The company says the challenges are getting worse as businesses adopt artificial intelligence across daily operations without matching security management.

The data comes from Check Point’s AI Threat Landscape Report covering January to February 2026 which shows that while companies roll out generative and agent-based AI tools, many do so with limited visibility over how these systems handle data or interact with internal platforms.

AI adoption is spreading fast across sectors. In many organisations, staff now rely on several AI tools at the same time for writing, coding, analysis and customer support tasks.

That spread has created what researchers describe as “Shadow AI”, where usage sits outside formal monitoring systems.

Check Point says this trend is increasing exposure to risks such as data leaks, credential theft and weak control over third-party integrations.

The report also notes that AI systems are being used not just as tools, but as semi-autonomous systems that can act within enterprise environments.

Speaking on the findings, Ian van Rensburg, Head of Security Engineering, Africa at Check Point Software Technologies said, “AI transformation is no longer theoretical, it’s happening right now,” said.

“But too many organisations are modernising faster than they are securing. That gap is quickly becoming one of the most serious business risks in the region.”

The report highlights a case where a developer used an AI-powered development setup to generate 88,000 lines of malware code in less than a week. Check Point says this reveals how AI can shorten development cycles for both legitimate and malicious purposes.

It also found that 90% of organisations using generative AI recorded high-risk prompt activity. In addition, one in every 31 prompts carried the risk of exposing sensitive information, including proprietary code and confidential business data.

Employees, on average, now use around 10 AI tools, usually without central approval or oversight. This creates gaps that traditional security systems, built around networks and endpoints, may not detect.

Check Point argues that organisations need to treat AI systems as core assets rather than add-on tools. The company recommends securing models, data flows, application programming interfaces and autonomous agents together, instead of focusing only on surrounding infrastructure.

Hendrik de Bruin said AI adoption requires stronger governance structures. He pointed to the need for clearer risk classification, improved visibility and defined accountability across teams deploying AI systems.

The report also pointed to policymakers as several African countries work on national AI strategies. It suggests that security measures should be built into AI frameworks from the start, rather than added later during implementation.

Check Point adds that fragmented adoption, where teams deploy separate AI tools without central coordination, increases the likelihood of weak points across systems. These gaps can affect both internal operations and supply chains connected to external partners.

The company maintains that traditional cybersecurity approaches are no longer sufficient on their own in environments where AI systems can act with limited human input. It says organisations need prevention-focused models that address threats before they cause disruption.

Organisations balancing innovation with stronger surveillance are more likely to manage risks effectively while maintaining operational trust.

The KnowBe4 Africa Human Risk Management Report 2025, which gathered responses from 124 senior cybersecurity leaders across 30 African countries, reveals a dangerous disconnect between perception and reality. 

Leaders often say their workforce understands cyber risks, scoring awareness at an average of four out of five, yet the systems needed to translate that awareness into effective action remain weak.

One of the starkest findings is around training. Although 68% of decision-makers insist security awareness training is tailored to job roles, the second most-cited challenge in the report is the lack of role-based alignment. 

In practice, many employees are still receiving generic, one-size-fits-all programmes, often delivered annually or biannually. Manufacturing and healthcare organisations were singled out, with 50% and 40% respectively admitting no role-specific tailoring at all.

Phishing simulations, widely recognised as a critical tool, are also underutilised. While 90% of organisations conduct them, only 7% do so monthly, and the largest share (40%) runs them just twice a year. 

The report warns that this “low frequency poses a critical challenge” because rare exposure makes it harder for employees to develop instinctive responses to real threats.

Technology adoption is another fault line. Between 41% and 80% of employees across the continent use personal devices for work, yet many of these devices lack proper security controls. 

This Bring Your Own Device (BYOD) trend, particularly high in North Africa where 61%–80% of workers use personal phones or laptops for office tasks, remains largely unmanaged. 

Compounding this is the rising risk of “shadow AI”. Nearly half of organisations (46%) admitted their AI governance policies are still “in development”, leaving staff free to use AI tools in potentially unsafe ways.

The report also reveals sharp regional contrasts. Southern Africa leads in training frequency, with 44% of organisations conducting sessions quarterly. East Africa is ahead in AI governance, with 50% of organisations already having formal policies in place. 

In contrast, West and Central Africa report the highest number of human-related security incidents, while North Africa combines the highest BYOD exposure with the lowest training frequency.

Anna Collard, SVP of content strategy & evangelist at KnowBe4 Africa, summed up the problem bluntly: “There’s a disconnect here – between what leaders think is happening, and what employees are actually experiencing. The data shows that without procedural and cultural follow-through, awareness simply doesn’t translate into readiness.”

For businesses, awareness alone is no longer enough, especially when it comes to the huge cybersecurity divide in Africa. The report calls for customised, role-based training, stronger incident reporting systems, clear AI governance, and region-specific strategies. Without these, Africa’s growing confidence in its cyber defences risks masking dangerous blind spots.