On May 20, 2026, Verizon published the 2026 Data Breach Investigations Report with a dedicated AI section built on original research conducted with Anthropic. The study examined 793 threat actors and found the median actor used AI across 15 MITRE ATT&CK techniques. AI assisted text in phishing emails doubled year over year. The report highlighted VoidLink, a malware framework an AI agent assembled in six days, and PromptLock, described as the first AI powered ransomware to dynamically generate cross platform encryption scripts through local large language models. Verizon framed these developments as a point of no return for automated threat development.
The same report documents a parallel crisis on the defensive perimeter of the enterprise. Sixty seven percent of employees access AI from non corporate accounts on corporate devices. Source code is the number one data type uploaded to unauthorized AI services. Regular AI users tripled from 15 percent to 45 percent in a single year. Shadow AI now ranks as the third most common non malicious insider action in DLP datasets, with detections up fourfold.
Attackers are operationalizing AI at scale. Employees are exporting sensitive data into AI platforms at scale. This post will walk through that dual failure, explain why both sides share the same root cause, and make the case that AI governance should be treated like ordinary access control rather than a novel category requiring novel frameworks.
The AI Governance Gap
The structural pattern is straightforward. AI is integrated into offensive campaigns faster than most security programs can detect or respond to AI augmented tradecraft. At the same time, employees are creating new data loss paths through ungoverned AI usage that most organizations cannot even inventory. Both failures trace to the same gap. Organizations have not extended their existing governance structures to cover AI as an enablement technology.
On the offensive side, the DBIR data shows AI accelerating known techniques rather than inventing a new attack taxonomy. Less than 2.5 percent of AI assisted techniques involved rare or novel methods. Exploitation accounted for 32 percent of AI assisted activity. Phishing accounted for 44 percent. The median threat actor spread AI assistance across 15 ATT&CK techniques. That is operational integration, not experimentation at the margins.
On the internal side, the risk profile is different but equally concrete. Shadow AI is structurally worse than the shadow IT wave of a decade ago. Shadow IT brought unapproved systems into the environment. Data mostly stayed inside those systems until an integration or misconfiguration exposed it. Shadow AI sends data out by design. Every prompt that includes source code, customer records, or internal research documentation is a potential data loss event routed to an external platform the security team may never have approved.
At this point one is likely wondering why organizations keep treating AI governance as a special case. The answer is habit and headline anxiety. AI feels unprecedented, so boards ask for AI specific task forces, novel policy templates, and moratoriums that security teams cannot enforce. The result is either a ban that employees route around, or no policy at all while usage explodes. Neither outcome produces governance.
The practical position is simpler. AI governance should look like access control for any other high impact enablement technology. Start with an inventory of who uses which AI platforms, for what purposes, and with what data. Apply least privilege based on role and need. Enshrine boundaries in an acceptable use policy. Monitor for anomalies the same way organizations monitor privileged database access or SaaS exfiltration. Treat AI like just another enablement technology, because that is what it is in governance terms.
It is important to consider that restriction without structure fails on both sides of the gap. Organizations that block security teams from frontier AI capabilities do not eliminate the offensive use case. They forfeit the defensive one. Attackers face no compliance review, no procurement cycle, and no internal debate about whether to adopt AI assisted phishing, exploitation, or malware development. Defenders who voluntarily stay on manual timelines widen a gap that the DBIR now measures in median technique counts and doubled phishing quality.
Governance is the right answer. Governance for AI looks exactly like governance for production databases, code repositories, and privileged SaaS integrations. Inventory, least privilege, policy, monitoring. The organizations overcomplicating this problem are waiting for a novel framework while their data leaves through chat windows that their DLP stack was never configured to watch.
The Dual AI Governance Failure
| Dimension | Offensive Side (AI in attacks) | Internal Side (Shadow AI) |
| Scale | Median 15 techniques per actor | 67% using non corporate AI accounts |
| Growth | AI phishing text doubled | Regular AI users 3x (15% to 45%) |
| Data type | Exploitation (32%) and phishing (44%) | Source code (#1), technical docs (3.2%) |
| Novelty | <2.5% novel techniques | 4x increase in DLP detections |
| Governance status | Limited detection for AI augmented TTPs | Limited visibility into AI tool usage |
The Evidence Beyond the Headlines
The DBIR is the anchor for May 2026. It is not the only proof that the gap is already costing organizations money and time.
