EY Warns Frontier AI Is Exposing Enterprise Cybersecurity Blind Spots

EY Warns Frontier AI Is Exposing Enterprise Cybersecurity Blind Spots

By
Key Takeaways
  • 36% of Assets Fall Into the "Vulnerability Zone": EY found that more than one-third of enterprise assets have below-average visibility and cybersecurity coverage, creating potential entry points for AI-enabled attacks.
  • Frontier AI Is Redefining Cyber Resilience: The report argues that resilience must extend beyond incident recovery to include continuous visibility into emerging vulnerabilities, faster response capabilities and stronger governance across the enterprise.
  • Operational Technology, Third Parties and AI Systems Present the Greatest Exposure: OT and physical assets, third-party ecosystems, AI systems and network infrastructure were the asset categories most likely to fall into the vulnerability zone.
  • Cybersecurity Leaders Face a Growing Visibility Challenge: Respondents identified the pace of technological change as the greatest obstacle to maintaining accurate asset inventories, increasing the likelihood that unmanaged risks accumulate unnoticed.
  • More Mature Security Programs Show Greater Readiness: Organizations EY classifies as "Secure Creators" reported substantially fewer assets in the vulnerability zone than their less mature peers, reflecting broader integration of cybersecurity into enterprise resilience strategies.
Deep Dive

For years, cybersecurity has rested on a bargain that most organizations scarcely questioned. Not every asset could receive the same level of protection, so security leaders concentrated their attention where the consequences of failure would be greatest. The systems most critical to the business became the crown jewels. Everything else received what time, people and budgets allowed. It was an imperfect arrangement, but for a long time it was a practical one.

The latest 2026 EY Global Cybersecurity Leadership Insights Study argues that recent advances in frontier AI have altered the economics of cyberattacks in ways that expose the weaknesses of that long-standing approach. Organizations still need to protect their most valuable assets, but resilience increasingly depends on something less glamorous and, until recently, easier to overlook: the ability to understand what lies beyond the center of attention. The assets with the weakest visibility, the least consistent security coverage and the greatest accumulation of unmanaged dependencies are becoming attractive starting points for adversaries whose capabilities are expanding as quickly as the technologies they seek to exploit.

That conclusion emerges from a survey of more than 800 cybersecurity leaders and an analysis of 475 asset types. EY found that, on average, 36% of organizational assets occupy what it calls the "vulnerability zone," a segment where both visibility and cybersecurity coverage fall below average. The label is less important than what it describes. These are not necessarily the systems executives consider most valuable. They are the systems that become easier to lose sight of as organizations grow more connected, adopt new technologies and rely on increasingly complex digital ecosystems.

Recent demonstrations of frontier AI models capable of identifying and exploiting software vulnerabilities have given that problem greater urgency. Verifying vulnerabilities and deploying patches remain indispensable, but the report argues that those activities no longer define resilience on their own. Cybersecurity leaders must also understand where vulnerability is accumulating across the enterprise, determine which assets are essential to sustaining what EY describes as the "minimum viable enterprise," and respond quickly enough to keep pace with threats that are developing at machine speed rather than human speed.

That pace has changed markedly. Citing the 2026 CrowdStrike Global Threat Report, EY notes that the average eCrime breakout time has fallen to 29 minutes, shrinking the window between an initial compromise and an attacker's lateral movement through an environment. The significance of that figure is not simply that attacks are becoming faster. It is that assumptions which once seemed reasonable, about how quickly vulnerabilities can be found, exploited and contained, are becoming steadily less reliable.

The organizations best positioned for that reality are not necessarily those that invested most heavily after frontier AI emerged. EY identifies a group it calls "Secure Creators," organizations whose cybersecurity capabilities have consistently outperformed their peers. On average, only 30% of their assets fall within the vulnerability zone, compared with 42% among what the report classifies as "Prone Enterprises." Their advantage, according to the study, is not that they anticipated today's AI-driven threat landscape with unusual foresight. Cybersecurity had already been woven into broader organizational resilience strategies, allowing those organizations to adapt more readily as the threat environment changed around them.

