
Nearly a third of UK businesses have only recently rolled out their first AI risk strategy—while another third haven’t implemented any governance at all. That’s according to a new report from cybersecurity firm CyXcel, which warns that this growing blind spot in AI risk management is leaving companies dangerously exposed to data leaks, operational disruptions, and regulatory fines.
Despite acknowledging AI as a cybersecurity threat, many organisations remain underprepared. The study found that 18% of UK and US companies are currently ill-equipped to defend against AI data poisoning attacks—cyberattacks that compromise machine learning models by manipulating their training data. Even more concerning, 16% of firms lack policies to address the growing threat of deepfakes and identity cloning.
Megha Kumar, CyXcel’s Chief Product Officer and Head of Geopolitical Risk, called out the “catch-22” many companies face. “Organisations want to embrace AI, but they’re hesitant because they don’t have proper governance or risk management policies in place,” she said.
To bridge this gap, CyXcel offers its Digital Risk Management (DRM) platform—a tool designed to help businesses navigate the complex risks emerging in the AI era. It brings together cybersecurity, legal, technical, and strategic expertise into a single interface, offering insight and actionable strategies across areas such as cyber threats, regulation, supply chains, AI integrity, and geopolitical instability.
The platform also features a dispute resolution and litigation support service, reducing the time and resources companies need to meet evolving compliance requirements. With coverage across 26 sectors subject to regulations like the EU’s NIS2 directive and the Digital Operational Resilience Act (DORA), CyXcel says the platform is especially useful for industries that fall under Critical National Infrastructure (CNI) categories across the UK, US, and EU.
Edward Lewis, CEO of CyXcel, emphasized the rising global pressure for regulatory compliance. “Governments are stepping up cybersecurity rules, especially for critical infrastructure,” he noted. “We’re already seeing laws that require incident reporting and automatic updates—and more are coming, including mandatory ransomware disclosures in the UK.”
CyXcel also acknowledges it isn’t immune. Like the clients it serves, the company is subject to the same cybersecurity risks and regulatory scrutiny. Its own promotional materials underline this, stating that its commitment to digital risk is not just advisory, but deeply personal. After all, if the guidance CyXcel offers falls short, the reputational and legal consequences apply to the company as well.
As AI adoption continues to accelerate across sectors, CyXcel’s findings serve as a wake-up call: embracing AI without building the necessary safeguards can leave companies more vulnerable than ever.