Jump to Content
Security & Identity

How to stop AI voice clones from bypassing your security perimeter

June 11, 2026
https://storage.googleapis.com/gweb-cloudblog-publish/images/GettyImages-1312787030.max-2600x2600.jpg
Tom McWalters

Senior Principal, Value Creation

Get original CISO insights in your inbox

The latest on security from Google Cloud's Office of the CISO, twice a month.

Subscribe

Imagine an IT help desk agent receives a frantic call. The caller is a high-profile executive at your company, urgently needing access to a locked account to close a time-sensitive deal. The voice is unmistakable — the cadence, the tone, the slight impatience, but it’s not your executive.

Instead, it’s an AI voice double, designed to trick you into handing over the executive’s real credentials — the keys to the enterprise kingdom.

Executives with public personas are frequently recorded in keynotes, earnings calls, and interviews, and that makes them prime targets for impersonation. Attackers are constructing AI-generated deepfakes built on these public recordings, and deploying them during high-pressure help desk calls to manipulate employees, according to Google Threat Intelligence Group (GTIG) research and Mandiant Consulting engagements.

In honor of Phishing Awareness Week, we wanted to take a look at the rise of industrialized social engineering, a trend that has only been bolstered by AI. Our M-Trends 2026 report found that vishing (voice phishing) accounted for 23% of all cloud-related security incidents. Meanwhile, the median time from a successful intrusion attempt to hand-off to a threat actor has collapsed from eight hours in 2022 to just 22 seconds today.

The value at risk is severe, with estimated losses around $200 billion annually, and annual loss-growth exceeding 20%. The stark reality of modern cyber threats is that attackers are no longer using complex technical exploits to break in. They’re manipulating and exploiting trust so they can simply log in.

Eroding the the perimeter

The traditional, relatively stable network perimeter has been replaced by one far more malleable: Identity.

These attacks succeed because standard operational metrics create direct vulnerabilities. There is a paradox in standard IT support models: Efficiency works against resilience.

Threat actors focus on the identity-control plane, targeting systems like Active Directory to secure sweeping administrative access. Threat groups use AI to bypass traditional multi-factor authentication (MFA) prompts, and then use AI again to help them traverse hybrid cloud and on-premise environments mere minutes after gaining initial access.

These attacks succeed because standard operational metrics create direct vulnerabilities. There is a paradox in standard IT support models: Efficiency works against resilience.

Standard help desk metrics, like average handle time (AHT), create a direct vulnerability by driving help desk employees to prioritize speed over strict identity verification.

To combat this threat, you should decouple IT support speed from security verification to build true resilience — and there’s much more that you can do.

The strategic action plan: Board-level mandates

Addressing the executive identity breach requires top-down mandates to secure the enterprise. We recommend these three key steps:

  1. Decouple support from speed: Revise help desk key performance indicators (KPIs) and abandon speed-based metrics like AHT for identity-sensitive support interactions. Instead, emphasize and reward adherence to rigorous security controls and verification protocols instead.
  2. Deploy phishing-resistant MFA: Legacy MFA is insufficient. Transition the organization away from SMS codes and mobile push notifications, starting with executives. Use security protocol based on tougher standards to spoof, such as FIDO2 hardware keys and device-bound passkeys.
  3. Audit disclosure controls: The Securities and Exchange Commission has increased penalties for "hypothetical" active identity intrusions in public disclosures. Your general counsel and CISO must routinely audit incident escalation procedures to guarantee accurate public and regulatory intrusion reporting.

How your CISO can help

Board members and executive leaders need to ensure these identity-focused vulnerabilities are addressed. Ask your CISO three critical questions in your next security briefing:

  • If all leadership accounts have not yet been enrolled in phishing-resistant (FIDO2) MFA, what will it take to get us there?
  • If we’re still using speed-based KPIs (like AHT) for identity-sensitive support interactions, how quickly can we remove them?
  • How is the CISO’s office working with the general counsel to ensure proper incident disclosure protocols are in place for identity breaches?

The era of trusting a familiar voice on the phone is over, but we can close the door on the AI-enabled identity breach by securing the identity control plane and aligning our operational metrics with our security realities. To learn more about guarding against vishing attacks, check out our protective hardening recommendations.

Posted in