Mind the Gap: Bridging the Disconnect in AI Security Policies

In the rush to integrate AI, many organisations believe they have established a secure foundation to manage its potential risks. And, according to our recent report, Cyber Resilience 2025: Futureproofing AI Adoption, 85% of cyber risk owners express confidence in their AI security policies.

However, this sense of security may be premature.

Only 34% of employees are even aware that these policies exist. This gap between employer confidence and employee awareness poses a critical threat to organisational resilience, as the most advanced policies are only effective when widely understood and actively followed.

In this blog, we explore how organisations can bridge this gap by promoting an inclusive, practical approach to resilience – equipping employees to become active participants in securing AI-driven workplaces.

We’ll also offer a glimpse into our upcoming webinar, Cyber Resilience: Extinguishing Cyber Threats Before They Spread, featuring cyber expert Rob Demain’s advice to take into consideration for your 2025 plans.

 

The AI Awareness Gap: Key Findings from the Research

The report highlights several insights that underscore the importance of aligning cyber security policies with employee awareness and engagement:

1. Low Employee Awareness of Cyber Policies

   With only a third of employees aware of existing AI security policies, many organisations operate with a limited protection scope. This awareness gap shows that organisations often confine cyber security and AI policies to certain teams or share them only during onboarding, failing to reach the wider workforce. Without clear communication and reinforcement, these policies become siloed and ultimately lose effectiveness.

2. High Usage of Unauthorised AI Tools

   According to the report, 62% of employees have used generative AI tools like ChatGPT or Copilot, with 41% doing so at least once per week – often without organisational approval. While such tools can undoubtedly enhance productivity, unregulated AI usage can expose sensitive information to third parties and introduce potential vulnerabilities. E2e-assure founder, Rob Demain, raised during the International Cyber Expo 2024 that despite this, we should not blame employees for negligence as it is the employer’s responsibility to ensure policies are put in place and followed.

3. Confidence Versus Reality

   The significant gap between employers’ confidence in policies and the on-the-ground reality points to a need for greater cohesion. This disconnect reveals that confidence alone does not translate into comprehensive resilience and highlights the necessity of a unified, inclusive approach to cyber security.

 

Bridging the Gap: Steps for Building a Resilient AI-Driven Organisation

Addressing this disparity requires more than creating policies; it needs a deliberate strategy for cultivating awareness, engagement, and proactive participation across all levels of an organisation. These steps provide a practical framework for moving from policy confidence to policy coherence.

1. Elevate Employee Engagement and Awareness

A resilient organisation requires that every employee, from entry-level staff to executives, is aware of and understands AI security policies. To achieve this:

• Simplify Communication
  Policies should be written in accessible language, with clear examples and visual aids where possible. This ensures that complex security practices are understood by all employees, regardless of technical background.
• Integrate Regular Training: Establish quarterly or semi-annual training sessions that cover AI use, cyber risks, and the organisation’s specific policies. These sessions should be interactive and relevant to employees’ daily workflows.
• Encourage Employee Feedback: Employees are often the first to notice policy gaps or challenges. By creating an open channel for feedback, organisations can gain insights from those who are directly impacted by policies, enabling continuous improvement.

 

2. Create Simple and Practical Security Guidelines for End Users

To foster adherence, it’s crucial to design security protocols that are easy for employees to incorporate into their daily routines. Complex guidelines are more likely to be bypassed or forgotten.

• Implement Intuitive Security Tools  Automated security measures, like password updates and data encryption, can run seamlessly in the background, reducing the burden on employees while maintaining essential protection. By adding automatic containment actions that isolate potentially compromised end-user devices (EUD), organisations can swiftly limit risk, reducing the potential impact of employee device vulnerabilities.
• Offer Clear AI Usage Policies: Since unauthorised AI tool use is widespread, organisations must establish clear, well-communicated guidelines for approved tools and usage practices. By addressing the risks and benefits of specific AI tools, employees can make informed choices aligned with organisational standards.

 

3. Choose the Right Cyber Security Partner to Support a Resilient Framework

Partnering with a cyber security provider who understands both the risks and potential of AI adoption is vital. The right provider offers both technical support and expertise to help organisations implement effective, flexible security solutions.

• Collaborate on Cyber Security Roadmaps: A robust cyber security roadmap takes both present and future AI integration into account. Work with a provider to craft a roadmap tailored to your organisation’s growth, helping to anticipate new challenges and pre-empt emerging threats.
• Enable Continuous Threat Monitoring: Given the dynamic nature of AI-related threats, real-time monitoring is essential. The right provider will deliver 24/7 monitoring and a rapid response system, keeping organisations protected against new, unanticipated risks.

4. Foster a Cyber-Resilient Culture

True resilience is as much about organisational culture as it is about technology. When employees at all levels view cyber security as part of their role, policies become more than rules—they become embedded in the company’s daily practices.

• Recognise and Reward Cyber-Conscious Behaviours: Highlight employees who exhibit strong cyber security practices, whether through training participation, proactive reporting, or adherence to guidelines. Positive reinforcement can encourage others to follow suit.
• Promote a Resilience-First Mindset: Share cyber security updates and success stories regularly to reinforce the message that everyone has a role in maintaining resilience. When leaders communicate the importance of these practices, they set a tone that cascades through the entire organisation.

Conclusion

Building a resilient AI-driven organisation requires more than just strong security policies—it’s about closing the gap between leadership confidence and employee awareness. If you’re interested in exploring how to strengthen your organisation’s defences, join us for the upcoming webinar, Cyber Resilience: Extinguishing Cyber Threats Before They Spread, where cyber expert Rob Demain will share actionable strategies for a resilient 2025.

Join Us to Stay Proactive: Cyber Resilience Webinar

During the LinkedIn live session, cyber veteran Rob Demain will provide in-depth strategies and expert insights on building an inclusive, resilient workplace. Participants will understand the foundations of resilience and resistance and the defenders’ approach to resilience in SecOps.

Register here: https://www.linkedin.com/events/cyberresilience-extinguishingcy7252596599665692672/theater/