“The introduction of security initiatives by frontier AI companies creates significant noise to an already noisy threat landscape,” said John Watts, VP Analyst for Gartner at the Gartner Security & Risk Management Summit in National Harbor, Maryland, USA, recently. “Cyber security leaders must be able to find the threat signal in all the noise in order to respond to shifts in the threat landscape.” At the event, John Watts took to the stage to present the company's 2026-2027 Threatscape.

AI application compromise

AI application compromise is in the critical threat section as attackers target the growing number of production-ready public-facing and internal enterprise AI tools. The attack surface has grown to include custom-built agents, third-party integrations and employee-only applications, often exposing sensitive data or credentials when controls are weak.

“Cyber security teams need to expand their programs beyond traditional software protections by mapping new attack surfaces introduced by GenAI models or agentic tools,” said Watts. “Using Gartner's trust and risk in security management (TRiSM) framework allows cybersecurity teams to know where to embed AI-specific threat mitigations directly into the AI application development process.”

Securing an AI application does not always mean starting from scratch. There are many AI security startups that offer broader and deeper capabilities as organizations mature and need more security around their use of AI. To address this threat, CISOs should apply secure development life cycle and threat modeling best practices to AI applications. They should also strengthen data security by improving data classification, adopt purpose-based access control (PBAC) and implement runtime monitoring.

Identity impersonation using deepfakes

The advent of Gen AI has dramatically increased the volume, fidelity and accessibility of deepfake creation across voice, video, and images, both as pre-recorded artifacts or generated in real-time. This has expanded the opportunity for attackers to impersonate identities across a range of attack surfaces. Deepfakes can be used to attack biometric authentication processes, can be combined with social engineering in real-time attacks on employees and can be used to subvert recruitment processes.

“Attacker use of deepfakes continues to advance and is now commonplace to make fraud and phishing scams difficult to detect,” said Watts. “There is no one cyber security control that will protect you. Instead organisations should use a combination of strengthening business processes, improving awareness, and deploying available deepfake detection technologies where possible.”

As a result, cyber security teams must look beyond deepfake detection and strengthen controls to protect the integrity of real‑time communications, as well as biometric authentication and verification processes by considering the following:

• Build a robust mitigation strategy by recognising that deepfake detection alone is not sufficient to detect and prevent deepfake identity impersonation attacks. Instead focus on layers of controls that will vary by use case.
• Protect biometric identity verification by focusing on presentation and injection attack detection in addition to contextual signals.
• Secure online meetings by implementing conditional access policies to enforce strong authentication for call participants and analysis of call metadata.

Software supply chain threats

“The evolution of Gen AI offerings will only accelerate the trend of software supply chain attacks through vulnerabilities in open source software,” said Watts. “Organisations must work towards trusted component registries, hardening their CI/CD pipelines and building strong operational anomaly detection and response capabilities.”

Cyber security teams should build comprehensive inventories of software assets while integrating strong controls at every stage of development. These measures help defend against emerging threats that target both traditional applications and modern AI-powered pipelines. With this in mind, CISOs should:

• Require SBOMs (and AIBOMs) from all vendors; assess every component for risk using tools with up-to-date threat intelligence before deployment.
• Use curated repositories for third-party code, container images and AI models; enforce branch protection on code repositories.
• Sign artifacts during builds; implement least-privilege access controls on build systems; continuously monitor runtime activity by agentic tools.

Prompt injection

Prompt injection is a cyber security threat targeting AI systems, especially those using large language models (LLMs). Attackers manipulate prompts to alter the model’s behaviour, causing it to leak sensitive information, perform unauthorised actions, or bypass controls. As organisations increasingly adopt Gen AI, the risk of prompt injection expands, making it a critical issue for cyber security teams.

To effectively counter prompt injection threats, cyber security teams should implement a layered mitigation strategy. This involves AI security testing to proactively identify vulnerabilities, establishing strong system prompts to guide AI behaviour, and deploying AI runtime guardrails that monitor for and block suspicious activity. Key actions for CISOs include:

• Implement input validation and sanitisation to filter out potentially malicious prompts.
• Establish monitoring and alerting for abnormal AI behaviour that may indicate successful prompt injection.
• Integrate prompt injection testing into the AI system development lifecycle.
• Leverage the outcomes of the testing to improve runtime controls.