Despite widespread adoption of AI, report warns that organisations remain underprepared.
A study by Exabeam has found that insiders, whether malicious or compromised, are now viewed as a greater cybersecurity risk than external attackers, with 64% of respondents ranking them as the top concern.
The rise of generative AI (GenAI) is a key factor, accelerating insider activity by enabling identity spoofing, AI-driven phishing, and social engineering at machine speed. More than half of organisations (53%) reported an increase in insider incidents over the past year, with government, manufacturing, and healthcare anticipating the steepest growth.
“Insiders aren’t just people anymore,” said Steve Wilson, Chief AI and Product Officer at Exabeam. “They’re AI agents logging in with valid credentials, spoofing trusted voices, and making moves at machine speed. The question isn’t just who has access — it’s whether you can spot when that access is being abused.”
Unauthorised GenAI use is adding to the problem, with three-quarters of organisations reporting unapproved deployment. Technology, government, and financial services sectors are the most affected, as AI tools designed to enhance productivity are repurposed for malicious activity.
Despite widespread adoption of AI in security tools, the report warns that organisations remain underprepared. While 88% have insider threat programs, fewer than half use user and entity behaviour analytics to detect abnormal activity early. Many still rely on traditional identity and access management, training, or DLP solutions, which lack the behavioural insight needed to spot subtle, AI-enhanced threats.
“AI has added a layer of speed and subtlety to insider activity that traditional defences weren’t built to detect,” said Kevin Kirkwood, CISO, Exabeam. “Security teams are deploying AI to detect these evolving threats, but without strong governance or clear oversight, it’s a race they’re struggling to win. This paradigm shift requires a fundamentally new approach to insider threat defence.”
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.