41% of internal audit leaders are concerned about the use of AI to insert malicious code.

46% of internal audit leaders cite limited financial budget as a barrier to AI-specific risk management efforts.

Encryption-based extortion declined by 15% compared to the previous year.

Many organizations run 50 or more security products.

Nearly 48% of incidents include browser-based activity.

In the fastest cases, attackers moved from initial access to data exfiltration in 72 minutes, four times faster than the previous year.

Identity weaknesses play a material role in nearly 90% of investigated incidents.

Attackers leverage third-party SaaS applications in 23% of incidents.

Misconfigurations or gaps in security coverage materially enable attacks in over 90% of incidents.

87% of intrusions involve activity across multiple attack surfaces.

85% of security leaders are concerned about AI-related infrastructure risk.

59% of security leaders report having experienced or strongly suspect an AI-related security incident.

70% of security leaders say AI systems have more access than a human in the same role.

Enterprises deploying AI systems with excessive permissions experience 4.5x more security incidents than enterprises that enforce least-privilege controls.

Organizations with over-privileged AI systems have a 76% incident rate, compared to a 17% incident rate for organizations that limit AI to only the privileges needed for the task.

43% of organizations say AI makes infrastructure changes without human oversight at least monthly.

79% of organizations are evaluating or deploying agentic AI, yet only 13% of organizations feel highly prepared for it.

67% of organizations rely on static credentials for AI systems.

Only 3% of organizations have automated, machine-speed controls governing AI behavior.

92% of organizations have near-term AI initiatives in production infrastructure.