Over the last 12 months, security teams continued to walk a tightrope between moving fast to adopt new technologies and facing escalating threats fuelled mostly by the rise of AI. As the year comes to a close, CISOs reflect on some of the takeaways that have shaped the security landscape in 2025.
1. AI gave defenders more muscle power
If 2024 was the year AI crept into cybersecurity, 2025 was the year it took over, with Smartsheet CISO Ravi Soin describing the technology as being “transformational”.
“There isn’t a single company or single user across the globe that hasn’t really faced the effects of [AI] in one shape or another,” he says.
AI has reduced manual work and tightened controls over large attack surfaces. It helped mapping controls to the data evidence in a faster way, Soin tells. “Before we were manually collecting evidence, we were making sure our systems were going through it. But now we can pull this together in a very efficient manner.”
AI gave security teams – and businesses more broadly – a huge productivity boost, reducing their reliance on external consulting and research firms, according to Calendly CISO Yassir Abousselham. “We’re able to do a lot more. It’s like having the entire human knowledge in our pockets.”
2. AI forced companies to rethink their security strategies
At the same time, Abousselham notes how the rapid rollout of AI forced companies to shift their resources to keep pace with the change, while maintaining safe product releases. He calls 2025 the “chaotic introduction of agentic AI”.
“I don’t think the industry was ready or expected the rapid developments of this technology, and how every single organization is trying their best to be a first mover and essentially moved all – or a good chunk – of their investment in just deploying and developing products and features around artificial intelligence. That trend impacted security … and forced us to refocus our investments, and in some cases, replan a lot of the priorities that we had already in place.”
3. AI supercharged attackers
The same technology powering defenses allowed adversaries to move faster, target more precisely, and scale campaigns that used to require human effort. The contrast between attack styles has become increasingly stark. While some campaigns remain undetected for months and quietly move through networks to expand access and exfiltrate data, there are others that are executed in minutes, and attackers complete their objectives before alerts are triggered.
“Swifter attacks are being fueled by artificial intelligence. Threat actors are leveraging AI to automate reconnaissance, craft highly personalized lures, and generate audio and visual deepfakes that exploit human trust at scale,” Mandy Andress, CISO of Elastic, says. “The result is a growing convergence of technical and psychological attack surfaces that target the human link or use AI to rapidly bypass traditional signature-based detection and rule-based systems.”
That convergence is already showing up in the most common entry points. Soin sees this happening directly in phishing and social engineering. “You used to detect a phishing email by spotting grammatical errors in an email or because a logo didn’t look right. Now you have perfectly crafted emails. You have deepfakes. You have systems that can be compromised no matter how sophisticated they are. It’s truly uncharted territory.”
The same trend has been playing out in tooling, according to Amit Jain, global head of cybersecurity and GRC services at HCLTech. Attackers are upgrading the sophistication of their code. “AI-led adversaries were the biggest emerging threat this year, using generative AI for generating evasive self-modifying malicious code, deep fakes, precision phishing, and automated exploit development.”
4. The threat actor is now a machine
The rise of AI-driven adversaries has fundamentally changed what a “threat actor” looks like. What used to be a human sitting behind a keyboard is now an automated system that never tires, never slows down, and constantly learns.
“As AI gets smarter and smarter, they’re learning about the defenses you have in place, coming up with counterattacks that can defeat your defenses, going back in time for the last 10 years of vulnerabilities that may still be exposed, and using them in creative ways to get at it,” Soin says.
This has pushed the threat landscape into entirely new territory. “We’re in very uncharted territory from a cyber perspective, where the notion of AI has made it easier for threat actors to become smarter in how they attack you.”
5. Non-human identities exploded
As organisations raced to deploy AI agents, automation pipelines, and machine-to-machine workflows, Abousselham believes it also led to the explosion of non-human identities. He explains how every AI agent, whether it’s an autonomous workflow tool, an API-driven integration, or an MCP client, now requires its own identity with permissions, access levels, and lifecycle management, and the pace is accelerating faster than most security teams are prepared for.
This rise in machine identities has already driven significant investment, not just in human bandwidth, but in new solutions and technologies capable of managing identity operations at scale.
“There is a need for an acceleration in how we onboard, maintain, and manage these identities … we must ensure these agents are governed, managed, properly authenticated and authorized, and that we can deprecate them at the end of their cycle,” Abousselham says.
And this shift isn’t limited to AI agents alone. Andress says the industry has doubled down on fundamentals as identity sprawl grows, particularly around the configurations and controls that underpin both human and non-human access. “This includes protecting non-human identities, such as API keys, tokens, and service accounts, which have become common entry points for attackers,” she says.
6. Third-party risk took centre stage
Third-party attacks surged in relevance throughout 2025 as organizations expanded their technology stacks and adopted more SaaS platforms, AI tools, and automated integrations.
Pointing to recent breaches involving major service providers like Salesforce, Soin says high-profile incidents are a reminder that an organization’s risk surface extends far beyond its own perimeter. “When companies depend on third-party software, it becomes even more important for us to think through the stack of what that looks like and ensuring that enterprises are depending on technologies that have security at the forefront in what they do,” he says.
Jain observes that 2025 marked a turning point in how organizations approached governance and vendor oversight, noting there was stronger alignment between compliance, governance, and resilience, supported by automation, advanced analytics, and continuous third-party assurance. “In essence, 2025 was the year when cybersecurity pushed itself to become a shared business responsibility rather than a siloed security function.”
While stronger governance and automated oversight provide the framework, Jain emphasizes that security ultimately depends on the daily decisions of everyone in the organization. “True security comes from habit, behavior, and culture. Every click, every decision, every configuration, every third-party integration now carries weight.”
7. Regulatory pressures hit the board
Government oversight grew stricter in 2025. Regulations demanded faster reporting, tighter controls, and accountability at the senior leadership level, according to Jain. “Boards are no longer satisfied with compliance checklists. They expect measurable resilience, ROI in terms of risk optimization, demonstrated preparedness, and continuous reporting. This has made cybersecurity a strategic lever, influencing M&A decisions, supply chain partnerships, and even go-to-market business strategies.”
Meanwhile, international frameworks like IRAP, ISO, and NIST are being enforced more rigorously, says Soin. “Standards may not have changed as much as we think they have. But the enforcement of those standards is getting stricter. We’re seeing a lot more, as an example, customer contracts or regulations on expectations from customers, and for the right reasons.”
No Responses