AI races ahead—while social engineering and skills gaps raise the security stakes

Positive Technologies said social engineering remains one of the most effective cyber-attack vectors, appearing in nearly 70% of cases, and warned that attackers are increasingly using AI for large-scale abuse. The statement, delivered by Anastasia Fedorova, frames AI not only as a defensive tool but as an accelerator for phishing, fraud, and credential theft at scale. The implication is that threat actors can lower the cost of deception while raising volume, compressing the time between compromise and detection. For executives, the key takeaway is that “human-layer” security is becoming more automated and therefore harder to manage with static controls. Strategically, this cluster points to a broader geopolitical pattern: AI adoption is moving from pilots to operational systems across economies, while governance and security practices lag behind. The articles also highlight efforts to shape norms—such as developing a shared code of conduct for AI use in think tanks—suggesting that policy communities are trying to keep pace with rapid capability diffusion. Meanwhile, industry reporting from Brazil and Hong Kong emphasizes automation and digital transformation in construction and logistics, which expands the attack surface through connected devices, robotics, and data-driven workflows. The winners are firms that can integrate AI safely and train talent quickly; the losers are organizations that treat cybersecurity and workforce development as afterthoughts. Market and economic implications are most visible in AI-enabled construction, logistics, and broader digital transformation spending. In Brazil, reporting that infrastructure investment could reach R$ 300 billion in 2026 signals sustained demand for engineering services, construction tech, and industrial software, while also increasing exposure to cyber risk in project management, procurement, and operational technology. In parallel, the skills gap in AI adoption suggests near-term pressure on labor markets and training budgets, potentially slowing ROI for companies that cannot staff AI operations. For investors, the security angle can translate into higher demand for cybersecurity tooling, identity and access management, and training services, while AI automation in physical sectors can lift productivity expectations but raise compliance and incident costs. What to watch next is whether AI governance initiatives turn into enforceable standards and procurement requirements, and whether cybersecurity vendors can demonstrate measurable reductions in social-engineering success rates. Key indicators include reported phishing/fraud effectiveness trends, adoption of AI-assisted security controls, and the pace of workforce upskilling programs tied to AI deployment. In Brazil, monitor infrastructure tender cycles and whether contractors require security-by-design clauses for connected construction and logistics systems. In Hong Kong’s building sector, track the rollout of AI/robotics on sites and any incidents that reveal gaps in safety and cyber resilience. Escalation risk rises if AI-driven social engineering outpaces detection and if infrastructure digitization proceeds without stronger identity, monitoring, and incident-response capacity.

Geopolitical Implications

• 01

  AI capability diffusion is outpacing security and governance, increasing cross-border cyber risk even without kinetic conflict.

• 02

  Norm-setting initiatives (codes of conduct) signal a move toward institutional AI governance, which can shape future compliance regimes and procurement rules.

• 03

  Digitization of physical infrastructure (construction, logistics, industrial operations) creates strategic leverage for states and firms that can secure identity, data, and operational technology.

• 04

  Workforce skills gaps can become a strategic constraint, widening the gap between AI-ready economies and those exposed to higher incident costs.

Key Signals

• —Public reporting of social-engineering success rates and AI-enabled phishing/fraud trends.
• —Security vendor metrics on identity compromise reduction and time-to-detect improvements.
• —Brazil infrastructure tender language on cybersecurity requirements and incident-response obligations.
• —Rollout milestones for AI/robotics in Hong Kong construction and any reported safety/cyber incidents.
• —Progress from AI code-of-conduct drafts to adoption by institutions and funders.