
Shadow AI is breaking corporate security from within

Leaders in the field of cybersecurity are aware that the attack surface has been expanding over time. The recent State of Information Security Report 2025 by IO highlights the rapid convergence of new risks. Based on feedback from over 3,000 security experts in the US and UK, the report identifies three key areas influencing high-level discussions this year: AI, compliance, and supply chain security.

AI is now integrated into security operations and business workflows. Nearly 80% of respondents reported that their organizations implemented AI or machine learning in the past year. However, many are facing challenges in handling it responsibly. The report highlights shadow AI as a significant problem, with 37% of employees using generative tools without proper authorization. This behavior exposes organizations to risks such as inadvertent data disclosure and GDPR violations.

Threat actors are taking advantage of AI as well. Tactics like data poisoning, deepfake impersonation, and AI-generated phishing attacks are becoming common methods of exploitation. Survey participants expressed concerns about AI-powered misinformation and disinformation being the primary threat over the next year. Despite this, most organizations are looking to invest in AI-driven defenses for detection, validation, and governance tools. While AI expands vulnerabilities, it also plays a crucial role in strengthening resilience efforts.

AI has always been a two-sided tool: it offers great potential while its risks evolve as fast as the technology itself. Many organizations rushed into adopting AI and are now facing the consequences. Adding shadow AI to the equation underscores the urgent need for robust governance to safeguard both businesses and the general public, as highlighted by Chris Newton-Smith, CEO of IO.

The report reveals that 71% of companies faced fines in the previous year due to data breaches or compliance breaches, with nearly one-third paying penalties exceeding £250,000. Consequently, many firms now view compliance frameworks like ISO 27001 and SOC 2 not only as mechanisms to avoid penalties but also as tools for instilling trust, enhancing decision-making processes, and exploring new markets.

However, compliance remains a challenging task. Two-thirds of respondents admitted to struggling with managing requirements internally, with smaller enterprises feeling the pressure more intensely. The recurring complaint concerns the speed and complexity of regulatory change, with calls for more alignment across jurisdictions. Despite these obstacles, nearly all organizations rank achieving or maintaining certifications as a top priority.

Supply chains remain vulnerable to exploitation by cyber attackers; 61% of respondents reported their companies experiencing incidents involving third parties in the past year. These incidents often resulted in data breaches affecting customers or employees, financial losses, and damage to reputation.

Regulatory attention is increasingly focusing on this area. New mandates under NIS2, DORA, and the UK’s Cyber Security and Resilience Bill are compelling firms to enhance oversight of their suppliers. According to the report, 64% of organizations plan to boost spending on third-party risk management this year, with 80% having already reinforced their programs. Nevertheless, smaller suppliers pose a concern due to their limited investment in risk mitigation controls compared to larger counterparts.