Waiting for an AI Policy? Cybercriminals Aren’t.

Don’t Press Pause—They’re Already Pressing Play

Remember that scene in Spaceballs where they’re “preparing to move out,” only to be told—just go? That’s where many cybersecurity teams are right now.

While internal governance committees debate terminology, ownership, and the 53rd revision of the draft AI policy, cybercriminals are moving at ludicrous speed.

AI-driven attacks, LLM-enabled data leakage, and deepfake-enabled fraud are on the rise. According to a 2024 survey by Splunk, 35% of organizations have already experienced security incidents related to the misuse of AI tools, and IBM reports that data loss through LLM platforms has risen by over 40% year over year. Meanwhile, deepfake use in phishing attacks has doubled since 2022, with Symantec noting a surge in impersonation scams across financial services and HR functions.

Yet only 21% of global enterprises have an AI risk policy in place (Gartner, 2024), and less than 15% of employees have received any formal training on responsible AI use or associated risks (Forrester, 2023).

So while your organization might be waiting for policy perfection, attackers are already exploiting the vacuum.

What’s Slowing You Down? Culture and Complexity

Creating a thoughtful AI safety policy is essential for long-term governance, compliance, and risk management. But for many large organizations, internal complexity gets in the way:

• Multiple layers of legal, IT, risk, and leadership review

• Lack of clarity around AI ownership or use case boundaries

• Fear of enabling misuse by acknowledging employee experimentation

• Misalignment between technical safeguards and operational culture

The reality is this: if your organization has a strong, aligned culture and nimble cross-functional operations, you’ll ship policy faster. But if decision-making is hierarchical, communications are fragmented, and teams are unclear on who leads what—you’re at risk of creating a policy vacuum.

And in that vacuum, attackers thrive.

What You Can Do Now (While the Policy Is Still in Draft Mode)

Just because your formal AI security policy isn’t ready doesn’t mean you’re powerless. You can:

• Educate on General AI Risks: Teach teams about LLM misuse, data leakage risks, prompt injection, and deepfakes—even if tooling policies are TBD.

• Survey Your Workforce: Use pulse surveys to identify who’s using AI, for what, and where the digital adoption risks sit.

• Target High-Risk Roles First: Train HR, finance, legal, and exec support teams on AI-enhanced impersonation, phishing, and social engineering.

• Use Real-World Stories: Share relevant legal cases, breaches, and news of AI misuse to start conversations.

• Build Champions: Engage curious employees and early adopters as internal AI literacy advocates.

• Track Behavior & Feedback: Use microtraining, feedback loops, and engagement data to inform policy before it’s finalized.

Remember, cultural readiness and risk communication can precede policy. And they should.

Final Thought: Don’t Let Perfect Be the Enemy of Prepared

AI governance, risk, and compliance (GRC) frameworks will take time to mature. But human risk management can’t wait.

If your AI safety policy is still in committee, make your people your first line of defense. Train for behaviors, not just rules. Prepare for misuse, misconfiguration, and mistakes. And start building the secure digital culture you’ll need to support whatever policy comes next.

The adversaries aren’t waiting. You shouldn’t either.

We can help you launch risk education campaigns, AI literacy programs, targeted phishing simulations, and role-based awareness strategies—now. Let’s get started before “waiting” turns into “wishing.”