KnowBe4 has published a study on AI and human-related cyber risks in Australia and New Zealand. The study found that 64% of organizations in the region already use AI agents to perform autonomous actions within their workflows.
The findings demonstrate a widening gap between the prevalence of AI tools in daily work and the controls used to manage them. 50% of organizations surveyed in Australia and New Zealand said their use of AI was not authorized or controlled. Meanwhile, 59% of employees said they typically procure their own agent AI tools when approved options are unavailable or too restrictive.
The study surveyed 75 security decision makers and 200 employees in Australia and New Zealand as part of a broader global survey of 4,000 professionals from organizations with 250 or more staff.
Deepfake concerns
The study found that concerns about employee-targeted deception are widespread alongside the rise of autonomous AI tools. In Australia and New Zealand, 85% of employees said deepfake audio and video content is so real that they don’t know what to believe, and 68% said they would be likely to fall for a deepfake scam at work.
This view stands in contrast to the confidence expressed by executives. The survey found that 93% of leaders believe their employees can identify spoofed messages sent through internal tools, and 88% said their employees can identify deepfake audio or video content.
These numbers suggest a rift between frontline staff and decision-makers over how organizations are prepared for impersonation and manipulation attacks. It is also influenced by the fact that 49% of cybersecurity leaders in the region identify AI-powered attacks as a key driver of future human-related cybersecurity risks.
human behavior
The study also highlighted the continued role of employee behavior in security incidents. Nearly all organizations surveyed in Australia and New Zealand, or 99%, said human-related actions had impacted their cybersecurity in the past 12 months.
More than half of employees (56%) say time pressure and workplace distractions lead them to make security mistakes even when they know the correct process. And even though 93% of organizations say employees feel comfortable reporting mistakes or suspicious activity without fear of recrimination or embarrassment, an additional 24% say they sometimes don’t report security mistakes because they’re embarrassed.
The use of unauthorized tools emerged as another theme. An equal share of employees and cybersecurity leaders (59%) say unauthorized software and AI applications are a problem, and leaders report that such tools have impacted their organization’s security posture in the past year.
hybrid threat
This report describes a threat environment where both staff and software agents can be targeted. When organizations allow AI tools to operate within internal processes, attackers can manipulate employees through impersonation or exploit AI systems through methods such as prompt injection.
Dr. Kawin Boonyapredee, chief information security officer advisor at KnowBe4 APJ, said the pace of change is putting pressure on security teams.
“Cybersecurity is entering a precarious phase, as organizations seek to secure a hybrid human-AI workforce, and change is happening faster than security leaders can keep up,” said Dr. Kawin Boonyapredy, chief information security officer advisor at KnowBe4 APJ.
He said current controls have not kept pace with the proliferation of autonomous AI within enterprises.
“Advertisers are moving at machine speed, targeting employees with attacks like deepfakes or facilitating injections to hijack AI agents. Leaving half of enterprise AI usage unchecked is a massive, unprotected invitation to threat actors,” said Dr. Bhuniapredy.
Australia and New Zealand outperform the global average on some key indicators. 64% of regional cybersecurity leaders said AI agents are already operating autonomously within their organization’s workflows, compared to 58% globally.
This has made the region more aggressively deploying agent AI in business settings, while also highlighting challenges to governance, staff awareness, and incident reporting as AI tools move further into daily operations.
This broader global study surveyed 800 security decision makers and 3,200 employees in the Americas, Europe, the Middle East, Africa, and Asia Pacific.
