Powerful New AI Models Create Higher IT Security Risk In

Powerful new AI models create higher IT security risk. Protect your SME with a robust business continuity plan & resilient workflows for 2026.

·16 min read
Powerful New AI Models Create Higher IT Security Risk In

Most small businesses still think AI risk is about staff using ChatGPT badly. That's already a problem, but it's no longer the main story. The bigger issue is that the newest generation of AI can help attackers find weaknesses and act on them far faster than most firms can detect, approve, and fix anything.

That gap is now dangerous. Powerful new AI models create higher IT security risk because they compress the time between discovery and attack, lower the skill barrier for criminals, and turn ordinary operational delays into business continuity failures. For SMEs in New Zealand and Australia, this isn't a research topic. It's an operating condition.

The Urgent New Reality of AI-Driven Cyber Threats

Frontier AI capabilities can now weaponise IT weaknesses in “a matter of minutes or hours,” the European Systemic Risk Board warned this week when it raised the status of systemic cyber risk to “severe.” This warning aligns with other recent regulatory announcements, including a joint statement last month by the Five Eyes cybersecurity agencies that AI is accelerating the speed, scale and sophistication of cyber threats and may transform offensive and defensive capabilities in a matter of months, not years.

Cutting-edge artificial intelligence technology is poised to supercharge offensive hacking capabilities and urgent action is needed to face up to the threat, U.S., British, Canadian, Australian and New Zealand officials said on Monday. The intelligence alliance commonly known as the "Five Eyes" said in a three-page statement that, "Frontier AI models are anticipated to exceed current industry expectations, transforming both offensive and defensive cyber capabilities. The timeline is not years, it is months."

That warning isn't abstract. In a joint statement dated June 22, 2026, the Five Eyes cybersecurity agencies, including New Zealand's NCSC, warned that frontier AI models capable of transforming offensive cyber capabilities are “mere months away,” not years, significantly changing the threat environment for critical national infrastructure, as reported by Singularity Kiwi's coverage of the Five Eyes AI warning.

Why SMEs are exposed first

Large enterprises at least have layers of review, dedicated security teams, and specialist tooling. Smaller firms usually have none of that. They have lean IT teams, outsourced support, mixed device fleets, and cloud apps adopted department by department.

That combination creates a practical problem. If attackers can move in hours, but your business still relies on manual patch review, ad hoc approvals, and a spreadsheet for incident contacts, you're already behind.

Cyber resilience now depends less on whether an attack happens and more on whether the business can keep operating when it does.

Yesterday's playbook doesn't work

The old approach treated cybersecurity as prevention. Build a perimeter, block obvious threats, run periodic updates, and hope for the best. That model is too slow for AI-assisted attacks.

A modern response has to start with business continuity. Not as a compliance document. Not as a disaster recovery binder nobody opens. It has to be the operating system for decision-making under pressure.

For SMEs, that means three things:

  • Assume speed: incidents will escalate faster than your normal approval cycle.
  • Protect operations: identify what must stay running even during an attack.
  • Pre-decide actions: your team can't invent roles, messages, and recovery steps in the middle of a breach.

How AI Supercharges Malicious Cyber Attacks

AI has changed the economics of cybercrime. It lets attackers run faster, target more precisely, and produce work that used to require several skilled people.

For SMEs in New Zealand and Australia, that is the core problem. The warning from agencies such as the NCSC and the wider Five Eyes community is not abstract. It shows up in ordinary business processes. A fake supplier email lands at the right moment. A missed software update turns into an outage. A small IT team loses hours verifying what is real and what is not.

A diagram illustrating how artificial intelligence is used to conduct modern and sophisticated cyber attacks.

Vulnerability discovery at machine speed

New Zealand's National Cyber Security Centre has warned that frontier AI models can identify software vulnerabilities at much greater speed and scale than human analysts, including flaws in commercial software products, as summarised by Dig.Watch's coverage of the NCSC frontier AI cyber threat guidance.

That shortens the gap between exposure and exploitation. Attackers can use AI to review code, spot weak patterns, test attack paths, and adapt existing exploit techniques faster than many SMEs can assess a patch or schedule maintenance.

