Skip to content
Holding·last review29 May 2026

As measured by the 2026 Verizon Data Breach Investigations Report, AI is raising the throughput of cyberattacks rather than the underlying capability of attackers, because AI-assisted intrusions overwhelmingly scale known techniques rather than generate novel ones; the more consequential 2026 shift is that vulnerability exploitation has overtaken stolen credentials as the leading initial-access vector, and together these redirect enterprise defensive priority toward patch velocity and identity hygiene over hunting novel AI-authored threats.

Anchored on the 2026 Verizon DBIR (published late May 2026), which draws in part on a collaboration covering 793 enforcement-actioned threat actors. Load-bearing figures from the report as reported: under 2.5% of observed techniques qualified as rare or novel; 44% of AI-assisted initial access was still phishing; vulnerability exploitation (around 31% of breaches) overtook stolen credentials as the leading initial-access vector for the first time; a large majority of privilege-escalation incidents involved no named CVE; shadow-AI use rose from 15% to 45% of workers (Verizon describes this as a fourfold rise in its data-loss dataset); third-party involvement in breaches climbed toward 48% of the total. Scope: a snapshot of attacker behaviour as measured in this report, NOT a claim that AI can never produce novel offensive capability; the defensive-priority inference (patch velocity + identity hygiene over novel-threat hunting) is editorial advisory built on the data. VERIFIED 2026-05-29: DBIR published 19 May 2026; vulnerability exploitation at 31% as the #1 initial-access vector (first time in 19 years), under 2.5% rare techniques, 44% of AI-assisted initial access still phishing, the 793-actor Anthropic collaboration (Mar 2025-Feb 2026), shadow-AI 15%->45% (fourfold), and third-party 48% all confirmed via the Verizon newsroom and PushSecurity/SpyCloud/SCWorld analyses. Canonical: verizon.com/business/resources/reports/dbir/. 90-day review cadence (27 Aug 2026). Trigger conditions to revisit before next cadence: (a) the 2027 DBIR or comparable incident data shows AI generating materially novel techniques at scale, which would move the claim toward Partial or Not holding; (b) stolen credentials retake the leading initial-access position, weakening the vulnerability-exploitation half of the claim; (c) a documented at-scale AI-native attack technique with no human-era analogue. Related published corpus: /approved-tool-unapproved-capability-shadow-ai/ (the shadow-AI discovery problem the 45% figure points at) and /owasp-agentic-ai-top-10-walkthrough/ (the agent-specific identity-hygiene controls).

Published
29 May 2026
Last reviewed
29 May 2026
Next review
+70d· 27 Aug 2026
Primary sources
Embed this claimiframe + oEmbed
HTML iframe
Paste-the-URL (Substack, Medium, Notion, WordPress)

The card auto-updates when the claim's status, last-reviewed date, or correction log changes. Embedders never need to refresh — the card is rendered live from the canonical record.

Watch this claim

Email-me when AM-190's status, next review date, or correction log changes. One email per change. No newsletter subscription, no other mail.

The claim: As measured by the 2026 Verizon Data Breach Investigations Report, AI is raising the throughput of cyberattacks rather than the underlying capability of attackers, because AI-assisted intrusions overwhelmingly scale known techniques rather than generate novel ones; the more consequential 2026 shift is that vulnerability exploitation has overtaken stolen credentials as the leading initial-access vector, and together these redirect enterprise defensive priority toward patch velocity and identity hygiene over hunting novel AI-authored threats.

About this register

The Reporting register tracks claims published from articles addressed to senior enterprise IT leaders — CIOs, IT directors, heads of platform. Claims are reviewed on a 30–90 day cadence; each review either reaffirms the claim, marks one substantive part as Partial, or marks it Not holding once the underlying evidence has been overtaken.

Recent corrections in Reporting

  • AM-008 · Partial · 17 Jun 2026

    Source-text figure re-review: Google's 2024 Environmental Report reports a 28% year-over-year increase to 8.1 billion gallons, not the 33% (from a 6.1 billion 2023 base) asserted at publish. The 8.1B 2024 figure and the Microsoft WUE 0.30 L/kWh / 39%-improvement figure are unchanged and verified. Article corrected to 28% and the unsupported 6.1B base removed; the claim text retains the original figure with this correction per the Holding-up protocol.

  • AM-132 · Partial · 10 Jun 2026

    One of four legs unanchored on re-review. The claim text attributes '12% of deployments clearing 300%+ ROI with 88% at or below break-even at 12-18 months' to the Stanford DEL 2026 Enterprise AI Playbook. Full-text verification on 10 Jun 2026 found no such figure in that source: the playbook (Pereira, Graylin, Brynjolfsson, Apr 2026) studies 51 successful deployments by design and contains no ROI distribution, no 300%-plus cohort, and no break-even measurement point (full finding at AM-029, correction of 10 Jun 2026). The only verified figure carrying the same 12/88 numerals is IDC research with Lenovo (via CIO.com, Mar 2025): roughly 88% of AI proof-of-concepts never reach production and roughly 12% graduate — a pilot-to-production graduation metric, not an ROI distribution. The Gartner 28%, McKinsey 23%/17%, and MIT NANDA 95% legs verify; they support a small high-performing tail and a large struggling body, but none documents the two-peak bimodal shape the claim asserts. Status Up -> Partial.

  • AM-129 · Partial · 10 Jun 2026

    One of three read-against anchors unanchored on re-review. The claim text cites 'Stanford Digital Economy Lab Enterprise AI Playbook (12/88 bimodal ROI distribution at 12-18 months)' and frames the realistic ROI band around 'the highest-discipline 12% cohort'. Full-text verification on 10 Jun 2026 found the playbook contains no 12/88 distribution, no bimodal ROI shape, and no 12-18-month ROI measurement point (full finding at AM-029, correction of 10 Jun 2026). The claim's core negative finding — no mid-market enterprise has produced a documented +240% ROI in 90 days under audited conditions — is unaffected; the McKinsey State of AI 2025 and MIT NANDA legs verify and continue to support it. The '12% cohort' framing has no verifiable referent. The only verified figure carrying the 12/88 numerals is IDC's pilot-graduation finding (roughly 88% of AI proof-of-concepts never reach production; via CIO.com, Mar 2025), a different metric. Status Up -> Partial.

Reviews coming up in Reporting

  • AM-063 · Holding · next +9d (27 Jun 2026)

    AI agents executing financial transactions need a four-control bundle (action-approval gates by blast radius, kill-swit…

  • AM-061 · Holding · next +9d (27 Jun 2026)

    Production agentic-AI costs at scale routinely run multiples of POC projections, and a layered optimisation programme c…

  • AM-003 · Partial · next +9d (27 Jun 2026)

    GPT-5 Pro's tiered-subscription model forces enterprises to classify problems by computational difficulty — $200/month…