62% of security teams say keeping up with increased engineering delivery is getting harder.

67% of General Counsels report spending more time on enterprise-wide risk and compliance than a year ago.

General Counsels cite these top drivers of risk: geopolitical conflicts 52%, regulatory changes 48%, AI-related risks 39%, cyber threats 39%, and supply chain disruptions 33%.

52% of senior legal leaders report significant or measurable efficiency improvements from AI tools in the last six months, while 48% report no meaningful improvement.

A quarter of legal leaders spend up to 60% of their time on enterprise-wide risk and compliance.

43% of enterprises report operational disruption from AI agent-related incidents.

29% of enterprises prioritize risk management, 28% prioritize monitoring, and 19% prioritize permission control for AI agents.

41% of enterprises say discovery of unknown AI agents happened multiple times in the past year.

47% of unknown AI agents emerge in LLM platforms, including custom tools, assistants, and plugins.

33% of IT and security leaders have only partial control over the use of agentic AI in their organizations.

Restoration of identity systems is tested four times less often than restoration of productivity systems.

Top-performing organizations have a high-risk finding half-life of 10 days, while bottom-tier organizations have a 249-day half-life—an eight-month gap in exposure.

The typical organization ultimately resolves 86% of its high-risk findings, but only 52% of high-risk findings are remediated within a five-year time frame.

59% of IT professionals say AI has added the responsibility of interpreting data and AI-driven insights.

61% of frontline managers say formal training is the most critical element for building AI skills.

97% of financial organizations affected by AI-related breaches lack adequate access controls.

In 2025, 90% of breaches affecting financial institutions were financially motivated.

Claim frequency rose 7% year-over-year to the highest rate At-Bay has recorded since 2021.

Companies with under $25M in revenue saw a 26% increase in average claim severity, the steepest jump of any segment and part of a three-year upward trend.

Akira, a Ransomware-as-a-Service operation that has run since 2023, drove a 53% increase in ransomware frequency in the second half of 2025.