who they claimed to be. Generative AI removes that assumption. Voice, face, documents, and real-time interaction

can now be synthesized cheaply and convincingly. Over the past

year, AI fakes have progressed to routinely be included in criminal activity. The conclusion is inescapable: the signals used to

recognize a person at a distance (a voice, a face, a document, a

live video) can no longer be trusted as proof of identity.

The signals used to recognize a person at a

distance, a voice, a face, a document, or a

live video, can no longer be trusted as proof

of identity.

https://research.checkpoint.com/2025/sate-of-ai-in-cyber-security/ https://research.checkpoint.com/2025/sate-of-ai-in-cyber-security/

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

28 AI Security Report 2026

Media 
 Type

Offline Generation

Text Pre-rendered
 scripts or emails

Audio Pre-recorded

impersonations

Video Pre-created

deepfake videos

Realtime Generation

Real-time

generated

responses

Real-time voice

manipulation

Live face-swapping

or video alteration

Fully Autonomous

AI-generated,

fully interactive

conversations

Fully AI-driven

conversational audio

Completely automated,

AI-generated

interactive video

Figure 3.1 — Generative identity threats by media type and maturity (Check Point Research, 2025).

Over the past 12 months several of these capabilities have moved from “available” to “prevalent.” The cases below, all from public reporting,

show how each media type is now used to falsify identity.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

28 AI Security Report 2026

Media Type

Offline Generation Realtime Generation Fully Autonomous

Text Pre-rendered

scripts or emails

Real-time

generated responses

AI-generated, fully interactive conversations

Audio Pre-recorded

impersonations

Real-time voice

manipulation Fully AI-driven conversational audio

Video Pre-created

deepfake videos Live face-swapping or video alteration

Completely automated, AI-generated interactive video

Figure 3.1 — Generative identity threats by media type and maturity (Check Point Research, 2025).

Over the past 12 months several of these capabilities have moved from “available” to “prevalent.” The cases below, all from public reporting,

show how each media type is now used to falsify identity.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

29 AI Security Report 2026

Voice

Voice was the first identity channel to be commoditized. Cloning a

target's voice from a short sample is now something anyone can do,

no expertise required, and over the past year it’s been used against

named targets. In a clear sign of maturity,  voice fraud is now sold

as a ready-made service. Researchers documented ATHR, a

platform whose AI voice agents walk a targeted user through a

scripted account-recovery call to extract their one-time passcode,

allowing a single operator to run multiple credential-theft

conversations simultaneously. ATHR runs these campaigns

at customers of major brands like Google, Microsoft, and Coinbase,

with no human caller involved at all.

Video

Pre-recorded deepfakes were a major concern in 2025. The past

year saw real-time face-swap on live video calls, used by

both nation state actors and industrialized fraud

operations. A North Korean-linked group UNC1069 reportedly used

AI-generated deepfake video calls and hijacked Telegram accounts

to socially engineer cryptocurrency targets into handing over their

credentials.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

29 AI Security Report 2026

Voice

Voice was the first identity channel to be commoditized. Cloning a

target's voice from a short sample is now something anyone can do,

no expertise required, and over the past year it’s been used against named targets. In a clear sign of maturity, voice fraud is

now sold as a ready-made service. Researchers documented

ATHR, a platform whose AI voice agents walk a targeted user

through a scripted account-recovery call to extract their one-time

passcode, allowing a single operator to run multiple credential-theft conversations simultaneously. ATHR runs

these campaigns at customers of major brands like Google, Microsoft,

and Coinbase, with no human caller involved at all.

Video

Pre-recorded deepfakes were a major concern in 2025. The past

year saw real-time face-swap on live video calls, used by both nation state actors and industrialized

fraud operations. A North Korean-linked group UNC1069 reportedly

used AI-generated deepfake video calls and hijacked Telegram

accounts to socially engineer cryptocurrency targets into handing over their credentials.

https://abnormal.ai/blog/athr-ai-voice-phishing-toad-attacks https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering https://abnormal.ai/blog/athr-ai-voice-phishing-toad-attacks https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

30 AI Security Report 2026

The same technique has now spread further down the criminal

supply chain, to Southeast Asian scam compounds that hire "AI

models" to operate real-time face-swapping software

during romance and investment scam calls, blending an AI-

generated face with a real human operator behind it. The scale is

large enough to draw coordinated law enforcement activity:

European police dismantled one network that used deepfake videos

of celebrities and news outlets to lure victims into fake investment

schemes on social media and laundered over €700 million. Beyond

the faces, the rest of the scam is now automated as well:

researchers tracked more than 23,000 domains funneling victims

into chat groups where AI chatbots impersonate financial advisers

and sustain a drawn-out investment scam with minimal human

involvement.

Synthetic identity and KYC bypass

When the way a bank or app verifies someone's identity relies on a

photo, a scanned ID, or a quick selfie video to prove a real person is

present, AI-generated fakes can now easily get past it. The identity

checks that banks and crypto exchanges depend on are routinely

being bypassed. The OnlyFake service reinforced this point when its

operator pleaded guilty to selling more than 10,000 AI-generated

fake IDs across the US and approximately 56 other countries, that

enabled customers worldwide to pass KYC checks at banks and

cryptocurrency exchanges. The World Economic Forum's

Cybercrime Atlas have catalogued tools built specifically to defeat

these remote identity checks by swapping in a fake face or feeding a

fake video feed straight into the verification camera; one piece of

malware specifically harvested victims' facial biometrics to use in

fooling bank face-verification systems; and bank, fintech, and crypto

accounts that have already passed verification using a fake AI

identity are now sold openly on Telegram.

Synthetic personas for access

The most consequential identity threat of the year isn’t one

impersonation, it’s an entire hiring fraud operation. North Korea

has scaled up an operation that uses AI-fabricated identities, resumes,

and personas to get its own operatives hired into Western companies

as remote IT workers, turning a forged identity into real, legitimate

access inside the company.

One North Korean-linked group, tracked as Jasper

Sleet, uses generative AI to scan job postings, face-swap stolen

identity documents, and tailor fake personas convincing enough to

pass HR screening and reach cloud environments and internal

systems. The scale and government-backing here are now formally

recognized: in 2024, the US Treasury sanctioned six individuals and

two entities behind a North Korean-linked DPRK IT-worker network

that used fabricated personas to get hired at US

companies, generating close to $800 million for the regime's

weapons programs. The money trail surfaced by accident, when one

of the operators accidentally infected his own machine with

infostealer malware, leaking records of a scheme showing roughly

$1 million a month flowing back to the regime.

The same technique has now spread further down the criminal

supply chain, to Southeast Asian scam compounds that hire "AI

models" to operate real-time face-swapping software

during romance and investment scam calls, blending an

AI-generated face with a real human operator behind it. The scale is large enough to draw coordinated law enforcement

activity: European police dismantled one network that used deepfake videos of celebrities and news outlets to lure victims

into fake investment schemes on social media and laundered over €700 million. Beyond the faces, the rest of the scam is

now automated as well: researchers tracked more than 23,000

domains funneling victims into chat groups where AI chatbots impersonate financial advisers and sustain a drawn-out

investment scam with minimal human involvement.

Synthetic identity and KYC bypass

When the way a bank or app verifies someone's identity relies on a

photo, a scanned ID, or a quick selfie video to prove a real person

is present, AI-generated fakes can now easily get past it. The identity checks that banks and crypto exchanges depend on are

routinely being bypassed. The OnlyFake service reinforced this

point when its operator pleaded guilty to selling more than 10,000 AI-generated fake IDs across the US and approximately 56

other countries, that enabled customers worldwide to pass KYC

checks at banks and cryptocurrency exchanges. The World

Economic Forum's Cybercrime Atlas have catalogued tools built

specifically to defeat these remote identity checks by swapping in a fake face or feeding a

fake video feed straight into the verification camera; one piece of

malware specifically harvested victims' facial biometrics to use in

fooling bank face-verification systems; and bank, fintech, and crypto

accounts that have already passed verification using a fake AI

identity are now sold openly on Telegram.

Synthetic personas for access

The most consequential identity threat of the year isn’t one

impersonation, it’s an entire hiring fraud operation. North Korea

has scaled up an operation that uses AI-fabricated identities, resumes, and personas to get its own operatives hired into Western

companies as remote IT workers, turning a forged identity into real,

legitimate access inside the company.

