AI Security Paradox: Are Firms Overconfident On AI Threats?

Accenture’s report finds AI adoption is outpacing security controls, leaving firms exposed to more sophisticated, AI-enabled social engineering attacks

New research from Accenture has uncovered a major chasm in enterprise cybersecurity as artificial intelligence threats continue to grow.

The findings suggest that while confidence in identifying cyber threats is high among employees, the reality of their training and behaviour tells a different story, creating a dangerous paradox for businesses.

According to the study, one in four British employees under the age of 35 would act on a suspicious message if they believed it was from a colleague or a senior leader.

This vulnerability is highlighted by data from Accenture’s 2025 State of Cybersecurity Resilience Report. The report shows that 90% of companies currently lack the capability to defend against AI-driven cybersecurity threats.

This is compounded by the fact that only 36% of leaders acknowledge that the pace of AI's evolution is outstripping their own security protocols.

The research also found that 15% of employees would share company data or authorise payments through messaging apps without verifying the sender’s identity if the request appeared to originate from a manager or peer.

AI-driven deception and workforce vulnerability

The confidence of the workforce may be misplaced. While four in five employees (81%) believe they can identify a phishing attempt, the data points to serious overconfidence. This presents a clear risk, especially when coupled with a lack of specific training against modern threats.

The growing sophistication of AI-powered social engineering is a key factor in this emerging threat landscape.

Kamran Ikram, Accenture’s Security Lead in the UK & Ireland, explains: “Cyber-attacks prove no organisation is untouchable, and these results show a growing threat from AI-driven social engineering where attackers target trust instead of technical flaws. With cyber criminals weaponising information from social media to deceive people with realistic messages or calls, employees must make faster judgment calls on what’s real and what’s not.”

“The workforce feels cyber confident – though it's uneven among men and women, there remains a serious skills and training gap across the board. Being overconfident yet undertrained is a dangerous position to be in.”

Zones based on Accenture’s latest State of Cyber Resilience report | Credit: Accenture

The AI training divide and security maturity

Accenture’s report categorises organisations into three zones based on their cyber capability and strategy: the reinvention-ready zone, the progressing zone, and the exposed zone. A concerning 63% of companies fall into the exposed zone, meaning they are the most vulnerable to attack.

In contrast, only 10% have reached the reinvention-ready zone, a status that makes an organisation 69% less likely to suffer a cyberattack compared to those in the exposed category.

A large part of this vulnerability stems from a lack of adequate training. The research reveals that more than a third of employees in the UK have not received any cybersecurity training at all.

Furthermore, with only 20% of staff trained to spot deepfakes and AI-generated phishing emails, many companies are left open to social engineering attacks that exploit this knowledge gap.

This issue is becoming more acute as businesses rapidly adopt AI tools, often without enterprise-wide guidance on how to use them securely.

Building a framework for AI security

To address these challenges, the report outlines four decisive actions for organisations aiming to become reinvention-ready and bolster their defences against AI-powered threats.

  • First is the development of a security governance framework across the entire organisation that accounts for the new realities of an AI-disrupted world.
  • Second, as companies integrate AI, they must design a digital core that is secure by default, embedding security into every layer of AI development, deployment, and operation.
  • Third, businesses need to maintain resilient AI systems through proactive and AI-specific threat management, which is critical in an era of AI-based attacks like the Morris II worm.
  • Fourth, leaders should promote enterprise efforts to reinvent cybersecurity using generative AI to help close the talent gap and improve the speed of threat detection.

“Organisations must look to be resilient in every area of their operations and supply chain, which means ongoing education on cyber threats,” Kamran says. “Businesses can’t rely on patchy preparedness when attackers are advancing by the day.”