The business implication is straightforward. If your organisation still relies on manual triage, inbox-based approvals, and undocumented patch decisions, AI-assisted attackers are operating on a shorter cycle than your internal process.

Social engineering gets harder to spot

Generative AI has made phishing, impersonation, and extortion far more convincing. Messages now read like they were written by someone who knows your industry, your suppliers, and your current projects. Voice cloning and synthetic video add another layer of pressure, especially for finance teams and frontline managers asked to act quickly.

Old awareness advice no longer holds up. Spelling mistakes, strange phrasing, and clumsy formatting were once useful warning signs. Now the email can be polished, relevant, and timed to a real invoice run or procurement request.

A short explainer is worth watching if your leadership team still thinks this is a technical-only issue.

The barrier to entry has collapsed

Attackers no longer need deep technical skill to run effective campaigns. AI tools can help them write lures, gather public information, adjust malware, and refine tactics after each failed attempt. That gives lower-skill operators access to higher-quality attack methods.

SMEs feel this first because they usually expose more operational clues online and have fewer checkpoints in day-to-day workflows.

Attack type What AI improves Why it matters to SMEs
Phishing Personalisation and language quality Staff are more likely to trust it
Reconnaissance Faster collection of public and internal clues Small firms are easier to profile
Malware adaptation Quicker variation and rewriting Signature-only tools struggle
Exploit assistance Faster identification of weak points Delayed patching becomes more dangerous

Practical rule: If your controls depend on attackers making obvious mistakes, replace those controls now.

The right response is operational discipline. Set tighter approval paths for payments and supplier changes. Reduce patch delays. Document who can shut down access, switch to manual workarounds, and notify customers when systems are under attack. That is how SMEs turn broad AI threat warnings into actions the business can execute under pressure.

Business Continuity The Essential Defence Strategy

Most firms still separate cybersecurity from business continuity. That's a mistake. In the AI era, they're part of the same discipline.

If a threat actor can identify and exploit vulnerabilities at “unprecedented speed and scale,” and the NCSC says organisations need to “patch frequently” and adopt a “patch every day” mentality for internet-exposed systems, as set out in NCSC guidance on cyber readiness in the frontier AI era, then continuity planning isn't optional. It's the structure that lets the business function while security teams contain and recover.

A diagram illustrating the four key components of business continuity planning for resilient organizational infrastructure.

What business continuity means now

A modern business continuity plan, or BCP, answers a blunt question. If a cyber incident hits at the worst possible time, how does the organisation keep serving customers, paying people, accessing critical systems, and making decisions?

That requires more than backups. It requires an agreed model for triage, authority, communications, workarounds, and recovery priorities.

The four pillars that matter

  • Business impact analysis: identify the functions that can't stop without immediate operational or financial damage.
  • Risk assessment: map where AI-assisted attacks are most likely to cause disruption, including vendors, cloud systems, identity tools, and user behaviour.
  • Incident response integration: define exactly who decides what, in what order, when systems are degraded or unavailable.
  • Recovery protocols: document how to restore systems safely without reintroducing the same compromise.

Why BCP works better than ad hoc reaction

Ad hoc response creates confusion. Security wants containment. Operations wants uptime. Finance wants clarity on exposure. Leadership wants customer messaging. Without a pre-built plan, those groups pull in different directions.

A good BCP removes that friction. It tells people which systems come first, who signs off on shutdowns, what fallback process is acceptable, and when external specialists are engaged.

Your BCP is a decision framework under stress. If it doesn't speed up decisions, it isn't finished.

Assessing Your Organisation's AI Security Risks

The first job isn't buying more tools. It's understanding where your organisation is easiest to disrupt.

That starts with people. According to Kordia's 2026 New Zealand Business Cyber Security Report, 24% of medium-to-large New Zealand businesses rank improper employee AI use among their top cyber challenges, as reported by Insurance Business on staff AI misuse as a key cyber risk. That should change how every business owner thinks about internal risk. Staff can expose data, bypass approved workflows, or feed sensitive material into unvetted tools without bad intent.

