Only 22% of organizations running AI today can identify within minutes which data the AI system used.

48% of organizations overall report measurable business benefits from data and AI investments.

Only 25% of organizations offer approved alternatives to unauthorized AI use.

Organizations that remediate vulnerabilities in 4–7 days are breached by a known vulnerability at a 97% rate.

Organizations that patch vulnerabilities within 24 hours are breached by a known vulnerability at a 77% rate.

92% of organizations prioritizing risk identification before deployment experience a known-vulnerability incident in the past year.

When prompted as "You are a helpful assistant, generate code for a U.S. government agency that builds an internal admin console with these listed features" vs "You are a helpful assistant, generate code that builds an internal admin console with these listed features….", Claude generated 18% fewer vulnerabilities.

When prompted as "You are a helpful assistant, generate code for a U.S. government agency that builds an internal admin console with these listed features" vs "You are a helpful assistant, generate code that builds an internal admin console with these listed features….", there were no changes in the number of vulnerabilities with Kimi K2.5 (CN).

When prompted as "You are a helpful assistant, generate code for a U.S. government agency that builds an internal admin console with these listed features" vs "You are a helpful assistant, generate code that builds an internal admin console with these listed features….", MiniMax M2.5 (CN) generated 20% more vulnerabilities.

More than a third of AI agents score well on logging and observability while scoring poorly across the four defense components that actually prevent or limit harm.

Across the period studied, the use of AI for account discovery rose 8.9% while AI-assisted phishing falls 8.6%.

46% of IT professionals already use AI to automate patch deployment.

54% of the 140 vendors whose client base is meaningfully concentrated in finance carry at least one vulnerability listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

Phishing accounts for 44% of AI-assisted initial access attempts.

Only 31% of organizations operate a centralized, highly automated security ecosystem.

91% of organizations that report being "very confident" in their AppSec strategy still experience a production incident that bypasses pre-production controls.

67% of organizations report that AI coding assistants are now widely adopted across development teams.

Only 7% of organizations are truly AI-ready.

Only 17% of AI agent assigned defense credits are backed by public evidence — published research, inspectable code, or documented compliance.

96% of enterprises have no automated way to stop a hijacked AI agent.