Lagging Security, Excessive AI Access Prevalent in 2 Cybersecurity Surveys

Kroll learned that 80% of respondents increased budgets dedicated to cybersecurity, but nearly three-quarters acknowledged gaps in their strategy.

Businesses may recognize the need for cybersecurity, but their actions may still leave them vulnerable. Nearly three-quarters of surveyed organizations (72%) have a gap between cybersecurity strategy and business priorities, according to a recently published report by risk and financial advisory firm Kroll Inc., “Bridging the Cyber Resiliency Gap: Why Aligning Cybersecurity Priorities Is Critical for Business Resilience.”

Of the group experiencing mismatched priorities, common issues included differing risk tolerance (cited by 51%), executives lacking digital literacy (43%), budget constraints (42%) and poor communication from cybersecurity teams (36%).

Although 99% of responding organizations had a response plan for digital security incidents and 80% had increased their cybersecurity budgets, Kroll also found overconfidence among respondents. Asked how quickly their cybersecurity team could respond to a threat, 72% of respondents said between one and 24 hours, and only 19% said a response would take fewer than 60 minutes. Kroll cited the finding of the “CrowdStrike 2026 Global Threat Report” that the average digital crime in 2025 took place just 29 minutes after an intruder’s initial access, a 65% increase in speed from 2024.

The most common area of increased security spending—cited by 59% of respondents—was cloud and third-party security, but 67% of cyberattacks experienced by respondents at work involved humans, such as through phishing and compromised email. Cloud and third-party security were involved in only 32% of cyberattacks experienced at work.

Artificial Intelligence Concerns

Kroll’s respondents also showed an apparent disconnect in regulation of artificial intelligence, as 76% had security issues involving AI apps in the past 12 months, but 48% said their organization had little-to-no governance on AI tool and service adoption. Apart from overall cybersecurity concerns, a recently published study by the nonprofit Cloud Security Alliance also found businesses lagging in identity and access management policies for AI agents.

Nearly three-quarters (74%) of surveyed information technology and security professionals said AI agents had more information access than necessary, and 79% said AI agents created new access pathways that were difficult to monitor. Nevertheless, 85% of respondents said they were using AI agents in production environments, with 50% saying they used AI for security or monitoring.

Asked how AI agents received access, 52% said AI received access intended for humans or other systems, 43% of respondents used shared service accounts, and 31% allowed AI agents to operate under human user identities.

According to the CSA report, 57% of its respondents reported having moderate or high confidence in their control of access, but only 22% said access frameworks were applied consistently to AI agents. Moreover, 68% of respondents said they could not clearly distinguish between human and AI agent activity.

“AI agents are inheriting human permissions, operating under shared accounts and expanding the attack surface in ways that existing IAM tools weren’t designed to handle,” said David Goldschlag, co-founder and CEO of Aembit, which sponsored the CSA’s study, in a statement. “The survey makes the stakes clear: Agentic autonomy without identity-level access controls is a risk organizations can’t afford to ignore.”

Both surveys suggested companies could improve real-time security responses. Just 33% of CSA respondents removed or modified access policies in real time. Only 3% of Kroll respondents said they updated their incident response plans after an attack, while 52% said they updated response plans quarterly.

Kroll surveyed 1,000 cybersecurity decisionmakers in 10 countries, including 450 in the U.S., in November and December 2025. Cloud Security Alliance surveyed 228 IT and security professionals in January 2026.
