In this issue, we’re introducing TCF Community Voices. The series features perspectives from practitioners, advisors, and operators across the family office community. The views expressed are those of the contributor and do not represent the positions of The Cyber Foundation. If you have an article to contribute or a request for a topic you’d like us to explore, please connect with us here.

This article was contributed by Peter de Pentheny O'Kelly. Peter built and ran a private AI operating layer in production at a multi-asset family office. Deep Hawks is his single-operator practice: diagnose, build, hand over the keys. Additionally, Peter sits on the Advisory Board of The Cyber Foundation and is the leading contributor to TCF's 2026 Family Office AI Survey (see below for details).

Enjoy!

AI: Your Cybersecurity Frenemy

The same technology now sits on both sides of the table. It is the most capable adversary cybersecurity has ever faced, and the strongest ally it has ever had. Both are true at once, and both are sharper than anything we have dealt with before.

I’ll put the thesis up front, because everything else in this issue hangs on it. The tool making attackers dramatically more dangerous is the same tool that can make you dramatically harder to hit. Used well, the same model that writes the attacker’s phishing will read your own environment and tell you where you are exposed. Most coverage tells only the first half of that story. I want to land both, because in practice you can’t separate them.

Earlier issues of the TCF Intelligence Briefing covered the deepfake threat and the ShinyHunters campaign: cybercriminals who got into firms managing over $320 billion in assets not by breaking in, but by asking. This issue of the Intelligence Briefing discusses the engine now sitting behind both of those threats. What is less discussed is what that same engine does for the people defending their family office.

One tool, two faces. The same leverage that arms the attacker is available to the defender.

The shift that happened in 2025

For most of the last decade, a convincing, targeted attack took real effort. I no longer think that’s true, and the numbers are blunt about it.

In December 2025, AI-generated phishing went from 4% to 56% of all phishing observed across a platform watching four million users. By Q1 2026, Cisco Talos was naming AI-generated phishing as the leading way attackers got their first foothold in the incidents it investigated. IBM put the average AI-powered breach at $5.72 million, 13% above a traditional one. This isn’t only a volume story. The machine-written attacks have started outperforming the humans who used to write them.

Three threats I’d actually lose sleep over

Hyper-personalized spear phishing, at scale. AI can read public sources, map who you know and how you talk, and fire off personalized emails referencing real events and real contacts across thousands of targets at once. For a principal whose name, philanthropy, and board seats are public record, the attacker doesn’t have to do the homework. You already did it for them, on LinkedIn and in the conference program. Microsoft’s Cyber Signals 2025 logged a 46% rise in AI-generated phishing content; Keepnet tracked a 400% rise in successful AI-attributed scams, with click rates up to four times higher than the old methods.

Deepfake voice and video. We covered this in our first issue and I won’t relitigate it. Every capability we described is AI-driven, and the defense hasn’t changed.

Agentic AI attacks. This is the one that holds my attention. The real shift isn’t smarter content; it’s AI that runs the attack itself, without a human steering each step. In 2025, a state-sponsored group used an AI agent to get into roughly 30 organizations with no operator guiding the moves. Point a system like that at your environment and tell it to get credentials, and it will research targets, write the phishing, hold a live conversation with your helpdesk, and try thousands of doors at once, all night, without getting bored or sloppy. Forrester expects an agentic deployment to cause a public breach in 2026.

Why this lands on family offices specifically

AI-powered attacks go where the public information is rich and the defenses are thin. That is a precise description of a family office. Our principals, families, advisors, and giving are documented across the press, conference rosters, LinkedIn, and nonprofit filings. An AI building a profile of a principal doesn’t need to hack anything to understand the relationships, the rhythms, and the org chart.

And our defenses aren’t keeping up. In the Omega Systems 2025 survey, only 17% of family offices planned to prioritize staff awareness training in 2026, and only 8% had fully outsourced cybersecurity. I would rather we close that gap on purpose than discover it at 2 a.m. on a Tuesday.

The risk you create yourself

Here’s the part that doesn’t come from an attacker at all. We’re already using AI to draft documents, summarize meetings, and prep materials for legal and financial advisors. Most of the platforms doing that work say, in their own terms, that what you enter is not confidential and may be used to train the model.

Two words decide everything here, so let me define them plainly. A sandbox is an isolated space where an AI tool can do its work without touching, or exposing, the rest of your data. The risk is whatever crosses that boundary: what you type may not stay private, may train someone else’s model, and in at least one case has stripped a legal protection outright.

In February 2026, U.S. District Judge Jed Rakoff in the Southern District of New York ruled that a CEO who used an AI platform to prepare legal-defense documents had waived attorney-client privilege, because the platform’s terms treated what he entered as non-confidential. Anyone on your team using a standard AI tool to draft around a legal matter, a tax position, or an estate plan may be quietly waiving the very protection that’s supposed to govern it.

The fix is not to stop using these tools. I use them every day. It is to decide, before anyone types anything, what category of information is allowed into which system, and to actually read the terms of whatever is already running across the office.

The real divide: chatbot users vs. power users

This is the part that ties all of it together, and the part most of us in leadership roles have not yet sat with.

There are, roughly, two kinds of AI users. The vast majority are chatbot users: ask a question, get an answer. The frontier models are now so good at being chatbots that, used this way, there’s almost no difference between last year’s model and this year’s. If that’s how you use them, the upgrades genuinely are not for you.

The other kind of user does something first. Before they ask the tool anything, they set it up to know their world: they give it the documents, the history, the structure, and the guardrails it needs to be useful. I call these people power users, and I want to be clear about what I mean, because it isn’t a technical badge. A power user is simply someone who has done the unglamorous work of briefing the tool the way you’d brief a new hire on their first day. Do that, and the same model that hands everyone else a generic answer becomes enormous and fully custom to you.

Same tools, diverging outcomes. The gap compounds for the people who build context, and closes on those who don’t.

That gap is the whole story; it only widens, and it doesn’t close on its own later. The distance compounds, the way it always does with anything that builds on itself, so the people who stay on the wrong side of it tend to stay there. Most senior people know they’d benefit from a hand making the jump, and plenty carry too much ego, or too little time, to ask for it. That’s a human problem, not a technical one. Pretending the wave is smaller than it looks is not a strategy.

Make the jump, and “keeping up” stops being abstract. It pays out three ways at once.

The same leverage serves the family, your own bandwidth, and the security posture, or none of them.

Offensive AI use is your best defense

This is where the two halves of the issue meet, and it is the part usually waved away with the phrase “AI tools.” So let me be concrete about what AI on your side of the table actually looks like, because it isn’t a product you buy.

Point a model at 90 days of your own sign-in and email logs and ask it what looks wrong. It surfaces the 2 a.m. login from an unfamiliar device that your team would have scrolled past. Hand it your wire-approval process and tell it to act like the attacker: it tells you which step it would exploit, and how. Give it the exact “this is IT, your MFA needs updating” script from the ShinyHunters playbook and have it run your staff through that call until hanging up is reflex. Ask it to draft the one-page policy for what information is allowed into which system, then to poke holes in its own draft.
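As an added example (not from the original article or any TCF tooling), here is a deterministic baseline check in Python that can run alongside the model-driven log review described above, so the obvious cases are caught by rule and the model's answer can be cross-checked. The CSV layout, field names, and the 00:00 to 05:59 off-hours window are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in export; timestamps are assumed to be office-local time.
SAMPLE_LOG = """\
timestamp,user,device_id
2026-03-02T08:55:00,cfo,LAPTOP-A1
2026-03-03T09:10:00,cfo,LAPTOP-A1
2026-03-04T17:40:00,cfo,PHONE-A2
2026-03-05T09:02:00,cfo,LAPTOP-A1
2026-03-06T02:07:00,cfo,UNKNOWN-77
2026-03-02T10:15:00,assistant,LAPTOP-B1
2026-03-04T23:30:00,assistant,LAPTOP-B1
2026-03-07T13:20:00,assistant,TABLET-B9
"""

OFF_HOURS = range(0, 6)  # assumption: 00:00-05:59 local counts as off-hours


def triage_signins(log_text, off_hours=OFF_HOURS):
    """Flag sign-ins from devices a user has not used before.

    severity "high"   = unfamiliar device AND off-hours (the 2 a.m. case)
    severity "review" = unfamiliar device during normal hours
    A user's first recorded device seeds the baseline and is not flagged.
    """
    rows = sorted(csv.DictReader(io.StringIO(log_text)),
                  key=lambda r: r["timestamp"])  # ISO timestamps sort as text
    seen = defaultdict(set)  # user -> device ids observed so far
    findings = []
    for row in rows:
        user, device = row["user"], row["device_id"]
        hour = datetime.fromisoformat(row["timestamp"]).hour
        unfamiliar = bool(seen[user]) and device not in seen[user]
        if unfamiliar:
            severity = "high" if hour in off_hours else "review"
            findings.append({"timestamp": row["timestamp"], "user": user,
                             "device_id": device, "severity": severity})
        seen[user].add(device)
    return findings


if __name__ == "__main__":
    for finding in triage_signins(SAMPLE_LOG):
        print(finding)
```

A late sign-in on a known device (the assistant at 23:30) is deliberately not flagged; widen `OFF_HOURS` or add a per-user hour baseline if that pattern matters in your office.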

That is the answer to the question the title asks. AI is your best friend here for the same reason it is your worst enemy: the capability that lets an attacker research you at scale lets you audit yourself at scale, faster and cheaper than any consultant. IBM reports that organizations using AI-powered security tools see breach costs averaging $1.8 million lower than those without. None of the moves above need an enterprise budget. All of them need you to have made the jump from chatbot user to power user, because a chatbot user can’t keep any of it running.

Introducing the TCF 2026 Family Office AI Survey

We don’t yet have a clear, community-specific picture of how family offices are actually engaging with AI: what’s in use, what governance exists, what’s keeping principals up at night, and where the exposure and the opportunity intersect. The survey is how we find out.

Like the TCF 2025 State of Cybersecurity Survey, this survey will produce a published report and anchor a new Insights Series. Part of the payoff is benchmarking: seeing where you stand against your peers. But the deeper reason is simpler: most people don’t know where to start. Setting up an AI environment responsibly, from a security standpoint, is genuinely grey and genuinely personal. Lock it all the way down and the tools are useless; leave it wide open and you’ve created the exposure described above. The middle ground looks different for every office.

What I expect we’ll learn is where the pain actually is. Why that matters is the part I care about most: giving people the confidence that a path forward exists, even when the work ahead is hard, is a real relief. We’re putting the finishing touches on it now. When it’s ready it will land here first, and the results will come back to the community. Keep an eye on this Briefing.

Why we’re asking how you use AI

So why would a cybersecurity foundation run a survey about your AI use? Because the risk runs both directions. If you don’t understand the frenemy coming for you, you’re exposed. If you only ever use these tools as a chatbot, you’re leaving capability and protection on the table. Exposure on one side, opportunity on the other, and the same handful of decisions governs both.

The hardest part of this moment isn’t choosing a tool. It’s having judgment on your own side of the table: someone whose only interest is yours, who isn’t holding a license to sell you something, who can tell you honestly where you can let the machine run and where you absolutely cannot. That independent, vendor-agnostic posture is the whole reason The Cyber Foundation exists. We raise the floor, so you walk into any vendor conversation already knowing what you need and don’t get taken. We don’t gatekeep the ceiling.

- Peter

Our TCF Insights Series, a 3-part discussion of our 2025 Family Office Cybersecurity survey report and findings, concludes June 17th. If you missed Parts 1 and 2, you can watch here.

Part 3, “The Cybersecurity Lens on Financial Controls”, will be June 17, 2026, 10:00 PT / 13:00 ET with our guest Robert Charles, Chief Finance and Compliance Officer at the Digital Harbor Foundation. Register below!
