CISOOnline

AI use is changing how much companies pay for cyber insurance

In July 2025, McDonald’s had an unexpected problem on the menu, one involving McHire, its AI-powered platform used to recruit and screen job applicants. The system, developed by Paradox.ai, featured a rookie-level security flaw: the backend for restaurant operators accepted “123456” as both username and password, and lacked multi-factor authentication. As a result, the personal data of around 64 million applicants was in danger. Luckily, the flaw was uncovered by security researchers Ian Carroll and Sam Curry, who notified the company.

With organizations rushing to deploy AI tools without fully auditing them, incidents like this are not uncommon. AI adoption is moving faster than AI security and governance, according to an IBM report. Last year, 13% of organizations reported breaches involving AI models or applications, while another 8% said they don’t even know whether those systems have been compromised.

And insurers know that. Many have tightened policy language, raised premiums, and carved out explicit exclusions for certain AI-related incidents, an effort that aims to limit exposure to risks that are poorly understood. A survey by Delinea found that 42% of respondents said their cyber insurance policies now include exclusions tied to AI misuse and liability.


