      Governments are beginning to scrutinise the release of powerful AI models from a security perspective. This stems from a new assessment: AI is evolving into a critical infrastructure – comparable to energy, cloud computing or payment systems.

      For businesses, this means two things: AI accelerates and automates attacks, lowers barriers to entry and thereby shifts the balance of power in cyberspace. At the same time, new dependencies are emerging on models, platforms and data that are often beyond their own control.

      This also changes the role of cyber security. When AI systems control key processes, attacks or failures can become directly business-critical – not just for individual applications, but for entire value chains.

      Five areas of focus for managers

      • Managing risks in the context of AI in a systemic manner

        Existing security models implicitly assume that there is a time lag between the discovery and exploitation of a vulnerability – allowing time for patches, detection and response. AI drastically reduces this time window.

        Cyber resilience must therefore no longer be primarily based on known threat scenarios. The crucial question is what systemic knock-on effects arise when AI scales, automates and adapts attacks.

      • Building cyber resilience rather than focusing solely on prevention

        The assumption that attacks can be completely prevented is becoming less tenable, as AI increases the frequency and variety of potential attack scenarios. This shifts the focus: it is not just protective measures that matter, but the ability to stabilise the situation in the event of an emergency. Cyber security is thus becoming an integral part of resilience and operational control.

        Key questions include:

        • How quickly, and in how controlled a manner, can our processes continue to run in the event of a cyber attack?
        • How quickly can our digital infrastructure and digital products be isolated and restored?
        • How can management remain capable of making decisions under the time pressure of an AI-based attack?

      • Making AI dependencies and new vulnerabilities transparent

        The use of AI brings with it new dependencies that often lie outside the organisation itself. Models, training data, cloud infrastructures and interfaces are becoming an integral part of business processes – without these dependencies always being consciously managed.

        This is precisely where the risk lies. When core processes rely on external components, potential vulnerabilities arise that are beyond direct control. Companies therefore face the task of making it clear where AI is used in a business-critical manner and which external structures play a role in this.

      • Embedding cyber security as a management priority

        As the importance of AI grows, so too does the role of cyber security within organisations. Security issues no longer concern IT alone, but have a direct impact on business models, regulatory frameworks and market confidence.

        Furthermore, government bodies are increasingly viewing AI as part of critical infrastructure. Cyber security and resilience therefore belong at board level – with clear decision-making and escalation processes. Not as a supervisory body, but as a strategic enabler of trust, stability and marketability.

      • Actively shaping resilience within the ecosystem

        Companies no longer operate in isolation, but within complex digital ecosystems. Supply chains, platforms and shared infrastructure link organisations closely together – thereby creating new vulnerabilities.

        Internationally, it is evident that even state actors are increasingly relying on cooperation to address these risks. For companies, this means that resilience cannot be built up exclusively internally. It arises through collaboration with partners, service providers and relevant institutions. 


      What this means in practical terms for decision-makers

      Cyber resilience should be seen as a strategic capability – not merely a protective function.

      This includes:

      • Integrating AI risks into enterprise risk and resilience models
      • Actively testing decision-making ability under cyber stress
      • Proactively managing dependencies on AI providers and platforms
      • Strengthening the collaboration between cyber security, business and senior management

      Our experts will help you identify AI-related risks, develop resilience strategies for critical processes, and realign governance and decision-making structures. 

      FAQ

      Why is AI increasingly regarded as critical infrastructure?

      AI systems are increasingly being used to manage core business processes and are deeply embedded within value chains. As a result, any failures or tampering do not remain isolated incidents, but can quickly have company-wide or systemic repercussions.

      What distinguishes AI-driven cyber risks from traditional cyber threats?

      AI accelerates and automates attacks, significantly reducing the time between the detection and exploitation of vulnerabilities. This increases not only the speed and number of potential attacks, but also their sophistication.

      Why is traditional prevention no longer enough in the age of AI?

      The idea of completely preventing attacks is becoming increasingly unrealistic. What will be crucial is the ability to maintain critical processes even under cyber stress, to respond quickly and to stabilise the situation in a controlled manner. Resilience is therefore becoming a key performance indicator.

      What role do external AI dependencies play in cyber resilience?

      Models, training data and cloud infrastructures are often beyond an organisation’s control, yet at the same time they are becoming an integral part of business-critical processes. These dependencies create new vulnerabilities and require targeted transparency and control.


      Your contact

      Marko Vogel

      Partner, Consulting – Cyber Security & Resilience, Head of Cyber Security & Resilience

      KPMG AG Wirtschaftsprüfungsgesellschaft