AI offensive capability was already proven
OpenAI classified GPT-5.3-Codex as high cyber capability under its Preparedness Framework when the model shipped in February 2026. Anthropic had already classified unreleased frontier models on the same axis before the Mythos leak compressed public attention. Capability at the model layer was documented by vendors themselves before Verizon quantified how threat actors operationalize it.
Google Threat Intelligence Group confirmed in May 2026 what many researchers had been tracking as a theoretical risk. Threat actors used AI to help develop a zero day exploit that bypassed two factor authentication through a semantic logic flaw in a widely deployed administration tool. That is a finished offensive outcome beyond what lab benchmarks alone would imply.
Amazon Threat Intelligence documented a single financially motivated actor with low to medium baseline skill using commercial AI services to compromise more than 600 FortiGate devices across 55 countries in 38 days, as published on the AWS Security Blog in February 2026. The actor used AI across planning, tooling, and lateral movement. The volume of custom tooling would typically imply a well resourced development team. The DBIR median of 15 AI assisted techniques per actor rhymes with that campaign at scale.
DARPA's AI Cyber Challenge produced Cyber Reasoning Systems whose agents found 18 real vulnerabilities in production software during the 2025 final competition, including six zero days, at an average cost of $152 per finding. Anthropic's Frontier Red Team reported in February 2026 that Claude Opus 4.6 discovered more than 500 high severity zero days in production open source codebases using out of the box capabilities. The UK AI Security Institute and Palo Alto Networks published benchmarks in May 2026 showing frontier models approaching autonomous enterprise intrusion capability in controlled testing, including multi stage paths through credential theft, privilege escalation, lateral movement, and persistence.
That pattern matches the DBIR's novelty statistic. AI compresses time to execute known tradecraft. It does not require a new MITRE category to damage an organization that still cannot see AI assisted phishing or AI generated malware frameworks arriving on the same calendar quarter.
VoidLink and PromptLock belong in that same bucket as escalation signals. A malware framework built by an AI agent in six days. Ransomware that generates cross platform encryption logic locally. Both are warnings that automated threat development has crossed from proof of concept to production tempo. Verizon's framing of a point of no return for automated threat development is consistent with what independent offensive research already demonstrated in 2025 and early 2026.
Shadow AI as a data loss vector
The internal statistics in the 2026 DBIR read like an adoption curve security teams have seen before, with worse data flow physics.
Forty five percent of users are now regular AI users, up from 15 percent in the prior year. Sixty seven percent access AI from non corporate accounts on corporate devices. Shadow AI ranks third among non malicious insider actions in DLP datasets and detections rose fourfold. Source code leads uploaded data types. Research and technical documentation accounted for 3.2 percent of DLP violations involving external AI. Fifteen percent of users run unauthorized AI browser extensions that collect browsing context.
The historical parallel to shadow IT is useful for executives who lived through the SaaS sprawl decade. Shadow IT was a governance gap where teams adopted tools without approval. Shadow AI is the same governance gap with outbound data gravity. The deeper risk is that proprietary logic leaves the trust boundary in a paste buffer every time an employee submits a prompt containing work product.
Shadow AI Data Exposure Model
The DBIR provides the percentages. It does not model what those percentages mean for a specific organization. We did.
For a representative organization with 1,000 employees, the DBIR figures produce the following exposure model.
| Step | Calculation | Result |
| Total employees | Baseline | 1,000 |
| Regular AI users (45%) | 1,000 x 0.45 | 450 |
| Using non corporate accounts (67%) | 450 x 0.67 | ~302 |
| Daily AI prompts per user (industry midpoint) | 302 x 7 | ~2,114 |
| Prompts containing sensitive work data (~30%) | 2,114 x 0.30 | ~634 per day |
| Monthly (22 working days) | 634 x 22 | ~13,950 |
| Annual (250 working days) | 634 x 250 | ~158,500 |
*Assumptions: 45% regular AI users and 67% non corporate account usage from Verizon 2026 DBIR. Seven prompts per day is a conservative industry midpoint for regular AI users (enterprise AI usage surveys consistently report knowledge workers averaging 5 to 15 AI interactions per working day). Thirty percent sensitive data rate is a conservative estimate based on DLP research showing roughly a third of AI prompts in enterprise settings contain proprietary or work sensitive content.
