UK security leaders are making their voices heard. Four in five want DeepSeek brought under regulation. They see a tool that promises efficiency but risks chaos.
Businesses are already under pressure. Trade disputes drag on. Interest rates remain high. Cyber threats are growing. Every move to expand operations adds risk, and that risk becomes harder to measure once AI enters the equation.
AI is spreading quickly. It reduces costs, fills gaps, and automates common tasks. But it also opens hidden doors. In the UK, AI is now part of the daily job. A KPMG survey showed that 69% of employees use it, but only 42% trust it.
Over half are satisfied with the wider adoption. The gap between use and trust highlights the challenges facing businesses and regulators.
Balancing regulation
The debate runs from the boardroom to the council. In February 2025, British Prime Minister Keir Starmer, along with US President Donald Trump, announced a deal on AI and advanced technology. The Prime Minister said the UK would not over-regulate and would focus on the opportunities.
The Artificial Intelligence (Regulation) Bill has also returned to the agenda. It was first introduced in 2023 and reappeared this March, focusing on governance, privacy and cyber risk. Add the EU AI Act and the recent US AI Action Plan to the mix, and it is clear why CISOs need to scrutinize AI systems. They need to prove that these systems can be used safely.
AI adds yet another layer of vulnerability. CISOs have to juggle rising AI-driven cyber threats, AI-based risks and biases, shadow AI, leadership demands, and regulatory expectations. Prevention alone is no longer enough. A recovery plan, stronger endpoints, and improved visibility are essential. Resilience is now a requirement, not a goal.
DeepSeek under scrutiny
Among the AI platforms, DeepSeek stands out, and not for the right reasons. The government has banned it from state-run devices, and many companies have restricted its use. This is primarily due to legitimate data security and national security concerns.
Research supports the alarm. AppSOC red-teamed DeepSeek-R1 and found failures across the board: 91% jailbreak success, 86% vulnerability to prompt injection, 93% malware generation, 81% hallucination, 68% toxic output. Their conclusion was blunt. Companies should avoid deploying DeepSeek-R1, particularly when sensitive or regulated data is involved.
The risk goes beyond technical flaws. DeepSeek stores user data on servers in China, where the law allows access by authorities without the consent of the user. For businesses that must comply with the GDPR or other regulatory frameworks, that is a clear conflict.
Data sourcing, retention and privacy are all issues, and past incidents have heightened concerns. For example, in January 2025, DeepSeek was used to distribute malicious infostealer packages disguised as legitimate tools, and the platform suffered cyberattacks that disrupted its services.
A call for government action
CISOs are listening. Eight in ten say the UK must regulate or limit DeepSeek. Many are worried that the country is already behind the US and the EU on cyber standards. The risk is not just hypothetical. With widespread adoption, even a single breach could cascade through networks and compromise sensitive information.
Investment, Skills and Mixed Signals
Despite the risks, AI is also part of the solution. Seven in 10 leaders believe it will help close the skills gap. Many organizations employ AI professionals, and a significant number plan to expand their AI talent this year. Senior executives are taking part in AI training courses. However, almost half of security teams feel unprepared for AI-driven threats.
Budget constraints remain a sticking point. Additionally, the level of preparation for emergencies, including cyber-related cases, remains generally low, with only 14% of local governments feeling mostly or fully prepared.
Approximately 27% have identified funding shortages as an important barrier to taking further steps to prepare for emergencies. Tools are available and knowledge is growing, but resources are lagging behind the needs.
Remote work is still a weak link
Hybrid work continues to complicate cyber defense. Almost two-thirds (60%) of CISOs say that remote work complicates their cyber resilience posture, increasing the risk of cybersecurity incidents. They are also concerned that unregistered devices are likely to cause security events. Many companies have implemented incident response protocols, but most focus on prevention rather than recovery.
In the UK, flexible work is a legal right, so hybrid setups are permanent. This makes endpoint security, full network visibility and a strong recovery plan essential.
Resilience first
CISOs have a high personal stake. Many worry about losing their jobs if a breach succeeds. Regulations such as NIS2 and DORA require boards of directors to be accountable when an incident occurs. AI adds new threats every day, and the stakes are all too real. A resilience-first strategy is important.
This means planning for every scenario, using AI defensively, and balancing prevention and recovery.
It's not all doom and gloom. Government surveys show a slight reduction in reported breaches. Cyber hygiene is improving, and risk assessments, cyber insurance, continuity planning, and formal policies are all becoming standard practice.
The environment remains difficult. AI shows no signs of slowing down, and bad actors are not sitting and waiting. Remote work is here to stay.
For CISOs, the message is to be vigilant, request resources, and make tough choices about which tools are safe to use. If the past is a sign of the future, you cannot ignore DeepSeek.
