Most companies can't control their own AI, survey finds

Most large companies lack visibility and control over the artificial intelligence systems operating within their networks, according to recent findings from the 2026 CISO AI Risk Report by Cybersecurity Insiders.

The report, based on a survey of 235 CISOs (Chief Information Security Officers), CIOs (Chief Information Officers), and senior security leaders across the US and the UK, found that AI is often deployed without approval. 75% of organisations have discovered unapproved "Shadow AI" tools running in their systems, many with access to sensitive data. According to the data, 71% of CISOs confirm AI has access to core business systems, but only 16% govern that access effectively.

The survey highlights a critical visibility gap: 92% of organisations lack full oversight of their AI identities, and 95% doubt they could detect malicious activity by an AI agent. Only 5% feel confident they could contain a compromised AI system.

Security leaders cited the rapid, decentralised adoption of AI tools like copilots as a key challenge. These systems act autonomously, making them difficult to track with traditional security tools designed for human users. The report notes 86% of leaders do not enforce access policies for AI, and just 25% use monitoring controls built specifically for AI.