






















For years, the cyber security industry tracked AI as a force multiplier: something that made existing attack techniques faster, cheaper, and more accessible. That framing was accurate. But the annual AI Security Report 2026 from Check Point Research documents a transition that goes further. AI has crossed from assistant to operator. Where it once helped attackers prepare, it now runs the operation. What follows is a structured review of the report’s key findings, grounded in original incidents and case studies from the past twelve months.
AI now participates directly at every stage of the attack chain, from writing malware to executing commands inside live networks with minimal human direction between steps. The clearest example from the past year was the breach of nine Mexican government agencies [1] between late 2025 and early 2026. A single operator ran Claude Code and GPT-4.1 in parallel, one handling live exploitation across 34 sessions, the other analyzing stolen data and automatically tasking follow-on activity. The human set the architecture in motion. The AI ran the operation, producing more than 5,000 executed commands and exposing roughly 400 million records.
AI has also industrialized the criminal tooling market. Phishing-as-a-service platforms [2] now embed language models directly into the attack workflow, automatically scanning stolen accounts, mimicking the victim’s writing style, and generating convincing follow-on scam emails. Voice fraud platforms [3] run fully automated AI agents that walk targets through scripted account-recovery calls to steal one-time passcodes, with no human caller involved. The jailbreak is built into the product, so a buyer needs no AI skill at all to run a sophisticated, multi-step attack.
AI is now capable enough at reasoning about code that it speeds up both sides of the race simultaneously. Google’s Threat Intelligence Group reported the first AI-assisted zero-day built for mass exploitation, while other research showed frontier models producing working zero-day exploits at scale. The practical effect is compression: a vulnerability disclosure that once gave defenders days to respond now gives them hours. US Government CISA responded by requiring agencies to remediate the highest-risk vulnerabilities within three days. India’s CERT-In went further, advising organizations to patch critical systems within 12 hours.
As organizations embedded AI into email, documents, code, and core business workflows, the AI stack became a target in its own right. Indirect prompt injection where malicious instructions are hidden inside content an AI reads as part of its normal work, has moved from proof-of-concept to operational threat. Check Point AI Security recorded a roughly fivefold increase in detections of large malicious prompt-injection payloads between March and May 2026, consistent with indirect injection becoming a routine attack path rather than a theoretical one.

Figure 1: Malicious prompt detection rate by payload size
AI infrastructure has also become a target through conventional means. A critical flaw in Ollama [4] left roughly 300,000 internet-facing model servers leaking prompts, keys, and environment variables. GreyNoise [5] recorded around 91,000 attack sessions probing LLM deployments in a single quarter. The AI software supply chain has proven equally exposed: the Shai-Hulud worm in November 2025 compromised hundreds of widely used code packages and tens of thousands of repositories, stealing developer credentials as it spread automatically through build pipelines.
Voice, face, documents, and real-time video can all now be convincingly synthesized, meaning none of them can stand alone as proof of identity. Over the past year [6], real-time face-swap moved from nation-state operations into industrialized fraud. Document forgery commoditized to the point where one service sold more than 10,000 AI-generated fake IDs capable of passing bank KYC checks across 56 countries. A North Korean-linked group took this furthest, using AI-fabricated personas to get operatives hired inside Western companies as legitimate remote employees, generating close to 800 million dollars for the regime’s weapons programs.

Figure 2: Generative identity threats by media type and maturity (Check Point Research, 2025)
High-risk GenAI prompts doubled from 2 percent to 4 percent over the past year. The average organization runs 10 AI applications per month, many without formal approval. Business Services had the highest rate of any industry, nearly one in every 17 AI interactions carried a real risk of sensitive data exposure, by May 2026, this climbed to 1 in 14 AI interactions. Most of this exposure comes not from attacks but from ordinary approved use, where employees share more context than they realize to get a useful answer.

Figure 3: High-risk prompts by region
The risks in this report fall into three categories, and each one calls for a different kind of defense: protecting AI itself, matching the speed of AI powered attacks, and governing how AI actually gets used across the workforce.
Most security teams cannot see the riskiest part of their own AI attack surface, so protection starts with visibility and extends into how agents behave once they are live.
Intrusions now span dozens of targets at once, with AI handling the operational work between check ins. Security teams working at human speed simply cannot keep that pace, which is why the defense has to run on AI too.
Much of the exposure in this report never came from an attack at all. It came from ordinary, approved use, where employees shared more than they realized just to get a useful answer.
To read the full findings, access the AI Security Report 2026 from Check Point Research here
[1] Gambit Security, “A Single Operator, Two AI Platforms, Nine Government Agencies: The Full Technical Report” https://gambit.security/blog-posts/a-single-operator-two-ai-platforms-nine-government-agencies-the-full-technical-report
[2] Sekoia, “New Widespread EvilTokens Kit: Device Code Phishing-as-a-Service” https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1
[3] Abnormal Security, “ATHR: AI Voice Phishing and TOAD Attacks” https://abnormal.ai/blog/athr-ai-voice-phishing-toad-attack
[4] Cyera, “Bleeding Llama: Critical Unauthenticated Memory Leak in Ollama” https://www.cyera.com/research/bleeding-llama-critical-unauthenticated-memory-leak-in-ollama
[5] GreyNoise, “Threat Actors Actively Targeting LLMs” https://www.greynoise.io/blog/threat-actors-actively-targeting-llms
[6] Malwarebytes, “Scam Compounds Hiring AI Models to Seal Deal in Deepfake Video Calls” https://www.malwarebytes.com/blog/news/2026/03/scam-compounds-hiring-ai-models-to-seal-deal-in-deepfake-video-calls
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。