AI use outpaces governance in Australia & New Zealand

KnowBe4 has published research on AI and human-related cyber risk in Australia and New Zealand. The study found that 64% of organisations in the region already use AI agents that take autonomous actions within workflows.

The findings point to a widening gap between the spread of AI tools in day-to-day work and the controls used to govern them. Among surveyed organisations in Australia and New Zealand, 50% said their AI use was unapproved or ungoverned. Meanwhile, 59% of employees said they commonly source their own agentic AI tools when approved options are unavailable or too restrictive.

The survey covered 75 security decision-makers and 200 employees in Australia and New Zealand as part of a wider global poll of 4,000 professionals at organisations with 250 or more staff.

Deepfake concern

Alongside the rise of autonomous AI tools, the research found widespread concern about deception targeting employees. In Australia and New Zealand, 85% of workers said deepfake voice and video content is now so realistic that it is impossible to know what to trust, and 68% said they could be tricked by a deepfake scam at work.

That view contrasts with the confidence expressed by managers. The study found that 93% of leaders believed employees could identify impersonation messages sent through internal tools, while 88% said staff could identify deepfake voice and video content.

The figures suggest a disconnect between frontline staff and decision-makers over how prepared organisations are for impersonation and manipulation attacks. They also come as 49% of cybersecurity leaders in the region identified AI-enabled attacks as a main driver of future human-related cybersecurity risk.

Human behaviour

The research also highlighted the continuing role of employee behaviour in security incidents. Nearly all organisations surveyed in Australia and New Zealand, or 99%, said human-related behaviours had affected their cybersecurity over the past 12 months.

More than half of employees, or 56%, said time pressure and workplace distractions lead them to make security mistakes even when they know the correct process. Another 24% said they sometimes choose not to report a security mistake because of embarrassment, despite 93% of organisations saying employees feel safe to report mistakes or suspicious activity without fear of blame or embarrassment.

Use of unsanctioned tools emerged as another theme. The same share of employees and cybersecurity leaders, 59%, said unauthorised software and AI applications had become a problem, with leaders reporting that such tools had affected their security posture during the past year.

Hybrid threat

The report describes a threat environment in which both staff and software agents can become targets. As organisations allow AI tools to act within internal processes, attackers can manipulate employees through impersonation or exploit AI systems through methods such as prompt injection.

Dr Kawin Boonyapredee, Chief Information Security Officer Advisor at KnowBe4 APJ, said the pace of change was creating pressure for security teams.

"Cybersecurity has entered a volatile phase where organisations are trying to secure a hybrid human and AI workforce that's changing more quickly than security leaders can keep up," said Dr Kawin Boonyapredee, Chief Information Security Officer Advisor, KnowBe4 APJ.

He said current controls are not keeping pace with the spread of autonomous AI within companies.

"Attackers are moving at machine speed, using attacks such as deepfakes to target employees and prompt injections to hijack AI agents. Leaving half of your corporate AI usage ungoverned is a massive open invitation to threat actors," said Dr Boonyapredee.

Australia and New Zealand were above the global average on one key measure. While 64% of regional cybersecurity leaders said AI agents were already acting autonomously in organisational workflows, the global figure was 58%.

That places the region among the more active adopters of agentic AI in business settings, while underlining the challenge for governance, staff awareness and incident reporting as AI tools move further into routine operations.

The broader global study polled 800 security decision-makers and 3,200 employees across the Americas, Europe, the Middle East, Africa and Asia-Pacific.