Singapore – A new study from KnowBe4 has warned that the growing use of autonomous AI agents and increasingly sophisticated deepfakes is creating new cybersecurity risks for organisations in Singapore, with many companies lacking governance over AI deployments.
The report examined how the rapid adoption of agentic AI is affecting organisational security. According to the study, 99% of surveyed organisations in Singapore use AI in their workflows, while 44% reported that their AI usage is unapproved or ungoverned, a phenomenon the report describes as “Shadow AI.”
The research also found that 40% of cybersecurity leaders in Singapore said AI agents are already performing autonomous actions within organisational workflows, expanding the attack surface for cyber threats.
Employee concerns over AI-enabled attacks were also highlighted in the report. According to the findings, 93% of Singaporean employees believe deepfake voice and video content has become so realistic that it is difficult to determine what is trustworthy, while 87% said they could potentially fall victim to a deepfake scam at work. These figures exceed the reported global averages of 86% and 64%, respectively.
Despite these concerns, confidence among cybersecurity leaders remains relatively high. The study found that 88% believe employees can identify impersonation messages sent through internal communication tools, while 74% are confident employees can detect deepfake voice and video content.
The report also identified human behaviour as a continuing cybersecurity challenge. All surveyed cybersecurity leaders in Singapore said employee-related behaviours had affected their organisations’ cybersecurity over the past 12 months. Meanwhile, 67% of employees acknowledged that workplace distractions and time pressures contribute to security mistakes, even when they know the correct procedures.
Use of unsanctioned AI tools also emerged as a concern. Nearly one-third (32%) of employees said they frequently source their own agentic AI tools when approved alternatives are unavailable or too restrictive. Correspondingly, 56% of cybersecurity leaders reported that the use of unauthorised software and AI applications had negatively affected their organisations’ security posture during the past year.
The research further pointed to a disconnect between organisational culture and employee behaviour around incident reporting. While 88% of organisations said employees feel comfortable reporting mistakes or suspicious activity without fear of blame, 37% of employees admitted they sometimes choose not to report security mistakes because of embarrassment.
“Cybersecurity has entered a volatile phase where organisations are trying to secure a hybrid human and AI workforce that’s changing more quickly than security leaders can keep up,” said Dr Kawin Boonyapredee, CISO Advisor at KnowBe4 APJ. “Attackers are moving at machine speed, using attacks such as deepfakes to target employees and prompt injections to hijack AI agents. Leaving nearly half of your corporate AI usage ungoverned is a massive open invitation to threat actors.”
According to the report, organisations should focus on strengthening governance around AI adoption while fostering a security-focused culture that encourages positive employee behaviour. It recommends designing systems that guide secure practices, reinforcing positive actions rather than tracking failures, and extending a security-first mindset across both human employees and AI agents.

