AI-first firms hit by slower, costlier cyber recoveries
Fastly has published its latest Global Security Research Report for Australia and New Zealand, arguing that organisations that describe themselves as "AI-first" face longer recovery times and higher costs after cybersecurity incidents than their peers.
AI-first businesses reported taking nearly seven months on average to fully recover from cybersecurity incidents, around 100 days longer than organisations that do not identify as AI-first.
Fastly dubbed the gap the "AI Speed Tax", linking longer recovery times to security programmes that have not been modernised at the same pace as AI adoption across IT environments.
The report also pointed to a widening cost difference, with the financial toll of a cybersecurity incident for AI-first businesses exceeding that of non-AI-first organisations by 135%.
AI in incidents
AI-first organisations were also more likely to say AI played a direct role in their most recent security incident. Almost half (48%) said AI was directly exploited in their last incident, compared with 10% of non-AI-first organisations.
Fastly said the results show how AI systems can expand the attack surface, highlighting "agentic workflows" and decentralised data flows as sources of added complexity for security teams.
In a statement alongside the report, Fastly Chief Information Security Officer Marshall Erwin said businesses should modernise security at the same pace as AI rollout.
"The speed of AI adoption is reshaping security infrastructure almost overnight. For AI-first businesses, the priority isn't to slow down innovation, it's to modernise security at the same rate that AI is transforming their infrastructure," Erwin said.
He said this includes "securing AI and inference infrastructure, monitoring and throttling unwanted AI crawler activity, anticipating the rise of shadow AI and shoring up your outer perimeter".
Visibility gaps
The report said AI-first organisations more frequently linked AI use to blind spots that contributed to incidents. It found 42% of AI-first organisations said AI use led to a security oversight or blind spot that contributed to their last incident, compared with 29% of non-AI-first organisations.
The findings point to challenges in visibility and control as AI becomes embedded across operations. The report also flagged policy enforcement as a growing issue, as organisations try to track where AI is in use and how it affects incident response and recovery.
"There is a major shift happening in terms of what organisations are responsible for defending," Erwin said. "The challenge is no longer confined to malicious actors and isolated security incidents. Instead, it's about managing an infrastructure footprint that is growing rapidly and, often, invisibly."
Scraping costs
Beyond direct incident recovery, the report highlighted operational and infrastructure impacts linked to AI activity. It said AI scraping has become a material cost centre for 75% of organisations, with average annual infrastructure impacts exceeding AUD $595,000.
Half of organisations surveyed said infrastructure expenses had increased as a direct result of AI activity. The report also said 48% had faced operational disruption, while 33% reported issues affecting online visitors, including sluggish load times and broken functionality.
Fastly attributed the combined effect to rising cost and architectural complexity as AI-related traffic and tooling expand across environments.
Security spending
The report said organisations are investing in several security areas in response. Agentic discoverability was cited by 59% of respondents, while 53% pointed to API security and 51% cited web application firewalls.
It also found high levels of concern about attacks targeting AI-related components. Some 85% of respondents said they were concerned about distributed denial-of-service attacks targeting AI agents, and 56% reported an increased need for AI-specific security expertise.
Fastly positioned Web Application and API Protection tools as a way to manage risks associated with AI-driven change at the edge of networks and applications.
"From unmonitored agentic activity to escalating scraping costs, the risks are real, operationally and commercially. As a result, Web Application and API Protection (WAAP) tools are becoming business-critical solutions because they provide essential visibility and control organisations need to secure innovation at the edge," Erwin said.
Fastly said the research surveyed 2,000 IT decision-makers with influence over cybersecurity in large organisations across multiple industries in the Americas, Europe and Asia-Pacific, with interviews conducted online during the fourth quarter of 2025.