Fear has loomed large for some time now, as in the wrong hands, AI could be a lethal weapon in the cybersecurity threat landscape. The evidence shows that the threat has come into fruition.
Verizon’s 2026 Data Breach Investigations Report (DBIR) reveals how effective adversaries have become in using AI to capitalise on enterprise weaknesses. Exploiting software vulnerabilities was the initiating factor in 31% of all breaches, notable because this is the first time in almost 20 years that it has overtaken compromised credentials as the most frequent entry point for an attack.
Go deeper with GlobalData
Access deeper industry intelligence
Experience unmatched clarity with a single platform that combines unique data, AI, and human expertise.
The 2026 DBIR, which examines 31,000 enterprise security incidents in 145 countries–22,000 of which are confirmed data breaches – highlighted how adversaries are both employing AI as an offensive weapon and leveraging security gaps in AI-driven applications to gain access to organisational resources. One finding is that staff are increasingly using unsanctioned AI tools to conduct business. These shadow AI tools are the third most frequent issue cited in data leakage, a quadruple increase over 2025. In just one year, the percentage of employees using shadow AI jumped from 15% to 45%. Of these users, 67% are connecting to shadow AI from non-corporate accounts running on their corporate devices.
Most frequently, employees are uploading source code to unauthorised GenAI models. Alarmingly, some (3%) employees are submitting research and technical documentation to shadow AI systems – in other words, intellectual property.
Social engineering remains a popular criminal tactic as part of 16% of all breaches. Mobile-centric social engineering that targets text and voice messaging is a particularly effective technique with a click-rate 40% higher than email. Pretexting, in which an adversary creates a fictional situation to get a target to give out sensitive information, credentials, or funds, is represented in 6% of breaches.
The percentage of breaches (48%) that are part of ransomware climbed again – up 4% over last year. But organisations are paying less frequently, with only 31% submitting to the ransom demand. And they are paying less: the median ransom paid was $139,875 – down more than $10,000 from the prior year.
The interconnected nature of business opens up points of exposure along the supply chain. Third-party affiliated breaches shot up 60% from last year, accounting for nearly half (48%) of all breaches. With respect to third-party cloud exposure, these breaches are remedied at a snail’s pace, with only 50% saying complete remediation of missing or under-secured multifactor authentication (MFA) within a month.
“Through a substantial dataset, this year’s DBIR demonstrates how critical it is for organisations to understand how threat actors are capitalising on points of weakness with AI as a critical weapon in their arsenals,” says Amy DeCarlo, principal analyst, GlobalData, adding: “Enterprises need to tap into both AI and automation themselves to find and fix vulnerabilities and accelerate remediation in the event of a breach.”
