SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

Custom AI to drive half of cyber incidents by 2028

Mon, 16th Mar 2026

Custom-built AI applications are set to become a central driver of cyber incident work. Gartner forecasts that by 2028, half of enterprise cybersecurity incident response efforts will focus on incidents involving these systems.

The forecast comes as organisations expand AI-driven software across business processes and customer-facing services. Gartner says many applications are reaching production before teams complete testing and security reviews. Security teams also lack playbooks and procedures for AI-related incidents.

Christopher Mixter, a Gartner VP Analyst, linked the shift to rapid development cycles and the way AI systems can change after deployment. "AI is evolving quickly, yet many tools - especially custom-built AI applications - are being deployed before they're fully tested. These systems are complex, dynamic and difficult to secure over time. Most security teams still lack clear processes for handling AI-related incidents, which means issues can take longer to resolve and require far more effort," Mixter said.

Incident response teams typically work across detection, containment, eradication and recovery. With AI systems, failures can also involve model behaviour, data handling and integration with other services. That mix can complicate investigations because an issue may resemble a security event, a software defect, a data quality problem, or some combination of the three.

AI Security Platforms

Gartner also expects broader adoption of AI security platforms. It predicts more than 50% of enterprises will use them by 2028 to cover both third-party AI services and custom-built AI applications.

These platforms have emerged as organisations look for a single management layer across multiple AI tools. Common concerns include prompt injection attacks, data misuse and inconsistent controls when departments use different AI services. Governance demands have also risen as business units roll out new AI features quickly.

Security leaders should assess whether tools cover both in-house and external AI use, including visibility into AI activity and policy enforcement across internally built systems and vendor-provided services.

Compliance Pressure

Gartner also forecasts rising exposure from manual compliance work. By the end of 2027, it expects manual AI compliance processes will expose 75% of regulated organisations to fines exceeding 5% of global revenue.

The prediction reflects a regulatory environment that continues to evolve across regions. While requirements vary, Gartner expects convergence around structured AI risk management. That increases pressure on organisations that still rely on spreadsheets, ad hoc evidence collection and manual approvals for compliance reporting.

AI safety rules add another layer of complexity for risk and compliance teams already balancing security, privacy and cyber risk requirements. AI-specific rules expand the scope to include model risk, data provenance and ongoing monitoring.

Data Debt Burden

Through 2030, Gartner forecasts that 33% of IT work will be spent remediating AI data debt to secure AI. The term refers to weaknesses in the underlying datasets many organisations rely on, including unstructured or poorly secured information spread across file shares, SaaS platforms and legacy systems.

As AI features expand access to internal data stores, gaps in data classification and access control become harder to ignore. Data loss prevention programmes are expanding to cover AI-driven data flows, including monitoring requests made by generative AI tools and agentic AI systems that retrieve information from multiple sources.

Sovereignty Concerns

Gartner also predicts increased focus on sovereignty of cloud security controls. By 2027, it expects 30% of organisations will require comprehensive sovereignty of their cloud security controls in response to geopolitical turmoil.

Organisations are increasingly assessing where data resides, who can access it and how cloud security is administered across borders. This can affect vendor selection and contract terms, particularly for services that depend on cloud-hosted control planes. It also shapes resilience planning, including whether security operations can continue under regulatory restrictions or disruption to international supply chains.

Identity Attack Surface

Identity remains a continuing risk area. Gartner forecasts that by 2028, 70% of CISOs will use identity visibility and intelligence capabilities to shrink the identity and access management attack surface and reduce the risk of credential compromise.

Identity sprawl continues as organisations add cloud services, automation, service accounts and machine identities. Many companies also use multiple identity and access tools, creating blind spots and inconsistent configuration. Gartner expects CISOs to put more emphasis on unified views of identity risk and improved detection of misconfiguration and unusual access patterns.