Cybersecurity

AI agents: the new frontier of cybercrime business must confront


  • The emergence of AI agents in cybercrime has ramped up the threat level for business organizations.
  • Sophisticated cybercriminals now operate as a business, which presents a systemic threat to legitimate businesses.
  • Senior leadership must ask themselves the right questions in order to effectively build cyber resilience.

The concept of Advanced Persistent Threats (APTs) has been recognized as a threat model in cybersecurity since as early as 2011. APTs are highly skilled and well-resourced adversaries who infiltrate corporate systems with stealth and persistence, often motivated by strategic objectives like intellectual property theft, financial gain or sabotage. These attacks typically unfold over months or years, adapting to defenses and evading detection.

Fast forward to 2025, and the cyberthreat landscape has accelerated beyond conventional defences. Today's attackers are eager to incorporate AI agents in their arsenal: autonomous digital entities that potentially think, learn and adapt at a speed that surpasses human capabilities.

For decades, cybersecurity was about building higher walls, but eventually, organizations accepted that there was no silver bullet. With the emergence of AI agents, the threat complexity increases again; it is the APT concept, but even more sophisticated.

According to the World Economic Forum's Artificial Intelligence and Cybersecurity: Balancing Risks and Rewards report, threat actors are increasingly using AI to amplify the scale, sophistication and speed of their malicious activities. The report highlights the use of generative AI to supercharge phishing, identity theft and zero-day exploitation – all of which worsen the challenges organizations face in maintaining resilience against AI-enabled threats.

Verizon’s 2025 Data Breach Investigations Report indicated that "AI-assisted malicious emails doubled (from 5-ish% to 10-ish%) over the past two years", underscoring the need for proactive defenses. Given the range of legacy weaknesses attackers can exploit, such as outdated systems, weak credentials and misconfigured processes, malicious AI agents won't have much difficulty finding opportunities to escalate their attacks and cause persistent damage. This highlights the urgent need for businesses to develop comprehensive strategies that combine technology, governance and human factors to combat this new threat.

Cybercrime as a business model – and a business problem

Groups like Scattered Spider exemplify the complexity and sophistication of modern cybercrime. According to the SANS Institute, these organizations operate like businesses, using a well-structured playbook that includes social engineering, exploitation of vulnerabilities and advanced techniques to infiltrate systems. They are adept at bypassing advanced security tools, and their deep knowledge of enterprise Windows environments, cloud platforms and virtualized infrastructure makes them particularly challenging to detect and remove. They often use legitimate tools for malicious purposes, blending seamlessly with normal business operations.

This sophistication suggests that some attackers may have previously worked with such systems legitimately – underscoring their ability to operate like a business and posing a formidable threat to even mature cybersecurity programmes.


Attackers continue to exploit traditional methods, such as stolen credentials and social engineering, to compromise organizations. One key example is the widespread use of stolen credentials by cybercriminals, which accounted for 30% of initial access points in incidents. Attacks like the Coinbase case show that attackers often don't need sophisticated exploits, such as zero-day attacks or APTs; they simply need access. And that usually comes from the weakest link: people.

The challenge posed by cybercrime is a challenge to our business models. When increasingly organized attackers can outsource parts of their operation, the risk landscape becomes fragmented and decentralized. We now need to find solutions to face an entire ecosystem of interlinked actors. The Change Healthcare attack illustrates the impact of a systemic cyber risk. It paralyzed clinics, laboratories and insurers for weeks, incurring $3 billion in indirect costs to date, in addition to reputational damage.

AI agents amplify this model, enabling attackers to deploy autonomous bots that continuously refine tactics, probe defences and coordinate attacks across different geographies. According to Google Cloud's research on the adversarial misuse of generative AI, state-sponsored threat actors are experimenting with Gemini to enable their operations and achieve cybercrime productivity gains. It is an evolving reality.

This broad spectrum of emerging threats demands timely and coordinated action from today's leaders. When attackers can also buy their way in – by acquiring credentials from an insider or a criminal access broker – the challenge calls not just for a technological response, but also effective governance.

Questions for senior leadership

The issue of AI in cybercrime is something for which everyone in security is trying to find practical solutions. AI agents add a layer of complexity that most risk frameworks cannot yet handle, leaving boards and CEOs with the critical responsibility of evolving governance structures to stay ahead.

So, how do we govern a risk that is autonomous, scaleable and learning-capable? And how do we do it in such a way that embeds cybersecurity as a pillar of business resilience?

When cybersecurity becomes a boardroom priority, the conversation must evolve. For boards and senior leadership teams, it is crucial to ask the right questions to ensure organizational resilience in the face of autonomous cyberthreats, questions that address revenue streams, critical operations and governance structures:

  • How much risk are we taking in this scenario? Have we adequately modelled the consequences of an attack, including regulatory fines, customer churn, supply chain disruptions and litigation?
  • What measures are we taking to manage this risk? Do we have contingency plans, financial reserves or cyber insurance that can enable business continuity?
  • Do we have the proper structures in place to detect, respond to and recover from an AI-driven attack at machine speed in the event it occurs?


The line between human and machine adversaries is blurring, and the old playbook won't work in this new game. Boards and senior executives must understand that cybersecurity is now a core business function; one that protects cash flow, reputation and business continuity. Organizations that understand and embrace this mindset shift will thrive in an era where cyberthreats may explore innovation better than we do.


License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.
