86% of organizations say they have a complete inventory of the AI tools their teams use.
59% of those same organizations also admit that shadow AI is present and ungoverned.
AI security in 2026 is all about this gap.
If you're trying to understand the state of AI security in 2026, and what the major reports say about where the risks are heading, this is the most current picture available.
What the 2026 AI security research agrees on
The research published this year comes from different organizations surveying different populations.
IBM tracked 600 companies.
Gartner surveyed IT leaders.
Darktrace polled 1,500 security professionals.
Cisco sampled industrial deployments.
But the underlying finding is consistent across all of them. AI adoption is outpacing governance by a lot.
And the teams able to manage AI risks in 2026 are not the ones that banned the tools. They're the ones that built visibility and policy before any incident forced the conversation.
Data breach costs: what the IBM report actually shows
IBM's 2025 Cost of a Data Breach Report found that the global average breach cost dropped to $4.44 million. It's good news — the first decline in five years.
But.
Organizations with high shadow AI exposure, meaning employees using unapproved personal AI accounts for work, paid an extra $670,000 per breach on average. Shadow AI was a contributing factor in 20% of all breaches IBM tracked.
The reason the headline number dropped at all is that organizations using AI and automation throughout their security operations saved an average of $1.9 million per breach.
AI is both a risk factor and a cost-reduction tool. Which one it is for your organization depends entirely on whether you have governance in place.
13% of organizations in the IBM study also reported breaches of AI models or applications directly. Among those, 97% lacked proper AI access controls at the time of the breach.
These were not sophisticated attacks on hardened systems. They were gaps that were obvious in retrospect.

Where your team's AI usage is actually happening
Gartner surveyed 175 employees between May and November 2025. Over 57% reported using personal GenAI accounts for work. And 33% admitted to entering sensitive information into unapproved tools.
That tracks with what LayerX Security found too. Their Enterprise AI and SaaS Data Security Report found that 78% of ChatGPT usage within enterprise environments comes from personal, free-tier accounts. 18% of employees paste data into GenAI tools regularly. More than half of that pasted data includes corporate information.
The pattern is the same across every study. Your approved AI tools are probably covering a minority of what your team actually uses.
The personal account is what makes this hard. When an employee uses their own ChatGPT account for work, they're using a tool with default data-sharing settings, no enterprise data retention limits, and no visibility for anyone in a management role.
The data leaves the building, and you have no record that it did.
For a practical framework on finding and measuring shadow AI usage, Shadow AI in Teams: How to Find It, Measure It, and Fix It covers the full audit process from discovery through remediation.
The AI agent risk most teams are not ready for
The 2025 story in AI security was employees pasting data into chatbots.
The 2026 story is AI agents doing it without anyone initiating the action.
Darktrace's State of AI Cybersecurity 2026 report found that 76% of security professionals are concerned about the security implications of AI agents in their organization. 92% are concerned about AI agent usage across their workforce more broadly.
Only 37% have a formal policy for securely deploying AI agents. That number dropped 8 percentage points from the previous year, even as agent adoption accelerated.
88% of organizations reported confirmed or suspected AI agent security incidents in the last year, according to the CSA's 2026 survey. In healthcare, that number reaches 92.7%.
The risk profile for agents is different from chatbots. When an employee pastes data into ChatGPT, the action is at least visible in principle.
An AI agent operating inside your systems, connected to files and APIs, can access and move sensitive data without anyone initiating the request.
The governance questions for agents are also different from what most teams are used to asking.
Which data can the agent access?
Which actions can it take autonomously?
Who reviews that access after setup?
Most teams deploying agents in 2026 have not answered these questions.
The spending gap that explains the readiness problem
Gartner's 2026 security forecast found that enterprises spend 17 times more on AI tools than on securing AI itself.
That ratio captures the problem more precisely than any threat headline.
The gap exists because AI adoption is a business decision, and AI security is a risk decision. They get made by different teams, on different timelines, with different budgets.
The result is the confidence gap the CSA data describes: organizations believe they have visibility they don't actually have.
Darktrace found that 87% of security leaders say AI is significantly increasing the number of threats their teams must address. And 77% of those teams now have generative AI embedded in their security stack.
Using AI defensively is the only way to keep pace with AI-enabled attacks. But that requires the same governance discipline that most organizations are still building.
What good AI security governance actually looks like in 2026
The organizations that show up in the research as handling this well are not running the most complex security programs. They share a few practices that most teams could implement without a dedicated security team.
A complete, accurate AI tool inventory.
Not just the list of approved tools, but the complete list of tools actually in use. The difference between those two lists is where unmanaged exposure lives. And this requires active discovery, not self-reporting.
Account-level controls, not just tool-level.
Approving "Claude" is not the same as requiring that your team use Claude Team or Enterprise accounts with data retention disabled.
If you are using an approved tool on a personal free account, then that's an unapproved tool from a data governance perspective.
Pre-submission detection for sensitive data categories.
Policies communicate what not to share. Detection catches what actually gets shared. The IBM data is clear that organizations relying only on policies pay more when incidents happen.
Documented agent access controls before deployment, not after.
This is the practice most organizations are skipping. The Darktrace data shows only 37% have formal policies for agent deployment. Building that framework before an agent goes live is a different problem than trying to audit it after.
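The first two practices above (an inventory built from observed usage, and approval at the account level rather than the tool level) can be checked against egress telemetry. The following is an added example, not code from this article or from any product it mentions. The log columns, the workspace field, the host lists and the organization ID are all assumptions, and the sample log is constructed.

```python
import csv
import io
from collections import defaultdict

# Hypothetical approved inventory: AI tool host -> the managed workspace ID
# sessions must be signed in to. Approval is per account, not per tool.
APPROVED = {"claude.ai": "org-acme-team"}

# Hypothetical discovery list of GenAI hosts to look for in egress logs.
KNOWN_AI_HOSTS = {"claude.ai", "chatgpt.com", "notes-ai.example"}

# Constructed sample of proxy/browser telemetry (not real log data).
SAMPLE_LOG = """user,host,workspace,bytes_out
alice,claude.ai,org-acme-team,2048
bob,claude.ai,personal,9120
carol,chatgpt.com,personal,15300
dave,notes-ai.example,personal,700
alice,intranet.example,,120
bob,claude.ai,personal,880
"""


def classify(host, workspace):
    """Return the governance status of one session, or None if not AI traffic."""
    if host not in KNOWN_AI_HOSTS:
        return None
    if host not in APPROVED:
        return "shadow_tool"          # tool missing from the approved inventory
    if workspace != APPROVED[host]:
        return "personal_account"     # approved tool, unmanaged account
    return "governed"


def audit(log_text):
    """Sum outbound bytes per (user, host), grouped by governance status."""
    report = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(log_text)):
        status = classify(row["host"], row["workspace"])
        if status:
            report[status][(row["user"], row["host"])] += int(row["bytes_out"])
    return {status: dict(pairs) for status, pairs in report.items()}


def inventory_gap(report):
    """Hosts seen in use that the approved inventory does not list."""
    return sorted({host for _, host in report.get("shadow_tool", {})})


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for status in ("governed", "personal_account", "shadow_tool"):
        print(status, result.get(status, {}))
    print("inventory gap:", inventory_gap(result))
```

In the sample, bob's sessions land under personal_account even though claude.ai is on the approved list, which is the account-level distinction the second practice draws.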
For the full framework that covers each of these areas, AI Security Best Practices: The 2026 Guide for Growing Teams is the most practical reference available.
Three incidents from 2025 and 2026
The statistics matter more when they connect to real situations.
McDonald's AI chatbot exposure (2025)
More than 64 million job applicants had personal information exposed through a security flaw in McDonald's AI-powered hiring chatbot.
According to news reports at the time, the chatbot's admin panel was accessible with the password "123456."
The data exposed included names, contact information, and application details. This was not a sophisticated attack. It was a simple deployment without basic access controls, and the personal data of 64 million people was the consequence.
Vercel breach (2025)
One Vercel employee granted broad workspace permissions to a third-party AI integration tool.
That permission created a trust path that attackers used to access customer environments across more than 700 organizations.
The breach was not discovered internally. According to reporting at the time, it was discovered when the attacker chose to monetize the access publicly. The cause was an AI tool integration with permissions that were never reviewed after initial setup.
OpenAI/Mixpanel data exposure (November 2025)
OpenAI confirmed that a breach of third-party analytics provider Mixpanel exposed limited user data associated with OpenAI's API platform.
No chat content, API keys, or payment details were compromised. However, the incident illustrated the pattern the IBM data describes: AI platforms face the same third-party vendor risk as any software company, and that risk compounds when the platform holds sensitive business data.
For more documented cases and what they cost the companies involved, 5 Real ChatGPT Data Leaks That Cost Companies Millions covers the landmark incidents in detail.
Where AI security is heading
The research trajectory is consistent.
Gartner projects that by 2028, 25% of enterprise GenAI applications will experience at least five minor security incidents per year, up from 9% in 2025.
AI applications are projected to account for 50% of cybersecurity incident response efforts by that same year.
Gartner also predicts that by 2028, more than 50% of enterprises will be using AI security platforms to manage third-party AI usage, up from less than 10% today.
AI adoption will keep accelerating, and governance will keep lagging. AI agent deployments will introduce access and permission risks that current security policies do not cover. Breach costs tied to shadow AI will remain elevated for organizations that have not built governance frameworks.
The organizations that navigate this well are the ones acting on the data now, before the incident that makes action mandatory. For a full framework covering the specific controls that matter most, AI Security for Teams: The Complete 2026 Protection Guide covers each area in detail.

Where to start
Reading the 2026 data is useful. Doing something with it is what changes your exposure.
The sequence below follows what the research shows matters most:
Get visibility into what AI tools your team actually uses. The gap between the AI tools you've approved and the ones your team uses is where most unmanaged risk lives. The Sequirly free audit tool scans for AI usage patterns and surfaces shadow AI exposure in minutes.
Close the personal account gap. Personal free-tier accounts with default data-sharing settings are where the LayerX and Gartner data converge. Getting your team onto approved accounts with data retention controls is a high-impact, low-complexity step.
Add pre-submission protection for sensitive data. A policy tells people what not to share. Prevention stops the data before it leaves the browser. Sequirly sits between your team's browsers and every AI tool they use, catching sensitive data before it reaches any external system. It runs locally in the browser, installs in under two minutes, and does not require an IT team.
If you want to see what it catches in your specific environment before committing to anything, try Sequirly free.
The 2026 data is clear on what the risks are. The only variable is when your organization decides to act on it.

