CISOs Weigh AI Gains Against Persistent Domain and Supply-Chain Risks in New CSC Survey

New CSC survey shows 73% of CISOs view AI as more opportunity than risk, yet domain attacks, third-party tool exposure and limited supplier controls persist alongside rising AI-driven threats flagged by Microsoft, Cisco and Five Eyes agencies.
CISOs Weigh AI Gains Against Persistent Domain and Supply-Chain Risks in New CSC Survey
Written by Tim Toole

CISOs are seeing AI as a net positive for defense while still wrestling with familiar threats and new exposures from third-party tools. CSC’s CISO Outlook 2026 report, released in mid-June, surveyed 300 senior executives including CISOs, CTOs, CIOs and heads of cybersecurity in the first quarter of the year. Seventy-three percent said AI presents more of an opportunity than a risk for cybersecurity. Yet the same leaders flagged clear gaps in controls and confidence.

Domain and DNS attacks topped the list of concerns. Respondents ranked domain or DNS hijacking and subdomain takeover as the leading threat in 2025, followed by cybersquatting and ransomware or malware. Only 14 percent described themselves as very confident in their ability to mitigate domain attacks. One in ten believed major organizations remain significantly underprotected against DNS outages. AI-powered domain generation algorithms drew attention too, with 86 percent citing them as a threat.

Third-party AI access raises separate alarms. Ninety-eight percent of respondents expressed concern about giving large language models and other AI systems access to company data. Seventy-nine percent said they are concerned or very concerned that suppliers’ and partners’ AI tool use creates risk for their own organizations. Still, 70 percent apply risk controls only to key suppliers.

Many security teams are already putting AI to work internally. Fifty-seven percent use AI-based monitoring and enforcement solutions. Forty-four percent apply AI to threat detection and fraud prevention. Both numbers rose from the prior year’s survey, when the figures stood at 50 percent and 36 percent respectively. CSC’s chief technology officer for Digital Brand Services, Ihab Shraim, noted that agentic AI could accelerate attacks by automating reconnaissance, impersonation and domain-based operations at scale. He urged CISOs to treat DNS and domain security as critical infrastructure that has often been overlooked.

Broader industry data points to similar tensions. Microsoft’s 2026 Data Security Index, drawn from more than 1,700 security leaders, found that 82 percent of organizations now plan to embed generative AI into data security operations, up from 64 percent the year before. Nearly half are implementing generative AI-specific controls, an eight-point increase. At the same time, 32 percent of surveyed data security incidents already involve generative AI tools. Poor integration and fragmented visibility remain top complaints.

Cisco’s State of AI Security 2026 report, published in February, described a widening gap between adoption speed and security readiness. It highlighted prompt injection, jailbreaks and supply-chain risks to AI systems as growing vectors. Security teams themselves have become early adopters of AI for detection, automation and incident response, yet many organizations still lack unified oversight.

Recent warnings from the Five Eyes intelligence alliance underscore the urgency. In a joint statement released June 23, the cybersecurity agencies of the United States, United Kingdom, Canada, Australia and New Zealand said frontier AI models are expected to exceed current expectations and transform both offensive and defensive capabilities within months, not years. The statement called on boards and leaders to assess AI-related risks immediately and strengthen resilience. Acting CISA Director Nick Andersen emphasized that adversaries are already using AI to move faster and more effectively.

State-level CISOs echo the pattern. A NASCIO-Deloitte survey released in early June found that only 22 percent of state chief information security officers felt confident protecting public data, down sharply from 48 percent in 2022. AI-enabled attacks ranked among their top three concerns. Twenty-three states reported already using generative AI in operations, with 21 more planning to do so within the year.

Supply-chain exposure remains a weak point across reports. CSC data showed limited controls beyond key vendors. Microsoft findings pointed to unsanctioned AI agents and shadow usage as persistent blind spots. Cisco noted that rushed integration of large language models into critical workflows often bypassed traditional vetting.

Looking ahead, social media impersonation and defamation are expected to rise as top threats, according to CSC respondents. Domain and DNS risks are not fading. The combination of optimistic internal AI adoption and uneven external controls creates a mixed picture. Leaders who treat domain infrastructure, third-party AI governance and unified visibility as priorities appear better positioned to capture the benefits while containing the downsides.

Shraim’s closing observation captures the practical stance many CISOs now hold: strategies for domain risk must evolve to match the increasing complexity of AI-augmented attacks. The numbers from CSC, Microsoft, Cisco and the Five Eyes agencies together suggest that opportunity exists, but only for organizations willing to close the gaps that still separate adoption from assurance.

Subscribe for Updates

EnterpriseSecurity Newsletter

News, updates and trends in enterprise-level IT security.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us