ACCORDING to the Information Commissioner's Office (ICO), getting the basics right, understanding the threat and putting in place multi-layered defenses are key to protecting organisations from AI-powered cyber threats. The ICO released a five-step guide on 14 May 2026 to help organisations proactively prepare for emerging AI-driven attacks, urging cyber resilience and appropriate security measures to build public trust.
It points readers to the National Cyber Security Centre’s updated Cyber Assessment Framework to understand how adversaries use AI in attacks or target corporate AI systems. The ICO’s outlined threats include AI-enhanced phishing, deepfake-driven social engineering, automated vulnerability scanning and exploitation, AI-powered malware that adapts in real time, credential stuffing and data poisoning of AI models, and indirect prompt injection attacks.
Basic controls should include Cyber Essentials and the Cyber Governance Code of Practice, a solid patching process, and multi-factor authentication on remote access, admin accounts and email, with a dynamic threat-based security approach. Organisations should also meet GDPR obligations with measures such as data minimisation, DPIAs for high-risk data, and encryption to reduce breach impact.