82% of security leaders fear AI will amplify challenges around toxic combinations
Panaseer warns that rising IT complexity and AI are creating a pathway for attackers to compromise critical resources, high-value assets, and data.
New research from Panaseer, a leader in security posture management powered by Continuous Controls Monitoring (CCM), shows 82% of security leaders fear AI will amplify challenges around toxic combinations of control failures. Moreover, 92% believe growing IT complexity increases the threat of toxic combinations, putting high-value assets at greater risk.
Toxic combinations of control failures are interconnected risks spanning multiple inventories and asset relationships that compound to create a pathway for attackers to compromise a business. Now that attackers have AI at their disposal, security leaders are increasingly concerned that attackers will exploit these combinations, as Marc Möesse, Chief Product Officer at Panaseer, explains:
"The term 'toxic combinations' originates from pharmacology, where mixing certain drugs can have deadly effects. In cybersecurity, it describes the compounded risks when multiple security weaknesses overlap, creating layer upon layer of risk. Almost all breaches result from some form of toxic combination. For example, a user who has failed multiple phishing tests might have access to critical systems and an exploitable vulnerability on their device. Individually, each risk is relatively minor, but combined, the risk increases considerably. The whole is markedly greater than the sum of its parts. Now with AI, attackers can create more sophisticated attacks with minimal effort, so there is a greater chance that attackers will uncover and exploit toxic combinations."
Panaseer warns that because toxic combinations span multiple security domains, they don’t always take the same form and are very hard to detect and prioritize. Security teams often lack the time and tools needed to see how different combinations of risk overlap within their environments and are therefore ill-equipped to address areas of vulnerability or prioritize remediation effectively.
"Security incidents stem from a convergence of multiple control failures. These failures have often been spotted before by security teams, either in security monitoring or controls testing, but it’s only when they interact in a toxic combination, with the wrong threat actor as an accelerant, that we see truly damaging consequences. This is why an information security management system needs to be wired to do much more than detect missing and misconfigured controls."
Simon Goldsmith, CISO at OVO Energy
To tackle this challenge and help shine a light on toxic combinations, Panaseer has launched a new Compound Risk Metrics (CRMs) feature. These CRMs deliver actionable insights into the specific assets and relationships driving toxic combinations. This helps eliminate manual effort while ensuring consistent, reliable access to validated and verified data from across the business – far more than just a number or single line of data. Designed to address toxic combinations of risks across security domains, CRMs enable organizations to create complex, threat-driven risk profiles by identifying previously hidden or unknown vulnerabilities, prioritizing response, and mitigating risk.
“It’s tough for security teams to identify toxic combinations, as it requires piecing together information from multiple security tools, attack chain analysis, and vulnerability scans. Even then, you’re working blind because there’s no clear view of how different assets connect,” explains Marc Möesse, Chief Product Officer at Panaseer.
“Cybersecurity leaders are already feeling the pain of toxic combinations, as identifying them requires combining data from multiple security tools, security domains, and across asset relationships, to uncover hidden risks, which is difficult with a typical security stack,” says Marc Möesse, Chief Product Officer at Panaseer. “Our new Compound Risk Metrics help teams save time and resources with reliable data, giving them a clear, continuous view of threats, and where they overlap.”
This is a unique solution available today that integrates data from multiple sources, including vulnerability, endpoint, Configuration Management Database (CMDB), user awareness, and Privileged Access Management (PAM) tooling, to spotlight hidden attack paths and devices at risk. Panaseer’s CRMs are uniquely automated and ready to deploy within hours, making it easy for users to start creating dashboards and getting insights from their data.
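As an added illustration (not Panaseer's code or its Compound Risk Metrics), the Python below joins constructed records from the five source types named above to flag the combination Möesse describes: repeated phishing failures, privileged access to a critical system, and an exploitable finding on the user's device. All user, device, asset and finding names are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample inventories, one per source tool (not real Panaseer data).
CMDB = {"srv-billing": "critical", "srv-wiki": "low"}           # asset -> criticality
VULNS = {"lap-017": ["FINDING-EXPLOITABLE-1"], "lap-042": []}    # device -> exploitable findings
ENDPOINTS = {"alice": "lap-017", "bob": "lap-042", "carol": "lap-017"}  # user -> device
AWARENESS = {"alice": 3, "bob": 4, "carol": 0}                  # user -> failed phishing tests
PAM = {"alice": {"srv-billing"}, "bob": {"srv-wiki"}, "carol": {"srv-billing"}}  # user -> privileged targets


@dataclass(frozen=True)
class ToxicCombination:
    user: str
    device: str
    critical_systems: tuple
    findings: tuple
    failed_phishing: int


def find_toxic_combinations(cmdb, vulns, endpoints, awareness, pam, phishing_threshold=2):
    """Join the five inventories on user and device and return only the users for
    whom all three control failures overlap. Each failure alone is reported by a
    different tool; the compound view only appears after the join."""
    results = []
    for user, device in endpoints.items():
        failed = awareness.get(user, 0)
        # Privileged targets that the CMDB rates as critical.
        critical = tuple(sorted(s for s in pam.get(user, set()) if cmdb.get(s) == "critical"))
        findings = tuple(vulns.get(device, []))
        if failed >= phishing_threshold and critical and findings:
            results.append(ToxicCombination(user, device, critical, findings, failed))
    # Prioritise by reachable critical systems, then by how often phishing tests were failed.
    return sorted(results, key=lambda t: (len(t.critical_systems), t.failed_phishing), reverse=True)


if __name__ == "__main__":
    for combo in find_toxic_combinations(CMDB, VULNS, ENDPOINTS, AWARENESS, PAM):
        print(f"{combo.user}: {combo.failed_phishing} failed phishing tests, "
              f"privileged on {combo.critical_systems}, device {combo.device} has {combo.findings}")
```

In the sample data only alice is flagged: bob fails phishing tests but holds access only to a low-criticality system, and carol shares the vulnerable device but has passed every test.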
You can read more in our latest blog on toxic combinations and why it's a concern in 2025.
Download the ControlWatch and the Continuous Controls Battle: Panaseer 2025 Security Leaders Peer Report on our website today.