The 2025 New Generation of Risk Report

42% of companies globally do not have a policy in place to govern the use of AI by employees as of 2025.

45% of risk leaders reported that they can only assess and monitor their tier 1 tech partners.

In a comparison of executive roles, 34% of VP and C-level risk executives are not considering incorporating agentic AI into their operations, while only 20% of directors, managers, and below share this view, indicating a disconnect in AI adoption strategies.

Nearly two-thirds of risk leaders reported that their budgets have not changed at all this year.

The percentage of companies globally that felt very prepared to manage AI risks has remained relatively flat over the past three years, with 9% in 2023, 8% in 2024, and 12% in 2025.

16% of risk leaders admitted they cannot monitor and assess the risks of their critical third-party tech partners at all in 2024.

60% of companies globally now have a chief risk officer as of 2024, an increase from 52% over the past two years, indicating a growing recognition of risk management as a priority.

8% of risk leaders indicated they can assess and monitor their tier 1 partners, their suppliers, and their suppliers’ suppliers in 2024.

52% of risk leaders identify autonomous decisions that conflict with business goals, legal requirements, and/or long-term strategy as a significant risk from deploying agentic AI.

66% of risk leaders stated they have reviewed and updated their IT and cyber risk management strategy in response to major disruptions such as the Crowdstrike outage or MOVEit breach

85% of risk leaders globally reported having a business continuity and resilience plan in place to maintain operations during a major IT outage or cyber incident at one of their business-critical service providers.

68% of risk leaders foresee data privacy and security issues as the biggest risks from deploying agentic AI.

38% of risk leaders express concern over unintended actions from runaway processes, such as unauthorized transactions or incorrect pricing changes, as a risk from deploying agentic AI

15% of risk leaders are unaware if their organization is considering incorporating agentic AI into its operations or products.

In 2025, 40% of companies reported that they mostly or only use spreadsheets to manage risk, a decrease from 53% in 2024, indicating a significant shift towards software use in risk management.

30% of risk leaders claimed that third-party and nth-party risks are not having an impact or are only having a minimal impact on their business in 2024.

In 2024, 62% of companies were using or planned to use AI for risk management, which is projected to rise to 70% by 2025, reflecting a significant increase in AI adoption.

Thirty-nine percent of companies are not conducting worst-case scenario simulations, highlighting a critical gap in risk management practices that needs to be addressed.

32% of companies globally have formally trained or briefed the entire company on risks related to generative AI in 2025, up from 19% in 2024 and 17% in 2023.

Only 12% of companies globally feel very prepared to assess, manage, and recover from AI and AI governance risks in 2025, according to a recent study.

75% of companies globally report not having a dedicated plan to specifically address generative AI risks, including deepfakes and AI-driven fraud attacks in 2025.

Only 15% of companies globally have a budget specifically directed at mitigating AI-related risks in 2025, which is about the same percentage as last year.

26% of companies globally report having no policies, formal training, budgets, or dedicated plans to address AI risks in 2025.

Only 28% of risk leaders reported an increase in technology budgets in 2024, a figure that has remained unchanged over the past three years.

72% of companies globally do not have a policy for the use of generative AI by partners and suppliers as of 2025.

Only 10% of leaders expressed a lack of confidence in their risk management data in 2025, down from 16% in 2024, reflecting a six-point improvement in trust towards risk data.

23% of companies globally have a policy against using foreign AI models such as Deepseek in 2025.

Nearly 60% of risk leaders report that their companies are considering incorporating agentic AI solutions into their operations or products.