More than three-quarters of European CISOs believe their C-suite doesn’t fully understand the cyber risk posed by their own employees, a gap that’s widening just as AI makes attacks on human judgement faster, more convincing and harder to spot.
That’s according to new research from MetaCompliance, the human cyber risk management firm, which polled 200 CISOs across the UK, France, Germany and Sweden. The picture it paints is of security leaders trying to hold the line on human-layer risk without the consistent senior backing, clear ownership, or shared understanding they need to do so.
AI is changing what CISOs are worried about
The survey found that among CISOs who feel less confident about their organisation’s cyber resilience than they did a year ago, AI-enabled social engineering was the single biggest reason cited, named by almost half of that group. It’s a sign that attackers are moving away from crude, easily-spotted phishing and towards convincing impersonation and fraud attempts generated at scale.
Employees, unsurprisingly, remain squarely in the firing line. More than two in three CISOs still rank their own staff as the biggest security risk to the business, suggesting AI isn’t creating a new problem so much as turbocharging an old one.
Specific concerns bear that out:
- Over 40% of CISOs are worried AI is increasing the speed and impact of social engineering attacks
- 40% fear staff are feeding sensitive data into generative AI tools
- 41% are concerned about malicious insiders using AI to enable fraud, cybercrime or data theft
- In the UK specifically, deepfake impersonation stands out as a top worry — more than half of UK CISOs flagged it as a major threat, the highest figure of any country in the study
Support from the top doesn’t stick
Where the research gets more uncomfortable for boardrooms is on backing. Almost four in five CISOs (79%) say leadership enthusiasm for security awareness programmes tends to fade once the initial push is over, and 76% say they’re stuck trying to satisfy different stakeholders who all want different human-risk metrics. Roughly a quarter point to cross-functional alignment as one of the areas they feel least confident managing.
James Mackay, CEO of MetaCompliance, said AI has changed the stakes: “Attackers are no longer relying on obvious scams or poorly written phishing emails. They can now create highly convincing impersonation attempts, social engineering attacks and fraudulent communications at scale.”
He argued that puts a premium on sustained executive engagement rather than one-off initiatives: “Human cyber risk is no longer just an awareness issue or a training issue; it is a strategic business risk… If leadership support fades after the initial push, organisations are left exposed.”
Where CISOs go from here
Improving resilience against AI-driven social engineering is now a stated priority for the year ahead, with close to a quarter of CISOs naming it as a key focus. Mackay suggested the shift needs to be structural rather than seasonal: organisations that fare best will treat human risk as an ongoing management discipline rather than a periodic training exercise, giving employees real-time, contextual support at the moment a risky decision is actually being made, rather than relying solely on annual training modules.
The findings come at a moment when AI-generated phishing, deepfake voice and video, and synthetic impersonation are becoming difficult to distinguish from genuine communications — putting fresh pressure on security teams to secure top-level buy-in before the next wave of attacks arrives.

