AI Just Shattered Physical Security Trust Models
- AI-driven impersonation has reached near-zero cost, obsoleting traditional trust-based security models.
- Real-world industries like logistics and infrastructure are highly vulnerable to deepfake-enabled financial fraud.
- Organizations must shift from software-only solutions to structural, multi-channel verification protocols for critical operations.
For over a century, the security of physical assets—ranging from office towers to energy grids—relied on a fundamental friction: the high cost of impersonation. Historically, to convincingly masquerade as an executive or vendor required elaborate resources, professional actors, or insider access. That economic barrier has been dismantled by generative AI, turning voice and video cloning into a trivial, accessible, and scalable tool for bad actors. The implicit assumption that we can trust our eyes and ears on a video call is now functionally dead.
This reality was starkly illustrated when an employee at Arup, a global engineering powerhouse, authorized $25 million in wire transfers after being deceived by a hyper-realistic deepfake video call involving his own colleagues. No traditional network breach occurred; no firewall was bypassed. Instead, the attackers exploited the human element of the trust chain, demonstrating that the weakest link in our modern, hyper-connected infrastructure is the person holding the access credentials. This is not an isolated incident but a sign of a structural shift in the threat landscape.
The vulnerability is particularly acute for industries that own and operate the physical world, such as hospitality, real estate, and warehousing. These sectors often rely on a hybrid of legacy IT networks and operational technology (OT) systems that control physical access, elevators, and temperature controls. As these OT systems increasingly connect to IP networks, they become reachable from the outside. A deepfaked phone call or video conference can now serve as the wedge to gain entry into these critical systems, turning a simple social engineering attack into a pathway for physical disruption or massive financial theft.
The core challenge is a failure of organizational design. In most large enterprises, physical security and cybersecurity remain distinct silos, often reporting to different leaders with separate budgets. This separation, which might have made sense in the pre-AI era, is now a massive, exploitable vulnerability. Attackers are effectively moving laterally between these domains because the companies themselves do not view them as a single, unified attack surface. The industries that own our physical infrastructure must immediately merge these disciplines, establishing unified incident response playbooks that treat physical and digital threats as two sides of the same coin.
Solving this is not merely a matter of purchasing more advanced detection software. Instead, it requires a fundamental re-engineering of the verification layer. Enterprises must move toward a zero-trust model for all high-stakes approvals, requiring out-of-band verification—such as pre-agreed code phrases or callbacks on verified, secondary channels—for any movement of assets or access to critical systems. While this may reintroduce some of the friction that AI helped us eliminate, it is the only viable path to restoring security in an era where synthetic media is indistinguishable from reality.
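As an added illustration (not code from the article or any vendor), the Python sketch below shows what such an approval gate can look like: the confirmation must come over a different channel, the callback must go to a number enrolled in advance, and the code phrase is generalized to a single-use challenge and response so that an overheard phrase cannot be replayed. The directory, secret, threshold and all names are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample data: contacts and secrets enrolled in advance, in person.
DIRECTORY = {"cfo@example.com": "+1-555-0100"}
SECRETS = {"cfo@example.com": b"constructed-demo-secret"}
THRESHOLD = 10_000        # assumed amount above which the checks apply
_used_challenges = set()  # challenges are single-use

@dataclass
class Request:
    requester: str
    amount: int
    channel: str          # where the request arrived, e.g. "video_call"

@dataclass
class Confirmation:
    channel: str          # channel the approver used to confirm
    dialed: str           # number the approver actually called
    challenge: str
    response: str

def new_challenge() -> str:
    return secrets.token_hex(8)

def code_for(requester: str, challenge: str) -> str:
    """Short code the real requester derives from the pre-agreed secret."""
    mac = hmac.new(SECRETS[requester], challenge.encode(), hashlib.sha256)
    return mac.hexdigest()[:8]

def approve(req: Request, conf: Confirmation) -> tuple[bool, str]:
    if req.amount < THRESHOLD:
        return True, "below threshold"
    if req.requester not in DIRECTORY:
        return False, "requester not enrolled"
    if conf.channel == req.channel:
        return False, "confirmation reused the request channel"
    if conf.dialed != DIRECTORY[req.requester]:
        return False, "callback did not use the enrolled number"
    if conf.challenge in _used_challenges:
        return False, "challenge already used"
    _used_challenges.add(conf.challenge)
    if not hmac.compare_digest(conf.response, code_for(req.requester, conf.challenge)):
        return False, "wrong response"
    return True, "verified out of band"
```

The gate never consults a phone number or link supplied during the request itself, so a convincing face or voice on the original call contributes nothing to the decision.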