In Ireland and around the world, organisations are seeking out the AI tools that best meet their business agenda. KPMG is working with clients both to identify the best solutions and to manage adoption. But for AI adoption to succeed, it must go hand in hand with building cyber resilience. To do that, leaders need to treat AI first and foremost as a people risk, providing clear governance around how it is used.

The problem is that, while leaders look to roll out AI tools officially, chances are their staff members are already using AI unofficially.

“Over the past 12 months, AI has rapidly become embedded in everyday productivity tools, putting experimentation at the fingertips of most team members, often quietly, and often without explicit leadership direction,” explains KPMG’s EMA cyber lead, Dani Michaux. “As a result, many organisations now face a growing gap between how AI is actually being used and how leaders believe risk is being managed.”

That gap matters. “While AI is often discussed as a technology issue, the most significant risks emerging today are not purely technical. They are behavioural, cultural and organisational. And they are already affecting organisations of all sizes,” Michaux warns.

Out of the shadows

In some businesses, AI is being used in this unauthorised, and indeed often unknown, way to write code, analyse data, support decisions and automate activities. Such ‘AI creep’ can become common practice long before organisations have agreed how AI should be used or governed. That’s a problem.

“This spread of unsanctioned AI use, sometimes called shadow AI, creates blind spots that are difficult to detect until risk has already materialised,” explains Michaux.

Indeed, it changes the very nature of risk. “Exposure is no longer confined to system failures or cyber vulnerabilities. It now increasingly sits in how people trust AI outputs, where over-reliance can quietly replace critical thinking, and fundamental reasoning is applied less rigorously than before,” says Michaux.

It is a risk that affects not only large corporates, but smaller and medium-sized companies too, many of which are deeply embedded in Irish and international supply chains. Depending on the AI tools they use, they too can introduce additional exposure to their client base.

Growing awareness of such risks is reflected in KPMG’s Global Tech report, which shows Irish leaders identify cyber attacks as the leading AI-related risk today, with concern expected to intensify over the next two years. That’s because AI expands the ‘attack surface’ in multiple directions at once, across data, decision making, automation and misuse by bad actors. AI also accelerates the speed at which issues can materialise, and the scale at which they spread.

It’s why co-ordinated risk consulting supports leaders to ensure that, as such fragmentation grows, AI governance, controls and decision making across the organisation are aligned.

Power to your people

As a people issue first and foremost, organisational culture and ethics are critical to the safe and effective roll-out of AI solutions.

“Different teams experiment in different ways. Informal workarounds emerge, and cultural norms quietly define what is considered acceptable,” explains Michaux. “Tools are trusted more than judgment, confidence grows, and ethical boundaries can blur – without a shared understanding of what ‘good’ actually looks like. The most dangerous assumption leaders can make is that this is someone else’s problem – perhaps a concern for IT, for security, or for their innovation teams. If leadership does not explicitly frame AI as a core organisational risk, it becomes one by default.”

Remember, AI risk is behavioural before it is technical. “Tools rarely fail on their own. Behaviours do. Over-reliance on AI outputs, lack of challenge, and unclear accountability create risk long before systems break down. Policies matter but mindset matters more,” says Michaux.

In an AI-powered world, security and resilience are no longer purely defensive either. “AI introduces a dual dynamic. When poorly governed, it can accelerate and sharpen attacks, weakening defences at speed. But it can also strengthen resilience when it is used deliberately – enabling faster detection, continuous monitoring, and anticipation of risk. Leaders need to hold both truths at once,” she points out.

Dani Michaux, EMA cyber security lead, KPMG

Building resilience

Leaders not only need to treat AI as a people risk but should be explicit about expectations for its use. “That includes reinforcing that responsibility always sits with people, not tools,” Michaux says.

They must also use AI for threat detection and defence. “AI’s real resilience value lies in its ability to simulate before execution: threat detection, modelling anomalies, and stress testing decisions and scenarios before issues arise. Shifting the narrative from ‘AI as efficiency’ to ‘AI as defence’ changes how it is designed, deployed and governed,” she explains.

Data vulnerabilities must also be addressed. “Data exposure is happening faster than ever before and is increasingly being weaponised,” Michaux warns. “As AI agents gain access to vast amounts of data and operate autonomously, the risk of both accidental and deliberate data leakage rises sharply, particularly where guardrails are not embedded from the start. Without strong guardrails, organisations risk losing control faster than they can respond.”

Ultimately, AI supports decision-making but it does not replace accountability. “Leaders should be able to articulate how AI-supported decisions are reached and where human judgment remains the deciding factor,” she explains.

Successful AI adoption is not about being perfect from the get-go, but about mitigating risk as you go. “Expectations are rising that organisations can explain how AI-supported decisions are made. At the same time, waiting for perfect clarity is becoming a risk in itself. Exposure continues to grow whether leaders act or not,” Michaux concludes. “AI-related risk is already here. The real question is how deliberately it is managed. You don’t need perfect answers, but you do need to set a clear direction for your team. Acting now will make you more resilient and not just more compliant. This is less about future strategy and more about leadership choices being made today.”

For organisations formalising their AI response, KPMG in Ireland’s AI consulting team can help shape governance, controls and safe adoption across the business.
How informed decision-making around an organisation’s use of AI can reduce the risk of cyber attack
Organisations are learning that AI and cyber resilience are two sides of the same coin, and must be considered in tandem













