Businesses generally aren’t taking a proactive enough approach to blocking schemes that spoof their leaders’ identities, according to a new report.
AI’s ability to generate convincing fake media has opened “a second front” in businesses’ war against impersonation schemes, Outtake said in its report, which was based on a survey of more than 1,100 cybersecurity and risk-management leaders.
Nearly half (47%) of companies “have already encountered confirmed or suspected synthetic-media impersonation of an executive or brand representative,” according to the report. Additionally, companies identify AI-generated attacks as the biggest visibility gap in their impersonation-prevention strategy.
“People are the most exposed and least protected attack surface,” Outtake said. According to the report, only 43% of companies conduct identity-spoofing simulations involving their executives to identify the biggest potential impersonation risks.
Companies’ preparedness for AI threats isn’t much better when it comes to agentic technologies, the report found. Businesses are largely failing to oversee and protect these agents, according to Outtake, a gap that magnifies the risk of agent-hijacking attacks that could damage businesses’ reputations or finances. Only 4% of businesses said they were fully monitoring and controlling their AI agents.
The report offered an example of an AI agent in the accounting department receiving a seemingly innocuous payment-inquiry email that contains hidden code overriding the agent’s programming and forcing it to share information with an untrusted third party.
“The agent now stands on a new trust boundary: one foot in the untrusted outside world, one in the trusted internal system,” Outtake said. “A planted instruction crosses the boundary between them.”
Governance fragmentation is another major weakness across enterprises, the report found. At 21% of companies, there is no one team responsible for assessing and managing digital trust risk to the organization. Security operations centers handle the responsibility at 18% of companies; fraud and safety teams handle it at 13%; and threat intelligence teams handle it at 11%. More than 60% of businesses described their digital trust risk management activities as fragmented and siloed.