AI-first businesses are taking significantly longer to recover from cyberattacks, a delay that is driving up costs and exposing gaps in how companies secure artificial intelligence (AI) systems, according to a new report from Fastly Inc.
The company’s fourth annual Global Security Research Report found that organizations that build their operations around AI take nearly seven months, or about 210 days, to fully recover from cybersecurity incidents. That is roughly 80 days longer than companies that do not classify themselves as AI-first.
This extended recovery period, often described as an “AI Speed Tax,” comes with steep financial consequences. AI-first firms report costs that are more than 135% higher than their non-AI counterparts, driven by both longer downtime and more complex attack scenarios.
The growing use of AI as an attack vector is also causing this challenge. About 44% of AI-first organizations said AI was directly exploited in their most recent security incident, compared with just 6% of non-AI-first companies.
“The speed of AI adoption is reshaping security infrastructure almost overnight. For AI-first businesses, the priority is not to slow down innovation, but to modernize security at the same rate,” said Marshall Erwin, CISO at Fastly. “That means securing AI and inference infrastructure, monitoring unwanted AI crawler activity, anticipating shadow AI, and strengthening the outer perimeter.”
The risks are particularly pronounced in Southeast Asia, where 69% of respondents said AI tools or models contributed to their most recent cybersecurity incident. The report points to expanding attack surfaces as companies deploy AI across workflows, data pipelines, and customer-facing systems.
“AI is no longer a single tool. It is becoming an integral part of business operations,” said Rachel Ler, AVP of Asia at Fastly. “This creates new challenges for security teams, from tracking its deployment to understanding its impact during incident recovery. Companies that establish clear AI governance today will gain a decisive advantage tomorrow.”
Beyond direct attacks, AI-driven activity is also increasing operational costs. About 67% of Southeast Asian organizations said AI scraping has become a significant expense, with average annual infrastructure costs exceeding $372,000.
The impact goes beyond spending. Companies cited operational disruption (53%), higher infrastructure expenses (51%), data breaches (50%), and degraded website performance (35%) as the top issues linked to AI activity.
To address these risks, businesses are ramping up investments in web application firewalls, API security, and tools that monitor AI-driven processes. Still, concerns remain high. About 83% of respondents fear DDoS attacks targeting AI agents, while 61% said they lack the specialized expertise needed to secure AI systems.
“The challenge is no longer limited to isolated threats,” Erwin said. “Organizations are now managing rapidly expanding and often invisible infrastructure that requires a new approach to security.”