AI Phishing Security Operations

AI in Cybersecurity: Benefits, Risks, and Strategy


Key Takeaways

  • AI-generated phishing emails are now flawless and contextually convincing — identifying attacks by spelling errors is no longer a reliable strategy
  • CEO Fraud 2.0 uses AI-synthesised voices to instruct urgent wire transfers by phone — a four-eyes principle and verified callback process are essential countermeasures
  • On the defensive side, AI in SIEM systems like Microsoft Sentinel detects behavioural deviations that would be nearly impossible to identify manually at scale
  • DMARC, SPF, and DKIM for your email domains are technically straightforward measures with direct impact against AI-powered phishing campaigns
  • AI changes the rules but does not make existing security concepts obsolete — awareness training and approval processes must be updated urgently

Artificial intelligence has fundamentally changed cybersecurity in 2026. Attackers use AI to automate phishing campaigns, imitate voices, and find vulnerabilities faster. At the same time, security teams deploy AI to detect anomalies and process incidents more quickly. For businesses, it is important to assess both sides soberly.

How attackers use AI

AI-generated phishing emails are virtually indistinguishable from genuine messages. Language models produce error-free, contextually appropriate emails in any language. The days when phishing emails could be identified by poor grammar are over.

Particularly relevant for businesses is the use of deepfake voices and videos. Attackers can synthetically replicate a CEO’s voice and instruct an urgent transfer by phone. These attacks are referred to as CEO Fraud 2.0 and specifically target employees in accounting or finance departments.

Additionally, attackers use AI tools to automatically identify vulnerabilities in networks and applications. What previously required hours of manual work can now be accomplished in minutes with AI assistance.

Where AI helps with defence

On the defence side, AI provides value primarily in two areas: anomaly detection and accelerating incident response.

SIEM systems such as Microsoft Sentinel use machine learning to detect deviations from normal user behaviour. If a user account suddenly logs in at unusual times, accesses atypical resources, or transfers large volumes of data, the system can automatically trigger an alert.
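The following is an added example, not Microsoft Sentinel's logic or any code from this article. It shows the mechanics behind the three deviations named above (unusual hours, atypical resources, large transfers): a per-user baseline is built from historical events, and each new event is scored against it on every axis, so that a single event can raise several reasons at once. The log format and all events are constructed; a real deployment would feed the same logic from the SIEM's normalised sign-in and file-activity tables over weeks of history rather than a handful of lines.

```python
"""Behavioural-anomaly scoring over constructed sign-in / download events.

Constructed line format: <ISO timestamp> <user> <action> <resource> <bytes>
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed "normal" history for two users.
BASELINE = """\
2026-03-02T08:55:00 alice login fileserver-01 0
2026-03-02T09:10:00 alice download fileserver-01 120000
2026-03-02T13:40:00 alice download fileserver-01 95000
2026-03-03T09:02:00 alice login fileserver-01 0
2026-03-03T11:15:00 alice download sharepoint-hr 80000
2026-03-03T16:20:00 alice download fileserver-01 110000
2026-03-02T09:30:00 bob login git-01 0
2026-03-02T10:05:00 bob download git-01 45000
2026-03-03T09:45:00 bob login git-01 0
2026-03-03T15:10:00 bob download git-01 52000
"""

# Constructed new events: one benign day for each user plus a 03:00 login
# followed by a 25 MB pull from a resource alice has never touched.
NEW_EVENTS = """\
2026-03-04T09:05:00 alice login fileserver-01 0
2026-03-04T03:12:00 alice login fileserver-01 0
2026-03-04T03:20:00 alice download finance-db 25000000
2026-03-04T10:00:00 bob download git-01 48000
"""


def parse(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, resource, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource, "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Per-user profile: hours seen, resources touched, download sizes."""
    profile = defaultdict(lambda: {"hours": set(), "resources": set(), "bytes": []})
    for e in events:
        p = profile[e["user"]]
        p["hours"].add(e["ts"].hour)
        p["resources"].add(e["resource"])
        if e["action"] == "download":
            p["bytes"].append(e["bytes"])
    return profile


def score(event, profile):
    """Return the list of reasons an event deviates from the user's baseline."""
    p = profile.get(event["user"])
    if p is None:
        return ["unknown user"]
    reasons = []
    hour = event["ts"].hour
    # Unusual hour: not within one hour of any hour previously seen for this user.
    if all(abs(hour - h) > 1 for h in p["hours"]):
        reasons.append("unusual hour")
    if event["resource"] not in p["resources"]:
        reasons.append("new resource")
    if event["action"] == "download" and p["bytes"]:
        mu, sigma = mean(p["bytes"]), pstdev(p["bytes"])
        # max(sigma, 1.0) guards against a zero spread in tiny baselines.
        if event["bytes"] > mu + 3 * max(sigma, 1.0):
            reasons.append("volume outlier")
    return reasons


def detect(baseline_text, new_text):
    """Return (user, timestamp, reasons) for every new event that deviates."""
    profile = build_baseline(parse(baseline_text))
    alerts = []
    for e in parse(new_text):
        reasons = score(e, profile)
        if reasons:
            alerts.append((e["user"], e["ts"].isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in detect(BASELINE, NEW_EVENTS):
        print(f"ALERT {ts} {user}: {', '.join(reasons)}")
```

Running it flags only the two 03:00 events for alice; the 09:05 login and bob's routine pull stay quiet. The point of scoring on several axes is that the third event trips all three checks at once, which is the kind of stacked deviation that is easy for a system to see and hard for a person scanning raw logs.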

During incident response, AI supports security analysts through automated summaries, event correlation, and recommended actions. This does not replace expertise but significantly accelerates response time.

What businesses should adjust now

Update awareness training. Employees need to know that phishing emails are now flawless and contextually convincing. Training should use current examples and no longer rely primarily on spelling errors as an identification criterion.

Harden approval processes. No financial transfer, change of bank details, or release of sensitive data should occur solely on the basis of a phone call or email. Implement a four-eyes principle and a defined callback process using verified contact details.
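As an added example (not code from the article), the two rules in the paragraph above can be written down as a small policy check: a transfer is blocked until two distinct approvers, neither of whom entered the request, have signed off, and until someone has called back the requester on the number held in the organisation's own directory. A number quoted inside the request itself is treated as untrusted by design, because in a CEO-fraud call that number belongs to the caller. The directory, names and amounts are constructed.

```python
"""Four-eyes approval with a verified-callback requirement (constructed policy engine)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed directory of verified contact details, maintained out-of-band.
# The request never contributes entries to it.
VERIFIED_DIRECTORY = {"cfo@example.test": "+49-30-555-0100"}


@dataclass
class TransferRequest:
    entered_by: str                     # clerk who keyed the request into the system
    claimed_requester: str              # executive the caller or email claims to be
    amount: float
    beneficiary_iban: str
    channel: str                        # "phone" or "email"
    number_quoted_in_request: Optional[str] = None   # "call me back on ..." (untrusted)
    approvals: set = field(default_factory=set)
    callback_verified_via: Optional[str] = None


class ApprovalPolicy:
    def __init__(self, directory, required_approvers=2):
        self.directory = directory
        self.required = required_approvers

    def record_callback(self, req, dialled_number):
        """Count the callback only if it went to the directory number."""
        expected = self.directory.get(req.claimed_requester)
        if expected is not None and dialled_number == expected:
            req.callback_verified_via = dialled_number
            return True
        return False

    def approve(self, req, approver):
        """Add an approver; whoever entered the request cannot approve it."""
        if approver == req.entered_by:
            return False
        req.approvals.add(approver)   # a set, so one person cannot count twice
        return True

    def blockers(self, req):
        """Unmet conditions; an empty list means the transfer may be executed."""
        reasons = []
        if req.callback_verified_via is None:
            reasons.append("no callback to verified directory contact")
        if len(req.approvals) < self.required:
            reasons.append(f"{len(req.approvals)} of {self.required} distinct approvals")
        return reasons


def demo():
    """Walk a CEO-fraud-style request through the policy; returns the blockers after each step."""
    policy = ApprovalPolicy(VERIFIED_DIRECTORY)
    req = TransferRequest(entered_by="clerk1", claimed_requester="cfo@example.test",
                          amount=48_500.00, beneficiary_iban="XX00 CONSTRUCTED 0000",
                          channel="phone", number_quoted_in_request="+49-30-555-0199")
    trace = []
    # 1. Clerk calls the number the caller supplied: must not count.
    policy.record_callback(req, req.number_quoted_in_request)
    trace.append(policy.blockers(req))
    # 2. Clerk tries to approve their own entry: rejected.
    policy.approve(req, "clerk1")
    trace.append(policy.blockers(req))
    # 3. Callback to the directory number; one controller approves twice.
    policy.record_callback(req, VERIFIED_DIRECTORY["cfo@example.test"])
    policy.approve(req, "controller1")
    policy.approve(req, "controller1")
    trace.append(policy.blockers(req))
    # 4. A second, distinct controller approves: nothing blocks the transfer.
    policy.approve(req, "controller2")
    trace.append(policy.blockers(req))
    return trace


if __name__ == "__main__":
    for step, blockers in enumerate(demo(), 1):
        print(f"step {step}: {blockers or 'clear to execute'}")
```

The design choice worth noting is that the callback check keys on the *claimed* requester's directory entry rather than on anything in the message, so a convincing voice or a spoofed email gains the attacker nothing unless they also control the number the organisation already holds on file.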

Strengthen technical controls. DMARC, SPF, and DKIM should be configured for your email domains to make email spoofing more difficult. These measures are technically straightforward but are not fully implemented in many organisations.

Recommendation

AI changes the rules of the game but does not make existing security concepts obsolete. Review whether your awareness training is current, whether your approval processes withstand social engineering, and whether your email security is correctly configured. These three measures address the most immediate AI-powered threats.

Frequently Asked Questions

How do we identify AI-generated phishing emails if they contain no errors?

Rather than looking for language mistakes, employees should focus on context: Does this request fit normal workflow? Does the sender match the content? Does the exact sender address check out? Most importantly: unusual urgency, requests for confidential information, or payment instructions should always be verified through a separate, verified callback channel — never by replying to the original message.

What is CEO Fraud 2.0 and how is it different from classic CEO fraud?

Classic CEO fraud uses emails made to appear to come from a senior executive. CEO Fraud 2.0 uses AI-synthesised voices or videos that simulate real-time phone calls convincingly. The barrier to this attack has dropped dramatically — a few seconds of publicly available audio is enough for a convincing voice clone. The financial exposure is typically higher because phone calls feel more urgent and harder to second-guess in the moment.

Which technical measures specifically counter AI-powered email phishing?

DMARC (Domain-based Message Authentication, Reporting and Conformance), SPF (Sender Policy Framework), and DKIM (DomainKeys Identified Mail) make it significantly harder for attackers to spoof your email domain. When all three are correctly configured, an attacker cannot easily send emails that appear to come from your domain. These are among the most impactful low-effort measures available.
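The following added example (not the article's or any vendor's code) turns the advice in "Strengthen technical controls" and this answer into a check you can run: given the TXT records for a domain, it reports whether SPF ends in a hard fail, whether a DKIM public key is published for the sending selector, and whether DMARC is actually enforcing and collecting reports. To stay offline it takes records from a dict of constructed values rather than from DNS; in practice the same functions would be fed from a resolver such as dnspython. It deliberately checks only the final SPF term, so records that end in `redirect=` or spread senders over several `include:` lookups need the full RFC 7208 evaluation that this toy does not perform. A weakly configured domain is shown beside a hardened one.

```python
"""Offline sanity check of SPF, DKIM and DMARC records (constructed inputs)."""

# Constructed records for two hypothetical domains.
WEAK = {
    "example-weak.test": ["v=spf1 include:_spf.mailhost.test ?all"],
    "_dmarc.example-weak.test": ["v=DMARC1; p=none"],
    # no DKIM key published for the sending selector
}
HARDENED = {
    "example-hard.test": ["v=spf1 include:_spf.mailhost.test -all"],
    "_dmarc.example-hard.test": [
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-hard.test; adkim=s; aspf=s"
    ],
    "sel1._domainkey.example-hard.test": ["v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"],
}


def parse_tags(txt):
    """Split 'k=v; k2=v2' style records (DMARC, DKIM) into a lowercase-keyed dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(records, domain):
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record"]
    if len(spf) > 1:
        return ["SPF: more than one v=spf1 record (evaluates to permerror)"]
    last = spf[0].split()[-1].lower()
    if last == "-all":
        return []
    if last == "~all":
        return ["SPF: ~all marks unlisted senders as softfail rather than rejecting them"]
    return [f"SPF: final term '{last}' does not reject unlisted senders; use -all"]


def check_dkim(records, domain, selector):
    name = f"{selector}._domainkey.{domain}"
    # An empty p= tag is a revoked key, so it is treated as missing too.
    dkim = [r for r in records.get(name, []) if parse_tags(r).get("p")]
    return [] if dkim else [f"DKIM: no public key published at {name}"]


def check_dmarc(records, domain):
    name = "_dmarc." + domain
    dmarc = [r for r in records.get(name, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return [f"DMARC: no record at {name}"]
    tags = parse_tags(dmarc[0])
    findings = []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={tags.get('p')} monitors only; set p=quarantine or p=reject")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports to spot spoofing")
    return findings


def assess(records, domain, dkim_selector="sel1"):
    """All findings for the domain; an empty list means the three checks pass."""
    return (check_spf(records, domain)
            + check_dkim(records, domain, dkim_selector)
            + check_dmarc(records, domain))


if __name__ == "__main__":
    for label, records, domain in (("weak", WEAK, "example-weak.test"),
                                   ("hardened", HARDENED, "example-hard.test")):
        findings = assess(records, domain)
        print(f"{label} ({domain}): {findings or 'all checks pass'}")
```

The weak domain produces four findings (permissive `?all`, no DKIM key, `p=none`, no reporting address) and the hardened one none. Note that a DMARC policy only bites once SPF or DKIM aligns with the From: domain, which is why all three are configured together rather than one at a time.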

Does AI replace security analysts in a SOC?

No — but it changes their work substantially. AI in SIEM systems handles initial anomaly detection and event correlation. Analysts are relieved of repetitive triage and can focus on complex incidents requiring judgement. Professional expertise, environmental context knowledge, and decision-making capability remain distinctly human strengths that AI supports rather than replaces.