57,000 user accounts. 728,000 sensitive file names. 46.5m chat messages. These are some of the assets a cybersecurity firm claimed they were able to access on McKinsey’s internal AI platform last month. It’s the kind of scenario all businesses dread. It’s also one that, in today’s digital age, few companies are immune from. So while on this occasion the breach by a so-called ethical hacker was more fire drill than full crisis, the incident should serve as a cautionary tale that AI-ambitious companies take seriously.
In today’s digital age, an attempted hack on your company is more likely a matter of when than if. The arrival of AI as a widespread feature of the business world has created new avenues for attacks and increased the sophistication of threats. But instead of disappearing into a pit of existential angst, organisations should learn the lessons from high-profile incidents and take steps to reduce any risks their internal AI adoption might present.
On this occasion, the hack wasn’t instigated by a nefarious actor and the firm behind it alerted McKinsey to the system’s vulnerabilities once it uncovered them. Compared to the sustained crises that engulfed M&S and Co-op last year, the fallout from McKinsey’s breach was relatively contained. The firm was able to fix any identified issues within hours and made it clear to the market that no client data or confidential information was accessed by any third-parties.
Regardless of how deep this hack actually went, episodes like this should serve as a cautionary tale for enterprises investing in rolling out AI.
McKinsey launched its internal generative AI platform in 2023, and uptake was swift with three-quarters of staff reported as active users in 2024. The firm was quick off the mark as a new era of AI dawned, and investing early proved to be a commercially savvy move: already last year around 40% of its revenue was being generated by AI-related projects. McKinsey had to walk the walk internally in order to sell AI services externally. It’s a market success story.
It remains unclear what led to McKinsey overlooking the vulnerabilities in its system. However, organisations should be aware that going too fast in the roll-out stage can create vulnerabilities further down the line. A desire to not be left behind has, over recent years, spurred other organisations to run before they can walk. By prioritising the speed of AI roll-outs and the perceived imperative to be ahead of the pack, many enterprises may have unwittingly opened themselves up to hugely consequential risks when it comes to cybersecurity and data handling. And it’s not always the more complex end of AI investment that creates vulnerabilities; it can be basic processes – such as password hygiene and access controls – that trip people up in the race to roll out.
At the same time, too many companies have poured money into the space without clarity on what success looks like or how they’ll gauge it. While companies like McKinsey are demonstrably benefitting from going all-in on the technology, a huge swathe of organisations are struggling to pinpoint what ROI their investments have actually delivered. As the managing director of BCG recently pointed out, “fear of losing out” has prompted over-zealous investment in AI, to the detriment of defined, measurable strategy.
Speed has a stranglehold on the conversation. Just a couple of weeks ago the chancellor said she wanted Britain to be the fastest adopter of AI in the G7 in a bid for growth. This ‘move fast’ mindset has companies competing in a race where they don’t know what the prize is. Being first off the mark doesn’t guarantee a podium finish, there’s no participation trophy on offer, and if efforts don’t pay off (as is the case for as much as 95% of generative AI pilot projects), the stumble could be far more costly than waiting on the sidelines.
If companies want to avoid the nightmare scenario of a real AI system hack, while also driving true returns on their investments, they need to take a “go slow to go fast” approach.
The best defence is resisting the rush and getting the groundwork right. That means bringing compliance, security, and data governance principles to the fore. It means shifting focus from visible AI adoption and shiny metrics to the unglamorous work of securing data, designing information‑retention rules, and governing access (both in terms of locking data down and opening it up to the right users and tools), and building proper guardrails. And that takes time. Treating “always‑on” compliance and data governance as competitive advantages is the only way to ensure AI systems don’t become liabilities.
For businesses itching to participate in the AI race, it’s possible to make the case for the ‘last mover advantage’ when it comes to going big – focusing on experimenting with AI pilots, making the foundations secure, and ensuring ROI benchmarks are clear before rolling out systems. With the right guardrails and data in place, AI-ready – not AI-eager – companies will be the ones that reap rewards without laying themselves open to unnecessary risk.
Steve Salvin is the CEO and founder of Aiimi.
Picture credit: SOPA Images / Contributor via Getty Images.
Click Here For The Original Source.
