Google’s Office of the Chief Information Security Officer has released a sweeping new assessment of how artificial intelligence is reshaping the threat environment for enterprises, governments, and critical infrastructure operators. The report, published through Google Cloud’s official blog, arrives at a moment when organizations across industries are racing to deploy AI capabilities while simultaneously grappling with the security implications of doing so. The findings paint a picture not of hypothetical future risks, but of adversarial activity already underway — and they suggest that defenders may need to fundamentally rethink how they model threats in an AI-augmented world.
Phil Venables, Google Cloud’s CISO, and a team of researchers from Google’s Threat Intelligence Group have documented a pattern they describe through three lenses: distillation, experimentation, and integration. Each represents a distinct phase in how threat actors are adopting AI tools, and each carries specific implications for how security teams should be allocating resources and attention. The report is notable not for breathless predictions about superintelligent malware, but for its grounded, evidence-based accounting of what adversaries are actually doing right now with commercially available and open-source AI systems.
Distillation: How Attackers Extract Value From Foundation Models
The concept of distillation, as Google’s team describes it, refers to the process by which threat actors extract useful capabilities from large foundation models and repurpose them for malicious applications. This is not a theoretical concern. Google’s Threat Intelligence Group has observed actors attempting to use large language models to generate phishing content, produce social engineering scripts, and even write code for malware components. The distillation framework acknowledges that while foundation models have safety guardrails, determined adversaries are finding ways to work around them — sometimes by fine-tuning smaller open-source models on outputs generated by larger, more capable systems.
This dynamic creates a persistent asymmetry. Organizations that build and deploy AI models invest heavily in alignment and safety measures. But once a model’s outputs are in the wild, those outputs can be captured, curated, and used to train derivative models that lack any such safeguards. According to the Google Cloud blog post, this distillation process is already happening at scale, and it represents one of the most immediate and practical threats that AI poses to enterprise security. The implication for defenders is clear: the proliferation of open-source models means that safety measures at the foundation model level, while necessary, are insufficient on their own.
Experimentation: Adversaries Are Testing AI at Every Stage of the Kill Chain
The second dimension of the threat — experimentation — describes how both state-sponsored and financially motivated threat actors are actively testing AI tools across the full spectrum of offensive operations. Google’s researchers have tracked activity by groups affiliated with nation-states including China, Russia, Iran, and North Korea, all of which have been observed using AI-powered tools to enhance reconnaissance, generate convincing lure content, and accelerate vulnerability research. The experimentation is broad but, according to the report, has not yet produced a fundamentally new class of attack. Instead, AI is making existing attack techniques faster, cheaper, and more scalable.
This finding aligns with assessments from other major threat intelligence providers. Microsoft’s Threat Intelligence team published similar observations earlier this year, noting that groups like Forest Blizzard (associated with Russia’s GRU) and Emerald Sleet (linked to North Korea) had been using large language models for scripting assistance and target research. The convergence of these findings across multiple major intelligence sources suggests that AI-augmented offensive operations are no longer an emerging trend — they are an established reality. What remains uncertain is the pace at which experimentation will yield genuinely novel attack capabilities, as opposed to incremental improvements in efficiency.
Integration: When AI Becomes Embedded in Offensive Infrastructure
The third and most consequential phase described in Google’s framework is integration — the point at which AI capabilities become a permanent, embedded component of adversarial toolkits and infrastructure. Venables and his team warn that this phase is approaching faster than many organizations appreciate. As AI agents become more capable of autonomous action — browsing the web, executing code, interacting with APIs — the potential for adversaries to deploy AI-driven attack chains that operate with minimal human oversight grows substantially.
Google’s report specifically flags the risk posed by AI agents that can be manipulated through indirect prompt injection or other techniques that exploit the gap between an AI system’s intended behavior and its actual behavior when confronted with adversarial inputs. As enterprises increasingly deploy AI agents to handle customer interactions, process documents, and manage internal workflows, each of these deployments represents a potential attack surface. The report urges organizations to treat AI agents with the same rigor they would apply to any other privileged software component — including strict access controls, monitoring, and incident response planning.
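One way to apply the "privileged software component" treatment to an agent, shown as an added example that is not taken from Google's report: every tool call passes a per-agent allowlist, side-effecting tools are refused once untrusted content has entered the context, and each decision is logged. The agent name, tool names, and policy layout are hypothetical.

```python
import json
from dataclasses import dataclass, field

# Hypothetical policy for illustration: agent and tool names are assumptions.
POLICY = {
    "support-agent": {
        "allowed": {"search_kb", "read_ticket", "send_reply"},
        # Side-effecting tools are refused once untrusted content is in context,
        # which limits what an indirect prompt injection can trigger.
        "blocked_when_tainted": {"send_reply"},
    },
}

@dataclass
class AgentSession:
    agent: str
    tainted_by: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def ingest(self, source: str, trusted: bool) -> None:
        """Record content entering the model context; untrusted sources taint the session."""
        if not trusted:
            self.tainted_by.append(source)

    def authorize(self, tool: str) -> bool:
        """Decide one tool call and log the decision for monitoring and incident response."""
        rules = POLICY.get(self.agent)
        if rules is None or tool not in rules["allowed"]:
            decision, reason = "deny", "tool not on allowlist"
        elif self.tainted_by and tool in rules["blocked_when_tainted"]:
            decision, reason = "deny", "untrusted content in context"
        else:
            decision, reason = "allow", "policy match"
        self.audit_log.append(json.dumps({
            "agent": self.agent, "tool": tool, "decision": decision,
            "reason": reason, "tainted_by": list(self.tainted_by),
        }))
        return decision == "allow"

def demo():
    """Constructed session: a reply is allowed, then refused after an untrusted document is read."""
    session = AgentSession("support-agent")
    results = [session.authorize("send_reply")]
    session.ingest("attachment:invoice.pdf", trusted=False)  # constructed sample input
    results.append(session.authorize("send_reply"))
    results.append(session.authorize("search_kb"))
    results.append(session.authorize("delete_account"))
    return results, session.audit_log
```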
The Defender’s Advantage: AI as a Force Multiplier for Security Teams
The Google Cloud CISO Perspectives report is not entirely grim in its outlook. A significant portion of the analysis is devoted to the ways in which AI is already proving valuable for defensive operations. Google highlights its own deployment of AI-powered tools for threat detection, malware analysis, and security operations center (SOC) automation. The company’s Sec-Gemini model, purpose-built for cybersecurity applications, is cited as an example of how AI can be tuned specifically for defensive use cases — analyzing indicators of compromise, correlating threat intelligence, and reducing the mean time to detect and respond to incidents.
The report argues that defenders have a structural advantage in AI adoption because they operate within controlled environments where AI systems can be trained on high-quality, proprietary data. Attackers, by contrast, must work with whatever data and models they can access or steal. This asymmetry, if properly exploited, could allow well-resourced security teams to stay ahead of adversarial AI adoption. However, the report cautions that this advantage is not automatic — it requires deliberate investment in AI security capabilities and a willingness to rethink traditional security architectures to account for AI-specific risks.
What Enterprises Should Be Doing Now
Google’s recommendations for enterprise security leaders are specific and actionable. First, organizations should conduct thorough threat modeling exercises that account for AI-augmented adversaries. This means assuming that phishing content will be more convincing, that vulnerability exploitation will be faster, and that social engineering attacks will be more personalized and harder to detect. Second, enterprises deploying their own AI systems need to implement security controls that are native to AI workloads — not simply bolted on from traditional security frameworks.
The report emphasizes the importance of securing the AI supply chain, including the models, training data, and inference infrastructure that underpin enterprise AI deployments. Supply chain attacks targeting AI components — such as poisoned training data or compromised model weights — represent a growing risk vector that many organizations have not yet addressed. Google recommends adopting a zero-trust approach to AI infrastructure, treating every component as potentially compromised until verified. The company also advocates for industry-wide collaboration on AI security standards, noting that the threat is too large and too fast-moving for any single organization to address alone.
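A sketch of "potentially compromised until verified" for model artifacts, added here as an example and not drawn from Google's report: files are checked against pinned SHA-256 digests before anything is loaded, and missing, altered, or unpinned files all fail the check. The file names and contents are constructed, and the manifest is assumed to come from a trusted, separately authenticated source.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large weight files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def verify_artifacts(root, manifest):
    """Return a list of problems; an empty list means every file matches its pinned digest."""
    root = Path(root)
    problems = []
    for name, expected in manifest.items():
        path = root / name
        if not path.is_file():
            problems.append(f"missing: {name}")
        elif not hmac.compare_digest(sha256_file(path), expected):
            problems.append(f"digest mismatch: {name}")
    # Fail closed on files the manifest does not know about (e.g. an added loader script).
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for extra in sorted(present - set(manifest)):
        problems.append(f"unpinned file: {extra}")
    return problems

def demo():
    """Constructed artifact directory: verified clean, then re-verified after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "model.safetensors").write_bytes(b"constructed weights v1")
        (root / "tokenizer.json").write_bytes(b'{"constructed": true}')
        # Assumption: in practice this manifest is signed and distributed out of band.
        manifest = {n: sha256_file(root / n) for n in ("model.safetensors", "tokenizer.json")}
        clean = verify_artifacts(root, manifest)
        (root / "model.safetensors").write_bytes(b"constructed weights v1, altered")
        (root / "loader.py").write_text("# constructed extra file\n")
        tampered = verify_artifacts(root, manifest)
    return clean, tampered
```

A deployment pipeline would refuse to load the model whenever the returned list is non-empty.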
The Regulatory and Policy Dimension
Beyond the technical recommendations, the report touches on the policy environment surrounding AI security. Google’s team notes that regulatory frameworks in the United States and Europe are still catching up to the reality of AI-powered threats. The EU AI Act, which entered into force in stages beginning in 2024, establishes requirements for high-risk AI systems but does not specifically address the offensive use of AI by threat actors. In the U.S., executive orders on AI safety have focused primarily on the development of frontier models rather than on the defensive measures needed to protect against AI-augmented attacks.
This regulatory gap creates uncertainty for enterprises trying to determine their obligations and exposure. Google’s report implicitly calls for a more threat-informed approach to AI regulation — one that accounts not just for the risks posed by AI systems themselves, but for the risks posed by adversaries who are using AI to attack traditional and AI-enabled infrastructure alike. As governments around the world continue to develop AI governance frameworks, the security community’s input will be essential to ensuring that those frameworks address the full spectrum of AI-related risk.
A Measured Warning for an Industry in Transition
What distinguishes Google’s latest threat intelligence report from much of the commentary surrounding AI and cybersecurity is its restraint. The report does not claim that AI will render existing defenses obsolete overnight, nor does it suggest that AI-powered attacks are currently beyond the capacity of well-prepared security teams to detect and mitigate. Instead, it offers a detailed, evidence-based assessment of where adversaries are today and where they are likely to be in the near future. The message to enterprise security leaders is not one of panic, but of urgency: the window for building AI-native security capabilities is open now, but it will not remain open indefinitely.
For organizations that have been treating AI security as a future problem, Google’s report serves as a pointed reminder that the future has already arrived. Adversaries are experimenting, distilling, and beginning to integrate AI into their operations. The question for defenders is whether they will match that pace — or fall behind.