Companies are paying the price of prioritising AI over security


By Bruce Bennie, Area Vice President for Australia and New Zealand, Fastly

Companies accelerating the deployment of Artificial Intelligence (AI) are advancing at a pace that is outstripping their ability to secure it.

At the same time, the fundamentals of how organisations design and operate technology systems are shifting. AI is introducing new dependencies, integration layers, and system behaviours that conventional security models were not built to accommodate.

Modern AI systems and autonomous agents require broad access to sensitive corporate data sets, along with the ability to process and act on that information at scale. This challenges established approaches to identity and privilege management, which have traditionally relied on tightly controlled and predictable access boundaries.

Fastly’s recently released Global Security Research Report[1] found that at this early stage of wide-scale adoption, so-called ‘AI-first’ organisations are showing significant vulnerabilities compared to those taking a more measured approach. This has been dubbed an ‘AI speed tax’.

The challenge of being ‘AI-first’

An ‘AI-first organisation’ is defined as one that has deployed AI across workflows and incorporates AI into new projects by default.

These rapid adopters are experiencing weaker resilience to attacks and slower incident response. Indeed, the research found AI-first organisations are grappling with almost seven-month recovery timelines, a full 80 days longer than others.

The impact is likely to be protracted across sectors like finance and retail that are highly reliant on digital services. These sectors, prominent in the Australian economy, have faced high-profile attacks in the past year due to the sensitive customer data they hold.

AI has become a new attack surface

Longer recovery timelines are only part of the widening performance gap between AI-first organisations and their peers. Cyber criminals are increasingly focusing on AI infrastructure, with AI-first firms absorbing a disproportionate share of the impact.

Nearly half (48%) of AI-first organisations reported that AI was directly exploited in an attack over the past year, compared with just 10% for non-AI-first organisations. The architecture of AI systems, including agentic workflows and more decentralised data flows, is also creating additional entry points for threat actors.

At the same time, the scale and complexity of AI-related infrastructure change is producing early-stage operational friction as security teams adapt to new tools and working models. According to the report, AI was identified as a contributing factor in security oversights for 42% of AI-first organisations.

The rapid adoption of new systems without mature controls is leaving organisations exposed, with minor missteps more likely to escalate into material security incidents.

Improving security in an AI-driven world

It’s clear AI adoption is going to continue rising in Australia and around the world. In the same way that AI-first businesses are making AI central to operations, security has to be a consideration from the outset of projects, not retrofitted after the fact.

The key steps to securely scaling operations in today’s threat landscape are:

1. Follow a ‘secure-by-design’ strategy

Embedding security architecture into systems from the outset allows organisations to accelerate delivery with greater confidence. This is reflected in industry findings showing 81 per cent of organisations report that resilience investments have enabled them to safely increase the pace of innovation.

However, extending a secure-by-design approach to AI systems introduces additional complexity. Many business leaders are still developing mature governance frameworks, particularly around accountability when incidents occur.

As a result, there is a growing case for security leaders to be embedded earlier in strategic decision-making processes rather than consulted post-design.

2. Heighten system visibility

Visibility also needs to be improved to provide organisations with a clearer picture of where AI is being used. Mapping AI use and ensuring each employee is aware of their role in protecting the business prevents blind spots and individual oversights from hampering progress.

This includes understanding not just sanctioned tools, but also the extent of shadow AI across the organisation.

3. Protect the new perimeter

AI systems are powered by web applications and APIs, which are now key targets for attackers. Ensuring the right security monitoring and alerting is in place is essential to maintaining control over both internal systems and external access points.

4. Ensure ownership is clear

More than half of AI-first businesses lack clear ownership of incident response, compared to just 23% of others. AI is blurring traditional boundaries between teams, making it harder to define responsibility when incidents occur. Upskilling existing teams and establishing clear accountability will help organisations respond more effectively when issues arise.

Creating an ingrained AI mindset

Early adopters of AI need not decelerate their efforts, but they do need to recognise that robust security is a prerequisite for sustained success. Organisations rapidly reshaping their cultures to enable AI-driven innovation can scale with greater confidence where security leadership is embedded in AI strategy from the outset, and where the security implications of every employee’s role are clearly defined.

Those that strike the right balance between speed and control will be best placed to capture the upside of AI without incurring disproportionate risk. Those that do not will continue to incur an AI Speed Tax.


[1] https://learn.fastly.com/the-ai-speed-tax.html