
AI Governance Is Becoming Cybersecurity's Next Compliance Theater

A new report from Cye finds that AI adoption is racing ahead of AI security, leaving organizations stuck between governance policies on paper and operational controls that can actually reduce risk. The report analyzed more than 2,400 assessments across 21 countries and 16 industries.

A new global cybersecurity maturity study suggests that the biggest AI security problem facing enterprises isn't a lack of awareness, but a lack of execution.

According to Cye's 2026 Global Cybersecurity Maturity Report, organizations have largely accepted that AI introduces new forms of cyber risk. Boards are discussing it. Policies are being written. Governance programs are emerging. Yet the controls required to manage those risks in production environments continue to lag behind.

The report analyzed more than 2,400 assessments across 21 countries and 16 industries, measuring both traditional cybersecurity maturity and AI risk maturity against NIST frameworks. The conclusion is difficult to ignore: organizations are significantly better at identifying AI risk than they are at reducing it.

Governance Is Winning. Security Is Not.

The report identifies what it calls an "AI maturity gap" — the growing distance between AI adoption and AI risk management.

While AI use has become mainstream across enterprises, average AI risk maturity remains stuck at what the report classifies as a reactive level. Organizations score highest in governance activities such as policy creation, oversight, and risk awareness. They score lowest in the functions associated with enforcement, response, and operational management.

That pattern should sound familiar to cybersecurity professionals.

For years, security leaders have argued that awareness alone does not reduce risk. Knowing about vulnerabilities, asset exposure, or supply-chain dependencies means little without the ability to act quickly and consistently. The report argues that AI is simply inheriting that same problem and accelerating it.

The concern becomes more urgent when viewed through the lens of modern offensive AI. As AI systems improve at discovering vulnerabilities, chaining exploits, and automating attacks, the time between exposure and exploitation continues to shrink. The report notes that attackers and defenders increasingly have access to the same AI capabilities, creating an environment where execution speed matters more than ever.

Shadow AI Is Already a Critical Infrastructure Problem

Perhaps the report's most alarming finding is the extent of Shadow AI.

Much like Shadow IT before it, employees and business units are adopting AI tools faster than organizations can discover, inventory, or govern them. These systems often gain access to sensitive business data, source code, customer information, and operational processes long before security teams understand where they are being used.

The exposure is particularly severe in critical infrastructure sectors.

Transportation organizations showed the highest levels of Shadow AI exposure, followed closely by energy. By contrast, financial services reported dramatically lower exposure levels. The difference appears less related to technology sophistication and more related to regulatory pressure and governance discipline.

The report also identified 134 active AI-related findings in production environments, with infrastructure misconfigurations, identity and access weaknesses, and monitoring gaps appearing most frequently. These are not hypothetical future risks. They are present-day security issues tied directly to operational AI deployments.

Compounding the challenge is the growing dependence on third-party AI ecosystems. Models, APIs, plugins, and external services have effectively created a new supply-chain problem that many vendor risk management programs were never designed to assess.

More Spending Isn't Fixing the Problem

The report challenges another common assumption: that increasing security budgets automatically improves security outcomes.

Global cybersecurity spending reached record levels in 2026, yet organizational maturity remains clustered in what the report describes as a "managed" state rather than a truly mature or optimized one. At the same time, nearly one-third of organizations reported feeling less secure than they did a year ago.

The reason may be surprisingly simple.

The most common security findings were not advanced AI attacks or sophisticated nation-state techniques. They were familiar issues: outdated technologies, exposed administrative interfaces, missing security controls, and insufficient monitoring. In other words, the same basic hygiene problems security teams have been discussing for years.

The report ultimately points to a lesson the cybersecurity industry keeps relearning: risk does not accumulate in the gap between technology and attackers. It accumulates in the gap between awareness and action.

AI may be transforming how organizations operate. But unless enterprises learn how to operationalize governance, enforce controls, and gain visibility into what AI is actually doing inside their environments, the technology could end up magnifying the very weaknesses cybersecurity has spent decades trying to solve.