Adoption of AI agents and automated workflows create new categories of non-human identities that can inadvertently amplify the impact of a cyber attack
Meanwhile, cybercriminals are using AI to create personalized attacks and identify and exploit most damaging secret corporate information
The number of businesses paying ransoms has increased for the first time in two years, with industrials and manufacturing companies paying more ransoms, likely due to the operational disruption caused by ransomware attacks
A new report from global cyber security and corporate intelligence firm S-RM and global stakeholder strategy firm FGS Global predicts the wide-spread adoption of AI by global corporates could pose new cyber vulnerabilities if implemented too quickly and without appropriate guardrails.
As organizations deploy more AI agents, automated workflows, and API-driven integrations to drive efficiency and performance, they create new categories of non-human identities with sometimes broad-ranging privileges. These privileges could, inadvertently, give attackers even greater access to a company’s systems and make it harder for organizations to understand what data has been accessed and what has been done with it. Compromised automation systems may interact with dozens of services, process thousands of transactions autonomously, and behave in unpredictable ways which will require security teams to develop new approaches to monitor these non-human identities, as well as frameworks for containing and investigating incidents involving compromised AI systems.
At the same time, cybercriminals are using AI to help them find and exploit the information that would be most damaging to an organization if it was exfiltrated or unavailable. Cybercriminals are learning which data types generate the most pressure for payment – including customer information, intellectual property, regulatory violations and material that could trigger additional legal liabilities – and are using AI to quickly review and categorize data.
Other key predictions for 2026 identified in the report include:
Established ransomware groups will continue to dominate: A handful of prolific, well-established threat actor groups will continue to dominate headlines and victim counts, including the likes of Akira, Qilin and Scattered Spider/ShinyHunters, while smaller newcomers emerge with regularity.
Ransomware attacks will get faster: Ransomware operators have become increasingly sophisticated in their automation, organization, and execution. What once took weeks now takes days, and what took days, now takes hours.
Increasing emergence of the “speed paradox”: As attacks become faster, organizations will have dramatically less time to respond before trust begins to erode. Businesses will therefore increasingly face a "speed paradox": communicating quickly to maintain trust, but often with incomplete data, or waiting for certainty, which can signal organizational paralysis.
In today’s hyper-connected world, managing reputation during a cyber incident has become more critical than ever. Companies need to contend with the continued acceleration of the professionalization and sophistication of cybercriminals’ engagement and communications with victim organizations. While AI has ensured written communications are more polished and verbal communications more realistic, threat actors have become more aggressive in their briefing of the media as a way to exert pressure on companies, as well as calling out what they deem to be misleading communications in the media – leaving companies red-faced about some of their early communications which attempted to size and scale the problem before they had all the facts.
At the same time, the steady emergence of smaller, relatively unknown groups – both genuine newcomers and rebrands of disrupted operations – will create growing unpredictability for companies trying to control their stakeholder communications in a ransomware attack.
Jamie Smith, Global Managing Director, Cyber Security at S-RM commented:
“We are moving into uncharted territory where the speed and sophistication of cyber attacks are out maneuvering traditional defenses. What once took weeks now takes days, and what took days, now takes hours. Attackers are no longer just encrypting systems; they are using AI to find the most sensitive information that could cause maximum damage to an organization and using this as leverage. The result is more targeted extortion that goes beyond generic threats of data publication. Threats are becoming specific and more personalized, designed to maximize the victim’s fear and willingness to pay."
“As more companies embed AI agents in their workflows, the risk rises exponentially. AI agents should be treated as untrusted identities, with least-privilege access to systems, continuous monitoring and explicit segmentation from sensitive systems or AI adoption risks creating privileged, opaque intermediaries that threat actors can manipulate for maximum harm."
“Meanwhile, while we expect some disruption to the operations of certain well-established threat actor groups in 2026, it is important to not get complacent. The knowledge, relationships, and capabilities that made a group successful don’t disappear when a brand is disrupted. This resilience means that while individual group names may come and go, the overall threat level will remain relatively constant, with experienced operators continuing their activities under new identities.”
Jenny Davey, Global Co-Head of FGS Global’s Crisis & Issues Management Practice, added:
“Ransomware incidents are highly feared by Boards and leadership teams, and for good reason. As recent high-profile attacks have shown, they can have crippling consequences on a business’s operations, financial situation and reputation – and the knock-on effects can be significant and far-reaching.
“As Boards consider the implementation of AI agents and automated workflows across their business, they must be mindful that it can be a double-edged sword: while AI can drive efficiency and performance across the business, it can also open up new attack vectors for cybercriminals to exploit and therefore present new reputational risks. Boards must also remain mindful of how AI is enabling cybercriminals to be more sophisticated in communications and engagement with victim organizations, and how it is driving and sharpening threats that are cyber-adjacent, such as deepfakes, synthetic media and misinformation campaigns. These can be particularly reputationally damaging if not handled swiftly and with care.
“In today’s complex and rapidly evolving environment, organizations who treat security posture, operational resilience and stakeholder engagement as one, with a holistic, agile and tested approach, will fare better and maintain trust when they’re hit with the inevitable.”
The full report is available here.
About S-RM
S-RM is a cyber security and corporate intelligence consultancy. We provide intelligence, resilience and response solutions to organizations worldwide. Founded in 2005, we have 400+ experts across nine international offices, serving clients across all regions and major sectors.
About FGS Global
FGS Global is the world’s leading stakeholder strategy firm, with over 1,500 professionals around the world, advising clients in navigating critical issues and reputational challenges.
FGS offers seamless and integrated support with offices in the following locations: Abu Dhabi, Amsterdam, Beijing, Berlin, Boston, Brussels, Calgary, Chicago, Dubai, Dublin, Düsseldorf, Frankfurt, Hong Kong, Houston, Kingston, London, Los Angeles, Munich, Paris, Riyadh, San Francisco, Shanghai, Singapore, South Florida, The Hague, Tokyo, Toronto, Vancouver, Washington, D.C. and Zurich. The firm is headquartered in New York. FGS is consistently ranked as a Band 1 PR firm for Crisis & Risk Management and for Litigation Support by Chambers and Partners. For the fourth consecutive year, FGS was ranked #1 Global M&A PR firm by Deal Value and Deal Count in 2025 by Mergermarket.
For more information, please contact: Crisis-UK@fgsglobal.com