One North Korean-linked group, tracked as Jasper

Sleet, uses generative AI to scan job postings, face-swap stolen identity documents, and tailor fake personas convincing

enough to pass HR screening and reach cloud environments and

internal systems. The scale and government-backing here are now

formally recognized: in 2024, the US Treasury sanctioned six individuals and two entities behind a North Korean-linked DPRK

IT-worker network that used fabricated personas

to get hired at US companies, generating close to $800 million for the regime's weapons programs. The money trail surfaced

by accident, when one of the operators accidentally infected his own machine with infostealer malware, leaking records

of a scheme showing roughly $1 million a month flowing back to the regime.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

30 AI Security Report 2026

https://www.malwarebytes.com/blog/news/2026/03/scam-compounds-hiring-ai-models-to-seal-deal-in-deepfake-video-calls https://www.europol.europa.eu/media-press/newsroom/news/international-takedown-of-cryptocurrency-fraud-network-laundering-over-eur-700-million https://www.infoblox.com/blog/threat-intelligence/banners-bots-and-butchers-an-automated-long-con-targeting-japan-asia-and-beyond/ https://www.justice.gov/usao-sdny/pr/creator-onlyfake-charged-and-pleads-guilty-selling-more-10000-digital-fake https://reports.weforum.org/docs/WEF_Unmasking_Cybercrime_Strengthening_Digital_Identity_Verification_against_Deepfakes_2026.pdf https://specopssoft.com/blog/top-password-credential-stealing-malware https://www.microsoft.com/en-us/security/blog/2025/06/30/jasper-sleet-north-korean-remote-it-workers-evolving-tactics-to-infiltrate-organizations/ https://home.treasury.gov/news/press-releases/sb0230 https://cybernews.com/security/north-korean-hacker-detonates-malware-on-own-pc-exposing-1m-a-month-it-worker-scam/ https://www.malwarebytes.com/blog/news/2026/03/scam-compounds-hiring-ai-models-to-seal-deal-in-deepfake-video-calls https://www.europol.europa.eu/media-press/newsroom/news/international-takedown-of-cryptocurrency-fraud-network-laundering-over-eur-700-million https://www.infoblox.com/blog/threat-intelligence/banners-bots-and-butchers-an-automated-long-con-targeting-japan-asia-and-beyond/ https://www.justice.gov/usao-sdny/pr/creator-onlyfake-charged-and-pleads-guilty-selling-more-10000-digital-fake https://reports.weforum.org/docs/WEF_Unmasking_Cybercrime_Strengthening_Digital_Identity_Verification_against_Deepfakes_2026.pdf https://specopssoft.com/blog/top-password-credential-stealing-malware https://www.microsoft.com/en-us/security/blog/2025/06/30/jasper-sleet-north-korean-remote-it-workers-evolving-tactics-to-infiltrate-organizations/ https://home.treasury.gov/news/press-releases/sb0230 https://cybernews.com/security/north-korean-hacker-detonates-malware-on-own-pc-exposing-1m-a-month-it-worker-scam/

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

31 AI Security Report 2026

Identity as a broken trust anchor

Proving someone’s identity remotely has become more difficult. A

voice, a face, a document, even a live interaction can all now be

faked convincingly, so none of them can stand alone as proof

anymore. In a controlled study, even people trained to spot fake

faces correctly identified only about 41% of AI-generated faces

as AI-generated. Ordinary viewers only caught only about 30%. In

practice, this means identity verification needs to

shift toward areas that are harder for AI to fake: confirming through

a separate, trusted channel, secure digital credentials, and

stronger live-verification checks that are harder to spoof.

Trained super- recognizers

correctly flagged only 41% of AI- generated faces as fake. Ordinary viewers caught

just 30%.

Trained super-recognizers

correctly flagged only 41% of AI-generated faces as fake. Ordinary

viewers caught just 30%.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

31 AI Security Report 2026

Identity as a broken trust anchor

Proving someone’s identity remotely has become more difficult. A

voice, a face, a document, even a live interaction can all now be

faked convincingly, so none of them can stand alone as proof

anymore. In a controlled study, even people trained to spot fake

faces correctly identified only about 41% of AI-generated faces

as AI-generated. Ordinary viewers only caught only about 30%. In

practice, this means identity verification needs

to shift toward areas that are harder for AI to fake: confirming through a separate, trusted channel, secure digital credentials, and stronger live-verification checks that are harder to spoof.

https://bpspsychub.onlinelibrary.wiley.com/doi/10.1111/bjop.70063 https://bpspsychub.onlinelibrary.wiley.com/doi/10.1111/bjop.70063

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

32 AI Security Report 2026

Case study:
 the "Truman Show" scam, an AI-generated reality

Check Point Research documented an investment-fraud operation (tracked as OPCOPRO) that doesn’t just impersonate a person but

fabricates an entire fake world around the victim. Targets are lured from SMS and ads into WhatsApp or Telegram groups of roughly 90

members, almost all fake: AI-generated personas posing as financial "experts" and fellow investors, using profile photos with no

online history and messages whose timing and wording reveal machine generation. The groups showcase fake daily "winning trades"

with fabricated charts, while companion mobile apps—available on Google Play and the App Store at the time—are empty shells with

no real trading function. A remote server fabricates every balance and result, meaning nothing the victim sees is real.

The operation ran at least five branded websites registered between August and December 2025 and operated fluently in multiple

languages. What makes this scam significant is that it uses no conventional malware: the apps behave like legitimate software, and

the attack relies entirely on manufactured trust rather than technical compromise. As the cost of creating convincing identities,

content, and software continues to fall, these scams increasingly resemble legitimate digital businesses.

Social engineering has gone multi-channel

These identity attacks do not occur in isolation but fuel a broader shift

in social engineering. Check Point's 2026 Cyber Security Report finds

social engineering to be the dominant attack vector of 2025, expanding

beyond email into coordinated campaigns spanning phone calls,

messaging apps, workplace tools such as Microsoft Teams and Slack,

fake websites, and live impersonation. Once considered a niche

technique, multi-channel social engineering is now standard practice

and was central to some of the year's most damaging breaches,

including the Scattered

Spider attacks on Marks & Spencer and Jaguar Land Rover, and the

ShinyHunters phone-based campaign targeting Salesforce

customers. The FBI attributes more than $250 million in losses to

voice-enabled fraud alone.

Generative AI makes these attacks far more effective by removing

the barriers of quality, language, and scale. A cloned voice,

deepfake video, forged document, and fabricated identity can now

be combined into a seamless attack that gains a victim's trust from

the very first interaction.

Case study: the "Truman Show" scam, an AI-generated reality

Check Point Research documented an investment-fraud operation (tracked as OPCOPRO) that doesn’t just impersonate a person but

fabricates an entire fake world around the victim. Targets are lured from SMS and ads into WhatsApp or Telegram groups of roughly 90

members, almost all fake: AI-generated personas posing as financial "experts" and fellow investors, using profile photos with

no online history and messages whose timing and wording reveal machine generation. The groups showcase fake daily "winning trades"

with fabricated charts, while companion mobile apps—available on Google Play and the App Store at the time—are empty shells with

no real trading function. A remote server fabricates every balance and result, meaning nothing the victim sees is real.

The operation ran at least five branded websites registered between August and December 2025 and operated fluently in multiple

languages. What makes this scam significant is that it uses no conventional malware: the apps behave like legitimate software, and

the attack relies entirely on manufactured trust rather than technical compromise. As the cost of creating convincing identities, content, and software continues to fall, these scams increasingly resemble legitimate digital businesses.

Social engineering has gone multi-channel

These identity attacks do not occur in isolation but fuel a broader

shift in social engineering. Check Point's 2026 Cyber Security Report

finds social engineering to be the dominant attack vector of 2025,

expanding beyond email into coordinated campaigns spanning phone

calls, messaging apps, workplace tools such as Microsoft Teams and

Slack, fake websites, and live impersonation. Once considered a

niche technique, multi-channel social engineering is now standard

practice and was central to some of the year's most damaging

breaches, including the Scattered

Spider attacks on Marks & Spencer and Jaguar Land Rover, and the

ShinyHunters phone-based campaign targeting Salesforce customers. The FBI attributes more than $250 million in losses to voice-enabled fraud alone.

Generative AI makes these attacks far more effective by removing

the barriers of quality, language, and scale. A cloned voice, deepfake video, forged document, and fabricated identity can

now be combined into a seamless attack that gains a victim's trust

from the very first interaction.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

32 AI Security Report 2026

https://blog.checkpoint.com/mobile/the-truman-show-scam-trapped-in-an-ai-generated-reality/ https://research.checkpoint.com/2026/cyber-security-report-2026/ https://blog.checkpoint.com/mobile/the-truman-show-scam-trapped-in-an-ai-generated-reality/ https://research.checkpoint.com/2026/cyber-security-report-2026/

Data Leakage & Enterprise AI Exposure

Data Leakage & Enterprise AI Exposure

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

34 AI Security Report 2026

Data Leakage & Enterprise AI Exposure

Earlier chapters covered AI as a weapon, a target, and a tool for

impersonation. This chapter turns inward, to the data companies

feed into AI tools every day, and what that's costing them in

exposure.

