The espionage threat just got faster, cheaper, and harder to stop

QBE's latest report on agentic AI arrives as cyber losses climb and insurers question whether their underwriting models are still fit for purpose

By Mark Rosanes

Agentic artificial intelligence is compressing the time it takes to carry out commercial espionage and fraud. A new report by QBE North America and risk consultancy Control Risks examines how agentic AI is reshaping the threat environment for businesses.

Earlier AI tools required human direction at each step. Agentic models work differently. They set their own objectives, adapt to obstacles, and execute multi-step attacks with limited oversight. That shift reduces the need for large teams of threat actors.

A QBE survey of 400 decision-makers across IT, administration, and insurance found that 29% reported at least one AI-linked cyber incident in the past year. The survey covered US businesses with between 100 and 2,000 employees.

Ian Walsh, vice president and US cyber product leader at QBE North America, said the technology has changed the threat calculus for organizations.

“Agentic AI represents a step-change in how threat actors operate by compressing timelines and expanding capabilities in ways organizations have never faced before,” Walsh said.

A wider threat pool

One of the report’s key findings is that agentic AI lowers the barrier to entry for less skilled attackers. Capabilities once limited to sophisticated groups are now within reach of a broader range of actors. The technology generates new attack entry points alongside existing ones, complicating threat monitoring.

That wider attacker pool is reflected in broader loss data. The FBI’s 2026 Internet Crime Report put US cyber losses at nearly $21 billion in 2025. Munich Re underwriter Hannah Hays said Q1 2026 was the most hostile threat environment on record. Ransomware gangs are running AI-enhanced campaigns that are more automated and targeted than in prior years.

The fraud picture is deteriorating at a similar pace. The FBI’s 2025 Internet Crime Complaint Center report recorded a 37% rise in AI-assisted business email compromise incidents. Deepfakes now account for 6.5% of all fraud attacks, a 2,137% increase since 2022.

The human element on both sides

The report draws a clear line between machine execution and human accountability. Threat actors still set attack goals and make key decisions. Inside organizations, humans govern how agentic AI systems are trained, define their boundaries, and hold final authority on compliance.

The report also addresses what organizations should do on the defensive side.

“The human element remains central in mitigating risk and building resilience,” Walsh said. “To stay ahead of evolving threats, organizations must act with speed, combining security fundamentals with AI-enabled defenses and comprehensive coverage.”

The report recommends layering AI-enabled detection on top of existing controls such as access management, network monitoring, and incident response planning.

The cost of getting that balance wrong is rising. IBM’s Cost of a Data Breach Report 2025 put the global average breach cost at $4.7 million. Sophos found that 59% of organizations were hit by ransomware in the past year.
