Cybercrime: Generative AI redraws Kenya's cyber risk landscape
Syntura Regional Director East Africa Anthony Muiyuro makes his remarks during the Syntura Experience Hub Launch on March 27, 2025 at the Capital Club East Africa.
Organisations in Kenya began 2026 with a deceptive sense of cybersecurity comfort after reported cyberattacks declined 81.6 percent year-on-year during the quarter to September 2025, even as a quieter but potentially deeper risk expands through workplace use of generative AI tools.
Employees are increasingly using public generative AI platforms to draft emails, analyse data, write code and prepare reports, embedding AI into daily workflows faster than governance structures can adapt.
The rapid adoption is creating new data exposure risks that do not resemble traditional cyber threats, as sensitive information is often shared voluntarily.
Generative AI tools are, by design, data processors, meaning every prompt or uploaded document potentially transfers information beyond an organisation’s direct control and outside established security and compliance frameworks.
A global cybersecurity survey by research firm Check Point last month shows that one in every 27 GenAI prompts submitted from enterprise networks posed a high risk of sensitive data leakage, while 91 percent of organisations using GenAI tools were affected by high-risk prompt activity.
“Sensitive corporate data is increasingly being uploaded to third-party generative AI services without adequate controls, sanitisation or oversight, often outside established security governance,” notes Check Point.
“With employees using an average of 11 GenAI tools, organisations need the ability to monitor and restrict what data is shared with every platform.”
Mr Anthony Muiyuro, East Africa Regional Director at Syntura, describes local firms as “highly vulnerable”, adding that AI adoption has outpaced internal rules, oversight and employee awareness.
According to Mr Muiyuro, many workers assume AI platforms function as private workspaces, unaware that prompts, chat histories and uploaded data may be stored, reviewed or used for model improvement.
This misunderstanding is widespread since generative AI is largely viewed as a productivity tool, rather than a system that changes how corporate and customer data is shared.
As a result, many organisations still rely on perimeter security controls and non-disclosure agreements that were designed for predictable internal data flows.
“Most Kenyan enterprises are not adequately prepared. While a few large banks, telcos and multinationals are beginning to define AI usage policies, many firms have no clear guidance on what workers can or cannot share with AI tools,” he says.
“Governance is often reactive. There are limited controls around data classification, no clear auditability of AI usage and minimal staff training on AI-related data risks. Well-intentioned workers can unknowingly expose confidential information.”
The risk is particularly acute in financial services, government, logistics, healthcare and education, where sensitive personal, operational and strategic data is routinely handled by employees.
In many of these places, there is no visibility into which AI tools employees are using, what information is being shared or whether sensitive data is leaving the organisation.
Mr Muiyuro says criminals are positioning themselves to exploit the shift by targeting systems and leveraging data unintentionally exposed.
According to the expert, attackers are likely to harvest leaked credentials, internal files or customer information that employees feed into public AI tools.
“Criminals are also using generative AI to scale and localise attacks, including phishing messages written in culturally familiar language or impersonating trusted institutions,” he says.
The combination of leaked internal data and AI-assisted social engineering increases the effectiveness of scams, particularly against SMEs and digitally expanding firms.
GenAI further lowers the barrier for attackers, allowing small groups or individuals to launch personalised, convincing attacks at scale without the resources previously required for such campaigns.
Experts advise local companies to begin by defining clear, practical rules on what types of data may be used in AI tools and what information is off-limits.
These rules must be embedded into daily workflows and communicated in plain language, rather than buried in lengthy policy documents.
“Beyond controls, organisations must enable and encourage responsible AI use, not suppress it. Employees should feel confident using AI tools within clearly defined guardrails that protect data, customers and the organisation's reputation,” Mr Muiyuro says.
“This starts with clear practical guidance on what AI tools are approved, what data can be used and what is off-limits – communicated in plain language rather than legal policy documents. Organisations should provide secure, enterprise-grade AI platforms, reducing the temptation for workers to use unsanctioned public tools.”