The numbers: adoption and exposure

Between October 2025 and May 2026, enterprise use of generative

AI showed clear signs of maturity. Employees consistently incorporated

multiple GenAI tools into their daily workflows, with organizations

using an average of 10 different AI applications each month. Check

Point data reveals that at the individual level, the average number of

prompts per user grew from 56 in December 2025 to 70 in May 2026,

which represents a 25% increase over that period. GenAI has evolved

from a novelty emerging technology into an integral part of

organizational productivity embedded across multiple business

functions.

From a security perspective, the effects of this growth are

significant and ongoing. Between 87% and 93% of organizations

had at least one high-risk GenAI interaction each month, meaning

the risk of sensitive data leaking isn’t limited to a small number of

organizations. It's become a near-universal part of using AI at work.

87–93% Of organizations experienced at least one high-risk GenAI

interaction every month.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

34 AI Security Report 2026

Data Leakage & Enterprise AI Exposure

Earlier chapters covered AI as a weapon, a target,

and a tool for impersonation. This chapter turns inward, to the data companies feed into AI tools every day, and what that's costing them in exposure. The numbers: adoption and exposure

Between October 2025 and May 2026, enterprise

use of generative AI showed clear signs of maturity. Employees

consistently incorporated multiple GenAI tools into their daily workflows, with organizations using an average of 10 different AI applications each month. Check Point data reveals

that at the individual level, the average number of prompts per user grew from 56 in December 2025 to 70 in May 2026, which

represents a 25% increase over that period. GenAI has evolved

from a novelty emerging technology into an integral part

of organizational productivity embedded across multiple business functions.

From a security perspective, the effects of this growth

are significant and ongoing. Between 87% and 93% of organizations

had at least one high-risk GenAI interaction each month, meaning

the risk of sensitive data leaking isn’t limited to a small number

of organizations. It's become a near-universal part of using AI at work.

87–93% Of organizations experienced at least one high-risk GenAI

interaction every month.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

35 AI Security Report 2026

The share of high-risk prompts, meaning ones that

include sensitive corporate, personal, or regulated data shared with

external AI services, rose from 2% at the start of the period to 4%

by the end, effectively doubling the baseline risk of leaking sensitive

information through everyday GenAI use. In plain terms, that is a

shift from roughly one high-risk prompt out of every 50 interactions

to one out of every 25. The rate stabilized during the later months,

but the data suggests organizations have reached a new, higher

baseline of AI-related data-leakage risk.

High-risk GenAI prompts doubled

from 2% to 4%
 in a year, while

organizations now run an average of

10 different 
 AI applications

a month.

The share of high-risk prompts, meaning ones that

include sensitive corporate, personal, or regulated data shared with

external AI services, rose from 2% at the start of the period to 4%

by the end, effectively doubling the baseline risk of leaking sensitive information through everyday GenAI use. In plain terms,

that is a shift from roughly one high-risk prompt out of every 50

interactions to one out of every 25. The rate stabilized during the

later months, but the data suggests organizations have reached a

new, higher baseline of AI-related data-leakage risk.

High-risk GenAI prompts doubled

from 2% to 4%

in a year, while organizations now run an average of

10 different

AI applications a month.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

35 AI Security Report 2026

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

36 AI Security Report 2026

Regional analysis reveals meaningful differences in enterprise

GenAI risk exposure. Europe and Latin America recorded rates of

high-risk GenAI prompts above the global average of 3.45%,

suggesting that organizations in these regions face a heightened

likelihood of sensitive data being shared with AI services:

Europe: 3.95% of prompts, approximately one in every 25

interactions, classified as high risk, the highest of any region.

Latin America: 3.76%, or one in every 27 prompts.

North America: 3.33%, or one in every 30 prompts, lower but still

significant.

High-Risk Prompts by Region (Jan-May 2026)
 (1 in every N prompts was high risk)

Europe 3.95% [1 in 25]

Latin America 3.76% [1 in 27]

North America 3.33% [1 in 30]

APAC 2.88% [1 in 35]

Figure 5.1 — High-Risk Prompts by Region (Jan-May 2026).

The gap between regions is fairly modest, which actually makes the

bigger point: AI-related data exposure is a global problem, not one

confined to a few markets. The fact that every region shows

elevated rates suggests that risky AI behavior shows up wherever

GenAI tools get woven into everyday work, regardless of country. As

companies lean on AI more for productivity, employees everywhere

keep running into the same basic tension: give the AI enough

context to get a genuinely useful answer, or hold back to protect

sensitive company information.

Europe's position at the top of the ranking is particularly noteworthy

given the region's historically strong focus on data protection and

privacy regulation. This suggests that regulatory frameworks alone

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

36 AI Security Report 2026

Regional analysis reveals meaningful differences in enterprise

GenAI risk exposure. Europe and Latin America recorded rates of

high-risk GenAI prompts above the global average of 3.45%,

suggesting that organizations in these regions face a heightened

likelihood of sensitive data being shared with AI services:

Europe: 3.95% of prompts, approximately one in every 25

interactions, classified as high risk, the highest of any region.

Latin America: 3.76%, or one in every 27 prompts.

North America: 3.33%, or one in every 30 prompts, lower but still

significant.

High-Risk Prompts by Region (Jan-May 2026) (1 in every N prompts was high risk)

Europe 3.95% [1 in 25]

Latin America 3.76% [1 in 27]

North America 3.33% [1 in 30]

APAC 2.88% [1 in 35]

Figure 5.1 — High-Risk Prompts by Region (Jan-May 2026).

The gap between regions is fairly modest, which actually makes the

bigger point: AI-related data exposure is a global problem, not

one confined to a few markets. The fact that every region

shows elevated rates suggests that risky AI behavior shows up

wherever GenAI tools get woven into everyday work, regardless of

country. As companies lean on AI more for productivity, employees everywhere

keep running into the same basic tension: give the AI enough

context to get a genuinely useful answer, or hold back to protect sensitive company information.

Europe's position at the top of the ranking is particularly noteworthy

given the region's historically strong focus on data protection and

privacy regulation. This suggests that regulatory frameworks alone

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

37 AI Security Report 2026

are insufficient to prevent risky AI interactions at scale

and reinforces the importance of technical controls, user awareness,

and continuous monitoring. More broadly, this tells organizations

everywhere to expect AI-related data leakage risk to

come hand in hand with AI adoption, and to plan their governance

accordingly rather than as an afterthought. Latin America is also worth

watching: its share of risky prompts rose from 3.68% in January to

4.15% in May, a 13% increase in just five months.

Latin America Region High-Risk Prompts by month - 2026
 (1 in every N prompts was high risk)

4.15% (1 in 24)4.2%

4.0%

3.8% 3.68% (1 in 27)

3.6%

3.4%

3.2%

3.0%

3.6% (1 in 28) 3.7% (1 in 27)

3.47% (1 in 29)

Jan Feb Mar Apr May

Figure 5.2 — Latin America Upward Trend of High-Risk Prompts.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

37 AI Security Report 2026

are insufficient to prevent risky AI interactions at

scale and reinforces the importance of technical controls, user

awareness, and continuous monitoring. More broadly, this tells

organizations everywhere to expect AI-related data leakage risk to

come hand in hand with AI adoption, and to plan their governance

accordingly rather than as an afterthought. Latin America is also worth

watching: its share of risky prompts rose from 3.68% in January to

4.15% in May, a 13% increase in just five months.

Latin America Region High-Risk Prompts by month - 2026

(1 in every N prompts was high risk)

4.2%

4.0%

3.8%

3.6%

3.4%

3.2%

3.0%

Jan Feb Mar Apr May

3.68% (1 in 27) 3.6% (1 in 28)

3.7% (1 in 27)

4.15% (1 in 24)

3.47% (1 in 29)

Figure 5.2 — Latin America Upward Trend of High-Risk Prompts.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

38 AI Security Report 2026

Looking at this by industry instead of region shows the risk is even

less evenly spread. Between January and May 2026, Business

Services, Wholesale & Distribution, Telecommunications, and

Software all ran above the global average risk rate of 3.45%,

meaning companies in these industries are more likely than most to

have sensitive information end up shared with an outside AI

service.