Start with business-critical workflows

Forget generic risk registers for a moment. Ask which activities must continue if core systems are degraded for a day, or if staff lose access to a major platform.

Use this quick review:

  1. Which processes generate revenue or fulfil customer obligations?
  2. Which systems those processes depend on?
  3. Which staff or suppliers hold critical knowledge or access?
  4. Where is AI already being used informally, without approval or monitoring?

The answers usually reveal concentration risk fast. One finance platform. One identity provider. One cloud file repository. One operations manager who knows the workaround.

Examine the human-vulnerability gap

Government guidance in New Zealand stresses that security strategies must not focus only on technology and that staff need to understand AI fundamentals and limitations. The issue for most SMEs is that policy hasn't caught up with behaviour.

Review these areas first:

  • Unapproved GenAI use: staff pasting customer, legal, HR, or source-code content into public tools.
  • Prompt injection exposure: teams trusting AI outputs from connected systems without validating the source or instruction chain.
  • Shadow automation: departments linking AI tools to email, documents, CRM, or code repositories without IT review.
  • Over-trust in outputs: employees treating generated summaries, code, or recommendations as verified fact.

For a broader framework on governance and monitoring, this CISO's guide to AI security is a useful reference point. If you need a more practical review of controls across infrastructure, identity, and endpoint exposure, a structured cybersecurity services assessment helps turn vague concerns into an action list.

Ask harder vendor questions

Your business might have a decent internal policy and still inherit risk from suppliers. Ask vendors whether AI is used in support, software development, monitoring, document handling, or customer data workflows. Then ask what permissions those systems have.

The point isn't to ban AI. It's to know where it touches data, decisions, and operational dependencies.

Building Your Actionable Business Continuity Plan

A risk review without a working continuity plan leaves your business exposed. AI-driven attacks compress decision time, speed up exploitation, and punish hesitation. SMEs in New Zealand and Australia cannot treat business continuity as a compliance document. It has to be an operating playbook that leaders can activate fast.

A list graphic outlining seven essential elements for creating an effective and actionable business continuity plan.

Government warnings from the Five Eyes community matter because they point to a simple business reality. Attackers now work at machine speed. Your response model must be faster, clearer, and easier to run under pressure. That means translating broad threat advice into specific triggers, owners, fallback processes, and recovery conditions your team can use on the day something breaks.

What the plan must include

A usable BCP answers one question first. What exactly happens when a serious cyber incident hits at 4:45 p.m. on a Friday?

Start with the parts that remove confusion:

  • Activation criteria: define the exact events that trigger the plan, such as suspected account takeover, ransomware indicators, critical SaaS outage, supplier compromise, or loss of access to core data.
  • Response roles: name the incident lead, technical lead, operations owner, executive decision-maker, communications approver, and supplier contact.
  • Service priorities: rank systems by business impact. Start with payroll, customer service, sales operations, finance, identity, and any platform that keeps revenue or compliance work moving.
  • Containment decisions: set rules for isolating endpoints, disabling accounts, blocking integrations, forcing password resets, or taking exposed services offline.
  • Manual workarounds: document how staff keep serving customers, taking orders, processing payments, or delivering services if systems are unavailable.
  • Communications templates: prepare short messages for staff, customers, vendors, regulators, and directors. Approval paths must be clear.
  • Recovery checkpoints: define what evidence is required before reconnecting systems, restoring data, or returning users to normal access.

Keep it short enough to use.

Write for action, not for filing

Many continuity plans fail because they are written for auditors instead of managers. During an incident, nobody needs a page of policy language. They need a decision table, a contact list, a priority order, and approved actions.

Use a simple structure like this:

BCP section What it should answer
Incident trigger Are we activating the plan now?
Critical service list What must stay running first?
Contact roster Who needs to act immediately?
Technical actions What gets isolated, patched, restored, or monitored?
Business workaround How do teams keep operating meanwhile?
Communications Who says what to whom, and when?

