Picture a routine video call. Your CFO is on screen. So are several colleagues you have worked with for years. They ask you to process a series of urgent, confidential transfers. You hesitate — the request came in a strange email — but the call reassures you. You see their faces. You hear their voices. You comply.
That is exactly what happened to a finance employee at the engineering firm Arup in Hong Kong. He made 15 transfers totaling roughly US$25 million after a video conference in which every single participant — the CFO included — was an AI-generated fake. Not one real human was on that call except the victim.
I have spent years building and securing technology organizations, and I keep coming back to that case because of what it broke: not a firewall, not an endpoint, but the most basic human verification ritual we have. "Let's jump on a call to confirm." That ritual is no longer proof of anything.
The Offense Has Been Industrialized
What was a spectacular one-off in 2024 is now an assembly line. AI-related attacks rose 340% in the first quarter of 2026 compared with 2025, and more than 80% of phishing emails — 82.6%, by recent measurement — are now written by AI. The economics explain why: AI-generated phishing achieves a roughly 54% success rate against about 12% for human-written attempts. That is a 4.5x improvement in conversion, delivered at near-zero marginal cost, in any language, personalized per target.
The deepfake numbers are just as stark. 85% of organizations experienced at least one deepfake incident in the past year, and voice cloning now succeeds more than 95% of the time with just 10 to 15 seconds of source audio. Ten seconds is a voicemail greeting. It is the introduction to a webinar your CEO gave last year.
Deepfake-driven fraud has cost $2.19 billion globally, with $1.65 billion of that in 2025 alone. Deepfake vishing — cloned voices on phone calls — surged more than 1,600% quarter-over-quarter in early 2025. Deloitte projects that GenAI-enabled fraud losses in the US alone will reach $40 billion annually by 2027, up from $12.3 billion. This is not a tail risk anymore. It is a line item.
The attacker no longer needs to breach your network. They only need to convincingly become someone your people already trust.
The New Attack Surface: Your Own AI Agents
Here is the part that worries me more than deepfakes, because most boards have not internalized it yet: the AI systems you deployed to gain productivity are themselves a fresh, poorly defended attack surface.
Indirect prompt injection — hiding malicious instructions inside content an AI will later read, like an email, a shared document, or a web page — has moved from research papers to live attacks against production systems, as documented by Google and Forcepoint researchers. Your AI assistant summarizes an inbound email; buried in that email is an instruction the assistant obeys. The user never sees it. By one industry measure, prompt injection appeared in 73% of production AI deployments tested in 2025.
The Taxonomy of 2026
Security teams are now defending against a recognizable family of agent-native attacks: prompt injection, memory poisoning, tool misuse, supply-chain compromise of models and plugins, and data exfiltration through the agent's own outputs.
Memory poisoning deserves special attention because it is slow and patient. In one documented case, attackers spent three weeks gradually feeding a company's procurement agent false context until the agent "believed" it had authority to approve purchases under $500,000. It then approved roughly $5 million in fraudulent purchase orders. No malware. No exploit. Just persuasion, applied to a system that never gets tired, never gets suspicious, and never calls a colleague to ask if something feels off.
If you have given an AI agent the ability to act — send emails, approve workflows, move data, call APIs — you have created a new employee with broad access, infinite patience for social engineering, and no instinct for danger. Treat it accordingly.
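One way to enforce what this paragraph calls for, as an added example that is not from the article or from any product it names: a tool-call gate in Python in which the tool allowlist, the spending caps, and the human sign-off requirement live outside the model, so an agent that has been talked into "believing" it holds $500,000 authority still cannot exercise it, and every attempt is logged. Tool names, cap values and the proposal format are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Policy lives outside the model: nothing the agent is told, reads, or
# "remembers" can change these numbers. Values are assumed for illustration.
SPENDING_CAP_PER_ACTION = 5_000.00
DAILY_SPENDING_CAP = 20_000.00
ALLOWED_TOOLS = {"read_catalog", "create_draft_po", "approve_po", "send_email"}
IRREVERSIBLE_TOOLS = {"approve_po", "send_email"}   # require a human sign-off


@dataclass
class ToolGate:
    spent_today: float = 0.0
    audit_log: list = field(default_factory=list)

    def _record(self, tool, args, decision, reason):
        # Every call is logged, allowed or denied, so the trail shows what the
        # agent attempted, including the slow drift of a poisoning campaign.
        self.audit_log.append({"tool": tool, "args": args, "decision": decision, "reason": reason})
        return decision == "allow", reason

    def check(self, tool, args, human_approved=False):
        """Return (allowed, reason) for one proposed tool call."""
        if tool not in ALLOWED_TOOLS:
            return self._record(tool, args, "deny", "tool not on allowlist")
        if tool in IRREVERSIBLE_TOOLS and not human_approved:
            return self._record(tool, args, "deny", "irreversible action needs human sign-off")
        if tool == "approve_po":
            # The gate reads only the amount; any "claimed_authority" the agent
            # asserts about itself is ignored because it is not a policy input.
            amount = float(args.get("amount", 0))
            if amount > SPENDING_CAP_PER_ACTION:
                return self._record(tool, args, "deny", f"{amount:,.2f} exceeds per-action cap")
            if self.spent_today + amount > DAILY_SPENDING_CAP:
                return self._record(tool, args, "deny", "daily cap would be exceeded")
            self.spent_today += amount
        return self._record(tool, args, "allow", "within policy")


def process_proposals(gate, proposals, approvals=()):
    """Run a batch of agent-proposed calls through the gate; `approvals` holds
    the indices a human signed off on before anything executes."""
    return [gate.check(p["tool"], p["args"], human_approved=i in approvals)[0]
            for i, p in enumerate(proposals)]
```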
The Defense: Rise of the Agentic SOC
The good news is that defense is industrializing too, and faster than many expected. The same agentic architecture that attackers abuse is being turned into autonomous defense.
CrowdStrike shipped its Falcon Agentic Security Platform in fall 2025, putting AI agents to work on triage, investigation, and response inside the SOC. Microsoft followed in April 2026 with its vision of "the agentic SOC" — security operations where fleets of specialized AI agents handle the volume no human team can: every alert investigated, every anomaly correlated, around the clock.
The early results are striking. Microsoft reported in May 2026 that Defender now disrupts ransomware attacks in an average of three minutes — a window in which a human analyst might not even have opened the ticket. Its "predictive shielding" capability goes further, restricting the attack paths an intruder is statistically likely to take next, while the intrusion is still unfolding. Security Copilot in Microsoft 365 E5 now ships with twelve autonomous agents covering phishing triage, vulnerability remediation, and identity protection.
This is the real meaning of "AI vs. AI": machine-speed offense has made machine-speed defense mandatory. A SOC that escalates everything to a human queue is structurally too slow for 2026. But — and I say this as someone who has run operations, not just technology — an agentic SOC does not eliminate the human team. It changes their job from triaging alerts to supervising, tuning, and auditing the agents that do. If you cannot explain what your defensive agents did last night and why, you have not automated your SOC; you have abdicated it.
What This Means for the Gulf
For those of us working in Saudi Arabia and the wider Gulf, this picture has a regional sharpening. Saudi Arabia declared 2026 the Year of AI. HUMAIN is building national AI infrastructure at extraordinary scale; the UAE's Stargate project is doing the same next door. Government services, banking, energy, and logistics are adopting AI agents faster than almost anywhere on earth.
Rapid adoption is the right strategy — but every deployed agent, every new model endpoint, every AI-integrated workflow is also new attack surface, created at the same speed. Regions that adopt fastest will be probed hardest, because that is where the freshest, least-hardened deployments live. The organizations that will thrive here are the ones that treat AI security as a precondition of AI adoption, not a retrofit. Build the governance, identity controls, and monitoring for your agents in the same sprint you deploy them — not in the post-incident review.
The Human Layer Is Still the Target
Step back from the technology and notice what almost all of these attacks have in common. The Arup heist did not exploit code; it exploited an employee's deference to authority and his reluctance to challenge what his own eyes showed him. The procurement-agent fraud exploited an organization that gave a system authority without supervision. AI phishing works because it mirrors how we actually write to each other.
These are failures of trust calibration and organizational behavior, not failures of encryption. Which means the fix is partly managerial, not purely technical: who is allowed to verify what, who feels safe saying "I won't process this until I confirm out-of-band," and whether your culture punishes the person who slows down a fraudulent payment that looked urgent.
Most security failures I have investigated were visible to someone in the organization before they happened. The real question is why nobody felt able to act on what they saw.
This is the same blindness I wrote about in The Blind Manager: leaders who see dashboards but not behavior, controls but not incentives. Deepfakes simply weaponize that blindness. An organization where a junior employee can halt a CFO's "urgent" request without fear is harder to defraud than one with twice the security budget and a culture of silent compliance.
A Defensive Checklist for This Quarter
None of this requires a multi-year program to start. Here is what I would put in motion before the quarter ends:
- Kill voice and video as proof of identity. Mandate out-of-band verification — a callback to a known number, or a code word — for any payment, payroll change, or credential request, regardless of who appears to ask. Write it into the finance procedure, not just the awareness deck.
- Set dual approval thresholds for transfers so that no single person, however convinced, can complete a large payment alone. Arup's loss was 15 separate transfers; a second approver breaks that chain at transfer one.
- Inventory your AI agents and their permissions. List every AI system that can read your data or take actions, what tools it can call, and what it can approve. Most organizations cannot produce this list today. Produce it.
- Apply least privilege to agents like you would to admins. No standing approval authority, spending caps enforced outside the model, human sign-off on irreversible actions, and logging of every tool call.
- Test for prompt injection before attackers do. Red-team your deployed assistants with hostile content in emails, documents, and web pages they ingest. If 73% of production deployments are vulnerable, assume yours is until proven otherwise.
- Pilot agentic defense where volume hurts most. Start with phishing triage and alert correlation, measure time-to-containment, and keep humans reviewing the agents' decisions weekly.
- Run a deepfake-specific exercise. Simulate a cloned-voice call from "the CEO" to your finance team and see what actually happens. The result will tell you more than any policy document.
- Reward the challenge, loudly. When someone delays a transaction to verify it, recognize them publicly — even when the request turns out to be genuine. You are training the reflex that saves you.
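The first two checklist items as a finance control written in code, added here as an example that is not from the article: a transfer passes only with out-of-band verification performed by someone other than the requester (a live voice or video call is deliberately not an accepted channel), and a second, independent approver is required once the amount, or the cumulative amount to the same beneficiary in a recent window, reaches the dual-approval threshold. The aggregation step goes slightly beyond the text, so that splitting one payment into many small transfers cannot stay under the line. The threshold, the window, and the channel names are assumed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Channels that count as out-of-band verification. A live call is absent on
# purpose: in the Arup case the call itself was the deception.
OUT_OF_BAND_CHANNELS = {"callback_known_number", "code_word"}
DUAL_APPROVAL_THRESHOLD = 10_000.00     # assumed policy value, not from the article
AGGREGATION_WINDOW = timedelta(days=7)  # assumed window for chained transfers


@dataclass
class Transfer:
    amount: float
    beneficiary: str
    requester: str        # person who received the payment instruction
    verifier: str = ""    # person who performed the out-of-band check
    channel: str = ""     # how the verification was performed
    approver: str = ""    # second approver for large or chained amounts


@dataclass
class TransferPolicy:
    history: list = field(default_factory=list)  # (timestamp, beneficiary, amount)

    def recent_total(self, beneficiary, now):
        cutoff = now - AGGREGATION_WINDOW
        return sum(a for t, b, a in self.history if b == beneficiary and t >= cutoff)

    def evaluate(self, tr, now=None):
        """Return (allowed, reason); a rejection names the first failing control."""
        now = now or datetime.now()
        if tr.channel not in OUT_OF_BAND_CHANNELS:
            return False, f"verification channel '{tr.channel or 'none'}' is not out-of-band"
        if not tr.verifier or tr.verifier == tr.requester:
            return False, "verification must be done by someone other than the requester"
        # Split payments count toward the threshold together, so the
        # "15 separate transfers" pattern cannot stay below the dual-approval line.
        exposure = tr.amount + self.recent_total(tr.beneficiary, now)
        if exposure >= DUAL_APPROVAL_THRESHOLD:
            if not tr.approver:
                return False, f"cumulative {exposure:,.2f} to {tr.beneficiary} needs a second approver"
            if tr.approver in (tr.requester, tr.verifier):
                return False, "second approver must be independent of requester and verifier"
        self.history.append((now, tr.beneficiary, tr.amount))
        return True, "approved"
```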
The age of AI-versus-AI security is not coming; the Arup transfer cleared two years ago, and the tooling on both sides has only compounded since. The attackers have automated persuasion. Our answer has to be automated defense plus something machines still cannot fake: an organization where people are expected, and empowered, to verify.