Business Services had the highest rate of any industry, nearly one in

every 17 AI interactions carried a real risk of sensitive data

exposure:

Among all industries, Business Services deserves particular attention

not only because it recorded the highest overall rate of high-risk

prompts, but because that rate kept climbing throughout the period:

from 5.50% in January to 6.98% in May, a 27% increase in just five

months. By May - nearly one in every 14 prompts submitted by people

in this industry posed a high risk of sensitive data leakage.

Business Services: 5.91%, or roughly one in

every 17 prompts, the highest of any sector.

Wholesale & Distribution: 5.47%, or one in

every 18 prompts.

Telecommunications: 4.06%, or one in every 25

prompts.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

38 AI Security Report 2026

Looking at this by industry instead of region shows the risk is even less evenly spread. Between January and May 2026, Business Services, Wholesale & Distribution,

Telecommunications, and Software all ran above the global

average risk rate of 3.45%, meaning companies in these industries

are more likely than most to have sensitive information end up shared with an outside AI service.

Business Services had the highest rate of any industry, nearly one in

every 17 AI interactions carried a real risk of sensitive

data exposure:

Business Services: 5.91%, or roughly one in

every 17 prompts, the highest of any sector.

Wholesale & Distribution: 5.47%, or one in

every 18 prompts.

Telecommunications: 4.06%, or one in every 25

prompts.

Among all industries, Business Services deserves particular attention

not only because it recorded the highest overall rate of high-risk prompts, but because that rate kept climbing throughout the

period: from 5.50% in January to 6.98% in May, a 27% increase in

just five months. By May - nearly one in every 14 prompts submitted by

people in this industry posed a high risk of sensitive data leakage.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

39 AI Security Report 2026

HIGH-RISK PROMPTS BY INDUSTRY (JAN-MAY 2026)
 (1 in every N prompts was high risk)

Business Services 5.91% [1 in 17]

Wholesale & Distribution 5.47% [1 in 18]

Telecommunications 4.06% [1 in 25]

Software 3.52% [1 in 28]

Industrial Manufacturing 3.07% [1 in 33]

Government 3.01% [1 in 33]

Financial Services 2.72% [1 in 37]

Consumer Goods & Services 2.26% [1 in 44]

Energy & Utilities 1.91% [1 in 52]

Information Technology 0.65% [1 in 153]

Figure 5.3 — High-Risk Prompts by Industry (Jan-May 2026).

The trend suggests Business Services organizations are moving

past experimentation and weaving AI deeper into core operations,

having employees lean on it to analyze documents, draft

communications, and handle customer interactions, which means

sharing more business context and sensitive information to get

useful answers. That deeper use drives real productivity gains, but

also raises the odds that confidential client information, contracts,

or regulated content ends up sitting on an outside AI platform,

especially in sectors that focus on information handling and

customer relationships.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

39 AI Security Report 2026

HIGH-RISK PROMPTS BY INDUSTRY (JAN-MAY 2026)

(1 in every N prompts was high risk)

Business Services 5.91% [1 in 17]

Wholesale & Distribution 5.47% [1 in 18]

Telecommunications 4.06% [1 in 25]

Software 3.52% [1 in 28]

Industrial Manufacturing 3.07% [1 in 33]

Government 3.01% [1 in 33]

Financial Services 2.72% [1 in 37]

Consumer Goods & Services 2.26% [1 in 44]

Energy & Utilities 1.91% [1 in 52]

Information Technology 0.65% [1 in 153]

Figure 5.3 — High-Risk Prompts by Industry (Jan-May 2026).

The trend suggests Business Services organizations are moving

past experimentation and weaving AI deeper into core operations,

having employees lean on it to analyze documents, draft communications, and handle customer interactions, which means

sharing more business context and sensitive information to get

useful answers. That deeper use drives real productivity gains, but also raises the odds that confidential client information,

contracts, or regulated content ends up sitting on an outside AI

platform, especially in sectors that focus on information handling and customer relationships.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

40 AI Security Report 2026

The bigger picture: AI adoption is outpacing the governance built

to manage it. Familiarity with these tools hasn't translated into

more caution, risky sharing behavior hasn't declined even as

usage matures. That leaves organizations facing both a higher

baseline risk and a larger volume of exposure, a problem that's

likely to persist rather than resolve on its own.

What leaks, and how

The numbers above measure how much sensitive data reaches

AI. How it actually gets there matters just as much, and the key

point is that the biggest leaks aren't the work of attackers at

all, they're a side effect of completely normal, approved everyday

use:

Too much access granted by default: researchers showed that a

legitimate, company-approved connection between ChatGPT and

Google Drive could pull more than 400 sensitive internal files in

under a second from a single ordinary question, far more than the

person asking could ever have found on their own.

Employees using their own personal AI accounts for work instead of

the company's approved tools, otherwise known as Shadow AI:

one study found roughly one in five organizations had company data

exposed this way, separate from any leakage through officially

sanctioned AI tools. Simple copy-pasting, filling in a form field, or

uploading a file directly in the browser all slip right past the

security tools companies normally use to catch data leaving the

network.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

40 AI Security Report 2026

The bigger picture: AI adoption is outpacing the governance

built to manage it. Familiarity with these tools hasn't translated into more caution, risky sharing behavior hasn't declined even as usage matures. That leaves organizations facing both a higher baseline risk and a larger volume of exposure, a problem that's

likely to persist rather than resolve on its own.

What leaks, and how

The numbers above measure how much sensitive data reaches AI. How it actually gets

there matters just as much, and the key point is that the biggest leaks aren't

the work of attackers at all, they're a side effect of completely normal, approved

everyday use:

Too much access granted by default: researchers showed that a

legitimate, company-approved connection between ChatGPT and

Google Drive could pull more than 400 sensitive internal files

in under a second from a single ordinary question, far more than

the person asking could ever have found on their own.

Employees using their own personal AI accounts for work instead of

the company's approved tools, otherwise known as Shadow AI: one

study found roughly one in five organizations had company data

exposed this way, separate from any leakage through officially

sanctioned AI tools. Simple copy-pasting, filling in a form field,

or uploading a file directly in the browser all slip right past the security tools companies normally use to catch data leaving the network.

https://sola.security/blog/shadow-ai-exposure-oauth-approval/ https://research.eye.security/blocking-shadow-ai-how-to-prevent-data-leakage-from-chatgpt-and-other-llms/ https://sola.security/blog/shadow-ai-exposure-oauth-approval/ https://research.eye.security/blocking-shadow-ai-how-to-prevent-data-leakage-from-chatgpt-and-other-llms/

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

41 AI Security Report 2026

Provider and app-side exposure

Even an organization with strict rules about how its own employees

use AI still depends on outside AI providers and apps, and those

providers can be a way in for attackers too. The moment a

company's data is shared with an outside AI tool, that data's safety

depends entirely on how secure that outside company is, not on

anything the original company does.

The pattern recurred across the stack over the past year:

01

02

03

04

A consumer AI chat app called “Chat & Ask AI” exposed

about 300 million messages from more than 25 million

users.

An AI customer-support chatbot used by Sears Home

Services left 3.7 million records exposed, including

phone call recordings and transcripts containing

personal information.

AI vendors themselves got hit too: Anthropic suffered a leak

of its own source code, and the AI staffing company Mercor

was breached through a flaw in the LiteLLM gateway (the

same agentic-supply-chain weakness described earlier),

exposing a large amount of internal data.

An authorization flaw in the Lovable AI app-

builder allowed any free tier user to read the source

code and stored credentials from thousands of other

customers' projects.

stolen login credentials elevate the risk even further: a single stolen

Google Gemini API key ran up about $82,000 in charges in just two days

and was used to reach stored account data before anyone caught it,

letting an attacker operate freely inside someone else's legitimate AI

account, the same pattern described earlier in this report.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

41 AI Security Report 2026

Provider and app-side exposure

Even an organization with strict rules about how its own employees

use AI still depends on outside AI providers and apps, and those

providers can be a way in for attackers too. The moment a

company's data is shared with an outside AI tool, that data's safety depends entirely on how secure that outside company is,

not on anything the original company does.

The pattern recurred across the stack over the past year:

01 A consumer AI chat app called “Chat & Ask AI” exposed

about 300 million messages from more than 25 million users.

02 An AI customer-support chatbot used by Sears Home

Services left 3.7 million records exposed, including phone call recordings and transcripts

containing personal information.

03 AI vendors themselves got hit too: Anthropic suffered a

leak of its own source code, and the AI staffing company

Mercor was breached through a flaw in the LiteLLM gateway

(the same agentic-supply-chain weakness described

earlier), exposing a large amount of internal data.

