
AI-on-AI Hacking: Winning the New Cybersecurity Battle

By: Duncan Greatwood
15 December, 2025
Zero Trust principles are a tried-and-true way to mitigate the risks of AI-on-AI hacking.

The democratization of AI makes for an exciting moment where rapid change feels possible, but it should also give security teams pause. By lowering barriers to entry and amplifying technological scale and speed, AI is not only empowering legitimate users but also enabling hackers—much like the rise of ready-baked “ransomware-as-a-service” tools, which fueled an explosion of ransomware attacks that organizations are still battling today. If history is any guide, the consequences of this new hacking accessibility will likely unfold for years to come.

AI tools, which introduce a litany of new factors for security teams to consider, are empowering attackers. The breadth of their potential applications makes AI hacking tools both potent and dangerous, exposing previously unseen gaps in cyber defenses.

Tried-and-true Zero Trust security architectures have long been the gold standard for keeping organizations safe, and they are uniquely suited to the current moment. AI-based threats can come from any source, and Zero Trust pillars like identity verification, re-authentication and granular controls will all be vital to countering them.

Threat actors are using AI to hack AI 

Rapid advancement in AI is arming threat actors with a robust suite of tools that enable intelligent attacks against organizations’ AI deployments. Whereas past attack tactics focused on breaching systems through technical vulnerabilities or stolen access credentials, AI’s natural language format creates a new gap for organizations and new opportunities for tirelessly experimental threat actors, be they human, AI or both working together.

With the robust capabilities of LLMs and “vibe coding,” technical skills are no longer a prerequisite for cybercrime. Some AI companies like Anthropic are taking steps to build in guardrails against dangerous usage, but the harsh reality is that such guardrails are vulnerable to jailbreaking when hackers figure out how to bypass them, leaving organizations still woefully unprepared for these new threats.

According to IBM’s recent “Cost of a Data Breach Report,” 13% of organizations have reported an AI-driven breach, while another 8% cannot say for sure whether they’ve fallen victim to one. Perhaps most concerningly, 97% of those breached reported having no AI access controls in place. This is not just irresponsible, but negligent, especially with CrowdStrike finding that 79% of detections in its “2025 Global Threat Report” were malware-free, suggesting that hackers are turning to more hands-on methods presumably buoyed by AI.


Even job openings are a point of vulnerability. North Korea has made coordinated efforts to secure American IT jobs, with the goal of stealing sensitive company information using deepfakes and other AI-driven methods to gain privileged access. Gartner sees this trend gaining pace, estimating that one quarter of job applicants will be fake by 2028. Even traditionally low-risk business practices like hiring need to be put under the microscope in the new AI paradigm. Nothing is exempt. 

Employees are using AI in unintentionally risky ways

Despite feeling pressure to integrate AI into their daily workflows, employees remain uncertain about how to use it securely. A late-2024 report from CIO Dive found that 56% of organizations lacked AI governance policies. Separate research from engineering hiring platform Howdy found this uncertainty pervading day-to-day work, with a subset of employees either feeling pressured to use AI when they don’t feel comfortable or simply pretending to use it to meet company mandates.

All of this underscores the need for effective AI governance. And AI governance needs to be built around secure and user-friendly Zero Trust architectures that mitigate risks and ensure that only the right people can access privileged information, especially as executives admit they’d be willing to use AI in opposition to internal protocols if it made tasks easier.

These Zero Trust methods need to account for the risk of human error and enforce strict safeguards, removing the possibility for improper use and protecting sensitive information within the organization.

Why Zero Trust is the answer

There’s a reason why Zero Trust has remained the preeminent cyber defense even as threats are evolving at a breakneck pace. Zero Trust’s effectiveness is built on its underlying principles. When an organization makes the active assumption that it is always being threatened, genuine dangers are less likely to be overlooked and gaps are sealed.

It’s also cost-effective. A Gartner survey found that 78% of organizations that have adopted Zero Trust spend under 25% of their overall cybersecurity budgets on it, granting them leeway to add extra defenses on top of an already strong foundation.

Even the federal government has indicated that Zero Trust is the best way forward, with a Biden-era executive order leading to the creation of CISA’s Zero Trust Maturity Model and urging federal agencies to adopt Zero Trust principles.

AI-driven attacks against organizations’ AI deployments aim to exploit the nuance and need for interpretation inherent in AI, but Zero Trust brings security back to black-and-white enforcement. It stops ambitious hackers or overly cavalier employees in their tracks, requiring authentication and authorization for every action, and containing any damage in the case of a breach. It’s a well-defined, systematic framework that holds firm against adaptive, shapeshifting threats.

AI still presents useful opportunities, despite the new risks it introduces when it's in the hands of hackers. It’s a profoundly innovative technology that can unlock operational efficiency and deliver strong gains to businesses and government. Zero Trust principles are a tried-and-true way to mitigate the risks of AI-on-AI hacking. Zero Trust should be the bedrock of modern cybersecurity defenses, which organizations can then build on with adaptive risk-based protections that can react to novel threats in the moment.  
