AI Can Build a Dossier on Your CEO in Ten Minutes. Most Companies Have No Answer for That.
Artificial intelligence tools have turned the slow, skilled work of researching a target executive into a task anyone with a browser can do. Security teams have not caught up.

Key points
- A security consultant built a detailed profile of a financial services CEO using AI tools in under ten minutes, gathering career history, personal interests, and negotiating tendencies from public sources.
- The 2023 MGM Resorts breach reportedly began when criminals found an executive on LinkedIn and used that public information to impersonate them in a phone call to IT support, obtaining login credentials within minutes.
- AI tools do not just find information: they connect it, producing a ready-to-use summary rather than a pile of raw search results.
- The Verizon Data Breach Investigations Report consistently finds that human manipulation, tricking employees rather than breaking software, is present in the majority of confirmed breaches each year.
- Executives whose family members overshare online are also exposed: attackers who cannot pressure a CEO directly may target a spouse or child instead.
A security consultant sits down with a general-purpose AI chatbot, types a senior executive's name, and in under ten minutes receives a structured summary of that person's career, public opinions, charitable interests, and professional relationships. Nothing in the output was secret. All of it was pulled from press releases, conference talks, and social media posts that the executive had approved. But assembled into a single, readable profile, it handed any motivated stranger a detailed map for manipulating that person.
That is the scenario described in a piece first reported by CSO Online, and it captures a shift in risk that most corporate security programmes have not yet addressed.
How did this become a problem so quickly?
Traditional OSINT, meaning open-source intelligence gathering, the practice of building a picture of a target using only publicly available information, used to take days of careful, skilled work. An analyst would comb through search engines, company filings, archived news stories, and social platforms. The time cost was a genuine barrier. AI tools demolished it.
The speed is striking. The synthesis is the real danger. A search engine hands you documents. An AI tool hands you conclusions: "this person cares about climate policy," "this person is close to these three board members," "this person's schedule is visible through their public speaking calendar." That is exactly the kind of detail a criminal needs before calling a company's IT helpdesk and pretending to be the CEO.
The MGM Resorts incident from 2023 made the principle visible at scale. Criminals reportedly found an executive on LinkedIn, used the public profile to sound convincing on a phone call to IT support, and walked away with access credentials. The manipulation took minutes. The information required was free.
AI tools have made that kind of preparation faster, more thorough, and available to people who lack the traditional research skills to do it manually. That last point matters. Attacks that once required a trained analyst now require only someone with a grievance and an internet connection.
Family members are a consistent blind spot. If an executive's spouse or child routinely posts about their location, school, or daily routine, that information feeds the same profiles. Attackers who cannot reach an executive directly will sometimes look for pressure points nearby.
What should organisations actually do?
Security teams should run structured AI queries on their own executives regularly, not once a year, but on a genuine schedule, treating what comes back the way they would treat a software vulnerability: something to be assessed, prioritised, and acted on. Assign a named person who is accountable, give them a security mandate rather than a PR mandate, and include AI exposure in the organisation's formal risk register.
Showing executives their own AI-generated profile in a live briefing works better than any abstract warning. The reaction is reliably the same: surprise, discomfort, and immediate engagement.
If you are an executive or a family member of one, treat your public digital footprint as something with real consequences. Old conference biographies, personal posts about travel patterns, and connection lists on professional networks all feed these profiles. Audit what is out there, remove what serves no business purpose, and be deliberate about what goes up in future.