04 An authorization flaw in the Lovable AI

app-builder allowed any free tier user to read the source code and stored credentials from thousands of

other customers' projects.

stolen login credentials elevate the risk even further: a single

stolen Google Gemini API key ran up about $82,000 in charges in just two

days and was used to reach stored account data before anyone caught

it, letting an attacker operate freely inside someone else's legitimate AI account, the same pattern described earlier in this report.

https://www.404media.co/massive-ai-chat-app-leaked-millions-of-users-private-conversations/ https://cybernews.com/ai-news/ai-chatbot-data-leak-sears/ https://www.axios.com/2026/03/31/anthropic-leaked-source-code-ai https://docs.litellm.ai/blog/security-update-march-2026 https://lovable.dev/blog/our-response-to-the-april-2026-incident https://cybersecuritynews.com/stolen-gemini-api-key-turned-180-bill-to-82000/ https://www.404media.co/massive-ai-chat-app-leaked-millions-of-users-private-conversations/ https://cybernews.com/ai-news/ai-chatbot-data-leak-sears/ https://www.axios.com/2026/03/31/anthropic-leaked-source-code-ai https://docs.litellm.ai/blog/security-update-march-2026 https://lovable.dev/blog/our-response-to-the-april-2026-incident https://cybersecuritynews.com/stolen-gemini-api-key-turned-180-bill-to-82000/

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

42 AI Security Report 2026

Case study:
 ChatGPT data leakage through a hidden outbound channel

Check Point Research showed that the AI platform itself

can become the leak path, not just the apps connected to it.

ChatGPT's secure code-execution sandbox blocks normal

outbound internet access as a safety measure, but still

allows DNS lookups, an oversight most people would never

think to check. By encoding data into DNS

subdomain queries, a malicious instruction planted earlier

in a conversation could quietly send a user's messages and

file contents to an attacker's server, with none of the usual

warning prompts a user would normally see before an app

shares their data. A proof-of-concept “personal doctor” AI

assistant used this exfiltrate patient details and medical

assessments from uploaded lab results. The issue was

reported to OpenAI and fixed on 20 February 2026, with no

sign of exploitation in the wild.

Once an organization’s data is shared with an external AI model,

they can't fully control where it ends up. As AI assistants are

increasingly involved in real execution environments, every new

capability adds another path data could leave through that needs to

be secured, including parts of the system an ordinary user never

even sees.

Governance implications

AI-related data exposure should be treated as an ongoing risk that

comes with AI usage, not a one-time hurdle to clear during

adoption. Managing it well requires constantly monitoring how AI

is actually being used, enforcing clear policies, training employees,

and using real-time controls that can catch and stop sensitive

information before it reaches an outside AI service.

The companies that get the most out of AI will be the ones that keep

their oversight growing right alongside their AI use, rather than

treating security as something to revisit only once a year. That

balance is what protects a company's intellectual property,

confidential business information, and regulated data while still

letting it benefit from everything AI can do.

Case study: ChatGPT data leakage through a hidden outbound channel

Check Point Research showed that the AI platform itself

can become the leak path, not just the apps connected to it. ChatGPT's secure code-execution sandbox blocks normal

outbound internet access as a safety measure, but still

allows DNS lookups, an oversight most people would never

think to check. By encoding data into DNS

subdomain queries, a malicious instruction planted earlier

in a conversation could quietly send a user's messages and file contents to an attacker's server, with none of the

usual warning prompts a user would normally see before an

app shares their data. A proof-of-concept “personal doctor” AI assistant used this exfiltrate patient details and medical assessments from uploaded lab

results. The issue was reported to OpenAI and fixed on 20

February 2026, with no sign of exploitation in the wild.

Once an organization’s data is shared with an external AI model,

they can't fully control where it ends up. As AI assistants

are increasingly involved in real execution environments, every

new capability adds another path data could leave through that needs

to be secured, including parts of the system an ordinary user never even sees.

Governance implications

AI-related data exposure should be treated as an ongoing risk that

comes with AI usage, not a one-time hurdle to clear during

adoption. Managing it well requires constantly monitoring how AI

is actually being used, enforcing clear policies, training employees, and using real-time controls that can catch and stop sensitive information before it reaches an outside AI service.

The companies that get the most out of AI will be the ones that keep

their oversight growing right alongside their AI use, rather than

treating security as something to revisit only once a year. That

balance is what protects a company's intellectual property,

confidential business information, and regulated data while still

letting it benefit from everything AI can do.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

42 AI Security Report 2026

https://research.checkpoint.com/2026/chatgpt-data-leakage-via-a-hidden-outbound-channel-in-the-code-execution-runtime/ https://research.checkpoint.com/2026/chatgpt-data-leakage-via-a-hidden-outbound-channel-in-the-code-execution-runtime/

Security for AI. Security by AI.
 Security with AI.

Security for AI. Security by AI. Security with AI.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

44 AI Security Report 2026

Security for AI

AI agents and applications are targets as much as they are tools.

They can be manipulated through hidden instructions in the content

they process, compromised through the tools they connect to, and

turned against the organization through configuration files they

automatically trust. For organizations building their own AI

infrastructure, whether dedicated LLM environments, AI factories,

or NVIDIA-based hardware deployments, the attack surface extends

further still, spanning infrastructure, hardware, workloads,

containers, inference APIs, and LLM endpoints.

The riskiest part of the AI attack surface is often the part

organizations can't see. Exposed model servers, reachable agent

control panels, and unsecured inference endpoints are being

actively probed, and most security teams have no

visibility into them. You cannot defend what you don't know is facing

the internet.

Check Point AI Agent Security

Governs how enterprise AI agents interact with prompts,

tools, data, and actions in real time.

Govern AI agent behavior across every interaction with

prompts, tools, and data

Prevent manipulation through prompt injection,

poisoned configurations, and unsafe tool use

Check Point AI Red Teaming

Tests whether AI applications and agents can be tricked

into exposing sensitive data, bypassing policies, or

producing unsafe outputs, before attackers get the chance.

Test for jailbreaks, data leakage risks, and excessive

permissions before deployment

Validate security after every significant change to

models, prompts, tools, or permissions

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

44 AI Security Report 2026

Security for AI

AI agents and applications are targets as much as they are tools. They can be manipulated through hidden instructions in the content they process, compromised through the tools they

connect to, and turned against the organization through configuration files they automatically trust. For organizations building their own AI infrastructure, whether dedicated LLM environments, AI factories, or NVIDIA-based hardware deployments, the attack surface extends further still, spanning infrastructure,

hardware, workloads, containers, inference APIs, and LLM endpoints.

The riskiest part of the AI attack surface is often the part organizations can't

see. Exposed model servers, reachable agent control panels, and unsecured

inference endpoints are being actively probed, and most

security teams have no visibility into them. You cannot defend what you don't know

is facing the internet.

Check Point AI Agent Security

Governs how enterprise AI agents interact with prompts,

tools, data, and actions in real time.

Govern AI agent behavior across every interaction with

prompts, tools, and data

Prevent manipulation through prompt injection,

poisoned configurations, and unsafe tool use

Check Point AI Red Teaming

Tests whether AI applications and agents can be tricked

into exposing sensitive data, bypassing policies,

or producing unsafe outputs, before attackers get the chance.

Test for jailbreaks, data leakage risks, and excessive permissions before deployment

Validate security after every significant change to

models, prompts, tools, or permissions

https://www.checkpoint.com/ai-security/ai-agent-security/ https://www.checkpoint.com/ai-security/ai-red-teaming/ https://www.checkpoint.com/ai-security/ai-agent-security/ https://www.checkpoint.com/ai-security/ai-red-teaming/

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

45 AI Security Report 2026

Check Point WAF

Powered by a dual-layer ML engine, blocks prompt

injections and unsafe content at the perimeter without

requiring signatures or causing downtime.

Block prompt injections and unsafe content before they

reach users or systems

Intercept attacks in real time without the patching

overhead traditional approaches demand

Check Point AI Factory Security

Delivers a complete end-to-end security blueprint for

organizations building and running their own AI infrastructure,

taking a layered defense-in-depth approach that spans

application security, infrastructure security, and safe AI use

across the entire stack.

Secure AI infrastructure end to end: hardware, workloads,

containers, inference APIs, LLM endpoints, and perimeters

Check Point Exposure Management

Check Point Exposure Management, through external attack surface management, cyber asset attack surface management, and Supply Chain

Intelligence, makes the full AI attack surface visible before attackers map it.

