Between late December 2025 and mid-February 2026, Gambit found that a single operator compromised nine Mexican government agencies, reaching tax records, civil registry data, patient files, and electoral infrastructure across a two-month campaign.
What made it remarkable was not the scope but the method: the attacker ran the entire operation with commercial AI handling the exploitation work, and researchers only discovered what had happened after recovering materials from attacker-controlled servers. AI was not a productivity tool running in the background. It was the operational core of the attack.
Check Point Research’s March-April 2026 Threat Landscape Digest documents this breach alongside several other cases that collectively confirm something the industry has been watching for: AI-enabled attacks have moved out of the experimental phase and into routine criminal deployment.
Key findings: What the data actually says
The Check Point Research team’s March-April 2026 Threat Landscape Digest surfaces something the industry has been bracing for: AI has crossed from the development phase into live attack deployment. Here is what stands out:
– AI-orchestrated attacks have progressed from experimental, state-sponsored use to in-the-wild criminal deployment. A single operator. Nine government agencies. Over 5,000 AI-executed commands. The Mexico breach shows this capability is no longer limited to nation-state actors. Financially motivated criminals are using it, at scale, today.
– Agentic configuration files are being weaponised as persistent jailbreak vectors. Rather than arguing with an AI’s safety controls, attackers are changing the rules it operates under. By planting malicious instructions in the configuration files that AI coding tools load automatically at startup, they can override model behaviour once and have it persist silently across every session, including on the machines of developers who have no idea the file is there.
– AI-enabled attack platforms are commercialising AI capabilities. EvilTokens packages a complete AI attack pipeline into a product any criminal can purchase. Model selection, jailbreaking, and output delivery are all handled behind the scenes. The sophistication was built once and now ships automatically to every customer, dramatically lowering the barrier to running advanced AI-powered fraud.
– AI provider credentials have become a high-value target. API keys for Anthropic, OpenAI, Groq, Mistral, and others are being harvested deliberately alongside traditional credentials. Stolen keys give attackers access to powerful AI services without an account, make their operations appear to originate from legitimate users, and are difficult for providers to shut down once taken.
The mechanics of what actually happened
Mexico: One operator, nine agencies
The architecture the Mexico attacker built is worth understanding in detail, because it is almost certainly being replicated elsewhere.
The attacker ran two commercial AI systems in parallel, one handling the live exploitation work, the other processing harvested data and feeding instructions back into the first. The cognitive load of what would previously have required a skilled team was handled automatically, in a loop, across weeks of persistent access.
The jailbreak method was elegant in its simplicity. Instead of arguing with the AI, the attacker changed the environment the AI operated in. They simply changed the file it reads at startup, embedding instructions that every subsequent session inherited without question. From that point, the AI operated under the attacker’s rules, not the developer’s. The attacker had effectively reprogrammed the AI’s default behaviour at the architectural level rather than the conversational one.
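The startup-file override described above (and in the key findings) is also the point where a defender can intervene. The following is an added example written for this post, not code from Check Point or from the digest: it pins the agent configuration files found in a checkout to a reviewer-approved SHA-256 baseline and flags instruction lines that try to override behaviour, hide text, or reach secrets. The file names and the risk patterns are assumptions to adapt to the tools in use.

```python
import hashlib
import re
from pathlib import Path

# Assumed names of files AI coding agents load at startup (the digest names no tool).
AGENT_CONFIG_NAMES = {".cursorrules", ".clinerules", ".windsurfrules",
                      "CLAUDE.md", "AGENTS.md", "copilot-instructions.md"}

# Heuristic markers of instructions that override behaviour or reach secrets (constructed).
RISK_PATTERNS = [
    re.compile(r"ignore (all |any )?(previous|prior|above) (instructions|rules)", re.I),
    re.compile(r"do not (tell|inform|mention (it )?to) the user", re.I),
    re.compile(r"curl\s+[^|\n]*\|\s*(ba)?sh", re.I),
    re.compile(r"(API_KEY|SECRET|TOKEN|\.env)\b", re.I),
    re.compile("[\u200b\u200c\u200d\u2060\ufeff]"),  # zero-width chars hide text from reviewers
]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def risky_lines(text: str) -> list:
    """Return (line_no, snippet) for every line matching a risk pattern."""
    return [(n, line.strip()[:80]) for n, line in enumerate(text.splitlines(), 1)
            if any(p.search(line) for p in RISK_PATTERNS)]

def audit_files(files: dict, baseline: dict) -> dict:
    """files: {relpath: bytes} of agent config files in the checkout.
    baseline: {relpath: sha256} that reviewers committed for the approved set.
    Flags anything new, changed or missing, plus risky lines per file."""
    report = {"new": [], "changed": [], "missing": [], "risky": {}}
    for rel, data in sorted(files.items()):
        digest = sha256_hex(data)
        if rel not in baseline:
            report["new"].append(rel)
        elif baseline[rel] != digest:
            report["changed"].append(rel)
        hits = risky_lines(data.decode("utf-8", errors="replace"))
        if hits:
            report["risky"][rel] = hits
    report["missing"] = sorted(set(baseline) - set(files))
    return report

def collect_agent_configs(root: str) -> dict:
    """Read every agent config file under a repository checkout (skips .git)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes() for p in root.rglob("*")
            if p.is_file() and p.name in AGENT_CONFIG_NAMES and ".git" not in p.parts}
```

Run it in CI on every pull request and fail the job on any new, changed or missing entry, regenerating the baseline only after a human has read the file.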
EvilTokens: The jailbreak as product feature
EvilTokens is what happens when that kind of capability gets packaged into a product: commoditisation. A buyer purchases access and receives AI-generated phishing emails written in the target’s own style, automated extraction of financial data from thousands of inboxes, and fake calendar invites timed to create pressure around wire transfer requests. The complexity is entirely invisible to the buyer. The social engineering pressure is coordinated across channels, automatically.
The vulnerability race nobody is winning
AI is surfacing vulnerabilities that sat undetected in core infrastructure for decades, while on the other side attackers are turning newly published advisories into working exploits within hours. The gap between disclosure and exploitation used to be measured in weeks. It is now measured in hours. Organisations that run monthly patch cycles are operating on a timeline that belongs to a different era of security.
What this means for organisations
The through-line across every case in this report is the same: AI is compressing time, expanding scale, and lowering the skill threshold required to execute sophisticated attacks.
Defenses calibrated to human attack tempo are not equipped for this environment. Organisations need to reckon with a few things directly:
– Shadow AI is a data leakage problem. One in five corporate AI prompts contains potentially sensitive information, and most organisations have limited visibility into what is being sent to which tools.
– AI configuration files are now a supply chain risk. A malicious file in a pull request or compromised repository can silently redefine how an AI agent behaves before any human reviews it. These files need the same scrutiny as third-party code dependencies.
– AI credentials need the same protection as cloud access keys. They provide persistent access, enable identity misattribution, and are being actively harvested at scale.
– Patch cycles need to get faster. Working exploits are appearing within hours of public vulnerability disclosures. Weekly or monthly patch review cycles are no longer matched to the speed of the threat.
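Treating AI provider keys like cloud access keys starts with knowing where they are. The following is an added example for this post, not code from Check Point or the digest: a scanner that finds OpenAI, Anthropic and Groq keys in .env files, shell history or CI logs by their prefix formats and redacts them before the text is stored or shared. The prefixes are the formats known to the author of this example and the sample lines are constructed; both are assumptions rather than facts from the digest.

```python
import re

# Prefix formats as known to the author of this example (not from the digest);
# treat them as assumptions. Mistral keys have no distinctive prefix, so a prefix
# rule cannot catch them and entropy or provider-side checks are needed instead.
KEY_PATTERNS = [  # order matters: sk-ant- must be tried before the generic sk-
    ("anthropic", re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}")),
    ("openai", re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}")),
    ("groq", re.compile(r"\bgsk_[A-Za-z0-9]{20,}")),
]

def find_ai_keys(text: str) -> list:
    """Return (provider, start, end) spans; an earlier pattern's span wins overlaps."""
    found = []
    for provider, pat in KEY_PATTERNS:
        for m in pat.finditer(text):
            if not any(s < m.end() and m.start() < e for _, s, e in found):
                found.append((provider, m.start(), m.end()))
    return sorted(found, key=lambda t: t[1])

def redact(text: str) -> str:
    """Replace each key with a provider tag plus its last four characters, so a
    log or ticket stays triageable without carrying a usable credential."""
    out, pos = [], 0
    for provider, s, e in find_ai_keys(text):
        out.append(text[pos:s] + f"[{provider}-key...{text[e - 4:e]}]")
        pos = e
    return "".join(out) + text[pos:]

def scan_lines(lines) -> list:
    """Return (line_no, providers, redacted_line) for every line carrying a key."""
    hits = []
    for n, line in enumerate(lines, 1):
        keys = find_ai_keys(line)
        if keys:
            hits.append((n, [p for p, _, _ in keys], redact(line)))
    return hits

# Constructed sample: an .env file and a shell history line, all with fake keys.
SAMPLE = [
    "OPENAI_API_KEY=sk-proj-EXAMPLEEXAMPLEEXAMPLE0001",
    "ANTHROPIC_API_KEY=sk-ant-EXAMPLEEXAMPLEEXAMPLE0002",
    "export GROQ_API_KEY=gsk_EXAMPLEEXAMPLEEXAMPLE0003",
    "DATABASE_URL=postgres://app@db/app",
]

if __name__ == "__main__":
    for n, providers, line in scan_lines(SAMPLE):
        print(f"line {n}: {providers}: {line}")
```

The same functions fit a pre-commit hook over staged files or a log-shipping filter, which is where harvested keys usually leak from first.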
The attribution gap is structural. Every operation documented in this report was discovered through attacker errors or provider-side monitoring, not through victim-side controls. AI-executed commands look like skilled human activity. Organisations that rely on behavioural detection alone are not seeing the full picture.
Securing what comes next
Check Point’s approach to this environment is built around one principle: prevention has to come first. Reaction time that works against human attackers does not work against machine-speed attacks. By the time an alert fires, the AI has already moved.
Securing your AI transformation means securing the full AI stack, from the employees using AI tools day to day, to the applications being built with AI capabilities, to the autonomous agents operating across systems. It also means securing the network infrastructure that AI traffic runs through, from the firewall to the data centre.
– Workforce AI security gives security teams visibility and control over employee AI usage, enforcing policy and preventing sensitive data exposure in real time.
– AI agent security provides end-to-end coverage for enterprise-built agents, from discovering what exists and assessing risk, to runtime enforcement that blocks unsafe actions before they execute.
– MCP security verifies that large language models like ChatGPT, Claude, and Gemini have strict policy-based authorisation to access enterprise databases, sensitive files, and external development tools like GitHub.
– Generative AI security gives enterprises full visibility and control over employee use of generative AI tools to prevent data loss or misuse.
– AI-native application security secures APIs and private large language models against specialised AI attacks including prompt injection, data poisoning, and model abuse.
– AI Factory Firewall secures private enterprise LLMs and NVIDIA AI GPU server clusters in AI data centres, running as a containerised firewall with no impact on GPU performance.
The threat landscape changed. The security posture has to change with it.