Thales Data Threat Report warns that mad scramble to embrace AI comes with risk

In an online talk about AI, Eric Hanselman, chief analyst at S&P Global Market Intelligence 451 Research, offers a tour of key findings from the global edition of the Thales 2025 Data Threat Report.

The report is based on a survey of more than 3,100 IT and security professionals in 20 countries across 15 industries, and looks at the expanded impacts of AI, the post-quantum security shift, and progress on the question of data sovereignty.

“We hear so much about AI, there are so many challenges in so many different aspects,” Hanselman says. “But in data security, this really is a fundamental focus – and has to be, in order to drive AI functionality.”

“We need to be able to address the delivery of data at scale to be able to feed AI and to be able to allow organizations to truly realize the promise that AI offers.”

The pace of change is jarring for the security sector and beyond, as digital transformation occurs en masse. Thales says nearly 70 percent of organizations view the rapid pace of AI development, and generative AI in particular, as the leading security concern related to its adoption, followed by lack of integrity (64 percent) and trustworthiness (57 percent). Seventy-three percent of organizations are investing in “AI-specific security tools” with either new or existing budgets.

Malware attacks and phishing remain key problems, although data breaches are down.

‘Data ingestion engine the likes of which we haven’t seen before’

But AI has created such a kerfuffle that it has generated its own whirlwind of problems. According to a release on the study, “while most respondents said rapid adoption of GenAI is their top security concern, respondents in the more advanced stages of AI adoption aren’t waiting to fully secure their systems or optimize their tech stacks before forging ahead. Because the drive to achieve rapid transformation often outweighs efforts to strengthen organizational readiness, these organizations may be inadvertently creating their own biggest security vulnerabilities.”

As Hanselman puts it, “many enterprises are deploying GenAI faster than they can fully understand their application architectures, compounded by the rapid spread of SaaS tools embedding GenAI capabilities, adding layers of complexity and risk.”

Data classification is a particular problem, as organizations struggle to manage the masses of data within their environment. Of course, Hanselman says, in order to be able to secure data, you have to be able to classify it.

“If we put that in the lens of AI, this becomes a doubly difficult challenge. Because the push to AI gives ua a data ingestion engine the likes of which we haven’t seen before. And the temptation to feed data into that AI environment without the corresponding ability to classify that data means that we’re picking up a significant amount of risk.”

Cloud assets are the biggest attack target – not just cloud-based infrastructure, but also credential-theft-based attacks. “It puts additional focus on making sure that the protections we have on cloud are going to be sufficient to manage this.”

Hanselman also addresses compliance, and why it matters beyond the wagging fingers of regulators. “There is good correlation with compliance performance and breach history – and this is a trend that continues this year. If you’re passing audits, you are much less likely to be breached.”

Concerns about quantum threat, cryptoagility ‘continuing to evolve’

When it comes to security for post-quantum computing (PQC), the message is the opposite: “the clock is ticking on post-quantum readiness.”

The top threat cited is future encryption compromise – or “the risk that quantum computers could eventually break current or future encryption algorithms, exposing data once considered secure.” Hanselman calls these “harvest now, decrypt later” capabilities.

Todd Moore, global vice president of data security products at Thales, says “it’s encouraging that three out of five organizations are already prototyping new ciphers, but deployment timelines are tight and falling behind could leave critical data exposed. Even with clear timelines for transitioning to PQC algorithms, the pace of encryption change has been slower than expected due to a mix of legacy systems, complexity, and the challenge of balancing innovation with security.”

Hanselman says “now that we’ve got a new set of approved NIST quantum-resistant ciphers, organizations should be starting to put those into their environments.”

Article Topics

451 Research  |  cybersecurity  |  enterprise  |  generative AI  |  post-quantum cryptography  |  Thales  |  Thales Digital Identity and Security