Discover every internet-facing asset, including model servers, inference endpoints, and agent control panels

Detect newly exposed AI infrastructure as soon as it appears using technology detection and watchlists

Continuously monitor third-party AI providers, so their exposure becomes visible before it becomes your incident

The riskiest part of the AI attack surface is the part you can't see. Protecting AI means governing how it behaves, securing the infrastructure it

runs on, and making the full surface visible before an attacker maps it first.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

45 AI Security Report 2026

Check Point WAF

Powered by a dual-layer ML engine, blocks prompt

injections and unsafe content at the perimeter without requiring signatures or causing downtime.

Block prompt injections and unsafe content before they

reach users or systems

Intercept attacks in real time without the patching overhead traditional approaches demand

Check Point Exposure Management

Check Point Exposure Management, through external attack surface management, cyber asset attack surface management, and Supply Chain

Intelligence, makes the full AI attack surface visible before attackers map it.

Discover every internet-facing asset, including model servers, inference endpoints, and agent control panels

Detect newly exposed AI infrastructure as soon as it appears using technology detection and watchlists

Continuously monitor third-party AI providers, so their exposure becomes visible before it becomes your incident

Check Point AI Factory Security

Delivers a complete end-to-end security blueprint for

organizations building and running their own AI infrastructure,

taking a layered defense-in-depth approach that spans

application security, infrastructure security, and safe AI use across the entire stack.

Secure AI infrastructure end to end: hardware, workloads,

containers, inference APIs, LLM endpoints, and perimeters

The riskiest part of the AI attack surface is the part you can't see. Protecting AI means governing how it behaves, securing the infrastructure it

runs on, and making the full surface visible before an attacker maps it first.

https://www.checkpoint.com/cloudguard/waf/ https://engage.checkpoint.com/ai-data-center-ai-factory-security-blueprint?_gl=1*1cd79r8*_gcl_aw*R0NMLjE3Nzg2ODI4MTguQ2p3S0NBand3cERRQmhBdUVpd0FhLTRXbzlzaWZoQjJwb0JZeVQxZEpPQk5MMkdhcFJYU1EtWEM2YWZIQzRCcE5XN1JfZUp6d2xhcEd4b0MwSzBRQXZEX0J3RQ..*_gcl_au*MjU3ODA3NjU2LjE3NzY2MTAxNjEuNzU5MDQ0NjU2LjE3NzgwNzUxNjYuMTc3ODA3NTIwOQ.. https://www.checkpoint.com/cloudguard/waf/ https://engage.checkpoint.com/ai-data-center-ai-factory-security-blueprint?_gl=1*1cd79r8*_gcl_aw*R0NMLjE3Nzg2ODI4MTguQ2p3S0NBand3cERRQmhBdUVpd0FhLTRXbzlzaWZoQjJwb0JZeVQxZEpPQk5MMkdhcFJYU1EtWEM2YWZIQzRCcE5XN1JfZUp6d2xhcEd4b0MwSzBRQXZEX0J3RQ..*_gcl_au*MjU3ODA3NjU2LjE3NzY2MTAxNjEuNzU5MDQ0NjU2LjE3NzgwNzUxNjYuMTc3ODA3NTIwOQ..

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

46 AI Security Report 2026

Security by AI

The most significant shift this report documents is not a new

technique. It is pace. A vulnerability now becomes a working exploit

within hours of disclosure. Phishing campaigns run at a quality and

volume no human team could match. Intrusions span dozens of

targets simultaneously, with AI handling the operational work

between check-ins. Security teams working at human speed cannot

match that cadence. Protecting against AI-powered attacks requires

a frontier AI model-powered threat prevention engine.

Check Point ThreatCloud AI

Is the intelligence brain behind Check Point's threat

prevention, leveraging the latest AI technologies and the

industry's leading cyber researchers to prevent zero-day

attacks. Connected to all IT environments via Check Point's

Hybrid Mesh Network Security, Workspace Security,

Exposure Management, and AI Security product

lines, ThreatCloud AI covers networks, email, endpoints,

mobile, and cloud.

Prevent zero-day attacks powered by the latest AI

technologies and leading cyber research

Cover networks, email, endpoints, mobile, and cloud

through a single connected intelligence layer

Operate at two simultaneous speeds: continuous

background intelligence generation and real-time query

response to Check Point sensors around the world

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

46 AI Security Report 2026

Security by AI

The most significant shift this report documents is not a new technique. It is pace. A vulnerability now becomes a working

exploit within hours of disclosure. Phishing campaigns run at a

quality and volume no human team could match. Intrusions span

dozens of targets simultaneously, with AI handling the operational work between check-ins. Security teams working at human

speed cannot match that cadence. Protecting against AI-powered

attacks requires a frontier AI model-powered threat prevention engine.

Check Point ThreatCloud AI

Is the intelligence brain behind Check Point's threat prevention, leveraging the latest AI technologies

and the industry's leading cyber researchers to prevent zero-day attacks. Connected to all IT environments via Check

Point's Hybrid Mesh Network Security, Workspace

Security, Exposure Management, and AI Security

product lines, ThreatCloud AI covers networks, email, endpoints, mobile, and cloud.

Prevent zero-day attacks powered by the latest AI

technologies and leading cyber research

Cover networks, email, endpoints, mobile, and cloud

through a single connected intelligence layer

Operate at two simultaneous speeds: continuous

background intelligence generation and real-time query response to Check Point sensors around the world

https://www.checkpoint.com/ai/threatcloud/ https://www.checkpoint.com/ai/threatcloud/

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

47 AI Security Report 2026

Check Point Frontier AI Models Readiness Program

Including BLAST, an internal model-agnostic technology, proactively uncovers vulnerabilities in frontier AI models and resolves them

before they can be weaponized.

Proactively uncover and resolve vulnerabilities in frontier AI models before attackers reach them

Stay ahead of threat actors by continuously testing and hardening the AI models that power Check Point's defenses

Attackers are running AI as an operator. ThreatCloud AI operates at the same speed on the other side, detecting and blocking without waiting

for a human in the loop.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

47 AI Security Report 2026

Check Point Frontier AI Models Readiness Program

Including BLAST, an internal model-agnostic technology, proactively uncovers vulnerabilities in frontier AI models and resolves them

before they can be weaponized.

Proactively uncover and resolve vulnerabilities in frontier AI models before attackers reach them

Stay ahead of threat actors by continuously testing and hardening the AI models that power Check Point's defenses

Attackers are running AI as an operator. ThreatCloud AI operates at the same speed on the other side, detecting and blocking without waiting

for a human in the loop.

https://blog.checkpoint.com/security/check-point-frontier-ai-models-readiness-program-security-update/ https://blog.checkpoint.com/security/check-point-frontier-ai-models-readiness-program-security-update/

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

48 AI Security Report 2026

Security with AI

Every targeted attack in this report was made more precise by

information the attacker already had. Much of that information left

the organization through the AI tools employees use every day.

High-risk GenAI prompts doubled over the past year. The average

organization runs ten AI applications a month, many without formal

approval, and most security teams have limited visibility into what is

being shared, with which tools, and whether it should be.

Using AI well means governing it across the workforce, at the point

of interaction, and across the external surface where credentials

and data are already leaking.

Check Point Workforce AI Security

Gives security teams visibility into how employees are using

AI across the organization, providing application discovery,

governance, and real-time data protection. It secures the

interactions themselves, managing GenAI prompts in real

time, assessing risk at the moment they happen, and

preventing data loss before it reaches an external service.

Discover sanctioned and unsanctioned AI applications in

use across the workforce

Prevent credentials, source code, PII, customer data,

and confidential documents from being exposed

through AI interactions

Apply real-time data loss prevention to GenAI prompts

before they leave your environment

Meet regulatory requirements with enterprise-grade

visibility and monitoring

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

48 AI Security Report 2026

Security with AI

Every targeted attack in this report was made more precise by information the attacker already had. Much of that information left the organization through the AI tools employees use every day. High-risk GenAI prompts doubled over the past year. The average organization runs ten AI applications a month, many without formal approval, and most security teams have limited visibility

into what is being shared, with which tools, and whether it should be.

Using AI well means governing it across the workforce, at the point of interaction, and across the external

surface where credentials and data are already leaking.