This is the point where many SMEs get stuck. They understand the warning, but they have not translated it into workflow. A practical BCP closes that gap. It turns security advice into assigned tasks that operations, finance, service teams, and leadership can execute together.

If you want to test whether your documented response matches real-world exposure, penetration testing support helps identify the systems, access paths, and weaknesses that deserve explicit treatment in the plan. For organisations reviewing baseline controls and operational discipline across multiple sites, this guide to IT security for Australian businesses is a useful companion.

A good continuity plan should let a capable manager make the first hour of decisions without waiting for the one technical person who knows how everything fits together.

Implementing Your Plan with Wisely and monday.com

A written plan is necessary. It still won't work well if it sits in PDFs, email threads, and disconnected spreadsheets.

Execution needs a live operating layer. That's where a work management platform becomes useful, especially when the business has to coordinate security, IT, operations, finance, and leadership at the same time.

Screenshot from https://www.wiselyglobal.tech/monday-partner

A practical incident workflow

Take a common scenario. A critical SaaS tool shows suspicious account activity, a supplier alert suggests a newly disclosed vulnerability is being exploited, and staff report odd MFA prompts. The BCP has already defined the response team and activation criteria.

In a structured monday.com setup, the incident commander opens a prebuilt board. One group tracks containment actions such as account reviews, access revocations, and system isolation. Another group tracks business continuity tasks such as temporary workarounds, customer communication approvals, and vendor escalation. Leadership gets a dashboard view instead of a stream of fragmented updates.

Why workflow discipline matters

Under pressure, teams skip steps. They forget who approved what, duplicate work, or assume someone else informed the right people. A central workflow reduces that failure rate by making ownership visible.

A strong implementation typically includes:

  • Prebuilt incident templates: so the team doesn't create structure from scratch during a crisis.
  • Automated notifications: trigger alerts to the right role when a status changes.
  • Dependency tracking: show which business process is blocked by which technical issue.
  • Audit trail: preserve timestamps, decisions, and actions for post-incident review.
  • Executive visibility: surface status, blockers, and recovery progress without technical clutter.

The best continuity plans are operational. They live where teams already work, not in documents people remember after the damage is done.

If your organisation wants to turn a written plan into a managed workflow, a specialised monday.com consultancy partner can help design the boards, automations, permissions, and reporting needed for real incident coordination.

Maintaining Resilience in the Fast-Evolving AI Era

Resilience isn't a project with an end date. It's a management discipline.

The threat will keep changing because the models will keep changing. New tools will appear inside vendors, staff workflows, code pipelines, support systems, and customer platforms. If your continuity plan stays static, it will drift away from reality faster than most leaders expect.

What mature organisations do repeatedly

They review the plan when the business changes. They run tabletop exercises. They check whether contact lists, recovery priorities, fallback processes, and approval paths still reflect how work happens.

Keep the cadence practical:

  • Run incident drills: involve leadership, operations, and frontline system owners, not just IT.
  • Update after change: revise the plan after major software, process, supplier, or staffing changes.
  • Train staff on decisions: people need to know what to escalate, what to stop, and what not to upload into AI tools.
  • Review third-party exposure: ask suppliers how AI is affecting development, support, access, and data handling.

The right standard for leadership

Leadership shouldn't ask, “Are we secure?” That question is too vague to be useful. Ask, “Can we keep operating if a fast-moving cyber event disrupts our systems this week?”

That question gets you closer to reality. It forces discussion about fallback processes, customer obligations, cashflow continuity, and executive decision rights. It also reveals whether the business has confused cybersecurity spending with genuine operational readiness.

Powerful new AI models create higher IT security risk, but the firms that act now can still control the business impact. The winners won't be the ones with the most impressive policy deck. They'll be the ones with clear priorities, tested workflows, and a continuity plan people can use.


If your organisation needs help turning cybersecurity concerns into workable processes, Wisely can help connect business continuity planning, IT operations, and workflow automation so your team can respond faster and keep critical work moving when disruption hits.

Want to talk through any of this?

Our team is happy to discuss your specific situation. No sales pitch required.