Four Threats, One Confession: The Attacker Has the Advantage
Every now and then an analyst says the quiet part into a live microphone. That happened at the Gartner Security and Risk Management Summit, where the verdict on four headline threats was not "emerging" or "watch this space." It was that on all four, enterprise defences are overmatched and the attacker holds the advantage. The tooling is not up to the job yet. Sit with that for a second, because vendors do not usually let their favourite conference admit the products do not work.
The four sitting at the top of the 2026-27 ThreatScape are deepfakes, software supply chain, prompt injection, and AI application compromise. If you have read this blog before, none of those will surprise you. What is worth your time is the shape of each problem, and why "buy a box" is the wrong reflex for all of them.
Deepfakes and the death of trusting your eyes
Gartner's figure is that 62% of organisations have already taken a deepfake hit tied to social engineering or bypassing voice and face recognition. The honest engineering insight buried in the panic is this: you do not need to detect the deepfake to stop the attack. You need an authentication path that does not collapse just because the voice sounds right. A failed second factor kills a flawless fake. The detection arms race is a trap. The control that survives is layered authentication plus tooling that flags caller-ID spoofing and SIM-swap, because identity is the real battlefield and the fake face is just the delivery mechanism.
Supply chain: still bleeding, now automated
Supply chain attacks are not new. What changed is the automation. Self-propagating worms turned credential theft into a force multiplier, sweeping secrets and pivoting into the next repo without a human at the wheel. The Gartner read on the ecosystem was characteristically diplomatic about NPM, which is to say it called it a mess. None of the fixes are exotic. Strong version-control policy. Secrets scanning that people actually leave switched on. Least privilege bolted onto your CI/CD pipelines instead of service accounts that can do everything. The features mostly exist. Teams skip them and ship secrets anyway.
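As an added illustration of the "secrets scanning that people actually leave switched on" point (this is example code, not from the post, Gartner, or any scanner product): a small pre-commit style check that inspects only the added lines of a unified diff, matches the documented npm, AWS and GitHub token prefixes, and falls back to an entropy test for anything else assigned to a secret-looking name. The diff and every value in it are constructed; the AWS key is Amazon's published example key, not a live credential.

```python
import math
import re

# Token shapes follow the documented npm, AWS and GitHub prefixes; all sample values below are constructed.
TOKEN_PATTERNS = {
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Fallback: a secret-looking name assigned a long literal, judged by entropy rather than a fixed prefix.
ASSIGNMENT = re.compile(r"""(?i)(secret|token|password|api[_-]?key)\s*[:=]\s*["']?([A-Za-z0-9+/=_\-]{20,})""")

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score well above words and prose."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_diff(diff: str, entropy_threshold: float = 3.5):
    """Return (path, kind, literal) for each secret a unified diff would introduce.
    Only '+' lines are inspected, so context and removed lines never re-trigger on every commit."""
    findings = []
    path = None
    for line in diff.splitlines():
        if line.startswith("+++ "):          # new-file header, not content
            path = line[4:].removeprefix("b/")
            continue
        if not line.startswith("+"):
            continue
        body = line[1:]
        for kind, pat in TOKEN_PATTERNS.items():
            for m in pat.finditer(body):
                findings.append((path, kind, m.group(0)))
        for m in ASSIGNMENT.finditer(body):
            literal = m.group(2)
            already = any(f[2] == literal for f in findings)   # avoid double-reporting a known token shape
            if not already and shannon_entropy(literal) >= entropy_threshold:
                findings.append((path, "high_entropy_literal", literal))
    return findings

# Constructed diff: a leaked npm token, a hard-coded AWS key replacing a vault lookup,
# a short weak password (below the length floor, so not reported) and a random API key.
SAMPLE_DIFF = """\
+++ b/.npmrc
+//registry.npmjs.org/:_authToken=npm_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
+++ b/deploy.sh
-export AWS_ACCESS_KEY_ID=$(vault read ...)
+export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+export DB_PASSWORD=hunter2
+API_KEY="Zx9QmL2pR7vT4nK8wY1bH6jD3sF5gA0e"
"""

if __name__ == "__main__": print(scan_diff(SAMPLE_DIFF))
```

Wired into a pre-commit hook or a CI job that fails the build on any finding, this is the "switched on" part; the regex list is the easy bit and the entropy fallback is what catches the key nobody wrote a pattern for.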
Prompt injection: the part you cannot patch
This is the one that should keep AppSec people up at night. Indirect prompt injection rose 32% in a single quarter on Google's numbers. An attacker plants a malicious instruction in a webpage and waits for your agent to read it. No exploit, no payload in the classic sense, just text that your model treats as a command. And once you move to autonomous, agentic flows, the failure mode is brutal:
Once the execution chain is poisoned, the whole thing goes downhill, and you cannot really recover from that.
The vendors selling "prompt injection detection" that quietly just greps for scary keywords are not going to save you. There is no clean 100% block for injection or jailbreaking, and pretending otherwise is how you end up owned with a green dashboard. The grown-up answer is to red-team your own AI systems. Pen test the agent. Find the indirect injection paths before someone external does it for the cost of a crafted webpage.
AI application compromise: more surface, more CVEs
There were 2,130 AI-related CVEs disclosed in 2025, up roughly 35% year on year. Memory poisoning, insecure infrastructure, the usual sins reappearing in a new layer of the stack. And then the detail I cannot ignore, because I run this stuff myself: analysts noted you can still scan the internet and find OpenClaw instances exposed with admin rights. A popular agent framework, a known stack of critical vulnerabilities, deployed wide and deployed badly. We keep wiring powerful automation to the public internet faster than we secure it, then act surprised.
The pattern under all four
Strip the AI glitter off and the same lesson is sitting underneath every one of these. The attacker advantage is not built on genius. It is built on the controls we keep deferring. Authentication that actually holds. Least privilege that is real instead of aspirational. Adversarial testing of the things we ship instead of trusting a marketing slide. None of it is new. All of it is unglamorous. That is precisely why it still works, and precisely why most shops still have not done it.