The Growing Cyber Threat Landscape in the Age of AI
As artificial intelligence continues to reshape the cyber threat landscape, businesses and public institutions are facing an urgent challenge: adapting their defenses to counter attacks that are increasingly automated, intelligent, and difficult to detect. This transformation is not just a technological shift—it’s a fundamental redefinition of how organizations must approach cybersecurity.
According to Gbemisola Osunrinde, CEO of Smartcomply, preparedness requires a fundamental shift from reactive security to resilience built on visibility, governance, and continuous monitoring. In an exclusive interview, she outlined what organizations must do to survive in an era where AI accelerates both the pace and sophistication of cyber threats.
The Urgent Need for Preparedness
A new report on Africa’s AI and cyber frontier reveals that while 74% of regional organizations rank cyber risk as their top strategic priority—far exceeding the global average of 57%—only 29% actually conduct tabletop exercises to simulate real incidents. This leaves most leadership teams unprepared for threats they have never effectively rehearsed.
The stakes are particularly high in East Africa, where digital platforms underpin financial inclusion, public services, and daily economic activity. A dangerous asymmetry has emerged between offensive capability and defensive maturity. While 60% of organizations globally believe they have already been targeted by an AI-enabled attack, only 7% have successfully deployed AI-driven defences to counter them.
In East Africa, this asymmetry is driving measurable exposure. The region now records the continent’s highest document fraud rejection rate at 27%, a figure driven by automated bots overwhelming verification APIs at scale. In Tanzania, AI-driven fraud attempts surged by 317% in the last review period, as attackers moved from low-tech scams to high-fidelity identity spoofing.
What Does Preparedness Look Like for Businesses?
According to Osunrinde, preparedness for businesses starts with visibility and governance. Organizations must know where their critical data resides, who has access to it, and how AI tools—both authorized and unauthorized—are being used internally. She emphasized that AI-driven phishing, impersonations, automated vulnerability scanning, and adaptive malware campaigns mean that companies must adopt continuous monitoring, behavioral analytics, and AI-assisted detection systems to match the threat landscape.
However, technology alone is not the answer. Preparedness also means strengthening internal controls, implementing zero-trust architectures, conducting regular red-team simulations that mimic AI-powered attacks, and ensuring that executive leadership understands cyber risk as a board-level issue rather than a purely IT concern.
The report highlighted a dangerous “execution gap” where strategic awareness has not translated into operational resilience. Only 5 of global leaders reported significant budget increases specifically tied to AI-related risk despite 53% ranking AI-enabled threats among their top three concerns.
Osunrinde emphasized that resilience improves when organizations plan for failure instead of assuming stability. Businesses that run realistic incident scenarios, invest in cross-functional skills, and design security into products from the outset respond faster and recover better.
Preparing Public Institutions for AI-Driven Threats
For public institutions, the stakes are even higher as AI-driven attacks increasingly target critical infrastructure, public databases, and citizen-facing platforms. Preparedness in this context requires coordinated threat intelligence sharing, clear incident response frameworks, and strong inter-agency collaboration.
Governments must also invest in digital literacy and workforce training, because human error remains one of the most exploited vulnerabilities. A defining example of systemic vulnerability was the Pegasus Technologies breach in Uganda, where attackers exploited an aggregator to bypass telecom defenses using 2,000 SIM cards, siphoning UGX 11 billion ($3 million) across MTN, Airtel, and Stanbic Bank.
Osunrinde identified regulatory readiness as critical and emphasized that institutions must align with evolving data protection, AI governance, and cybersecurity standards. “Being compliant is not simply about avoiding penalties, it is about building resilient systems that can withstand increasingly automated and intelligent adversaries,” she added.
The Culture of Performative Compliance
A recurring theme across expert interviews is that privacy and cybersecurity are inseparable, but many organizations still treat them as separate compliance tracks. According to Mugambi Laibuta, chairperson of the Data Privacy and Governance Society of Kenya (DPGSK), many consequential data risks remain poorly captured in official reporting. These include SIM-swap fraud, account takeovers, insider data misuse, opaque data brokerage, and the misuse of personal data for political or commercial manipulation.
Although Kenya’s financial sector shows relatively strong compliance, smaller organizations struggle, with compliance often more performative than practical due to capacity constraints. This culture of “performative compliance” creates a habitat for emerging threats such as Shadow AI, where unvetted tools bypass governance to introduce data poisoning risks, while simultaneously enabling Advanced Persistent Threats to thrive.
Why Preparedness Is Urgent in Kenya
According to the report, the “urgent need” for preparedness in Kenya is underscored by the ever-increasing cyber threats, attacks, and the associated costs. Between April and June 2025 alone, more than 4.5 billion cyber threat events were recorded in Kenya, translating into estimated losses of approximately KSh 29.9 billion (US$230 million).
In January 2025, government websites and databases were the most targeted by cyber threats. In November 2025, various websites belonging to the Kenyan government were hacked and defaced. A spot check established that websites such as President William Ruto’s official portal, websites linked to ministries and state agencies—including Health, Education, Labour, Environment, ICT, Tourism, State House, and Interior—were affected by the cyberattack.
Ultimately, preparedness in the age of AI is about resilience. It means assuming that attacks will happen, reducing the attack surface, detecting threats early, responding rapidly, and recovering with minimal disruption. The organizations that will thrive are those that treat AI not just as a threat vector, but as a defensive capability, leveraging it responsibly to anticipate and neutralize risks before they escalate.




