The International AI Safety Report 2026 says general-purpose AI is automating more parts of cyberattacks, but completely “autonomous attacks remain limited” because AI systems “cannot reliably execute long, multi-stage attack sequences” without humans.
The report describes failure modes it says have been observed in research, including agents executing irrelevant commands, losing track of operational state and failing to recover from simple errors without human intervention.
The report separates “assist” from “execute”
That same cyber section says AI systems can assist at multiple steps of the “cyberattack chain,” including identifying targets and vulnerabilities and generating malicious code, while still falling short on autonomous execution across a full operation.
The report also says “fully autonomous, end-to-end attacks have not been reported.”
Current attacker use
In a statement shared with TechInformed, Chris Anley, chief scientist at NCC Group, said the lack of fully autonomous cyberattacks “doesn’t remove the risk” because attackers are already using AI to find vulnerabilities and develop exploits, enabling more attacks with less technical expertise.
In the same statement, Anley said “AI-enabled attacks are the new normal” and urged organizations to “invest in faster detection, robust controls and defensive AI” to keep pace with what he described as the “scale and speed of modern threats.”
DARPA’s AI Cyber Challenge quantifies vulnerability workflow performance
While the International AI Safety Report focuses on the lack of long-horizon reliability, data from DARPA’s AI Cyber Challenge (AIxCC) provides a benchmark for performance in discrete security tasks.
In a controlled setting during the August 2025 Final Competition, DARPA reported that competing AI systems discovered 54 unique synthetic vulnerabilities out of 63 challenges and successfully patched 43.
DARPA’s final data reflects a correction from earlier preliminary figures regarding patch success, while the total for discovered vulnerabilities remained unchanged.
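For context, if each of the 63 final-round challenges corresponds to one synthetic vulnerability, the reported counts imply the rough success rates below. The percentages are computed here from DARPA’s published totals rather than quoted from DARPA, and the variable names are for illustration only.

```python
# Rates derived from the AIxCC final figures cited above; DARPA reports the
# raw counts, and the percentages are simply computed from those counts.
challenges = 63   # synthetic vulnerability challenges in the final round
discovered = 54   # unique synthetic vulnerabilities discovered by AI systems
patched = 43      # vulnerabilities successfully patched

print(f"discovery rate: {discovered / challenges:.1%}")            # ~85.7%
print(f"patch rate (all challenges): {patched / challenges:.1%}")  # ~68.3%
print(f"patch rate (of discovered): {patched / discovered:.1%}")   # ~79.6%
```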
A Congressional Research Service explainer notes that the AIxCC is specifically designed to transition AI systems toward “machine speed” identification and patching to harden critical infrastructure against human-led or AI-assisted threats.
WEF’s 2026 outlook positions AI as a major driver of cyber change
The World Economic Forum’s Global Cybersecurity Outlook 2026 places AI inside a broader risk picture that includes geopolitical fragmentation and uneven cyber capacity. The report describes AI as affecting cyber “on both sides of the fight,” strengthening defense while enabling more sophisticated attacks.
Incident datasets report AI exposure and persistent initial access paths
Verizon’s 2025 Data Breach Investigations Report Executive Summary says there is “evidence” of GenAI use by threat actors “as reported by the AI platforms themselves,” and cites partner-provided data stating that synthetically generated text in malicious emails has doubled over the past two years.
The same executive summary reports that 15% of employees were routinely accessing GenAI systems on corporate devices and that, within that group, many used non-corporate emails (72%) or corporate emails without integrated authentication (17%).
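Read literally, and assuming the 72% and 17% breakdowns apply to that 15% of GenAI-using employees (as the summary’s wording suggests), the figures imply the rough workforce-wide exposure sketched below; these derived percentages are not stated in the report itself.

```python
# Back-of-the-envelope exposure implied by the DBIR figures cited above.
# Assumption: the 72% and 17% breakdowns apply to the 15% of employees who
# routinely access GenAI on corporate devices.
genai_users = 0.15          # share of employees routinely using GenAI at work
non_corporate_email = 0.72  # of those users, on non-corporate email accounts
corp_email_no_auth = 0.17   # of those users, corporate email without integrated auth

print(f"workforce using non-corporate emails for GenAI: {genai_users * non_corporate_email:.1%}")       # ~10.8%
print(f"workforce on corporate email without integrated auth: {genai_users * corp_email_no_auth:.1%}")  # ~2.6%
```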
Mandiant’s M-Trends 2025 reports that exploits (33%), stolen credentials (16%) and phishing (14%) were the most common initial infection vectors in its 2024 investigations.
Agent benchmarks document long-horizon brittleness and agent security gaps
Outside incident reporting, benchmark research has also focused on agent reliability. “The Agent’s Marathon,” published on OpenReview, says LLM agents “remain brittle in long-horizon tasks” and that performance “often deteriorates rapidly.”
On agent security, the authors of Agent Security Bench (ASB) say LLM-based agents can introduce “critical security vulnerabilities,” and present ASB as a framework to benchmark attacks and defenses across scenarios, tools and methods.
A 2025 survey paper on ScienceDirect similarly frames “LLM-based agents” as a distinct area for attacks and defenses and proposes evaluation criteria for assessing both.
The policy response: “if-then” safety commitments
The 2026 report describes a shift toward “Frontier AI Safety Frameworks” as a primary method for risk management. The report states that these frameworks increasingly rely on “if-then” safety commitments, which define specific capability thresholds (the “if”) that, when reached by a model, trigger mandatory, pre-defined safety mitigations (the “then”).
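As a purely hypothetical illustration of that structure (the evaluation names, thresholds and mitigations below are invented for the example, not drawn from any published framework), an “if-then” commitment can be modeled as a mapping from capability-evaluation results to required mitigations:

```python
# Hypothetical sketch of an "if-then" safety commitment: capability
# thresholds (the "if") mapped to pre-defined mitigations (the "then").
# All names and thresholds here are illustrative, not from a real framework.

COMMITMENTS = [
    {
        "if": {"evaluation": "autonomous_cyber_operations", "score_at_least": 0.5},
        "then": ["restrict_deployment", "external_red_team_review"],
    },
    {
        "if": {"evaluation": "long_horizon_task_reliability", "score_at_least": 0.8},
        "then": ["enhanced_monitoring", "staged_rollout"],
    },
]

def required_mitigations(eval_results: dict[str, float]) -> list[str]:
    """Return the mitigations triggered by the measured capability scores."""
    triggered = []
    for commitment in COMMITMENTS:
        condition = commitment["if"]
        if eval_results.get(condition["evaluation"], 0.0) >= condition["score_at_least"]:
            triggered.extend(commitment["then"])
    return triggered

# Example: a model scoring above the (invented) cyber-operations threshold.
print(required_mitigations({"autonomous_cyber_operations": 0.6}))
# -> ['restrict_deployment', 'external_red_team_review']
```

The design point the report emphasizes is that the mitigations are pre-defined and committed to before a threshold is crossed, rather than decided after the fact.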
According to the report’s section on risk governance, these commitments are intended to address the “evidence dilemma”: the challenge of creating policy when AI capabilities advance faster than scientific evidence of their risks.
The report notes that twice as many companies as last year have now published voluntary safety frameworks, though it highlights that “real-world evidence of their effectiveness remains limited.”
To strengthen these frameworks, the report advocates a “defense-in-depth” approach, which combines technical safeguards, system-level monitoring and organizational risk processes so that a failure in one control does not lead to a systemic breach.
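As a minimal, hypothetical sketch of that idea (the layer names and checks below are invented for illustration), defense-in-depth can be read as several independent controls that must each approve an action, so a single failed or bypassed layer does not by itself open the door:

```python
# Minimal, hypothetical illustration of defense-in-depth: independent layers
# each evaluate a request, and compromising any single layer does not grant
# access on its own, because the remaining layers still apply.

def technical_safeguard(request: dict) -> bool:
    return not request.get("contains_exploit_code", False)

def system_monitoring(request: dict) -> bool:
    return request.get("anomaly_score", 0.0) < 0.9

def organizational_policy(request: dict) -> bool:
    return request.get("approved_use_case", False)

LAYERS = [technical_safeguard, system_monitoring, organizational_policy]

def allow(request: dict) -> bool:
    """Allow only if every layer independently approves (fail closed)."""
    return all(layer(request) for layer in LAYERS)

print(allow({"approved_use_case": True, "anomaly_score": 0.2}))          # True
print(allow({"approved_use_case": True, "contains_exploit_code": True})) # False
```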