Autonomous AI tools are expanding the corporate attack surface faster than security teams can implement guardrails, according to new research by KnowBe4.

The security specialists’ latest report – From Agentic Risk to Human Wins: Building a Culture of Security in the Era of Agentic AI – says that with agentic AI now widely embedded in day-to-day work, 38% of South African cybersecurity leaders report that AI agents are already taking autonomous actions within organisational workflows.

However, a lack of governance is leaving organisations exposed. The report shows that a staggering 64% of organisations report their use of AI is unapproved or ungoverned. This unmanaged “Shadow AI” effectively operates as an invisible layer of shadow employees handling sensitive organisational data without oversight.

Key findings from the report include:

  • 86% of South African employees say that deepfake voice and video content is now so realistic it is impossible to know what to trust – and 63% openly admit they could be tricked by a deepfake scam at work.
  • Just over six in 10 cybersecurity leaders in South Africa (62%) report that mistakes during everyday work have had the greatest impact on their organisation’s cybersecurity in the past 12 months. Compounding this, 59% of employees acknowledge that time pressures and workplace distractions actively drive them to make critical security mistakes, even when they know the safe protocol.
  • 34% of South Africa’s cybersecurity leaders identify AI-enabled attacks as a key driver of future human-related cybersecurity risks.
  • 35% of employees reported that they commonly source their own agentic AI tools where options are unavailable or restrictive, leaving organisations vulnerable to cyberattacks. Concurrently, 48% of cybersecurity leaders report that the use of unsanctioned software and AI apps has actively impacted their security posture over the past 12 months.
  • Despite 64% of organisations claiming minor security improvements, only 14% have achieved the “gold standard” maturity level – a fully-integrated approach capable of managing human-and-agent-related cyber risk simultaneously. Furthermore, less than half (46%) of security leaders feel “very well prepared” to handle unexpected or emerging AI-driven threats over the next year.

The report shows that organisations making progress are those who prioritise cybersecurity as a culture over a mere function, seamlessly incorporating secure behaviours into daily work. These organisations are creating environments where employees feel safe reporting mistakes, with 95% of employees agreeing.

“Cybersecurity has entered a volatile phase where organisations are trying to secure a hybrid human and AI workforce that’s changing more quickly than security leaders can keep up,” says Anna Collard, SVP content strategy and CISO advisor at KnowBe4 Africa. “Attackers are moving at machine speed using attacks such as deepfakes to target employees and prompt injections to hijack AI agents. Leaving more than half (64%) of your corporate AI usage ungoverned is a massive open invitation to threat actors.”