Check Point Workforce AI Security

Gives security teams visibility into how employees are using AI across the organization, providing application discovery, governance, and real-time data protection. It secures the interactions themselves, managing GenAI prompts in real time, assessing risk at the moment they happen,

and preventing data loss before it reaches an external service. Discover sanctioned and

unsanctioned AI applications in use across the workforce

Prevent credentials, source code, PII, customer data, and

confidential documents from being exposed through AI interactions

Apply real-time data loss prevention to GenAI prompts before they leave your environment

Meet regulatory requirements with enterprise-grade visibility and monitoring

https://www.checkpoint.com/ai-security/ai-workforce-security/ https://www.checkpoint.com/ai-security/ai-workforce-security/

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

49 AI Security Report 2026

Check Point Exposure Management

Gives teams the ability to find and act on what matters before an attacker does, ranking exposures by real risk, validating which are

genuinely reachable and exploitable, and enabling remediation without waiting on a vendor fix. Through its Brand Protection and

Threat Intelligence layers, it also covers the external surface where credentials, fake sites, and impersonation infrastructure are

already being used against your organization.

Rank exposures by what is actually exploitable, not by how many vulnerabilities a scanner returns

Validate exploitability continuously before an attacker tests the same path

Neutralize critical exposures through virtual patching when a vendor fix is not yet available

Find exposed configuration files, secrets, and API keys on your internet-facing surface before an attacker does

Detect phishing pages, typosquatted domains, and cloned sites and take them down before victims reach them

Monitor the deep and dark web for stolen and resold credentials, including AI service logins

Surface leaked corporate data and fraud signals that feed targeted impersonation campaigns

Before an attacker can use AI against you with precision, they need your data and they need your exposure to stay invisible. Workforce AI

Security, GenAI Protect, Infinity AI Copilot, and Exposure Management close both gaps.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 CISO Recommendations

49 AI Security Report 2026

Check Point Exposure Management

Gives teams the ability to find and act on what matters before an attacker does, ranking exposures by real risk, validating which are

genuinely reachable and exploitable, and enabling remediation without waiting on a vendor fix. Through its Brand Protection and

Threat Intelligence layers, it also covers the external surface where credentials, fake sites, and impersonation infrastructure

are already being used against your organization.

Rank exposures by what is actually exploitable, not by how many vulnerabilities a scanner returns

Validate exploitability continuously before an attacker tests the same path

Neutralize critical exposures through virtual patching when a vendor fix is not yet available

Find exposed configuration files, secrets, and API keys on your internet-facing surface before an attacker does

Detect phishing pages, typosquatted domains, and cloned sites and take them down before victims reach them

Monitor the deep and dark web for stolen and resold credentials, including AI service logins

Surface leaked corporate data and fraud signals that feed targeted impersonation campaigns

Before an attacker can use AI against you with precision, they need your data and they need your exposure to stay invisible. Workforce AI

Security, GenAI Protect, Infinity AI Copilot, and Exposure Management close both gaps.

https://www.checkpoint.com/exposure-management/ https://www.checkpoint.com/exposure-management/

2026 CISO
 Recommendations

2026 CISO Recommendations

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 2026 CISO Guide

51 AI Security Report 2026

2026 CISO
 Recommendations 
 By Fred Streefland,

Global Field CISO, Check Point Software Technologies

The question this chapter sets out to answer is a straightforward

one: “So, what does this all mean for CISOs and what can CISOs

learn from this report?

CISOs are expected to manage the (cyber)risks for the business, so

that the business can perform ‘its business’?” But, in today’s AI-

driven world, the CISO’s role is not only about preventing breaches

or ensuring compliance, although these remain critical. The CISO’s

role is more about enabling responsible AI adoption that balances

innovation with risk management, competitive advantage with

ethical responsibility, and technological capability with

organizational control.

This part of the report will address what the previous four chapters

mean for today’s CISOs. Each chapter will be summarized with a

conclusion (‘why it matters’), followed by some recommendations.

01 The first chapter describes the AI-Powered Cyber Attacks and

shows how attackers can access AI capabilities. They

can abuse commercial models, deploy self-hosted open-source

models, or buy access to purpose-built malicious services. This

chapter also describes that AI's role in malware development

moved from experimental to operational and that AI

can now be seen as a live attack operator. The most important

element of this chapter is AI in vulnerability research, which

resulted in a compressed patch window. AI is now capable of finding

security flaws before they are exploited and finding ways to exploit

them before they’re fixed.

Why it Matters.

Attackers are now capable of leveraging AI for their benefits at an

incredible speed. CISOs need to be aware of this development and

should perceive AI as a live attacker. This means that CISOs need to

revalidate their cyber security controls and check if their current

security posture is capable of handling these AI-powered cyber-

attacks. CISOs should also evaluate their current vulnerability

management processes, because the increased speed of AI models

finding and exploiting vulnerabilities significantly decreased the

time to remediate.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 2026 CISO Guide

51 AI Security Report 2026

2026 CISO Recommendations By Fred Streefland,

Global Field CISO, Check Point Software Technologies

The question this chapter sets out to answer is a straightforward one: “So, what does this all mean for CISOs and what can CISOs

learn from this report?

CISOs are expected to manage the (cyber)risks for the business, so that the business can perform ‘its business’?” But, in today’s AI-driven world, the CISO’s role is not only about preventing breaches or ensuring compliance, although these remain critical. The CISO’s role is more about enabling responsible AI adoption that balances innovation with risk management, competitive

advantage with ethical responsibility, and technological capability with organizational control.

This part of the report will address what the previous four chapters mean for today’s CISOs. Each

chapter will be summarized with a conclusion (‘why it matters’), followed by some recommendations.

01 The first chapter describes the AI-Powered Cyber Attacks and

shows how attackers can access AI capabilities. They

can abuse commercial models, deploy self-hosted open-source

models, or buy access to purpose-built malicious services. This

chapter also describes that AI's role in malware development

moved from experimental to operational and that AI

can now be seen as a live attack operator. The most important

element of this chapter is AI in vulnerability research, which resulted in a compressed patch window. AI is now capable of

finding security flaws before they are exploited and finding ways

to exploit them before they’re fixed.

Why it Matters.

Attackers are now capable of leveraging AI for their benefits at

an incredible speed. CISOs need to be aware of this development and

should perceive AI as a live attacker. This means that CISOs need to

revalidate their cyber security controls and check if their current security posture is capable of handling these AI-powered

cyber-attacks. CISOs should also evaluate their current vulnerability management processes, because the increased speed of

AI models finding and exploiting vulnerabilities significantly decreased the time to remediate.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 2026 CISO Guide

52 AI Security Report 2026

02 The second chapter examines attacks against AI, treating AI as an

attack surface. It identifies two main causes. The first is unique to

AI: language models can be manipulated through hidden

instructions (direct & indirect prompt injection), trusted

configuration files (configuration abuse), and corrupted memory

(runtime poisoning). The second is more familiar: AI tools are still

software and inherit the vulnerabilities of traditional applications.

These weaknesses are spreading faster because of rapid AI

adoption and are amplified by autonomous AI agents that hold

excessive privileges and install trusted components with little or no

human review. This is what drives attacks on AI infrastructure and

the AI software supply chain.

Why it Matters.

One of the core principles of the CISO role is visibility across IT/OT

infrastructure, workspaces, cloud environments, the supply chain,

and AI. Visibility is essential because CISOs cannot protect what

they cannot see. As AI becomes a new attack surface, security

strategies must evolve to address it. This requires understanding

AI-specific attacks, such as direct and indirect prompt injection,

while also gaining visibility into the AI ecosystem, agentic supply

chain, and AI infrastructure.

03 The third chapter describes the effects of AI on digital trust

and identities. In previous chapters, we discussed AI as both a

weapon and a target. This one turns to what AI does to trust

between people due to its ability to forge a convincing human

identity at scale. This chapter shows that attackers/criminals are

now capable using AI to generate fake identities in text, audio and

video. They can generate these fake

identities offline, online and mostly fully autonomous.

Why it Matters.

Trust plays an essential role in cyber security, which plays

an essential role for CISOs. These impersonation developments, as

described in this chapter, can result in the fact that identity has

become a broken trust anchor. Proving someone’s identity remotely

has become more difficult than ever before and in combination with

the fact that social engineering has gone multi-channel, requires

CISOs to adapt and stop taking identity for granted.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 2026 CISO Guide

52 AI Security Report 2026

02 The second chapter examines attacks against AI, treating AI as an

attack surface. It identifies two main causes. The first is unique

to AI: language models can be manipulated through hidden

instructions (direct & indirect prompt injection), trusted configuration files (configuration abuse), and corrupted

memory (runtime poisoning). The second is more familiar: AI tools

are still software and inherit the vulnerabilities of traditional applications. These weaknesses are spreading faster because

of rapid AI adoption and are amplified by autonomous AI agents

that hold excessive privileges and install trusted components with little or no human review. This is what drives attacks on AI

infrastructure and the AI software supply chain.

Why it Matters.

