There are two distinct AI security problems that most organizations are conflating. They require different skills, different tools, and different governance frameworks.
This article is grounded in current advisory work, not retrospective analysis. Mark Lynd is a 5x CIO/CISO with Thinkers360 Top 10 global rankings across five disciplines simultaneously (currently #3 Data Center, #4 Cloud, #4 Security, #5 Cybersecurity, #7 Artificial Intelligence) and was ranked #1 globally in Cybersecurity in 2023. He is currently Head of Executive Advisory and Strategy at Netsync, advising enterprise C-Suites and boards on the AI and cybersecurity questions moving fastest in 2026. The frameworks and patterns referenced here are from active engagements this quarter.
The AI-enabled threat picture changed materially in 2025 and 2026. The attack categories that dominated security awareness training (poor-grammar phishing, generic spear-phishing, technical malware delivery) have been displaced by attack categories most enterprise security programs are not designed to defend against. AI-generated phishing that has no grammatical indicators. Deepfake voice fraud targeting executive authorization. Synthetic identity attacks against contractor and customer onboarding. Multi-channel pretexting that adapts in real time to the target's responses. The defender side is behind.
The Four AI-Enabled Attack Patterns
Pattern one is hyper-personalized spear phishing at scale. An attacker can now feed an AI system with a target organization's public communications, LinkedIn data for every named employee, press releases, and earnings calls, and generate thousands of individually tailored phishing emails in under an hour. Each email references real projects, real colleagues, real terminology. The click-through rate on AI-generated spear phishing is significantly higher than on templated phishing.
Pattern two is deepfake voice for executive fraud. The attacker clones the voice of a senior executive using publicly available audio from earnings calls, conference presentations, or media appearances. They call a finance or operations employee with an urgent request that bypasses normal approval chains. The voice sounds exactly like the executive because it is exactly like the executive, generated from real audio.
Pattern three is synthetic identity for insider access. The attacker creates a convincing professional identity with a LinkedIn profile, references from real companies, and AI-generated credentials, then uses that identity to apply for a contract or consulting role inside the target organization. Once inside, the synthetic insider has legitimate access.
Pattern four is AI-powered multi-channel pretexting. The attacker runs multiple channels simultaneously and adapts the pretext in real time based on the target's responses. Email, phone call, calendar invite, synthetic voice for verification, each reinforcing the others.
The Defenses That Actually Work
The defenses that actually work in 2026 are different from the defenses designed for 2022 attacks. Security awareness training, email filtering, and multi-factor authentication are necessary but no longer sufficient. The four controls that change the effectiveness equation: out-of-band verification for high-value actions through pre-established channels; behavioral pattern monitoring that flags deviations from baseline rather than scanning content for indicators; red team exercises that use AI-generated phishing, voice clones, and multi-channel pretexting; and process controls that require two-person authorization for the highest-stakes actions so that no single social engineering vector can complete the attack.
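The first and fourth controls above can be combined into one release gate. The following is an added example, not code from the article or from any framework it names; the threshold, role names, phone numbers and function names are all constructed assumptions. It shows why a callback number supplied inside the request never counts as verification, and why one convinced employee cannot complete a transfer alone.

```python
from dataclasses import dataclass, field

HIGH_VALUE_THRESHOLD = 50_000  # assumed policy threshold
AUTHORIZED_APPROVERS = {"controller", "treasurer", "cfo"}  # constructed roles
# Callback numbers registered in advance (constructed). Contact details that
# arrive inside the request are never used for verification.
PRE_ESTABLISHED_CHANNELS = {"cfo": "+1-555-0100", "ceo": "+1-555-0101"}


@dataclass
class TransferRequest:
    claimed_requester: str    # identity asserted by the caller or sender
    amount: int
    callback_in_request: str  # number the requester asked to be reached on
    oob_confirmed: bool = False
    approvers: set = field(default_factory=set)


def record_oob_confirmation(req: TransferRequest, number_dialed: str) -> bool:
    """Count a confirmation only if it came from dialing the registered number."""
    registered = PRE_ESTABLISHED_CHANNELS.get(req.claimed_requester)
    if registered is not None and number_dialed == registered:
        req.oob_confirmed = True
        return True
    return False


def approve(req: TransferRequest, approver: str) -> bool:
    """Approvers must be authorized and must not be the claimed requester."""
    if approver not in AUTHORIZED_APPROVERS or approver == req.claimed_requester:
        return False
    req.approvers.add(approver)
    return True


def may_release(req: TransferRequest) -> tuple:
    """Return (decision, reason) for a transfer request."""
    if req.amount < HIGH_VALUE_THRESHOLD:
        return True, "below threshold"
    if not req.oob_confirmed:
        return False, "no out-of-band confirmation"
    if len(req.approvers) < 2:
        return False, "two-person authorization incomplete"
    return True, "released"
```
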
Agentic AI and the New Attack Surface
Agentic AI introduces a new attack surface most enterprise security programs have not addressed. Agents that take actions autonomously can be redirected by prompt injection through external data the agent processes (customer emails, web pages, database records). The Agentic AI Security Framework covers five layers: Agent Identity and Least Privilege, Tool and API Authorization, Data Boundary Controls, Adversarial Input Defense, and Human Override and Incident Response. All five are required for any agentic system in production.
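A sketch of how several of those layers can meet at a single tool-call gate, as an added example that is not part of the article or of the Agentic AI Security Framework itself. The agent name, tool names and source labels are hypothetical. The gate decides on the provenance of what the agent has read, not on whether the text looks malicious, so a high-risk action influenced by external data is held for a human.

```python
from dataclasses import dataclass

# Agent identity and least privilege: explicit per-agent allowlist (constructed).
AGENT_TOOLS = {"support-agent": {"lookup_order", "draft_reply", "issue_refund"}}
# Tools with side effects that need a human decision when input is untrusted.
HIGH_RISK = {"issue_refund", "send_email"}
# Data boundary: sources an outside party can write to, as listed in the text.
UNTRUSTED_SOURCES = {"customer_email", "web_page", "database_record"}


@dataclass
class ContextItem:
    source: str  # provenance label attached when the data entered the context
    text: str


@dataclass
class ToolCall:
    agent: str
    tool: str
    args: dict


def authorize(call: ToolCall, context: list, human_approved: bool = False) -> tuple:
    """Return (decision, reason); decision is 'allow', 'hold' or 'deny'."""
    # Tool and API authorization: unknown agents get an empty allowlist.
    if call.tool not in AGENT_TOOLS.get(call.agent, set()):
        return "deny", "tool not in agent allowlist"
    # Adversarial input defense: any untrusted item taints the whole context.
    tainted = sorted({c.source for c in context if c.source in UNTRUSTED_SOURCES})
    if call.tool in HIGH_RISK and tainted:
        # Human override: the action waits until a person approves it.
        if not human_approved:
            return "hold", "high-risk tool with untrusted input: " + ",".join(tainted)
        return "allow", "human override approved"
    return "allow", "within policy"
```
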
What the Executive Team Needs to Know
Three things executives outside the security function need to know. First, executives are the highest-value targets. The CEO's voice is the most likely to be cloned. The CFO's authorization is the most valuable to forge. The CISO's credentials are the most damaging if obtained through targeted pretext. Second, the company's public communications are training data for voice clones. Every earnings call and recorded keynote improves the model. This does not mean executives should stop speaking publicly. It means the organization needs out-of-band verification for any action that could be initiated by a clone of an executive's voice. Third, cyber insurance policies increasingly have conditions on social engineering coverage. A transfer authorized by a manipulated request may not be covered if the policy requires verification procedures that were not followed.
What Boards and Executives Should Do Now
The pattern across engagements where the conversation translates to action: leadership treats this as a quarterly governance cycle rather than an annual policy review. The CISO and CIO bring a shared scoring view (the Enterprise AI Trust Score or the Cyber Insurance Readiness Score). The board asks specific questions rather than receiving a status update. The audit committee documents the decisions for the disclosure file. The result is governance that produces decisions instead of awareness.
Key Takeaways
- AI has collapsed the cost and improved the quality of social engineering attacks. The defenses designed for 2022 attacks are not sufficient for 2026 attacks. The gap is widening every quarter.
- The four documented AI-enabled attack patterns: hyper-personalized spear phishing at scale, deepfake voice for executive fraud, synthetic identity for insider access, and AI-powered multi-channel pretexting.
- Traditional defenses (awareness training, email filtering, MFA) address the wrong threat model. The four controls that actually work: out-of-band verification, behavioral pattern monitoring, AI-generation red team exercises, and mandatory process controls.
- Executives are the highest-value targets. The CEO's voice is the most likely to be cloned. The CFO's authorization is the most valuable to forge. The CISO's credentials are the most damaging if obtained.
- Agentic AI introduces a new attack surface. Prompt injection is OWASP LLM01:2025 and is the top attack vector against agentic systems. The Agentic AI Security Framework covers the five layers required for autonomous AI deployments.
Where This Came From
This analysis is grounded in direct advisory work, 150-plus facilitated executive tabletop exercises, and current operating responsibility as a 5x CIO/CISO. It is not a research report or a vendor white paper. It is the operator perspective on the topic, calibrated for the 2026 environment and the executive audiences that need decision-grade content.
Next Steps
Mark Lynd speaks on these topics at enterprise conferences, executive offsites, and board retreats. Sessions are tailored to the audience through a pre-event discovery call with the host or program chair. The named frameworks travel; the vocabulary, examples, and depth match the room.