Key Findings
18% of organizations identify GenAI features embedded in SaaS applications as their second-highest Shadow AI concern.
27% of organizations say runtime is the least defended phase in their AI security.
Only 32% of organizations operate at a managed level with measured effectiveness and reporting in AI security governance.
Infrastructure teams are responsible for 15% of AI security within organizations.
38% of organizations identify runtime as their most vulnerable phase in AI supply chain security.
23% of organizations acknowledge inadequate preparation to address unapproved AI tools and services.
41% of organizations believe AI-driven insider threats are among the most likely AI incidents to impact their organization in the next 12 months.
31.2% of organizations expect AI supply chain security to require the most new investment in AI security over the next 12 months.
16.0% of organizations expect Shadow AI management to require the most new investment in AI security over the next 12 months.
29% of organizations identify external APIs and SaaS-embedded AI features as their greatest AI supply chain risk.
17.4% of organizations adopting AI have Chief Data Officers holding primary responsibility for AI security.
15% of organizations adopting AI have infrastructure and operations teams controlling AI security.
13% of organizations adopting AI cite dataset integrity and contamination as an area where they are least prepared to address threats.
12% of organizations adopting AI point to model provenance and sourcing risk as an area where they are least prepared to address threats.
21% of organizations cite standalone GenAI tools (like ChatGPT, Claude, and image generators such as Midjourney) as their primary Shadow AI concern.
16% of organizations identify AI agents operating with user credentials as a Shadow AI concern.
31% of organizations identify data sources and embeddings as their greatest AI supply chain risk.
Other Shadow AI vectors, including personal accounts, third-party APIs, plugins, and local applications, each fall below 12% of organizations' concerns.
49% of organizations anticipate Shadow AI incidents.
25.0% of organizations expect AI agent security to require the most new investment in AI security over the next 12 months.
10.1% of organizations adopting AI report shared responsibility for AI security.
14.5% of organizations adopting AI have the CISO holding primary responsibility for AI security.
23% of organizations adopting AI identify Shadow AI and unapproved tools as an area where they are least prepared to address threats.
29% of organizations adopting AI have the CIO and IT org leading AI security.
3% of organizations adopting AI are unsure which area of AI security their organization is least prepared to address.
70% of organizations adopting AI lack optimized governance.
50% of enterprise security and business leaders say AI tools will cause the next data breach.
Over 31% of organizations are planning to allocate their security budgets to AI supply chain security over the next 12 months.
Only 13% of organizations rank model sourcing and provenance as concerns regarding AI supply chain risk.
14% of organizations identify orchestration frameworks as a Shadow AI concern.
23% of organizations adopting AI identify regulatory compliance as an area where they are least prepared to address threats.
11.0% of organizations expect staff, skills, and training in AI security to require the most new investment over the next 12 months.
13.0% of organizations expect runtime security to require the most new investment in AI security over the next 12 months.
27% of organizations view AI supply chain risks as spanning the entire AI supply chain from sourcing through runtime deployment.
16% of organizations rank plugins and extensions as their greatest AI supply chain risk.
Just 9% of organizations rank orchestration layers and agents as their greatest AI supply chain risk.
3% of organizations are unsure which aspect of the AI supply chain poses the greatest risk to their organization.
12.3% of organizations adopting AI have the CTO and Engineering organization holding primary responsibility for AI security.
6.0% of organizations expect governance and compliance in AI security to require the most new investment over the next 12 months.
38% of organizations identify runtime as their most vulnerable phase for AI.
31% of organizations are redirecting their largest security investments toward AI supply chain security over the next 12 months.
39% of organizations operate with inadequate AI governance structures entirely, relying on inconsistent frameworks, ad hoc practices, or no AI-specific governance at all.