ICO publishes five-step playbook against AI-powered cyber threats

TL;DR:

  • The Information Commissioner’s Office has published a five-step guide setting out what it expects from UK organisations facing AI-enhanced phishing, deepfake social engineering, automated vulnerability scanning, AI-powered malware, credential stuffing, data poisoning, and indirect prompt injection.
  • The regulator points organisations to the NCSC’s updated Cyber Assessment Framework, the Cyber Essentials technical controls, the Cyber Governance Code of Practice, and the government’s AI Cyber Security Code of Practice as the baseline.
  • For organisations using AI tools that process high-risk personal data, the ICO restates the requirement to complete a data protection impact assessment and apply explicit safeguards against AI-targeting attacks.

The ICO’s five steps cover threat awareness, layered defences, restricted access, detection and incident response, and personal-data protection. The list is not new ground individually — patching, MFA, least privilege, supplier due diligence, data minimisation, DPIAs — but the framing names AI-specific threats that did not feature in earlier ICO cyber blogs. Prompt injection and tool poisoning, where malicious instructions ride hidden inside content or metadata that an AI agent ingests, are flagged alongside more familiar deepfake and credential-stuffing risks.

What changes for UK SMEs

For UK SMEs, the practical signal is in step two — the ICO restates its expectation that organisations storing personal data have Cyber Essentials technical controls in place and have implemented the Cyber Governance Code of Practice. That is the bar against which a future investigation or enforcement decision will be measured. If a breach involves an AI-enabled attack vector, missing those baselines turns a defensible incident into an enforceable one.

UK angle: layered with NCSC, AISI, and government codes

The blog sits inside a tightening UK regulator stack. NCSC has updated its Cyber Assessment Framework to reflect AI threats explicitly. The AI Cyber Security Code of Practice from government provides operational guidance. The AI Security Institute is publishing vulnerability-finding evaluations of frontier models (most recently GPT-5.5, comparable to Claude Mythos on the same benchmark per AISI’s published work). The ICO blog is the data-protection-regulator overlay on that stack — the piece organisations will be expected to read in plain English and act on.

Looking forward

Three steps for UK organisations this week: confirm Cyber Essentials posture, audit MFA coverage across remote access and admin accounts, and add prompt injection and tool poisoning to any AI procurement or DPIA template that currently mentions only conventional security threats. The ICO has telegraphed where it will look first when AI-related personal-data incidents start landing on its desk.