BCG: Could Gen AI Reshape Cybersecurity and Online Safety?

Safer Internet Day 2026 aims to guide all age groups on how to use the Internet safely - this year, it focuses on AI (Credit: Getty)
Generative AI poses growing cybersecurity challenges, from deepfakes to data privacy risks, affecting organisations and individuals alike

As AI becomes embedded in daily digital life, organisations and individuals face mounting cybersecurity challenges.

From deepfake creation to data privacy vulnerabilities, Gen AI presents both opportunities and risks that demand a human-centric approach to online protection.

Gen AI has emerged as what cybersecurity experts describe as a "double-edged sword" for digital safety.

While the technology unlocks significant opportunities for businesses and individuals, it simultaneously introduces new cyber threats that challenge traditional security frameworks.

According to BCG's AI Radar 2026, 65% of CEOs say accelerating AI is one of their top-three priorities for 2026, highlighting the technology's growing importance in corporate strategy.

However, this rapid adoption comes with considerable security implications that organisations must address.

Matt Cooke, EMEA Cybersecurity Strategist at Proofpoint, comments on the dual nature of Gen AI.

He says: "While Gen AI unlocks exciting opportunities, it also presents new dangers, including deepfakes, misinformation and data privacy vulnerabilities.

The UK Safer Internet Centre and ConnectSafely have published advice on how to use the Internet safely (Credit: Getty)

"That's why a human-centric approach to online safety matters so much – because your online life is your real life. Screens don't make things disappear, screenshots are forever and the internet remembers."

The cybersecurity challenges posed by AI have prompted regulatory responses across multiple jurisdictions, though approaches differ significantly between regions.

Deepfake regulations emerge globally

In the UK, it officially became illegal to request or create AI deepfakes without a person's consent on 6 February.

This legislation addresses one of the most pressing cybersecurity concerns associated with generative AI: the creation of non-consensual intimate imagery and manipulated content that could undermine trust in digital communications.

There are now UK and US regulations on deepfake creation and distribution (Credit: Getty)

Federal regulation on deepfakes in the US came into effect on 13 May 2025.

The "Take It Down" Act was passed in May 2025 and was the first major federal statute directly targeting the publication of AI-generated deepfakes and other non-consensual intimate imagery.

Forty-six state laws have criminalised either creation or distribution with intent, or both.

These regulatory developments reflect growing recognition that AI-powered tools have lowered the technical barriers for creating convincing fake content, presenting significant risks to individuals and organisations alike.


Divergent approaches to AI governance

US legislation on AI differs significantly from that in other parts of the world, with a focus on innovation and government AI in federal policy.

An executive order was signed by President Donald Trump in January 2025 that aims to sustain and enhance America's global AI dominance.

America's AI Action Plan, released in July 2025, promotes the rapid expansion of AI, aiming for a rapid build-out of data centres and the removal of federal regulations that hinder AI development.


However, 38 states adopted or enacted around 100 AI-related measures, including one of the most recently passed Acts, in Texas, which became effective in January 2026 and regulates certain uses of AI systems, focusing on commercial use.

Following this slew of changes in US state regulation on AI, President Trump signed another executive order in December 2025 aimed at blocking states from enforcing their own AI regulations.

Those already passed will not be impacted.

According to White House AI Adviser David Sacks, the order will give the administration the tools to push back on the most "onerous" state rules.

He affirmed that the government would not oppose AI regulations around children's safety.


Building trust in machine-led systems

The regulation of AI in the UK is sometimes regarded as being behind that of the EU and the US.

As it stands, there is no general statutory regulation of AI in the UK, but there are more niche regulations, including the law passed in February 2026 on the creation of deepfakes.

An AI bill was announced as part of the King's Speech in July 2025, but this would only regulate the most powerful AI models.

A formal AI Bill is not expected until the next King's Speech, reportedly set to take place in May 2026.


Paul Holt, Group Vice President of EMEA at DigiCert, says: "As a parent, I have learned that safety in the modern world is no longer about watching everything. It is about putting the right systems in place when oversight is no longer possible.

"Safer Internet Day is a reminder that in a machine-led internet, trust has to be proven, every time, or it will fail at scale."

For organisations navigating this evolving landscape, the message is clear: cybersecurity strategies must account for both the opportunities and vulnerabilities that generative AI introduces, with robust systems in place to verify trust and protect data privacy.
