The Wavestone AI Cyber Benchmark 2025 report outlines how large organizations are addressing AI security challenges, highlighting the unique risks associated with AI systems compared to traditional IT systems. It emphasizes the importance of governance, risk assessment, and tailored security measures across different organizational roles, including AI Advanced Creators, Orchestrators, and Users. The report also discusses varying regulatory approaches globally and provides recommendations for organizations to enhance their AI security maturity.

AI Cyber Benchmark

How are large organizations tackling the AI Security challenge?

No doubt: AI is a unique opportunity… …that must be secured!

© WAVESTONE | 2
Wavestone AI Cyber Benchmark - 2025

AI systems work differently from classic IT systems …

(Figure: the INPUTS → PROCESSING → OUTPUTS pipeline with a LEARNING loop. Callouts: AI systems evolve over time, are non-deterministic and are not completely explainable; the slide flags specificities on learning, on the inputs, on processing and on the outputs.)

… and can therefore be attacked in very specific and new ways

(Figure: three attack families, POISONING, ORACLE and EVASION, illustrated by examples labelled Mithril Security poisoning, ChatGPT training / test dataset leak, and autonomous car.)

Regulatory approaches vary significantly across geographies

United States: Executive Order 14179, in place since January 2025. An approach focused on positioning the US as an AI leader.
• Rescinds former Executive Order 14110, which provided guidelines.
• Aims to remove any potential barriers to AI development.

Europe: AI Act, in place since May 2024. The EU positioned itself as the world’s police officer and pushes for citizen protection.
• Risk-based approach.
• Every organization must comply by May 2027.
• Already some consequences: iPhone with GenAI & ChatGPT voice chat functionality postponed …

China: cybersecurity requirements for GenAI services, in place since March 2024. China focuses on pushing for best practices in AI management and data management.
• China is focusing on the cybersecurity of its systems with a risk-based approach and on regulating the processing of data, especially labeling.

Today, beyond the hype effect, AI is a reality!

Some clients are adopting AI on a large scale:
• Between 50 and 400 use cases identified
• A strong mobilization at Excom level
Leading to a lot of activities, but a lot of blurriness.

Our goal: help clarify how to tackle the AI security topic, through our AI Cyber Benchmark.

We worked with +20 clients already working on the topic. We benched these clients on their AI maturity, based on the 5 NIST pillars (Govern, Identify, Protect, Detect, Respond), and consolidated those results to produce this first AI Cyber Benchmark.

First lesson: state your stance on AI!

AI Advanced Creators (35% of our clients)
• Build and sometimes sell AI models
• Both third-party and in-house solutions
• Structured teams of data scientists and proven data science processes

AI Orchestrators (35% of our clients)
• Embed AI functionalities in their products/services, internally or externally
• Make available a GenAI platform for app builders
• Mostly use third-party solutions, which they integrate

AI Users (30% of our clients)
• Use AI punctually to boost productivity
• Use third-party solutions
• No structured teams of data scientists or AI Hub
Market quickly embraced the need to adapt for AI’s arrival

Govern maturity: 39%. Identify maturity: 39%.
(Maturity of organizations assessed in the Wavestone AI Cyber Benchmark 2025)

A new governance to define at group level, with few resources

87% of companies assessed have defined trustworthy AI governance at group level.
7% of companies assessed have sufficient AI expertise in regards to the stakes.

Our recommendation: compensate with an integrated governance that will help people augment their skills.

Governance models observed: integrated model (~60% of our clients), hybrid mode (~30% of our clients), decentralized model (~10% of our clients).

(Figure: in the integrated model, an AI Hub gathers Cyber for AI (security, resilience), Legal for AI (data, third parties), CSR/Ethics for AI (fairness, sustainability) and Privacy for AI (privacy), alongside the AI office (data scientists), Data Office, Privacy and Risk Management; in the decentralized model, Cybersecurity, Legal and CSR each run their own AI-specific activities. Model properties listed: transparency, explainability/interpretability, reliability and validity of the model.)

Frame your cyber approach

64% of companies assessed have an AI security policy:
• Frames the use of AI large public applications
• Indicates the process to secure AI projects
• Integrates the third-party stance against AI

71% of companies assessed have adapted their project processes for AI:
• Define roles and responsibilities
• Define validation process

Identification process:
1. Identify AI systems to ensure that all new AI initiatives are identified.
2. Assess them against a limited set of questions drawn from the 4 pillars: Intended use, Data and Input, Task and Output, AI Models.
3. Classify them into four risk categories based on the AI Act: Unacceptable, Strong, Moderate, Minimal.
4. Define the appropriate risk treatment strategy for each category.

Wavestone accelerators: assessment questionnaire, risk level analysis.

We identified the six key recurring factors responsible for the greatest risks

• External-facing systems, especially GenAI chatbots
• Dataset for training unknown or containing personal data
• Retrieval Augmented Generation (RAG) on critical / confidential data
• Model modifications, sources or toolset from non-authoritative sources
• GenAI capability to take actions
• AI model with mission-critical output (safety detection, for instance)

But most of the AI use cases we assessed are typically used for non-critical processes that don't demand high availability or strict integrity, often relying on human oversight.
Protect: there is no “one-size-fits-all” approach

Protect maturity: 40%.
(Maturity of organizations assessed in the Wavestone AI Cyber Benchmark 2025)

Let’s dive in a typical GenAI architecture!

(Figure: example of an AI architecture. Components: training dataset or RAG (in-house documentation-driven enrichment); model (API / SaaS or in-house); applicative frontend (user GUI) used by end users; build infrastructure; monitoring infrastructure; plug-ins & interconnections.)

AI users: secure your data and check your suppliers

• Protect the data being accessed or generated (access rights, policies, etc.)
• Configure the parameters and ensure the ability to monitor the ecosystem
• Select your providers: verify compliance with your security requirements (learning phase, data usage, etc.), including contractual requirements and measures regarding shared data

40% of our clients adapted their third-party assessment methodology for AI vendors.

(Figure: the example AI architecture, with the components to protect highlighted.)

AI Orchestrator: choose your models and platforms and implement MLSecOps

• Set up criteria to choose the right model: whitelist suppliers, code review, operational testing…
• Build input and output controls
• Ensure proper security of the front end
• Make AI projects “secure by design” with MLSecOps

43% of our clients have a model selection process to identify trusted sources.

(Figure: the example AI architecture, with the components to protect highlighted.)

Advanced Creators: full responsibility for the whole stack

• Implement in-depth security measures, alongside data scientists:
  • Model architecture security, such as randomized smoothing, adversarial learning, bagging
  • Training data security: with synthetic data, differential privacy
  • Model protection, such as homomorphic encryption and differential privacy…
• Think about the security measures as a differentiator to resell your apps and models

7% of our clients have established measures and adapted tooling to detect and defend against malicious prompts and other identified threats.

(Figure: the example AI architecture, with the components to protect highlighted.)

First AI risk mitigation measures are available

The existing cyber controls may be updated to mitigate cybersecurity risks of AI!

(Figure: radar of the AI risk mitigation solutions, in three rings: must-have controls, standard controls, high-end controls.)

Implement them in your stack or using platform capabilities…

AI Security Solutions Radar

(Figure: radar of AI security solution providers, 88 providers identified in September 2024; scan the QR code for the full publication. Categories legible on the slide include secure chat / LLM firewall, model robustness and vulnerability assessment, machine learning detection and response, synthetic data / anonymization, AI compliance / regulation, AI risk management, AI & privacy / data protection, explainability, fairness and ethics, and anti-deepfake.)

Some companies have offers covering more than one category: our decision was to limit their presence to a single category on the radar.

This is the second version of our AI Security Radar: we kindly encourage all other companies to contact us to present their offer.
Detection: two pillars to combine

Detect maturity: 29%.
(Maturity of organizations assessed in the Wavestone AI Cyber Benchmark 2025)

First, pentesting! But with a twist: threats are present along the entire AI lifecycle

64% of our clients have a pentest process in place to test the use case.

Lifecycle stages: Collection, Processing, Model, Tests, Deployment, Monitoring.

Threat families mapped along the lifecycle:
• Poisoning attacks: dataset poisoning, retraining poisoning
• Oracle attacks: membership inference, model extraction, model inversion
• Manipulation attacks: evasion, model reprogramming, denial of service
• Prompt injection

… that we tested and adapted to land our AI red team framework on the market:
• Assessing AI capabilities and biases: hallucination, misinformation, harmfulness, prompt injection…
• Assessing AI system flaws: robustness, pre-prompt access, input/output filtering, illegitimate internal data retrieval, API limitations, detection & monitoring robustness evaluation

7% of our clients use advanced model evaluation.

New approach and tooling required, often using LLM to attack LLM!

Feedback from our GenAI Red Teaming team

+10 projects: chatbots, GenAI, LLM, etc.
7 sectors: energy, retail, luxury, transportation, chemicals, cosmetics, distribution.
100% jailbroken: illegitimate content, hallucination, bias, etc.

Top flaws identified

Standard:
• Web integration flaws & injection attacks
• Weak privileges management
• Lack of monitoring
• Faulty DevSecOps processes

ML specific:
• Data leakage through prompt injection / trapped documents
• ML/AI platform missing security configuration
• API/plugin security gaps
• Overreliance on platform moderation

Then, integrate AI systems in the global detection strategy

Detection data is available... but not yet integrated in the surveillance system of the companies:
• 72% of our clients collect their AI systems’ applicative logs
• 13% of our clients monitor their specific & regular AI systems and send them to the SOC when relevant

Ensure the ability to detect abnormal behavior in your model, but also in the whole platform ecosystem (AI FW, access control breach).
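As an added example (not code from the Wavestone report), the routine below runs three SOC-style detections over constructed GenAI application logs, covering the signals this slide names: an LLM-firewall (AI FW) block pattern, an access control breach on RAG documents, and abnormal model output volume. The JSON-lines schema, field names and thresholds are assumptions made for the example.

```python
import json
from collections import Counter

# Constructed sample application logs (JSON lines); the schema is an assumption,
# not the report's. Each line is one prompt handled by a GenAI app behind an LLM firewall.
SAMPLE_LOGS = """
{"ts":"2025-03-01T09:00:01Z","user":"alice","groups":["hr"],"fw":"allow","out_tokens":120,"docs":[{"path":"hr/leave-policy.pdf","acl":["hr"]}]}
{"ts":"2025-03-01T09:01:10Z","user":"bob","groups":["sales"],"fw":"block","out_tokens":0,"docs":[]}
{"ts":"2025-03-01T09:01:42Z","user":"bob","groups":["sales"],"fw":"block","out_tokens":0,"docs":[]}
{"ts":"2025-03-01T09:02:05Z","user":"bob","groups":["sales"],"fw":"block","out_tokens":0,"docs":[]}
{"ts":"2025-03-01T09:03:30Z","user":"carol","groups":["sales"],"fw":"allow","out_tokens":300,"docs":[{"path":"finance/q4-forecast.docx","acl":["finance","exec"]}]}
{"ts":"2025-03-01T09:05:00Z","user":"dave","groups":["eng"],"fw":"allow","out_tokens":15000,"docs":[]}
{"ts":"2025-03-01T09:05:40Z","user":"dave","groups":["eng"],"fw":"allow","out_tokens":8000,"docs":[]}
"""

FW_BLOCKS_PER_USER = 3       # assumed threshold: repeated LLM-firewall blocks
OUT_TOKENS_PER_USER = 20000  # assumed threshold: cumulative generated tokens

def parse_logs(text):
    """Parse JSON-lines application logs into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect(events):
    """Return (rule, user, detail) alerts in the order they fire."""
    alerts, blocks, tokens = [], Counter(), Counter()
    for e in events:
        user = e["user"]
        # Rule 1 (access control breach): a RAG document was served whose ACL
        # shares no group with the requesting user.
        for doc in e.get("docs", []):
            if not set(doc["acl"]) & set(e["groups"]):
                alerts.append(("ACCESS_CONTROL_BREACH", user, doc["path"]))
        # Rule 2 (AI firewall): the LLM firewall blocked this user N times.
        if e.get("fw") == "block":
            blocks[user] += 1
            if blocks[user] == FW_BLOCKS_PER_USER:
                alerts.append(("REPEATED_FW_BLOCKS", user, blocks[user]))
        # Rule 3 (abnormal model behaviour): cumulative output volume crossed the
        # threshold; fires a single alert per user at the crossing.
        before = tokens[user]
        tokens[user] += e.get("out_tokens", 0)
        if before < OUT_TOKENS_PER_USER <= tokens[user]:
            alerts.append(("OUTPUT_VOLUME", user, tokens[user]))
    return alerts

def to_soc_events(alerts):
    """Serialise alerts as JSON lines for forwarding to the SOC's SIEM."""
    return "\n".join(json.dumps({"rule": r, "user": u, "detail": d}) for r, u, d in alerts)
```

On the sample logs, `detect(parse_logs(SAMPLE_LOGS))` raises one alert per rule: bob's third firewall block, carol's retrieval of a finance document outside her groups, and dave crossing the output volume threshold.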
Respond … a whole new world

Respond maturity: 9%.
(Maturity of organizations assessed in the Wavestone AI Cyber Benchmark 2025)

First initiatives have appeared, but the field is still new

Joint Cyber Defence Collaborative artificial intelligence cyber tabletop exercise:
• Actions on AI incident response processes update
• Identify gaps
• Enhance collaboration on AI incidents

Specificities of AI technologies will need specific investigation capabilities: 0% of the organizations assessed have forensic capabilities on ML algorithms.

Artificial Intelligence Security Incident Response Team / Adversarial Threat Landscape for AI Systems:
• Analyse and respond to threats
• AI incidents analysis and information sharing
• Vulnerability mitigation
Now … what should you do?

Maturity per pillar (source: Wavestone AI Cyber Benchmark 2025):
GOVERN 39% | IDENTIFY 39% | PROTECT 40% | DETECT 29% | RESPOND 9%

Align your effort with your stance: start steady… but start now!

AI Advanced Creators
• Securing all tools and processes of MLOps teams
• Advanced protection for ML key assets, especially if AI systems are largely exposed or resold
• Ensure proper detection and response capabilities
• … and everything below

AI Orchestrators
• Secure AI platforms and use their capabilities
• Secure data repository for AI access (RAG)
• Enrich security tooling for critical use cases
• … and everything below

AI Users
• AI risk awareness
• Governance, policies & compliance (AI Act)
• Third-party AI risk framework
• AI red teaming for exposed/confidential data use cases

Join forces with all teams, especially data science experts, as well as all stakeholders in the Trustworthy AI ecosystem. A team effort is required to build long-term trust in your AI projects!
One more thing… …AI can also enhance cybersecurity capabilities!

In short, there are 4 categories of use cases to remember

Ease communication activities
1. Multi-language awareness
2. CISO / Compliance GPT to ease documentation access
3. Use of deepfake for phishing / crisis exercises
4. Document creation and modification assistance
5. Third-party security questionnaires analysis

Accelerate cyber processes
6. Automated labelling for DLP
7. Live data anonymization (text/voice)
8. Augmented red team / attack path discovery
9. Source code security analysis

Reinvent detection and reaction
10. GenAI SOC copilots
11. SOC playbook update via ML
12. AI-based automated reaction / attack blocking
13. User behavior analysis for nudging

Business surveillance & monitoring (an approach relying mainly on software/service vendors)
14. Fraud detection for Front Office / Back Office
15. Behavioral fraud detection on customers’ devices

(Figure: use case analysis matrix plotting the 15 use cases by added value (low to high) against feasibility (difficult to easy). Use cases highlighted are offered by a large number of software vendors; use cases underlined and bold are the most implemented by our clients.)

Contact

Gérôme BILLOIS
Partner
[email protected]

Wavestone.com