Approximately 634 prompts containing sensitive work data leave the trust boundary every working day through ungoverned AI channels in a 1,000 person organization. Over a year, that approaches 158,500. Those prompts are routed to platforms the security team may not have approved, may not monitor, and may not even know exist.
Source code is the number one data type according to the DBIR. For a software company or any organization with significant development activity, a meaningful share of those 158,500 annual prompts contain proprietary logic, internal architecture details, or unreleased product code. The data loss is silent because no file was downloaded, no USB drive was inserted, and no email was sent to a personal address. The data left through a chat window.
This model scales linearly. A 5,000 person organization faces approximately 3,170 sensitive prompts per day through ungoverned channels. A 10,000 person organization faces approximately 6,340. The exposure is proportional and it compounds every day that governance is absent.
AI Offensive Capability Timeline
No single publication has assembled the complete progression from lab demonstration to operational deployment of AI offensive capabilities. The milestones are scattered across vendor reports, government publications, and threat intelligence disclosures. The pace is worth tracing.
| When | Milestone | Source |
| Q3 2024 | DARPA AIxCC semifinal: AI agents find vulns at 37% success rate | DARPA |
| Q1 2025 | AIxCC final: 18 real vulns, 6 zero days, $152/finding, 77% rate | DARPA |
| Q1 2025 | Claude Opus 4.6 finds 500+ high severity zero days in production OSS | Anthropic Frontier Red Team |
| Q1 2025 | GPT-5.3-Codex classified as "High Cyber Capability" | OpenAI Preparedness Framework |
| Q1 2025 | Single actor compromises 600+ FortiGate devices across 55 countries in 38 days using AI | Amazon Threat Intelligence |
| Q2 2025 | First confirmed AI developed zero day exploit (2FA bypass) | Google GTIG |
| Q2 2025 | DBIR measures median AI usage across 793 threat actors (15 techniques) | Verizon / Anthropic |
| Q3 2025 | VoidLink: malware framework built by AI agent in 6 days | Verizon DBIR |
| Q4 2025 | PromptLock: first AI powered ransomware using local LLMs | Verizon DBIR |
The progression from controlled lab environment to confirmed field deployment spans approximately 12 months. Every milestone was confirmed by a different independent source. DARPA documented the competition results. Amazon documented the FortiGate campaign. Google GTIG confirmed the zero day. Anthropic documented both the defensive capability and the offensive misuse. The DBIR synthesized 793 actors with Anthropic. The convergence of independent sources on the same finding, that AI is operationally integrated into attack campaigns, is what makes the case structural rather than anecdotal.
AI as a defensive force multiplier
The offensive numbers are only half of the budget conversation. IBM's 2025 Cost of a Data Breach Report found organizations with extensive AI in security operations saved $1.9 million per breach on average. AI enabled organizations identified breaches in 148 days and contained them in 42 days. Organizations without that capability averaged 168 days to identify and 64 days to contain. That gap is dwell time translated directly into cost.
The SANS 2025 Threat Hunting Survey found 61 percent of organizations cite skilled staffing shortages as the primary barrier to threat hunting. AI assisted correlation, hypothesis generation, and triage automation are how smaller teams approximate the pace the DBIR documents on the offensive side. Restriction without governance removes that path while leaving attacker access untouched.
What Organizations Should Do Now
The following recommendations mirror the same sequence security teams already use for SaaS, privileged access, and data exfiltration controls. AI is another surface. The controls are not mysterious.
Build an AI usage inventory. Catalog which employees use which AI platforms, for what purposes, and with what categories of data. The same asset management discipline applied to SaaS subscriptions and code repository access applies here. You cannot scope least privilege for a surface you cannot see.
Apply least privilege to AI access. Not every employee needs frontier model access. Not every use case requires uploading source code or customer data. Scope platform choice, model tier, and data submission rights by role the same way organizations scope access to production databases and CI/CD secrets.
