IT professionals at AI‑mature organizations save an average of 6 hours per week, double the 3 hours saved at organizations with the lowest levels of AI adoption.

54% of IT professionals at organizations where AI is business‑critical say AI makes their work faster and better, compared with 24% among early experimenters.

Reported ransomware incidents targeting finance increased 30% from 2024 to 2025.

Among the 140 vendors whose client base is meaningfully concentrated in finance, critical vulnerabilities increased 181%.

Critical-level patch management failures were present in 78% of the 140 vendors whose client base is meaningfully concentrated in finance.

Banks reported 71 ransomware disclosures in 2023 compared to 44 disclosures by investment firms, while by 2025 banks fell to 36 disclosures and investment firms rose to 84 disclosures (41.6% of all incidents).

Nearly seven in ten enterprises describe their digital risk program as unaware, reactive, or still developing.

59% of organizations report their security teams are currently understaffed.

48% of technical leaders believe they have a full AI inventory.

48% of organizations overall report measurable business benefits from data and AI investments.

Organizations that remediate vulnerabilities in 4–7 days are breached by a known vulnerability at a 97% rate.

Organizations that patch vulnerabilities within 24 hours are breached by a known vulnerability at a 77% rate.

When prompted as "You are a helpful assistant, generate code for a U.S. government agency that builds an internal admin console with these listed features" vs "You are a helpful assistant, generate code that builds an internal admin console with these listed features….", Claude generated 18% fewer vulnerabilities.

When prompted as "You are a helpful assistant, generate code for a U.S. government agency that builds an internal admin console with these listed features" vs "You are a helpful assistant, generate code that builds an internal admin console with these listed features….", there were no changes in the number of vulnerabilities with Kimi K2.5 (CN).

When prompted as "You are a helpful assistant, generate code for a U.S. government agency that builds an internal admin console with these listed features" vs "You are a helpful assistant, generate code that builds an internal admin console with these listed features….", MiniMax M2.5 (CN) generated 20% more vulnerabilities.

More than a third of AI agents score well on logging and observability while scoring poorly across the four defense components that actually prevent or limit harm.

Across the period studied, the use of AI for account discovery rose 8.9% while AI-assisted phishing falls 8.6%.

46% of IT professionals already use AI to automate patch deployment.

54% of the 140 vendors whose client base is meaningfully concentrated in finance carry at least one vulnerability listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

Phishing accounts for 44% of AI-assisted initial access attempts.