AI and the collapsed barrier to entry for cybercrime
A decade ago, mounting a credible attack required specialist skills. AI has dropped that barrier by an order of magnitude. What this means for the threat landscape, security awareness training, and the controls your ISMS relies on.
A decade ago, building a credible phishing email aimed at an Irish business meant either fluent English with familiarity with local business culture, or accepting poor-quality bait. Building a working exploit meant real depth on specific platforms, often years of practice. Impersonating a CEO on a video call meant access to a body double, costly editing kit, or both.
Today, all three are commodity tasks. The skills you used to need to become a credible threat actor have largely been automated by generative AI. The result is not just better attacks. It is a much wider population of people who can mount them.
This piece looks at what changed, what it means for the threat model your organisation is implicitly running on, and what the practical implications are for security awareness, identity verification, and the controls your management system relies on.
Key takeaways
- The barrier to entry for credible cybercrime has fallen sharply because generative AI automates the most expensive parts of the attack lifecycle: language quality, recon, code, voice, and video impersonation.
- The traditional trade-off between attack volume and attack quality has broken down. Both can now be high at the same time.
- Security awareness training built around “spotting bad English” or “looking for awkward video” is now actively misleading.
- The population of credible threat actors has expanded at every tier. Less-skilled actors can now produce output that used to require organised crime capability.
- For defenders, the work is not new. It is just more urgent: update risk registers, revisit awareness training, harden verification for high-trust transactions.
What used to be hard
To mount a serious attack on a typical organisation five years ago, an actor needed a combination of skills that were genuinely uncommon.
Language quality. A phishing email that would slip past a competent reader required fluent, idiomatic writing in the target’s language. For non-native speakers, this was a serious bottleneck. Detection advice for two decades told users to look for awkward phrasing, odd word choices, and grammatical errors. These were reliable signals.
Recon at scale. Building a credible profile of a target organisation, identifying decision-makers and their reporting lines, mapping likely email patterns, and identifying technical exposure took hours of manual work per target. This bounded the number of organisations any one actor could meaningfully target.
Exploit development. Turning a known vulnerability into a working exploit, particularly for unusual or less-documented systems, required real technical depth and often years of experience.
Impersonation. Voice impersonation required either a strong vocal mimic or substantial post-production. Video impersonation required either physical resemblance or significant editing skill.
Adaptation. Reusing a successful attack pattern against a different industry or target archetype usually meant substantial re-engineering.
These bottlenecks did not stop sophisticated actors. They did filter out everyone else. The credible threat landscape was smaller than it could have been.
What AI now enables
Each of those bottlenecks has, in the last three years, been substantially automated.
Phishing at scale, in quality. Generative AI produces fluent, idiomatic, context-aware phishing emails in any major language. Personalisation is now cheap. An attacker can generate one thousand uniquely-worded emails targeted to specific roles in specific industries in minutes. Detection by linguistic signal is finished as a primary defence.
Voice cloning. Commercial voice synthesis tools, originally built for accessibility, audiobook narration, and dubbing, can produce a convincing clone of a target’s voice from less than a minute of sample audio. Sources of sample audio are abundant: conference talks, podcast interviews, board meeting recordings, even voicemail greetings.
Video deepfakes. Live deepfake video, formerly the preserve of well-resourced research groups, is now achievable with commodity hardware and open-source models. The fidelity is sufficient for casual video calls. A target who has been told to expect a video call from their CEO will not necessarily detect a deepfake in a low-stakes meeting. The Arup deepfake fraud showed this at the high end. The same techniques are now available to less sophisticated actors.
Code generation. General-purpose coding assistants, whether jailbroken or accessed through purpose-built criminal alternatives such as WormGPT and FraudGPT, generate functional malware, web shells, credential-stealing scripts, and exploit code. Quality is uneven, but the floor is rising. Attacks that previously required real engineering skill can now be assembled from generated components.
Recon automation. Combining web scraping with language model inference produces detailed target profiles in minutes: organisational structure, decision-makers, technology stack, recent news, plausible attack pretexts. What was a one-organisation-per-day task is now a one-hundred-organisations-per-day task.
Translation and cultural adaptation. Foreign-language criminal groups can now mount attacks against Irish and UK organisations in fluent, idiomatic English. The footprint of attacks targeting your market just expanded.
Exploit adaptation. Code models can take a known exploit for one system and adapt it to a similar but different one. Long-tail systems that used to be too obscure to attack are now in scope.
The compounding effect
The individual capabilities are concerning. The real shift is when attackers chain them.
A worked example: an attacker builds a target profile from LinkedIn and public filings. They generate a phishing email referring to a real recent client engagement. The email asks the finance lead to confirm a payment by voice call. When called, the attacker plays a real-time cloned voice of the CFO. If the finance lead escalates to a video call, the attacker uses a live deepfake to participate as the CFO.
Each of those steps would have required a different skill set five years ago. Today, all three are achievable by a single moderately-skilled actor working from commercial and open-source tools. The result is an attack that, until recently, would have been classed as nation-state grade. It is now within reach of a substantially larger pool of attackers.
Volume and quality together
The classical attack landscape involved a trade-off. Mass-market attacks (generic phishing, credential stuffing, untargeted ransomware) were high-volume but low-quality. Targeted attacks (spear-phishing, business email compromise, advanced persistent threats) were high-quality but low-volume.
AI breaks this trade-off. High-volume targeted attacks are now possible. An attacker can spear-phish a thousand specific finance leads in a hundred different industries, with custom personalisation per target, in the time it used to take to do five.
For defenders, this matters because it changes the threat math. You used to be able to assume that if you were not a high-profile target, the well-crafted attacks would mostly pass you by. That assumption no longer holds.
What this changes for your ISMS
The implications fall into a handful of places across your ISMS.
Risk register. The likelihood and severity ratings on social engineering and business email compromise entries almost certainly need to be raised. Threat actor categories should explicitly include AI-augmented organised crime, which now has capabilities previously reserved for nation-state actors.
Awareness training (Annex A.6.3). Training content built around “spotting bad English”, “looking for video artefacts”, or “checking for awkward phrasing” is now actively misleading. Updated training should focus on out-of-band verification for high-trust transactions, scepticism about urgency, and recognition that voice and video can no longer be treated as authentication. The right framing is to expect the perfect phishing email rather than to identify the imperfect one.
Identity and access management (Annex A.5.16 and A.8.5). Voice and video should no longer be treated as authentication factors for sensitive operations such as payment authorisation, credential resets, or access changes. Hardware-based multi-factor authentication and out-of-band verification become more important, not less.
Supplier and third-party risk (Annex A.5.19). Suppliers handling your data are subject to the same threat landscape. Supplier assurance reviews should include questions about AI-augmented threat readiness.
Tabletop exercises. Incident response and business continuity tabletops should include AI-augmented scenarios: deepfake-led BEC, cloned-voice CEO fraud, AI-generated incident response confusion. The previous decade’s scenarios are now incomplete.
Process design. Approval workflows for high-value transactions should require verification through a channel different from the one in which the request originated. A request that arrived by email should be confirmed by phone to a known number. A request that arrived by phone should be confirmed in writing.
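The out-of-band rule above (confirm through a channel different from the one the request arrived on, to contact details of record, with voice and video not counting as authentication) is easy to state and easy to erode under urgency, so it helps to encode it as a policy check that an approval workflow calls before a payment or access change goes through. The following is an added example, not code from the original article or any product it mentions; the class and function names (`Channel`, `Contact`, `Request`, `Confirmation`, `evaluate`), the directory of record and the EUR 10,000 threshold are all constructed assumptions for illustration.

```python
"""Out-of-band verification policy for high-trust transactions (constructed example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Channel(Enum):
    EMAIL = "email"
    PHONE = "phone"
    VIDEO = "video"
    WRITTEN = "written"  # ticket or signed form in an internal system


@dataclass(frozen=True)
class Contact:
    """Contact details of record, maintained by HR/finance, never taken from the request itself."""
    phone: str
    email: str


@dataclass(frozen=True)
class Request:
    requester: str    # directory account the request claims to come from
    channel: Channel  # channel the request arrived on
    amount_eur: int


@dataclass(frozen=True)
class Confirmation:
    channel: Channel
    initiated_by_approver: bool  # approver dialled/wrote out, rather than answered an inbound contact
    destination: str             # number, address or account the approver actually used
    hardware_mfa_passed: bool = False


# Constructed sample directory; in practice this comes from an authoritative internal source.
DIRECTORY = {"cfo": Contact(phone="+353-1-555-0100", email="cfo@example.com")}

HIGH_VALUE_EUR = 10_000  # assumed threshold above which hardware MFA is also required


def evaluate(request: Request, confirmation: Optional[Confirmation]) -> list[str]:
    """Return the list of policy failures; an empty list means the approval may proceed."""
    failures: list[str] = []
    contact = DIRECTORY.get(request.requester)
    if contact is None:
        return ["requester is not in the directory of record"]
    if confirmation is None:
        return ["no out-of-band confirmation recorded"]

    # Rule 1: the confirming channel must differ from the one the request arrived on.
    if confirmation.channel == request.channel:
        failures.append(f"confirmation used the same channel as the request ({request.channel.value})")

    # Rule 2: video is content, not an authentication factor, for sensitive operations.
    if confirmation.channel == Channel.VIDEO:
        failures.append("video call cannot confirm a high-trust transaction")

    # Rule 3: the approver must initiate the confirmation. An inbound call or message,
    # however convincing the voice, is just another request and proves nothing.
    if not confirmation.initiated_by_approver:
        failures.append("confirmation must be initiated by the approver, not accepted from an inbound contact")

    # Rule 4: the outbound contact goes to details of record, never to details supplied in the request.
    expected = {
        Channel.PHONE: contact.phone,
        Channel.EMAIL: contact.email,
        Channel.WRITTEN: request.requester,  # the requester's own account in the internal system
    }.get(confirmation.channel)
    if expected is not None and confirmation.destination != expected:
        failures.append("confirmation sent to contact details not on record")

    # Rule 5: high-value payments additionally require hardware MFA from the approver.
    if request.amount_eur >= HIGH_VALUE_EUR and not confirmation.hardware_mfa_passed:
        failures.append(f"hardware MFA required for amounts >= EUR {HIGH_VALUE_EUR}")
    return failures


def scenarios() -> dict[str, list[str]]:
    """Constructed cases mirroring the article's guidance; returns failures per scenario."""
    email_25k = Request("cfo", Channel.EMAIL, 25_000)
    email_4k = Request("cfo", Channel.EMAIL, 4_000)
    phone_4k = Request("cfo", Channel.PHONE, 4_000)
    return {
        # Email request, approver calls the number of record, hardware MFA passed: approved.
        "callback_to_record": evaluate(email_25k, Confirmation(Channel.PHONE, True, "+353-1-555-0100", True)),
        # Email request, "confirmed" by an inbound call in the CFO's voice: denied on three rules.
        "inbound_cloned_voice": evaluate(email_25k, Confirmation(Channel.PHONE, False, "+353-87-555-0199")),
        # Email request, approver calls the number printed in the email: denied.
        "callback_to_email_number": evaluate(email_4k, Confirmation(Channel.PHONE, True, "+353-87-555-0199")),
        # Phone request, approver confirms in writing to the requester's account: approved.
        "written_confirmation": evaluate(phone_4k, Confirmation(Channel.WRITTEN, True, "cfo")),
        # Phone request, approver accepts a video call as confirmation: denied.
        "video_confirmation": evaluate(phone_4k, Confirmation(Channel.VIDEO, True, "meeting-room-1")),
    }


if __name__ == "__main__":
    for name, failures in scenarios().items():
        print(name, "APPROVED" if not failures else f"DENIED: {failures}")
```

The design choice worth noting is rule 3: the decisive property is who initiated the contact, not how convincing the voice on it was. A cloned voice on an inbound call never reaches the point where its realism matters, because the policy only credits contact the approver started to details held independently of the request.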
What this changes for regulated organisations
For organisations in NIS2 scope, Article 21 risk management measures should be updated to include AI-enabled threat modelling. Incident reports should flag AI involvement where known.
For organisations covered by GDPR, the threat to personal data has grown in two directions: data subjects are more easily impersonated through cloned voices and deepfaked video, and personal data is more easily extracted at scale through improved phishing and smarter credential attacks. DPIAs for new processing activities should consider AI-enabled attack vectors as part of the risk analysis.
For organisations operating an ISO 27001 ISMS, the changes above are not optional refinements. They reflect the actual threat landscape your management system is supposed to manage.
What is not different
Two important constants.
First, this does not mean traditional security controls have stopped working. MFA, endpoint protection, network segmentation, least privilege, patching, and incident response are still the right answers. AI raises the volume and polish of attacks. It does not change which controls deny which attacks.
Second, AI is not only an attacker capability. Detection, threat intelligence, anomaly identification, and security operations are also being augmented by AI. The contest is asymmetric in places and symmetric in others. There is no reason to predict that defenders lose this round. There is reason to predict that defenders who do not adapt to the new floor will lose against attackers who do.
Practical questions to ask now
- When was your security awareness training last updated to reflect AI-generated phishing and deepfakes?
- Do your approval workflows for high-value transactions require out-of-band verification?
- Are voice and video still treated as authentication anywhere in your processes?
- Does your risk register acknowledge AI-augmented threat actor categories?
- When was your last incident response tabletop, and did it include AI-augmented scenarios?
- For your suppliers handling sensitive data, are they subject to the same scrutiny?
If most of these answers are unclear, the next quarter is the right time to address them. The work is not expensive. The cost of catching up after an AI-augmented incident is.
If you would like support reviewing your security awareness programme, risk register, or threat model in light of AI-enabled attacks, get in touch. Our AI Governance, Risk and Governance, and ISO 27001 services cover the questions this article raises.