The report argues that three developments are now reshaping enterprise risk simultaneously. Organizations continue to experiment rapidly with AI, expanding the attack surface almost as quickly as new capabilities are deployed. Third-party relationships and software supply chains have become more deeply embedded in day-to-day operations, introducing dependencies that often sit beyond an organization's direct control. At the same time, AI-enabled adversaries are becoming increasingly capable of exploiting weaknesses in underprotected assets before moving laterally toward more valuable systems. The vulnerability zone, EY argues, offers a way to understand where those pressures are converging instead of viewing the enterprise as a single, uniform attack surface.

The study also points toward another challenge that is easier to overlook because it develops gradually. Asked what most complicates maintaining accurate asset inventories, survey respondents did not identify budgets or staffing as their greatest obstacle. They pointed instead to the velocity of technological change. Assets evolve, migrate, connect and multiply faster than inventories, governance processes and security controls can keep pace. Visibility gaps are often created not by neglect but by movement.

Operational technology and physical assets represent the largest concentration within the vulnerability zone, with 57% falling below average for visibility and cybersecurity coverage. Historically, many of these systems existed outside the cybersecurity function's primary remit, often separated from corporate networks and managed by operational teams. EY argues that those assumptions no longer hold as physical AI becomes more prevalent and previously isolated systems become increasingly connected. Assets that once seemed comfortably distant from conventional cyber threats are now becoming part of the same attack surface.

The second-largest concentration appears in ecosystems and third parties, where 49% of assets fall into the vulnerability zone. Software vendors, cloud providers, logistics partners and outsourced service providers have become indispensable to modern operations, but that growing importance often requires privileged access to enterprise environments. EY suggests that agentic AI could deepen those relationships further if AI providers require broad access across multiple business functions or entire organizations to operate effectively.

Attackers have increasingly recognized the opportunity such relationships present. Third parties now frequently serve as initial access points before adversaries pivot into their intended targets, making foundational cybersecurity controls more consequential than ever. Yet the study found persistent shortcomings in precisely those areas. Nearly half of surveyed organizations (47%) reported failing to properly segment their environments, while 59% said they lack comprehensive asset telemetry, limiting visibility and delaying the detection of suspicious activity.

AI systems and tools form the third-largest share of the vulnerability zone, reflecting challenges that extend well beyond the technology itself. The rapid adoption of generative AI has encouraged shadow usage and untracked data flows as employees embrace new tools outside approved channels. Agentic AI introduces another layer of complexity through proliferating agents, identities, software connections and autonomous actions that are considerably more difficult to inventory and monitor consistently. Governance has struggled to keep pace with technologies that evolve continuously while connecting directly to sensitive data and business workflows.

Network infrastructure, where 38% of assets fall within the vulnerability zone, presents a different kind of concern. VPN gateways, firewalls, routers and edge devices remain attractive targets for sophisticated adversaries, particularly nation-state actors seeking reliable points of initial access. Many of these technologies depend on custom firmware or slower patch cycles than modern cloud platforms or endpoint software, characteristics that may become increasingly significant as frontier AI shortens the time between vulnerability discovery and exploitation.

The report's sector analysis reflects the same underlying pattern. Industries with greater dependence on operational technology, including infrastructure, mining and metals, power and utilities, oil and gas, and chemicals, generally reported larger vulnerability zones. By contrast, government and public sector organizations, banking and capital markets, insurance, and aerospace, defense and mobility tended to report smaller ones, a difference EY attributes in part to regulatory regimes that impose stricter cybersecurity requirements.

What emerges from the study is not an argument that organizations have been protecting the wrong assets. It is a recognition that resilience can no longer be measured solely by how well the most important systems are defended. Frontier AI has exposed the significance of the overlooked connections, the incomplete inventories, the third-party dependencies and the operational systems that rarely occupied the center of cybersecurity strategy until they became the path through which attackers reached it. The organizations that respond most effectively, EY suggests, will not simply harden their crown jewels. They will become far better at seeing the parts of the enterprise they once assumed could remain in the background.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.

Oops! Something went wrong