Here is the question most boards cannot answer in 2026: is our cybersecurity posture actually ready for AI-powered threats? Not the next CrowdStrike vendor pitch. Not the analyst summary from last year. The real question, with a real score the audit committee can act on.

That is what The AI Threat Readiness Score is built for. Five dimensions. One board-readable score. Drawn from advisory work with CISOs and CIOs every week, and from facilitating 150+ executive tabletop exercises, a growing share of them AI-inflected.

The frame the score is built on: every enterprise is now being attacked by adversaries who use AI to scale and personalize what they used to do by hand. Phishing at scale, deepfakes of executives, AI-augmented reconnaissance, prompt-injection-driven account takeover, adversarial attacks against your own AI models, AI-augmented social engineering that is far more convincing than the 2022 version. Tools like Mythos make a lot of this commodity-cheap. Defenders are catching up unevenly. Boards want to know where they stand.

The Five Dimensions

1. AI Threat Visibility

Do you have visibility into AI-powered threats targeting your organization? Not generic threat intelligence. AI-specific threat intelligence. Are you tracking the AI-augmented threat actor groups, the AI phishing kits, the deepfake generators, the AI reconnaissance tooling, the agent-based offensive tools that are now commodity-priced?

What to score against:

  • Threat intelligence coverage of AI-augmented adversary tradecraft, not just classical TTPs.
  • Industry-specific AI threat picture (the AI-augmented attack patterns hitting financial services in 2026 are not the same patterns hitting healthcare or manufacturing).
  • Visibility into executive impersonation campaigns (deepfake audio, deepfake video, AI-generated text targeting your C-Suite).
  • Coverage of AI-augmented insider-threat patterns.
  • Connection to the carrier and broker side: what AI-augmented loss patterns the carrier is actually seeing across the book.

2. Identity Hardening

AI-powered fraud has broken the old assumption that you can verify identity with a voice on the phone or a video call. Deepfake audio is good enough to fool family members. Deepfake video is good enough to fool board members. The Identity Hardening dimension scores whether you have rebuilt identity around the new assumption: voice and video are no longer trust signals on their own.

What to score against:

  • Callback protocols on any consequential request initiated by voice or video, with the callback going to a known number.
  • Code-word or challenge-phrase protocols for high-consequence executive instructions (wire transfers, vendor changes, M&A messaging).
  • MFA hardening across every critical system, with phishing-resistant authenticators (passkeys, hardware tokens) wherever possible.
  • AI-aware identity verification on the customer side (financial services and healthcare especially).
  • Helpdesk-targeting defenses (the AI-augmented vishing attack against a helpdesk is one of the fastest-growing patterns in the book).

3. AI-Aware Detection & Response

Most SOC tooling was sized for classical attack patterns. AI-augmented attacks generate different telemetry. The Detection & Response dimension scores whether your SOC can actually see, triage, and respond to AI-augmented incidents.

What to score against:

  • Detection content covering AI-augmented phishing, deepfake-driven fraud, AI-augmented account takeover, prompt-injection-driven incidents, agent-tool abuse.
  • Behavioral analytics that catch the velocity and scale signature of AI-augmented adversary activity (an AI-driven attacker moves at machine speed).
  • Response playbooks rehearsed for AI-augmented scenarios (the IR playbook from 2022 does not survive contact with an AI-augmented incident in 2026).
  • Detection coverage on the AI compute estate itself (model and weight integrity, training data integrity, agent identity and access).
  • SOC analyst training on AI-augmented adversary patterns; the analyst who has never seen a deepfake-driven fraud will misclassify the first one.

4. Workforce Conditioning

AI-augmented social engineering targets people. The Workforce Conditioning dimension scores whether your people are ready, not in the 30-minute annual compliance training sense, but in the muscle-memory sense.

What to score against:

  • Executive-targeting deepfake training (CFOs, CEOs, GCs, and assistants who route their messages).
  • AI-augmented phishing simulation: not the 2018 phishing kit, but the 2026 AI-augmented one.
  • Helpdesk and customer-facing staff trained on AI-augmented vishing patterns.
  • Wire-transfer and vendor-change verification protocols rehearsed quarterly, not just documented.
  • Tabletop exercises with AI-inflected scenarios (deepfake-driven fraud, AI-augmented insider threat, AI-augmented executive impersonation).

5. Adversarial AI Resilience

You are deploying AI inside the enterprise. Adversaries know that. The Adversarial AI Resilience dimension scores whether the AI you operate can survive a deliberate adversarial attack. This is the dimension most enterprises have not yet seriously scored themselves on.

What to score against:

  • Prompt injection and indirect prompt injection coverage on every production LLM-backed application.
  • RAG poisoning controls (the training data and retrieval corpus are now an attack surface).
  • Model and weight protection (your fine-tuned models are intellectual property and an adversary target).
  • Identity and access controls for AI agents (the agent is now an identity that adversaries will impersonate, hijack, or abuse).
  • Agent observability and audit (an autonomous agent without observability is an audit-committee problem waiting to surface).
  • Adversarial resilience testing (red-teaming your own AI, regularly, by people who actually know how).

How the Score Works

Each dimension is scored 0 to 100, with a per-dimension breakdown that maps directly to where investment goes next. The aggregate score gives the board a single readable number. The per-dimension score gives the CISO and Chief AI Officer the actual operating list.

Scoring buckets we use in advisory work:

  • 80-100 (Resilient). You are ahead of the threat picture. Maintain and rehearse.
  • 60-79 (Operating). You are running the basics. The gaps are real but addressable in the next two budget cycles.
  • 40-59 (Exposed). Material gaps. The next AI-augmented incident is going to land worse than it had to.
  • 0-39 (Unprepared). Audit-committee escalation. The board needs to know the gap is this size before the next external event surfaces it for them.
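A small scorer that turns a yes/no control checklist into the per-dimension scores, the aggregate, the bucket, and the operating list described above. This is an added example, not a tool from the article or its advisory practice; equal weighting of controls and of dimensions, the mean as the aggregate, and the control names in SAMPLE are assumptions.

```python
"""Added example, not a tool from the article: scores a control checklist against
the five dimensions and buckets the article describes. Equal weighting of controls
and of dimensions, and the control names in SAMPLE, are assumptions."""
from statistics import mean

# Bucket floors exactly as the article states them: (lower bound, label).
BUCKETS = [(80, "Resilient"), (60, "Operating"), (40, "Exposed"), (0, "Unprepared")]


def bucket(score: float) -> str:
    """Map a 0-100 score onto the article's four readiness buckets."""
    for floor, label in BUCKETS:
        if score >= floor:
            return label
    raise ValueError("score must be between 0 and 100")


def score_dimension(controls: dict[str, bool]) -> int:
    """Share of a dimension's controls that are in place, 0-100 (equal weight assumed)."""
    if not controls:
        raise ValueError("a dimension needs at least one control to be scorable")
    return round(100 * sum(controls.values()) / len(controls))


def readiness(assessment: dict[str, dict[str, bool]]) -> dict:
    """Per-dimension scores, the aggregate (mean, an assumption), its bucket, and the
    operating list: unmet controls ordered weakest dimension first."""
    per_dim = {name: score_dimension(ctrls) for name, ctrls in assessment.items()}
    aggregate = round(mean(per_dim.values()))
    operating_list = [(name, ctrl)
                      for name in sorted(per_dim, key=per_dim.get)
                      for ctrl, met in assessment[name].items() if not met]
    return {"dimensions": per_dim, "aggregate": aggregate,
            "bucket": bucket(aggregate), "operating_list": operating_list}


# Constructed sample assessment (not real data): three yes/no controls per dimension.
SAMPLE = {
    "AI Threat Visibility": {"AI-tradecraft intel": True, "exec impersonation visibility": True,
                             "carrier loss-pattern feed": False},
    "Identity Hardening": {"callback protocol": True, "code-word protocol": False,
                           "phishing-resistant MFA": False},
    "AI-Aware Detection & Response": {"prompt-injection detections": True,
                                      "velocity analytics": True, "AI estate coverage": False},
    "Workforce Conditioning": {"deepfake exec training": False, "AI phishing simulation": True,
                               "AI-inflected tabletop": False},
    "Adversarial AI Resilience": {"prompt-injection testing": False,
                                  "RAG poisoning controls": False, "agent audit trail": False},
}

if __name__ == "__main__":
    print(readiness(SAMPLE))  # sample lands at 40, "Exposed", with 9 open items
```

The operating list is the per-dimension breakdown the text refers to: it is what the CISO and Chief AI Officer work from, ordered so the weakest dimension's gaps come first.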

Where Most Enterprises Actually Sit Today

Honestly? Most are between 35 and 60. The Identity Hardening dimension is the most consistently behind. Workforce Conditioning is the second most behind. Adversarial AI Resilience is the dimension almost no one has scored at all, because the security team and the AI team are still arguing about who owns it.

The Mythos point is real. Tools like Mythos make AI-augmented offensive tradecraft cheap, repeatable, and accessible to threat actors who would not have had this capability two years ago. The enterprise defender posture has not caught up. That is the gap the score is built to measure, and to close.

How to Use the Score in Your Organization

Three practical applications:

  1. Annual board AI-cyber readiness review. Score against the five dimensions, present the result, and walk the board through the two-year closure plan. This is becoming a standing item on technology committee and audit committee agendas.
  2. Pre-renewal cyber insurance conversation. Carriers are starting to ask AI-specific questions on renewal questionnaires. Walking in with a defensible score and a closure plan changes the conversation.
  3. CIO + CISO + Chief AI Officer joint operating cadence. The five dimensions cleanly distribute ownership. Identity Hardening is mostly the CIO. Adversarial AI Resilience is mostly the CISO and Chief AI Officer jointly. Workforce Conditioning is the CISO with HR partnership. AI-Aware Detection & Response is the SOC. AI Threat Visibility is the threat intelligence function. The score creates a clean operating model on a topic that is currently fragmented in most enterprises.

The Bigger Point

The AI threat picture is changing faster than enterprise defender capability. Boards know it. CISOs know it. The conversation between them needs a frame, a vocabulary, and a number. The AI Threat Readiness Score is that frame.

You can score your organization against the five dimensions in a half-day with the right people in the room. The two-year closure plan that comes out of that conversation is one of the more useful artifacts you will produce in 2026. Try it.