Establish an AI acceptable use policy. Enshrine approved platforms, permitted data types, and review requirements in policy. Structured enablement replaces shadow usage with governed usage and explicit boundaries security can monitor. Employees are already using AI. Policy gives security teams something enforceable.
Deploy DLP for AI platforms. Monitor what data flows to AI services the same way organizations monitor uploads to personal cloud storage or unknown SaaS tenants. Source code and internal documentation leaving the organization through an AI prompt is a data loss event even when the employee had good intentions.
Enable security teams with frontier AI capabilities. The offensive side is not waiting for procurement approval. Invest in AI assisted threat hunting, detection engineering, and incident response workflows with audit trails and tool boundaries. Organizations that restrict defenders while attackers operationalize AI across 15 techniques are choosing the worst asymmetry available.
Extend zero trust principles to AI agents. As tools gain autonomy, each agent interaction should be scoped, audited, and revocable. Treat agent credentials like privileged access requests with time bounds and default deny postures. Authorization layers provide the actual control boundary. Prompt level instructions alone do not.
The Gap Closes Through Ordinary Governance
The 2026 DBIR will be remembered for exploitation overtaking credentials as the top initial access vector. The AI chapter deserves equal weight. Median threat actors already spread AI across 15 techniques. Phishing quality doubled. Malware frameworks compress from weeks to days. Inside the same enterprises, nearly half the workforce uses AI regularly and two thirds route it through non corporate accounts on managed devices.
The organizations that move fastest will treat AI governance as an extension of access control they already operate. They will inventory usage, scope privilege, write policy, monitor exfiltration, and arm defenders with the same class of tools attackers already treat as routine. The organizations that ban AI without structure will discover their source code on an unauthorized platform. The organizations that ignore AI governance entirely will discover the same outcome without ever having written a policy.
Sources
-
Verizon, "2026 Data Breach Investigations Report," May 20, 2026, https://www.verizon.com/business/resources/reports/dbir/
-
SecurityWeek, "Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector," May 20, 2026, https://www.securityweek.com/verizon-dbir-2026-vulnerability-exploitation-overtakes-credential-theft-as-top-breach-vector/
-
Anthropic and Verizon DBIR collaboration (AI threat actor research, 793 actor sample), as reported in the 2026 DBIR
-
OpenAI, "GPT-5.3-Codex System Card," February 5, 2026, https://openai.com/index/gpt-5-3-codex-system-card/
-
Anthropic, "Claude Code Security" and Frontier Red Team research, February 2026, https://www.anthropic.com/research/claude-code-security
-
Amazon Web Services Security Blog, "AI-Augmented Threat Actor Accesses FortiGate Devices at Scale," February 2026, https://aws.amazon.com/blogs/security/ai-augmented-threat-actor-accesses-fortigate-devices-at-scale/
-
DARPA, "AI Cyber Challenge Marks Pivotal Inflection Point for Cyber Defense," 2025, https://www.darpa.mil/news/2025/aixcc-results
-
Google Threat Intelligence Group, "AI Vulnerability Exploitation and Initial Access," May 2026, https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access
-
UK AI Security Institute, "How Fast Is Autonomous AI Cyber Capability Advancing," May 2026, https://www.aisi.gov.uk/blog/how-fast-is-autonomous-ai-cyber-capability-advancing
-
Palo Alto Networks, "Defenders Guide: Frontier AI Impact on Cybersecurity," May 2026 update, https://www.paloaltonetworks.com/blog/2026/05/defenders-guide-frontier-ai-impact-cybersecurity-may-2026-update/
-
IBM, "2025 Cost of a Data Breach Report," 2025, https://www.ibm.com/reports/data-breach
-
SANS Institute, "2025 Threat Hunting Survey: Advancements in Threat Hunting Amid AI and Cloud Challenges," 2025, https://www.sans.org/white-papers/sans-2025-threat-hunting-survey-advancements-threat-hunting-amid-ai-cloud-challenges
-
Suzu Labs, "Claude Mythos and the Cybersecurity Risk That Was Already Here," March 27, 2026, https://suzulabs.com/suzu-labs-blog/claude-mythos-and-the-cybersecurity-risk-that-was-already-here
-1.png)
.png)
.png)
.png)
