Intelligence in Risk Advisory + Compliance

Trust Problems – Why AI Is a Board-Level Issue

By Matt Donato
Posted on Mar 13 / 2026

For years, phishing has been treated as a security operations problem. The prescribed solutions were familiar: train employees better, deploy stronger email filters, run more simulations. 

That approach is no longer sufficient. 

Artificial intelligence has fundamentally changed how social engineering works. What was once labor-intensive and inconsistent can now be executed at scale with near-perfect quality. The result is a threat that moves at business speed, uses business-level sophistication, and exploits the very behaviors organizations encourage - responsiveness, trust, and efficiency. 

This is no longer just a security issue. It is a trust governance problem. 

 

The Shift 

Historically, phishing was easy to spot. Poor grammar, generic greetings, awkward phrasing, and obvious urgency gave attackers away. Employees were trained to look for those signals, and for a long time, that worked. 

AI has eliminated that advantage. 

Today’s attacks arrive with flawless language, accurate context, and messaging that mirrors your organization’s communication style. They reference real projects, real vendors, real colleagues, and real business workflows. When a message sounds exactly like your CFO asking about a vendor payment, or a department head requesting urgent access, distinguishing legitimate from fraudulent becomes genuinely difficult - even for experienced professionals. 

What once required significant time, research, and expertise can now be generated in minutes. Attackers can produce thousands of unique, context-aware messages on an industrial scale, each tailored to its recipient. Social engineering is less and less “handcrafted” - it’s automated. 


Why This Matters Now 

The threat model has changed in three critical ways. 

First, attacks now move at the same velocity as normal business operations. In organizations where speed and responsiveness are rewarded, hesitation feels like failure and attackers exploit that dynamic. 

Second, these messages are often indistinguishable from legitimate communication. The traditional “tells” no longer exist. Every organization, regardless of size or industry, is now a viable target for sophisticated social engineering. 

Third, and most importantly, these attacks don’t require malware, malicious links, or technical exploitation. An AI-crafted message can persuade employees to share credentials, approve payments, alter configurations, or bypass controls entirely. The attack succeeds by exploiting trust, not technology. 

In real-world testing, even mature organizations are finding that well-designed AI-assisted pretexts, whether via email, phone, or messaging platforms, can achieve extraordinarily high success rates. This isn’t a failure of awareness. It’s a reflection of how convincing these attacks have become. 


The Real Vulnerability 

When employees respond to a convincing request from an apparent colleague or trusted partner, they are doing exactly what the organization expects them to do: be helpful, be responsive, and trust internal communication. 

Framing this as “user error” misses the point entirely. 

The vulnerability isn’t employee judgment - it’s how organizations design and govern trust. 

Traditional security controls - spam filters, malware scanners, reputation systems - were built for a different era. They are excellent at catching noise and known patterns. They were never designed to detect plausible, context-aware human communication that looks and feels legitimate. 

AI-driven social engineering operates in the gap between technical controls and human workflow. That gap is now where the highest-impact risk lives. 


What Has to Change 

This is no longer a problem technology alone can solve. It requires rethinking how trust flows through the organization. 

The strategic question becomes: 
Where do we implicitly grant trust without verification, and what happens if that trust is exploited? 

High-risk actions - financial approvals, credential resets, access changes, sensitive data requests - must require verification that is independent of the original communication channel. Crucially, that verification cannot feel exceptional or punitive. It must be normalized, expected, and embedded into everyday workflows. 

This represents a shift: 

  • From awareness to architecture
  • From training employees to spot attacks to designing systems that don’t require them to
  • From reacting to incidents to proactively identifying where processes rely on unverified trust 


Why This Is a Leadership Issue 

AI didn’t invent social engineering - it industrialized it. 

Attacks now operate with the same speed, polish, and contextual awareness as everyday business communication. That reality demands a reframing at the highest levels of the organization. 

The conversation must shift from employees failing to spot phishing to organizations failing to govern trust

This is a business risk problem on par with financial controls, regulatory compliance, and operational resilience. It belongs in enterprise risk discussions, not just security operations meetings. 

The question for leadership is no longer whether employees can identify sophisticated attacks. It’s whether the organization has designed systems where a single point of trust - an email that “looks right,” a call that “sounds right” - can trigger material financial or operational consequences. 

In an environment where AI makes precision social engineering accessible to anyone, that is no longer an acceptable risk posture. 

Are you ready to get started?