According to the latest New Zealand Business Cyber Security report by Kordia, almost a quarter (24 per cent) of medium- to large-sized businesses rate staff AI misuse as one of their top security concerns.
One in four businesses mentioned improper AI use as one of the three largest obstacles they face regarding cyber security uplift, compared to 16 per cent the previous year.
AI, as a technology, is known to bring businesses potential productivity gains when implemented properly with human oversight, but it can also create new vulnerabilities and expand the threat landscape.
Kordia found that cyber attacks that exploited AI more than doubled from 2024 to 2025 (6 per cent to 14 per cent, respectively).
According to the general manager of Kordia-owned Aura Information Security, Patrick Sharp, this increase in AI-related cyber incidents is linked to how businesses are adopting AI.
“Insider threats, whether accidental or malicious, have always been a factor in cyber incidents and data breaches. But shadow AI – the unauthorised use of AI tools by employees – is growing into a massive problem,” he said.
“Individual staff members are copying confidential data into AI systems – information they would never put into Google – without understanding the risks and without guidance from their organisation.
“Business leaders are telling us it’s keeping them up at night. Nearly half (43 per cent) said employees accidentally exposing data or AI-driven processes is the biggest cyber risk to their business, making it the top concern by quite a margin. In addition, many New Zealand and international organisations are implementing sanctioned AI tools without sufficient security governance and practices.”
Threat actors are using the technology themselves to bolster cyber attacks. Speaking with Cyber Daily, Errol Weiss, chief security officer of information-sharing non-profit Health-ISAC, said AI is giving hackers tools to launch more sophisticated attacks.
“Generative AI has given attackers the ability to customise payloads and phishing campaigns at speed and at scale, quickly undercutting the value of signature-based tools and legacy email filters,” he said.
“Large language models let adversaries continuously tweak language, structure, and delivery, so threats no longer stay static long enough to be reliably detected. As deepfakes, synthetic identities, and highly localised lures become easier to produce, defenders can no longer fall back on obvious tells like poor grammar or reused code.”
What this adds up to, according to Weiss, is hackers capable of learning quicker than traditional cyber security controls were ever designed to keep pace with.
“When attacks are being generated and refined automatically, no single organisation can see enough, fast enough to stay ahead on its own. The only realistic counter is actionable intelligence sharing that turns one organisation’s near-miss into an early warning for everyone else,” Weiss said.
“Pairing that intelligence with human-layer threat modelling grounded in real workflows and clinical realities shows how generative attacks will actually be used against staff, not just how they appear in theory. Communities that openly exchange TTPs, playbooks, and real-time indicators give defenders a way to adapt collectively, at a pace no individual team could match.”
