ISC2 published a new research deep dive on May 20, 2026, and one number jumps out for anyone working toward the CISSP. Out of the 16,029 cybersecurity professionals surveyed for the 2025 ISC2 Cybersecurity Workforce Study, AI-powered social engineering was the single most common challenge they reported over the past 12 months, named by 51 percent. Asked what they expect to face over the next two years, 57 percent pointed to the same thing, putting it at the very top of the list.
That matters because for years these surveys have been dominated by one story: not enough people. This is the first time an AI-specific threat has outranked the workforce shortage. If you have read ISC2’s April 2026 AI security guidance, this finding is the data behind why the exam already treats AI the way it does.
What did ISC2’s May 2026 research actually find?
The deep dive pulls apart how cybersecurity practitioners now view artificial intelligence, and the headline is that AI sits at the top of two opposite lists at the same time. When professionals were asked which emerging technologies will have the most positive security impact, AI led with 41 percent, ahead of automation in cybersecurity (35 percent) and zero trust (33 percent). When handed the same list and asked which would have the most negative impact, AI led again, this time at 52 percent.
AI was the only technology to climb on both measures compared to 2024. Its positive score rose from 36 to 41 percent, and its negative score rose from 48 to 52 percent. So practitioners are not cooling on AI or warming to it. They are doing both, harder, in the same breath. Agentic AI made its first appearance in the 2025 survey and landed straight in the top five for positive impact (21 percent) while ranking second for negative, which tells you people are watching autonomous agents with real caution.
- AI leads both impact lists. 41 percent of practitioners named AI as the biggest positive force for security, and 52 percent named it the biggest negative force. It is the only technology to rise on both counts since 2024.
- Social engineering is the top reported challenge. AI-powered social engineering hit 51 percent for the past year and 57 percent for the next two, the highest of any challenge in either timeframe.
- The workforce shortage moved to second. Worker and skills shortages slipped from the number one past-year challenge in 2024 to number two, and changing regulatory requirements dropped out of the top five entirely.
- More mature controls inspire more confidence. Zero trust and security automation land on the net positive side, while quantum computing, agentic AI, and AI advancement cluster on the net negative side.
Why is AI-powered social engineering suddenly the top threat?
Because the attack side of AI matured faster than the defense side, and social engineering was the first place it showed up at scale. Generative tools now write clean, targeted phishing in any language, clone a voice from a few seconds of audio, and stand up convincing deepfake video for a fake executive on a video call. The craft that used to take a skilled human hours now takes a model seconds, and it can run that play against thousands of targets at once.
The survey reflects that shift plainly. AI-powered social engineering was a brand new line item in 2025, and it walked straight to the front. Its arrival pushed worker and skills shortages down from the top past-year challenge to second place, and it knocked keeping up with changing regulatory requirements out of the top five. Risks tied to emerging technology more broadly (blockchain, AI, virtual reality, quantum computing, intelligent automation) also rose, from 38 percent for the past year to 46 percent looking ahead.
The pressure is not even across industries. Practitioners in legal (62 percent) and education (58 percent) reported some of the highest challenge levels over the past year. Looking forward, the nonprofit sector tops out at 64 percent naming AI-powered social engineering as a problem, and it stays high almost everywhere else. Government and military respondents feel the workforce squeeze more sharply than most, which fits the geopolitical pressure those sectors are under.
How does this map to the CISSP domains?
It maps cleanly, and that is the point worth sitting with. Social engineering and security awareness have always lived in Domain 1, Security and Risk Management, where the exam tests whether you can run an awareness program that actually changes behavior rather than one that just checks a training box. The survey is telling you that the awareness and human-risk material in Domain 1 is no longer the soft, easy-to-skip part of the body of knowledge. It is the front line.
The AI angle reaches further than Domain 1, though. ISC2’s April 2026 Exam Guidance for Artificial Intelligence laid out where AI security concepts now appear across the credential, and the answer was Security and Risk Management, Security Architecture, and Domain 8, Software Development Security. That is governance and risk decisions on one end, secure design of AI systems on the other. The deep dive also flags zero trust and risk-based vulnerability management as the controls practitioners trust most, and both sit squarely in the architecture and engineering material the CISSP already covers.
None of this requires a separate AI certification. The CISSP tests AI security the same way it tests everything else, from the chair of a security manager making a risk decision, not an engineer building the model. If you can reason about how an AI system changes your threat model, what controls reduce that risk, and how to defend the humans who will be targeted by AI-generated lures, you are studying the right way.
What should CISSP candidates and holders do about AI security now?
If you are studying, treat AI as part of the regular domains rather than a topic to cram separately. Expect scenario questions where an AI tool changes the risk picture and you have to pick the response a security manager would choose. The computerized adaptive exam rewards judgment over recall, so the useful prep is reasoning through AI risk decisions, not memorizing model architectures. Anything written before the April 2024 outline update treats AI security as a footnote, so check the date on your study guide.
If you already hold the certification, this is a clean source of continuing professional education. Reading the survey, working through your organization’s exposure to AI-generated phishing and deepfake fraud, and helping rewrite the awareness program to cover voice cloning and video impersonation all map to real CPE activity and to work your employer probably needs done anyway. Frameworks help here too. The NIST AI Risk Management Framework gives you a structured way to talk about AI risk that lines up with the managerial mindset the CISSP rewards.
The honest read on this research is that the human layer just got a lot harder to defend, and the people best positioned to handle it are the ones who can connect a phishing trend to a control decision to a board-level conversation. That is the exact muscle the CISSP builds. The full ISC2 analysis is worth reading in its entirety over on the ISC2 Insights research deep dive.
Is AI-powered social engineering really the top cybersecurity challenge in 2026?
According to ISC2’s May 2026 research deep dive into the 2025 Cybersecurity Workforce Study, yes. It was named by 51 percent of professionals for the past 12 months and 57 percent for the next two years, the highest of any challenge in both timeframes, drawn from a survey of 16,029 practitioners.
Does the CISSP exam cover AI security?
Yes. ISC2’s April 2026 AI exam guidance confirmed that AI security concepts already appear across the current CISSP blueprint, mainly in Security and Risk Management, Security Architecture, and Software Development Security. There is no standalone AI domain, and you do not need a separate AI certification to pass.
Which CISSP domain covers social engineering?
Domain 1, Security and Risk Management, owns security awareness and human-risk topics, including social engineering defense. The survey results suggest that material now carries more practical weight than its exam percentage alone implies.
Why do professionals see AI as both positive and negative for security?
Because it works for both sides. AI led the positive-impact list at 41 percent for automation and faster detection, and the negative-impact list at 52 percent because attackers use the same tools to scale phishing, deepfakes, and voice cloning. It was the only technology to rise on both measures since 2024.
How can certified members earn CPE credits on AI security?
Reading ISC2 research, assessing your organization’s exposure to AI-generated attacks, updating awareness training to cover deepfake and voice-cloning fraud, and studying frameworks like the NIST AI Risk Management Framework all count toward continuing professional education and double as real security work.
One last thought from someone who has watched a lot of threats come and go. The tooling behind these attacks will keep improving, but the defense has not changed as much as it looks. You still classify risk, you still pick controls, and you still train people to pause before they trust a message. AI made the lures better. It did not retire the playbook, and the CISSP is still teaching the right one.