One of the core principles of the CISO role is visibility across

IT/OT infrastructure, workspaces, cloud environments, the supply

chain, and AI. Visibility is essential because CISOs cannot protect what they cannot see. As AI becomes a new attack

surface, security strategies must evolve to address it. This requires understanding AI-specific attacks, such as direct and

indirect prompt injection, while also gaining visibility into the AI ecosystem, agentic supply chain, and AI infrastructure.

03 The third chapter describes the effects of AI on digital trust

and identities. In previous chapters, we discussed AI as both a

weapon and a target. This one turns to what AI does to trust

between people due to its ability to forge a convincing human

identity at scale. This chapter shows that attackers/criminals are

now capable using AI to generate fake identities in text, audio and

video. They can generate these fake

identities offline, online and mostly fully autonomous.

Why it Matters.

Trust plays an essential role in cyber security, which plays an essential role for CISOs. These impersonation developments,

as described in this chapter, can result in the fact that identity has become a broken trust anchor. Proving someone’s identity remotely has become more difficult than ever before and in

combination with the fact that social engineering has gone multi-channel, requires CISOs to adapt and stop taking identity for granted.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 2026 CISO Guide

53 AI Security Report 2026

04 The fourth chapter describes data leakage and enterprise AI

exposure. While the previous chapters covered AI as a weapon,

a target, and a tool for impersonation, this chapter showed the risks

of AI adoption by enterprises. Check Point Research

recorded significant growth in enterprise GenAI adoption. GenAI has

evolved from a novelty emerging technology into an integral part of

organizational productivity embedded across multiple business

functions.  Approx. 90% of organizations had at least one high-risk

GenAI interaction each month. Even if organizations have strict

rules about how its employees use AI, they still depend

on external AI providers and applications, which can also serve as

an entry point for threat actors. Check Point Research showed that

an AI platform itself, like ChatGPT, can become the leak path, not

just the apps connected to it. Once an organization’s data is shared

with an external AI model, they can't fully control where it ends up

Why it Matters.

Because AI adoption is outpacing the governance built to manage

it, today’s CISOs have a significant challenge. They should treat AI-

related data exposure as an ongoing, permanent part of doing

business with AI; not a one-time hurdle to clear during adoption.

CISOs need to manage it well, which requires constantly monitoring

how AI is actually being used, enforcing clear policies, training

employees, and using real-time controls that can catch and stop

sensitive information before it reaches an outside AI service. The

companies that get the most out of AI will be the ones that keep their

oversight growing right alongside their AI use, rather than treating

security as something to revisit only once a year.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 2026 CISO Guide

53 AI Security Report 2026

04 The fourth chapter describes data leakage and enterprise AI

exposure. While the previous chapters covered AI as a weapon, a

target, and a tool for impersonation, this chapter showed the risks

of AI adoption by enterprises. Check Point Research

recorded significant growth in enterprise GenAI adoption. GenAI has

evolved from a novelty emerging technology into an integral part of

organizational productivity embedded across multiple business

functions. Approx. 90% of organizations had at least one high-risk

GenAI interaction each month. Even if organizations have strict

rules about how its employees use AI, they still depend

on external AI providers and applications, which can also serve as

an entry point for threat actors. Check Point Research showed that

an AI platform itself, like ChatGPT, can become the leak path, not

just the apps connected to it. Once an organization’s data is shared

with an external AI model, they can't fully control where it ends up

Why it Matters.

Because AI adoption is outpacing the governance built to manage it,

today’s CISOs have a significant challenge. They should treat

AI-related data exposure as an ongoing, permanent part of doing

business with AI; not a one-time hurdle to clear during adoption.

CISOs need to manage it well, which requires constantly monitoring

how AI is actually being used, enforcing clear policies, training employees, and using real-time controls that can catch and stop sensitive information before it reaches an outside AI

service. The companies that get the most out of AI will be the ones

that keep their oversight growing right alongside their AI use,

rather than treating security as something to revisit only once a year.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 2026 CISO Guide

54 AI Security Report 2026

CISO Recommendations

AI is significantly changing the world at a pace that we’ve never

experienced before, and the same applies to AI security. We need to

adapt faster than the ‘bad guys’ and as the saying goes: “it’s not the

strongest nor most intelligent species that survive. It's the one that

is most adaptable to change”.

This report provides the information that you – as a CISO – need

to get the required adaptability to the fast-changing environment.

With the insights of this report and the suggested Check Point

products, you can become a successful CISO in protecting your

organization and enabling the business.

In the last year, AI changed the (security) world significantly and

brought more challenges for a CISO than ever before, but the basics

still stayed the same. A CISO still needs to manage the risks, so

that the business can do ‘its business’, which means a risk

assessment still forms the foundation for a security strategy

and roadmap. The fact that the CISO should also apply this risk

assessment to their organization's AI

ecosystem makes it perhaps more challenging, but not impossible.

CISO Recommendations

AI is significantly changing the world at a pace that we’ve never

experienced before, and the same applies to AI security. We need to

adapt faster than the ‘bad guys’ and as the saying goes: “it’s not the

strongest nor most intelligent species that survive. It's the one that is most adaptable to change”.

This report provides the information that you – as a CISO – need

to get the required adaptability to the fast-changing environment.

With the insights of this report and the suggested Check Point

products, you can become a successful CISO in protecting your

organization and enabling the business.

In the last year, AI changed the (security) world significantly

and brought more challenges for a CISO than ever before, but the

basics still stayed the same. A CISO still needs to manage the risks, so that the business can do ‘its business’, which

means a risk assessment still forms the foundation for a security strategy and roadmap. The fact that the CISO should

also apply this risk assessment to their organization's AI ecosystem makes it perhaps more challenging, but not impossible.

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 2026 CISO Guide

54 AI Security Report 2026

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 2026 CISO Guide

55 AI Security Report 2026

About Check Point Software Technologies Ltd.

Check Point Software Technologies Ltd. (www.checkpoint.com) is a

leading protector of digital trust, utilizing AI-powered cyber security

solutions to safeguard over 100,000 organizations globally. Through

its Infinity Platform and an open garden ecosystem, Check Point’s

prevention-first approach delivers industry-leading security efficacy

while reducing risk. Employing a hybrid mesh network architecture

with SASE at its core, the Infinity Platform unifies the management

of on-premises, cloud, and workspace environments to offer

flexibility, simplicity and scale for enterprises and service providers.

Contact us

WORLDWIDE HEADQUARTERS

5 Shlomo Kaplan Street,

Tel Aviv 6789159, Israel

Tel: 972-3-753-4599

Email: info@checkpoint.com

U.S. HEADQUARTERS

100 Oracle Parkway, Suite 800,

Redwood City, CA 94065

Tel: 800-429-4391

UNDER ATTACK?

Contact our Incident Response Team:

emergency-response@checkpoint.com

CHECK POINT RESEARCH

To get our latest research and other

exclusive content, Visit us at

www.research.checkpoint.com

www.checkpoint.com

About Check Point Software Technologies Ltd.

Check Point Software Technologies Ltd. (www.checkpoint.com) is a

leading protector of digital trust, utilizing AI-powered cyber security solutions to safeguard over 100,000 organizations globally.

Through its Infinity Platform and an open garden ecosystem, Check

Point’s prevention-first approach delivers industry-leading security

efficacy while reducing risk. Employing a hybrid mesh network architecture with SASE at its core, the Infinity Platform unifies the management of on-premises, cloud, and workspace environments to offer flexibility, simplicity and scale for enterprises and service providers.

Contact us

WORLDWIDE HEADQUARTERS

5 Shlomo Kaplan Street,

Tel Aviv 6789159, Israel

Tel: 972-3-753-4599

Email: info@checkpoint.com

U.S. HEADQUARTERS

100 Oracle Parkway, Suite 800,

Redwood City, CA 94065

Tel: 800-429-4391

UNDER ATTACK?

Contact our Incident Response Team:

emergency-response@checkpoint.com

CHECK POINT RESEARCH

To get our latest research and other

exclusive content, Visit us at

www.research.checkpoint.com

www.checkpoint.com

01 INTRODUCTION

02 AI Cyber Attacks

03 AI Attack Surface

04 Digital Identity

05 AI Data Exposure

06 AI Security Framework

07 2026 CISO Guide

55 AI Security Report 2026

http://www.checkpoint.com https://www.research.checkpoint.com http://www.checkpoint.com http://www.checkpoint.com https://www.research.checkpoint.com http://www.checkpoint.com

© 2026 Check Point Software Technologies Ltd. All rights reserved.© 2026 Check Point Software Technologies Ltd. All rights reserved.


Item Type: pdf