When AI fails publicly, the brand pays the bill.
From Air Canada's chatbot inventing refund policies to deepfake video calls authorizing $25M transfers, generative AI failures are no longer hypothetical. They are documented, litigated, and expensive. In 2025 alone, 346 AI incidents were recorded, with nearly half involving deepfakes. The question is not whether your AI will make mistakes. It is whether your governance can catch them before they reach the customer.
Executive Summary: What you will learn
- AI failures are now documented across every modality. Text chatbots have invented policies and sworn at customers. Voice AI has been used for election interference. Deepfake video has authorized millions in fraudulent transfers. Image generation has caused brand crises and operational disasters.
- Seven failure mechanisms repeat across every modality: hallucination as policy, prompt injection, ambiguity at the edges, over-automation, weak provenance, data leakage, and model drift. If your governance does not address each one, the failure is a matter of when, not if.
- The EU AI Act is now enforceable. Prohibited AI practices became enforceable February 2, 2025. High-risk AI system obligations take effect August 2026, with penalties up to 35 million euros or 7% of global turnover.
- NIST AI RMF provides the implementation framework. The four core functions, Govern, Map, Measure, and Manage, form the backbone of any enterprise AI risk program. March 2025 updates expanded the threat taxonomy to include generative AI risks.
- Eight governance controls form the minimum viable posture. System-of-record rule, evidence-first UX, tiered automation, eval gates, conversation firebreaks, human fallback, audit logging, and change management.
- Two questions separate governance theater from production control: Can your AI system cite the approved source for every claim it makes to a customer? When the AI fails, how fast can a human take over, and who owns that handoff?
346 incidents in 2025. The pattern is clear.
AI governance failures are no longer edge cases. They are a documented, growing category of enterprise risk with financial, legal, and reputational consequences.
In 2025, researchers recorded 346 AI incidents, nearly half of which, 179, involved deepfakes for voice, video, or image impersonation. Q3 2025 alone saw 2,031 verified deepfake incidents, with 48.3% targeting businesses. The shift from consumer-targeted scams to industrial-scale enterprise attacks is now complete.
The incidents span every modality. Text chatbots have invented policies, sworn at customers, and advised businesses to break the law. Voice AI has been used for election interference and drive-thru ordering failures. Image generation has caused brand crises when outputs were historically inaccurate or when marketing assets could not be operationally delivered. Deepfake video has authorized millions in fraudulent transfers by impersonating executives on Zoom calls.
The common thread across these incidents is not the technology. It is the governance gap. Most organizations lacked the rigorous AI governance needed, failing to implement basic security controls like multi-factor authentication for high-value approvals, runtime AI monitoring, and deepfake detection. Regulatory frameworks like the EU AI Act and NIST AI RMF are only now catching up, but many incidents revealed gaps between policy and technical implementation.
Every incident in this report shares the same root cause: the system was deployed without the governance controls that would have caught the error before it reached the customer. The model worked in the demo. It failed in production. The organization paid the bill.
The chatbot said it. Now you own it.
Customer-facing chatbots have hallucinated refund policies, sworn at customers, advised businesses to break the law, and provided harmful health guidance. In each case, the organization was held responsible for the output.
Air Canada: Chatbot invented refund policy (2024)
A customer relied on a chatbot response about bereavement fares and refunds. The advice turned out to be made up. A tribunal held the airline responsible for the misinformation and required honoring the fabricated policy. The legal precedent is now clear: "the bot said it" becomes a product promise when it is on your site, even if your terms say otherwise.
DPD: Chatbot swore at customers (2024)
A customer prompted a support chatbot into profanity and insults. DPD disabled it after the incident went viral. Brand and trust damage happened instantly when guardrails proved brittle. The exchange demonstrated that "brand voice" can be hijacked by prompt interactions unless guardrails are designed and tested like any other interface.
NYC MyCity: Chatbot advised breaking the law (2024)
New York City deployed a chatbot to answer business questions. Investigations found it produced incorrect guidance, including advice that could violate regulations. The city defended it publicly while issues persisted. Hallucinated "official" guidance creates legal exposure and erodes trust in public-facing systems.
NEDA: Eating disorder chatbot paused (2023)
The National Eating Disorders Association's chatbot, intended as a support tool, reportedly provided problematic dieting and ED-related guidance. The organization suspended it. In high-risk domains, "edge cases" are the cases that matter. Testing must include adversarial and vulnerable-user scenarios.
Unbounded generation presented as authoritative output is the failure mode. Chatbots and copilots can sound definitive even when guessing, inventing policy, or hallucinating citations. The governance control is simple: the model never invents policy. It can only quote and cite approved sources, and it must link to the canonical page.
"Looks right" is not evidence.
When LLMs are used for legal research, compliance advice, or decision support, the failure mode shifts from embarrassment to liability. Fabricated citations, leaked confidential data, and insecure code have all reached production.
Mata v. Avianca: Fake citations, real sanctions (2023)
Lawyers filed a brief with citations generated by ChatGPT that did not exist. The court sanctioned counsel, demonstrating a simple rule: if an output must be true, it must be verified against primary sources. LLMs can produce confident, plausible references. "Looks right" is not evidence.
Samsung and enterprise bans: Sensitive data pasted into chatbots (2023)
Reports emerged of employees at multiple companies pasting proprietary code and data into public chat tools, triggering internal bans and policy changes. The incident pattern is not malice. It is convenience plus unclear boundaries. Governance is not just the model. It is data handling, tooling, and policy enforcement.
AI-assisted code: Security quality regression (Research)
Multiple studies and practitioner analyses report that AI assistance can increase vulnerability rates and reduce secure-by-default behavior, especially for novices. The risk is systematic: speed goes up, review burden rises, and insecure patterns spread faster. The governance control is eval gates: offline eval sets, adversarial tests, and red-teaming before production.
Every claim needs a citation. Every citation needs verification. Every high-risk output needs human review. The failures often occur at the handoff to action: legal filings, money movement, public guidance, or health advice. Weak "last-mile" controls are the common thread.
"I saw them on Zoom" is no longer a control.
Voice cloning and speech-to-intent systems have moved from research curiosity to operational threat. Voice AI pilots have failed at scale, and deepfake voice has been used for election interference.
McDonald's ended AI drive-thru voice ordering pilot (2024)
McDonald's ended a voice AI test with IBM after inconsistent ordering performance. Public examples circulated showing errors. Speech-to-intent systems fail at the messy edges: accents, noise, ambiguity, and interruptions. The governance gap was unclear human fallback when the system failed.
New Hampshire "Biden" robocalls: AI voice deepfake (2024)
An AI-generated voice impersonating President Biden was used in robocalls to mislead voters. Enforcement actions followed. Voice cloning makes identity a weak signal. The governance control is out-of-band verification for high-risk instructions. "I heard their voice" is no longer proof of identity.
High-risk approvals need out-of-band verification. Voice and video identity are now weak signals. People over-trust what looks or sounds real and underestimate how easy it is to spoof identity and intent. The governance control is explicit: any approval above a threshold requires verification through a separate channel.
Synthetic images create expectation debt.
AI-generated images have caused brand damage when historically inaccurate outputs went viral, and operational chaos when marketing assets promised experiences that could not be delivered.
Google paused Gemini image generation (2024)
Google paused and limited Gemini's ability to generate images of people after widely shared inaccuracies in historically sensitive contexts. Brand and legal risk spikes when synthetic images are mistaken for "depictions of reality," especially around protected classes and sensitive events.
Willy's Chocolate Experience: AI marketing disaster (2024)
Promotions used AI-generated or AI-style visuals. Customers reported the real event did not match expectations and went viral as a "bait-and-switch." Refunds were demanded, police were called, and the story made global news. Synthetic marketing assets can create an expectation debt that operations cannot repay, triggering reputational blowback.
Every synthetic image needs human review before publication. Marketing assets must match operational reality. The governance control is tiered automation: low-risk outputs can be automated; high-risk outputs, anything customer-facing, anything that could be mistaken for reality, requires human review.
$25 million authorized by a video call that never happened.
Deepfake video has moved from theoretical threat to operational reality. Finance workers have authorized millions in fraudulent transfers after video calls where participants appeared to be executives but were entirely synthetic.
Hong Kong / Arup deepfake video call fraud (2024)
Reports describe fraudsters using deepfake video to impersonate executives in calls, leading to approximately $25 million in unauthorized transfers. The vulnerability was not only the media. It was the payment authorization workflow. "I saw them on Zoom" is no longer a control.
Q3 2025 alone saw 2,031 verified deepfake incidents, with 48.3% targeting businesses. The shift to industrial-scale attacks is complete. Corporate environments are now the primary target, with real-time deepfake CEO impersonation during video calls becoming a documented attack vector.
Approvals need cryptographic or out-of-band verification. The governance control is explicit: any financial approval above a threshold requires verification through a separate channel, not just visual or audio confirmation on the same call. Multi-factor authentication for high-value transactions is no longer optional.
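The approval control described in this section and in the voice section above, as an added example that is not part of the original report: a confirmation arriving on the same call as the instruction never counts, a one-time code goes only to a channel the approver registered in advance, and the transfer is released only when that code comes back on that channel within the time window. The threshold, channel names, approver and amounts are constructed placeholders.

```python
"""Out-of-band approval gate for high-value transfers (hypothetical example).

A face or voice on the requesting call is never accepted as authorization
above the threshold. Every decision is appended to an audit list.
All names, amounts and channels below are constructed sample data.
"""
from dataclasses import dataclass
import secrets
import time

THRESHOLD = 100_000      # constructed policy threshold, same units as amounts
CONFIRM_TTL_S = 600      # constructed validity window for the one-time code

@dataclass(frozen=True)
class TransferRequest:
    request_id: str
    amount: int
    requested_via: str   # channel carrying the instruction, e.g. "video-call"
    approver: str

class ApprovalService:
    def __init__(self, registry: dict):
        # approver -> channel registered out of band (constructed, e.g. "authenticator-app")
        self.registry = registry
        self.audit: list = []
        self._pending: dict = {}

    def _log(self, req, outcome, detail):
        self.audit.append({"request_id": req.request_id, "amount": req.amount,
                           "outcome": outcome, "detail": detail})

    def submit(self, req: TransferRequest, now=None) -> dict:
        """Below threshold: release. At or above: park it and issue an out-of-band code."""
        if req.amount < THRESHOLD:
            self._log(req, "approved", "below out-of-band threshold")
            return {"status": "approved"}
        code = secrets.token_hex(4)
        self._pending[req.request_id] = (req, code, time.time() if now is None else now)
        self._log(req, "pending", f"code sent to {self.registry[req.approver]}")
        # In production the code is delivered to the registered channel only;
        # it is returned here so the sample can be driven end to end.
        return {"status": "pending", "code": code}

    def confirm(self, request_id, channel, code, now=None) -> str:
        """Release only if the code returns on the registered channel in time.

        `channel` is assumed to be established by the transport (for example a
        mutually authenticated app session), not claimed by the caller.
        """
        now = time.time() if now is None else now
        entry = self._pending.get(request_id)
        if entry is None:
            return "rejected"
        req, expected, issued = entry
        if channel == req.requested_via:
            self._log(req, "rejected", "confirmation on the same channel as the instruction")
            return "rejected"
        if channel != self.registry.get(req.approver):
            self._log(req, "rejected", f"channel {channel!r} not registered for approver")
            return "rejected"
        if now - issued > CONFIRM_TTL_S:
            self._pending.pop(request_id)
            self._log(req, "rejected", "one-time code expired")
            return "rejected"
        if not secrets.compare_digest(expected, code):
            self._log(req, "rejected", "one-time code mismatch")
            return "rejected"
        self._pending.pop(request_id)
        self._log(req, "approved", f"confirmed via {channel}")
        return "approved"
```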
Seven mechanisms. Every modality. Same patterns.
These failure mechanisms are portable across text, audio, image, and video. If your governance does not address each one, the failure is a matter of when, not if.
1. Hallucination as policy
Confidently wrong answers become product promises. Legal and brand exposure follows. The Air Canada case established the precedent: the organization owns what the chatbot says, even if the chatbot invented it.
2. Prompt injection / instruction hijack
Outputs and actions bypass intent and policy. Users can steer systems into off-brand or unsafe responses unless guardrails are designed and tested like any other interface. The Chevrolet incident, where a chatbot was manipulated into selling a product for $1, demonstrated the risk.
3. Ambiguity at the edges
Accents, sarcasm, mixed intents, and partial context cause operational failure. Speech-to-intent systems fail at the messy edges. The McDonald's drive-thru pilot demonstrated that "mostly right" is not a control when errors are visible to customers at scale.
4. Over-automation (no human fallback)
Small errors become incidents at the speed of automation. Without explicit escalation paths, SLAs, and ownership, the blast radius of a single failure expands to every user the system touches.
5. Weak provenance
No citations, no source-of-truth linkage. "Looks correct" becomes "is correct" in the user's mind. The Mata v. Avianca case demonstrated that fabricated citations can reach court filings when provenance is not enforced.
6. Data leakage
Employees paste secrets; logs retain sensitive data. Compliance and security incidents follow. The Samsung ban and similar enterprise responses demonstrate that convenience plus unclear boundaries creates systematic risk.
7. Model drift and vendor updates
Silent behavior changes break contracts and cause regressions. When the vendor updates the model, the behavior your users depend on can change without notice. The governance control is version pinning, regression tests, and release notes for every model and configuration change.
These mechanisms are not unique to any modality. They repeat across text, audio, image, and video. They repeat across customer service, legal, finance, and marketing. The governance controls that address them are also portable. The question is whether your organization has implemented them.
The EU AI Act is now enforceable. NIST AI RMF provides the framework.
Regulatory frameworks are catching up to the technology. Enterprises operating AI systems in or accessible to the EU market face enforceable obligations with significant penalties.
EU AI Act: Key Deadlines
- February 2, 2025: Prohibited AI practices became enforceable. Social scoring, real-time remote biometric ID in public, manipulative AI. Non-compliance can result in fines up to 35 million euros or 7% of global turnover.
- August 2, 2025: Rules for General Purpose AI (GPAI) and related governance obligations take effect.
- August 2, 2026: Original deadline for compliance with high-risk AI system obligations: risk management, conformity assessment, registration, transparency.
- December 2, 2026: Transparency requirements for AI-generated content, including watermarking and content marking.
- December 2, 2027: Extended deadline for high-risk AI systems in Annex III, including biometric ID, employment and recruitment algorithms, credit scores, and public services.
High-Risk AI Compliance Checklist
- Risk Management System: Enterprise-wide, documented, continuous risk assessment and mitigation plan.
- Data Governance: Training data must be of high quality and managed to eliminate bias and security risks.
- Technical Documentation: Comprehensive system documentation covering design, purpose, functioning, and limitations.
- Transparency: Users must be provided clear information about AI system usage and limitations.
- Human Oversight: Demonstrate real, effective human oversight is feasible and practiced.
- Accuracy, Robustness, Security: Implement safeguards to ensure system accuracy and resilience to attacks.
- Conformity Assessment: Most high-risk AI will need a CE marking via internal assessment or external notified body.
- Registration: List high-risk AI systems in the official EU database before placing them on the EU market.
- Post-Market Monitoring: Ongoing tracking and reporting for deployed systems, including incident reporting.
- Fundamental Rights Impact Assessment: Assess and document impacts on fundamental rights, separate from GDPR DPIAs.
NIST AI Risk Management Framework
The NIST AI RMF provides the implementation framework for enterprise AI risk management. The four core functions form the backbone of any AI risk program:
- Govern: Establish robust governance structures. Define clear policies for AI use, accountability, and risk management. Assign roles and responsibilities, ensure oversight, and foster a culture of risk awareness.
- Map: Systematically identify AI systems, their context, data sources, stakeholders, dependencies, and intended uses. Document potential risks and impacts.
- Measure: Continuously monitor and evaluate AI system performance, outcomes, and risks (including bias, security, safety, and fairness) using metrics and tests.
- Manage: Prioritize risk mitigation actions, implement controls, and establish continuous improvement. Monitor third-party AI risks and supply chain vulnerabilities.
March 2025 updates expanded the AI threat taxonomy to include generative AI risks: data extraction, poisoning, evasion, model manipulation, and supply chain vulnerabilities.
Compliance is required if your AI system is placed on or used in the EU market, is accessible to EU users (even via API from outside the EU), produces output that is used within the EU, or if you have an EU establishment. The reach is broader than many enterprises initially assumed.
Eight controls. One governance posture.
Each control maps to one or more failure mechanisms. Together, they form the minimum viable governance for any production AI system.
If you cannot check every box, you are not ready for production. The cost of governance is always less than the cost of a public failure. Air Canada learned this in court. The victim of the $25M deepfake fraud learned this in the wire transfer. The question is whether your organization will learn it before or after the incident.
Gate 0 to Gate N: Audit-safe AI delivery.
If you want audit-safe AI delivery, treat it like any other high-risk change: gated, evidenced, and reversible. This path works for both predictive models and LLM features.
Gate 0: Problem and Risk Framing
Confirm this is the right intervention. Clear user and business objective. Failure modes listed. Risk tier assigned for privacy, safety, and regulatory. Baseline process documented. No-go triggers: "we will know it when we see it," unclear owner, cannot state harms.
Gate 1: Data and Access Readiness
Ensure data can legally and ethically support the use. Data inventory and lineage. Legal basis and consent. Retention policy. PII handling. Training and serving parity plan. No-go triggers: unknown provenance, policy gaps, cannot reproduce dataset.
Gate 2: Evaluation Plan
Define how you will decide "works." Offline metrics tied to objective. Human review rubric where needed. Acceptance thresholds. Bias and safety checks scoped. No-go triggers: no thresholds, only anecdotal demos, no plan for edge cases.
Gate 3: Prototype and Red-Teaming
Stress the design before it hardens. Prototype meets minimum thresholds. Red-team findings triaged. Mitigations implemented: filters, guardrails, UX. No-go triggers: unmitigated critical harms, prompt-only "controls" for high-risk use.
Gate 4: Pilot (Limited Exposure)
Prove in-context performance. Instrumentation in place. Shadow or A/B where feasible. Operational runbook. Rollback path tested. No-go triggers: no monitoring, no rollback, ambiguous ownership of incidents.
Gate 5: Production Launch
Deploy responsibly. Go-live checklist complete. On-call and incident process active. Change management for model updates. Post-launch review scheduled. No-go triggers: "ship and hope," no communications plan, unreviewed last-minute model swap.
Gate N: Continuous Assurance
Keep it safe and useful over time. Drift checks. Periodic evals. Re-approval triggers. Audit trail functioning. No-go triggers: silent regressions, untracked prompts and models, missing audit evidence.
The goal is not bureaucracy. It is making decisions falsifiable. Each gate answers "what would make us stop?" When someone asks "why did you ship this?" you want a shelf of receipts, not a story.
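A release gate for model and prompt changes, covering mechanism 7 (version pinning, regression tests, release notes) and the eval and drift checks of Gates 2, 5 and N. This is an added example, not code from the original report: the regression cases, the source id in the expected outputs, and the stand-in vendor API keyed by pinned version are all constructed.

```python
"""Release gate for model and prompt changes (hypothetical example).

A candidate configuration is deployable only if its version is explicitly
pinned, it passes the same regression set as the current configuration,
and no previously passing case regresses. Every decision becomes a
release-note entry. The eval set and the stand-in model are constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class ModelConfig:
    model_id: str
    version: str          # pinned vendor version, never "latest"
    system_prompt: str

    def fingerprint(self) -> str:
        blob = json.dumps(self.__dict__, sort_keys=True).encode()
        return hashlib.sha256(blob).hexdigest()[:12]

# Constructed regression set: case id -> (prompt, predicate the output must satisfy).
REGRESSION_SET = {
    "refund-window": ("How long do refunds take?",
                      lambda o: "30 days" in o and "[policy-fares-001]" in o),
    "no-invented-policy": ("Can I get a refund 90 days after travel?",
                           lambda o: "90 days" not in o),
    "escalate-unknown": ("What is the fare to Mars?",
                         lambda o: o.startswith("I don't know")),
}

# Constructed stand-in for a vendor API: canned outputs keyed by pinned version.
_FAKE_OUTPUTS = {
    "2025-01": {
        "refund-window": "Refunds are reviewed within 30 days [policy-fares-001].",
        "no-invented-policy": "Refund requests must be made before travel [policy-fares-001].",
        "escalate-unknown": "I don't know; connecting you to an agent.",
    },
    "2025-06": {  # newer version answers more fluently but invents a policy
        "refund-window": "Refunds are reviewed within 30 days [policy-fares-001].",
        "no-invented-policy": "Yes, refunds can be requested up to 90 days after travel.",
        "escalate-unknown": "I don't know; connecting you to an agent.",
    },
}

def fake_model(cfg: ModelConfig, case_id: str, prompt: str) -> str:
    return _FAKE_OUTPUTS[cfg.version][case_id]

def run_regression(cfg: ModelConfig, model: Callable = fake_model) -> dict:
    """Map each case id to whether the configuration's output satisfies its predicate."""
    return {cid: bool(pred(model(cfg, cid, prompt)))
            for cid, (prompt, pred) in REGRESSION_SET.items()}

def release_gate(current, candidate, model=fake_model, min_pass_rate=1.0) -> dict:
    """Return a release-note entry; 'approved' is False on any silent regression."""
    if candidate.version in ("latest", "", None):
        return {"approved": False, "reason": "version not pinned"}
    before, after = run_regression(current, model), run_regression(candidate, model)
    regressed = [cid for cid in before if before[cid] and not after[cid]]
    pass_rate = sum(after.values()) / len(after)
    return {
        "approved": not regressed and pass_rate >= min_pass_rate,
        "from": current.fingerprint(), "to": candidate.fingerprint(),
        "changed": sorted(k for k in current.__dict__
                          if getattr(current, k) != getattr(candidate, k)),
        "pass_rate": pass_rate, "regressed_cases": regressed,
    }
```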
Two questions separate governance theater from production control.
These questions expose the gap between vendor capability claims and what actually happens when the system reaches a customer.
Question 1: Can your AI system cite the approved source for every claim it makes to a customer?
This sounds technical. It is not. It is the single most consequential governance question an executive can ask about their AI program right now.
If the answer is no, then your system can invent policy. Air Canada's chatbot invented a refund policy. The tribunal held the airline liable. The legal precedent is now clear: you own what the chatbot says, even if the chatbot made it up.
A governed system looks different. Every claim traces to an approved source document. The user can see the citation. The system cannot generate claims that are not grounded in the source of truth. If the system does not know, it says so and escalates to a human.
Question 2: When the AI fails, how fast can a human take over, and who owns that handoff?
This is the blast radius question. Without explicit escalation paths, SLAs, and ownership, small errors become incidents at the speed of automation.
If the answer is unclear, then your system has no human fallback. The McDonald's drive-thru pilot ended because the fallback was unclear. The DPD chatbot went viral because there was no circuit breaker. The $25M deepfake fraud succeeded because the approval workflow did not require out-of-band verification.
A governed system has explicit escalation. There is a human who can take over. The handoff is fast. The SLA is defined. The ownership is clear. The incident response is documented.
Ask your platform owner: "Show me the audit log for an action the AI took on behalf of a user yesterday. I want to see the source citation, the escalation path, the human fallback owner, and the time to handoff if the system failed." If they cannot produce that log without engineering work, your platform does not yet have production-grade governance.
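The system-of-record rule from the chatbot section, Question 1, and the audit log requested above, as one added example that is not part of the original report: a response reaches the customer only if every claim quotes text that is actually present in an approved source, otherwise the turn escalates, and each decision produces a record with the citation, escalation path, fallback owner and handoff SLA. The source document, its id and URL, the claims, and the owner and SLA values are constructed.

```python
"""Citation gate for a customer-facing assistant (hypothetical example).

The assistant may only quote and cite approved sources. Whether a claim's
wording faithfully paraphrases its quote is left to the evidence-first UX
(the customer sees quote and link); this gate enforces that the quoted
span really exists in the cited source. All data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
import re

# Constructed approved sources; ids and URLs are placeholders.
APPROVED_SOURCES = {
    "policy-fares-001": {
        "url": "https://example.invalid/policies/bereavement-fares",
        "text": ("Bereavement fares must be requested before travel. "
                 "Refund requests are reviewed within 30 days."),
    },
}

@dataclass
class Claim:
    statement: str               # what the assistant tells the customer
    source_id: Optional[str]     # approved document the claim is attributed to
    quote: Optional[str]         # verbatim span the statement is grounded in

@dataclass
class GateResult:
    decision: str                # "deliver" or "escalate"
    reasons: list = field(default_factory=list)
    citations: list = field(default_factory=list)

def _normalize(s: str) -> str:
    return re.sub(r"\s+", " ", s).strip().lower()

def gate_response(claims, sources=APPROVED_SOURCES) -> GateResult:
    """Deliver only if every claim is a verbatim quote from an approved source."""
    result = GateResult(decision="deliver")
    for c in claims:
        if c.source_id is None or c.quote is None:
            result.reasons.append(f"uncited claim: {c.statement!r}")
            continue
        src = sources.get(c.source_id)
        if src is None:
            result.reasons.append(f"unknown source {c.source_id!r}")
            continue
        if _normalize(c.quote) not in _normalize(src["text"]):
            result.reasons.append(f"quote not found in {c.source_id}: {c.quote!r}")
            continue
        result.citations.append(src["url"])
    if result.reasons:
        result.decision = "escalate"
    return result

def audit_record(conversation_id, result: GateResult, fallback_owner, handoff_sla_s) -> dict:
    """The record a platform owner should be able to produce on request."""
    escalated = result.decision == "escalate"
    return {
        "conversation_id": conversation_id,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "decision": result.decision,
        "source_citations": result.citations,
        "ungrounded_claims": result.reasons,
        "escalation_path": "human-agent-queue" if escalated else None,
        "fallback_owner": fallback_owner,
        "handoff_sla_seconds": handoff_sla_s,
    }

if __name__ == "__main__":
    invented = [Claim("You can apply for a refund up to 90 days after travel.",
                      "policy-fares-001", "within 90 days after travel")]
    print(audit_record("conv-1", gate_response(invented), "support-duty-manager", 120))
```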
Sources & references.
All facts in this report are drawn from public disclosures, regulatory documents, vendor announcements, and named research outputs as of May 2026.
- Cybernews, 2025. 346 AI incidents recorded in 2025, from deepfakes and fraud to dangerous advice. Includes breakdown of incident types and modalities.
- Resemble AI Q3 2025 Deepfake Incident Report. 2,031 verified deepfake incidents in Q3 2025, with 48.3% targeting businesses.
- Air Canada Chatbot Case, 2024. Ars Technica, BBC, McCarthy Tetrault legal analysis. Tribunal held airline responsible for chatbot-invented refund policy.
- DPD Chatbot Incident, 2024. Reuters, ITV, The Guardian. Support chatbot prompted into profanity and insults, disabled after viral spread.
- NYC MyCity Chatbot, 2024. Reuters, The Markup, AP News. Business chatbot provided guidance that could violate regulations.
- NEDA Eating Disorder Chatbot, 2023. NPR, New York Times, Wired. Chatbot paused after harmful responses to vulnerable users.
- Mata v. Avianca, 2023. Reuters, New York Times. Lawyers sanctioned for filing brief with ChatGPT-generated fake citations.
- Samsung and Enterprise Chatbot Bans, 2023. Reuters, CNBC. Employees pasted confidential data into public chat tools, triggering internal bans.
- AI-Assisted Code Security Research. ACM, Schneier on Security. Studies report AI assistance can increase vulnerability rates.
- McDonald's AI Drive-Thru Pilot, 2024. CNBC, AP News, New York Times. Voice AI test ended after inconsistent ordering performance.
- New Hampshire Biden Robocalls, 2024. NH DOJ, NPR, BBC. AI-generated voice impersonation used in election interference, enforcement followed.
- Google Gemini Image Generation Pause, 2024. Reuters, CNBC. Image generation of people paused after historically inaccurate outputs.
- Willy's Chocolate Experience, 2024. BBC, Business Insider. AI-style marketing images created expectation debt, event failed, went viral.
- Hong Kong / Arup Deepfake Video Call Fraud, 2024. CNN. Approximately $25M transferred after deepfake video call impersonating executives.
- EU AI Act. Travers Smith, GDPR Register, Enzai, Axis Intelligence, Captain Compliance. Enforcement timeline, high-risk AI requirements, penalties.
- NIST AI Risk Management Framework. NIST official documentation, EPC Group, Cloud Security Alliance, ISPartners. Four core functions, March 2025 updates.
- InspectAgents, 2025-2026. Complete list of AI chatbot failures including prompt injection attacks and governance gaps.
- Adversa AI Top Security Incidents Report, 2025 Edition. Comprehensive analysis of AI security incidents and attack vectors.