UK security leaders are making their voices heard. Four in five want DeepSeek under regulation. They see a tool that promises efficiency but risks chaos.
Business is already under pressure. Trade disputes drag on. Interest rates remain high. Cyber threats grow. Every move to expand operations adds risk, and risk is harder to measure when AI enters the equation.
AI spreads fast. It cuts costs, fills gaps, and automates mundane tasks. But it also opens hidden doors. In the UK, AI is now part of daily work. A KPMG survey showed that while 69% of employees use it, only 42% trust it.
Slightly over half feel comfortable with wider adoption. That gap between use and trust highlights the problem businesses and regulators face.
Regulation in the Balance
The debate runs from boardrooms to Parliament. In February 2025, UK Prime Minister Keir Starmer stood alongside US President Donald Trump to announce a deal on AI and advanced tech. Starmer said the UK would not over-regulate, emphasizing opportunity over caution.
The Artificial Intelligence Regulation Bill is also back on the agenda. It was first introduced in 2023, and resurfaced this March, with a focus on governance, privacy, and cyber risks. Add to the mix the EU AI Act and the recent US AI Action Plan and you can understand why CISOs need to put their AI systems under scrutiny. They need to prove they can be used safely or make the case for why they shouldn’t be.
AI adds yet another layer of vulnerability. CISOs must juggle rising AI-powered cyber threats, AI-inherited risks and bias, Shadow AI, leadership demands, and regulatory expectations. Prevention is no longer enough. Recovery plans, stronger endpoints, and improved visibility are essential. Resilience is now a requirement, not a goal.
DeepSeek Under Scrutiny
Among AI platforms, DeepSeek stands out, and not for the right reasons. Governments have banned it from state-owned devices, and many businesses are restricting its use. This is mostly due to justified data security and national security concerns.
Research supports the alarm. AppSOC red-teamed DeepSeek-R1 and uncovered failure across the board: 91% jailbreak success, 86% vulnerability to prompt injection, 93% malware generation, 81% hallucinations, and 68% toxic output. Their conclusion was blunt: enterprises should avoid deploying DeepSeek-R1, especially where sensitive or regulated data is involved.
There’s more at stake than technical flaws. DeepSeek stores user data on servers in China, whose laws allow authorities access without any user consent. For companies that are governed by GDPR or other regulatory frameworks, that is a clear conflict.
Data provenance, retention, and privacy are all in question, with past incidents reinforcing the concerns. For instance, in January 2025, DeepSeek suffered a cyberattack that disrupted services and was used to distribute malicious infostealer packages disguised as legitimate tools.
The Call for Government Action
CISOs are listening. Eight in ten say the UK must regulate or restrict DeepSeek. Many worry the country is already lagging behind the US and EU on cyber standards. The risk is not just hypothetical. With widespread adoption, even a single breach could cascade through networks and compromise sensitive information.
Investment, Skills, and Mixed Signals
Even with the risks, AI is also part of the solution. Seven in ten leaders see it as helping close skills gaps. Many organizations are hiring AI specialists, and a significant number plan to expand AI talent this year. Senior executives are attending AI training courses. Yet nearly half of security teams feel unprepared for AI-driven threats.
Budget constraints remain a sticking point. Also, preparedness levels for emergencies, including cyber-related incidents, remain generally low, with only 14% feeling that local authorities are largely or totally prepared.
Some 27% identified lack of money as a significant barrier to taking further steps to prepare for emergencies. Tools are available, knowledge is growing, but resources lag behind needs.
Remote Work Remains a Weak Link
Hybrid work continues to complicate cyber defense. Nearly two-thirds (60%) of CISOs claim remote work has complicated their cyber resilience posture, saying it increases the risk of cybersecurity incidents. They also worry that unregistered devices are likely to cause a security event. While many firms have incident response protocols in place, most still focus on prevention rather than recovery.
With flexible work now a legal right in the UK, hybrid setups are permanent. That makes endpoint security, full network visibility, and strong recovery plans essential.
Resilience First
The personal stakes for CISOs are high. Many worry about losing their jobs if a breach succeeds. Regulations like NIS2 and DORA ask for board accountability when an incident happens. AI is adding new threats every day, and the stakes are only too real. A resilience-first strategy is critical.
That means building readiness into every plan, investing in staff training, using AI defensively, and balancing prevention with recovery.
It’s not all doom and gloom. Government surveys show a slight drop in reported breaches. Cyber hygiene is getting better, while risk assessments, cyber insurance, continuity planning, and formal policies are all becoming standard practices.
The environment remains difficult. AI is showing no signs of slowing down, and bad actors do not sit around and wait. Remote work is here to stay.
For CISOs, the message is to stay vigilant, demand resources, and make hard choices about which tools are safe to use. If the past is any indication of the future, DeepSeek cannot be ignored.