The State of AI Risk Management in 2026

Key findings

• US executives are more than four times as confident as their own practitioners that AI risk is under control, 29% to 7%. The UK gap runs the same direction, 18% to 11%. The board’s view and the team’s view aren’t the same view.
• ChatGPT sits in 7 in 10 IT estates and Microsoft Copilot in 6 to 7 in 10. Only around 4 in 10 teams say their security stack is ready for AI risk. Adoption has outrun control by roughly two to one.
• Visibility raises concern rather than calming it. Among UK teams with full visibility into AI use, 56% flag data leakage as a top concern, against 27% of teams with none. Seeing the problem isn’t the same as containing it.
• Nearly three-quarters of IT teams lose at least a quarter of their week to repetitive, low-value work, and around one in three lose more than half. The people accountable for AI risk are the ones with no time to manage it.
• The most overloaded teams are the most hopeful that AI will rescue them, 59% in the US and 55% in the UK. Procurement under that kind of pressure produces accepted vendor claims, not tested ones.

1. Executives say AI is under control. The teams running the estate don’t.

The further a seat sits from the keyboard, the more confident the read on AI risk. Executives see a tidy dashboard and a quarterly summary.

The people one and two levels below them see the prompt logs, touch the permissions, and field the alert when something goes wrong, and they’re far less sure anything’s under control.

The same split runs through visibility, which is the more telling of the two. Confidence is a feeling. Visibility is a claim about what you can actually see, and the two groups don’t agree on that either.

The picture the board hears and the picture the SOC sees are not the same picture, and the gap holds in both markets.

What this means for IT leaders

2. AI is everywhere in IT. The controls aren’t.

Most teams aren’t choosing between these tools.

They’re running several at once, which means the surface to govern is wider than any single rollout decision implies.

The largest single group in the survey is the one that’s worried and unequipped at the same time, 48% in the UK and 43% in the US, and between 73% and 78% of respondents are at least moderately concerned about unmanaged AI.

The teams furthest along the curve feel it most.

Heavy adopters are nearly twice as likely as light ones to be very concerned, and also the most likely to say their tools are ready.

Experience hasn’t dissolved the worry. It’s sharpened it.

The Salesloft and Drift breach in August 2025 shows the surface in practice.

Attackers stole OAuth tokens for Drift’s AI chatbot integration with Salesforce and used them to pull data from more than 700 corporate Salesforce instances, Cloudflare, Palo Alto Networks, and Zscaler among them.

Drift was the AI tool. Salesforce held the data.

Most of the affected teams had never personally provisioned Drift. A third-party AI chatbot, plugged in through an OAuth grant few had recently reviewed, became the way in.

What this means for IT leaders

Treat AI as part of the estate, which means inventory it, control who can reach it, and govern it like any other infrastructure.

Keep a live list of which AI tools you’ve sanctioned, which are in use without sanction, and which OAuth and API grants are active across your SaaS estate, paying particular attention to anything that links an AI vendor to your CRM, your email, or your file store, and audit those grants before the next AI rollout rather than after it.

Apply the same supplier rigour to AI vendors as to any other SaaS supplier. That’s procurement review, contractual data-handling terms, and a clear answer on where your data sits when an AI tool processes it.

3. Seeing AI isn’t the same as containing it.

Visibility is supposed to be reassuring, and the data says the opposite, because visibility is the diagnosis, not the treatment.

Teams that can see what ChatGPT, Copilot, and the long tail of unsanctioned tools are doing can also see what those tools are taking out, so the teams who can see most worry most.

That isn’t a failure of visibility. It’s what visibility is for.

The CISA case shows the gap in sharp relief.

The agency’s Acting Director uploaded “For Official Use Only” documents to public ChatGPT between mid-July and early August 2025, disclosed in January 2026, and the agency’s automated sensors flagged the activity within a week.

Visibility worked. What failed was containment.

The exception that authorised him to use ChatGPT didn’t stop him reaching for the public version of it.

If an acceptable-use policy couldn’t hold the head of the US cyber agency, no mid-market policy holds without technical enforcement underneath it.

What this means for IT leaders

Decide what you’ll do about shadow AI before you buy the tool that shows it to you, because a dashboard that surfaces shadow AI without containing it is a record of failures, not a control.

Inventory the AI tools already in use, decide what each one is allowed to touch, then put data leakage prevention in front of the data you can’t afford to lose, with the AI endpoints recognised as endpoints in their own right.

More than 6 in 10 teams in both markets name data leakage prevention as the capability they want most, regardless of how much AI they can currently see.

They’re not asking for another dashboard. They’re asking for something that stops the leak.

4. The people accountable for AI risk have no time to manage it.

Operational overload is the rule, not the exception.

Tool fragmentation, visibility gaps, skills shortage, alert fatigue, and manual investigation all sit in the 3 to 4 in 10 range as a top operational pain, and the people formally accountable for AI risk are the same people running yesterday’s incident queue, today’s patching backlog, and a stack of tools that don’t talk to each other.

The load isn’t spread evenly.

In the UK, security specialists carry the heaviest repetitive burden, with more than 8 in 10 losing at least a quarter of their time to low-value work.

In the US, DevOps reports the highest alert fatigue of any role while shipping AI into pipelines faster than anyone else, and the share of teams losing more than three-quarters of the week to low-value work is more than double the UK rate.

That’s the ground AI controls are being asked to stand on. Governance built on a backlog inherits the backlog.

What this means for IT leaders

Fix the workload before you add anything else to the queue, because AI controls won’t hold on top of a team with no time to run the controls already in place, and there’s an order to it.

First, consolidate the tools in your stack that overlap most, since two products generating the same alert produce twice the noise, not twice the coverage, and if you can’t say what each tool does that the others don’t, you have a consolidation problem before you have an AI problem.

Second, automate the repetitive work that’s already costing a quarter to half the week, the triage, the enrichment, the low-priority alert handling, and pull headcount back onto the decisions only people can make.

Then, and only then, bring in AI-specific controls, because governance built on top of a team with time to think has a chance and governance built on top of a backlog doesn’t.

5. The most overloaded teams are betting hardest on AI.

The more time a team loses to ticket triage, manual investigation, and repetitive admin, the more confident it is that AI will pull it out of the hole, and that’s not naive optimism.

It’s hope held by people who’ve run out of other options.

The same teams are honest about the gap: 44% in the US and 41% in the UK are optimistic about AI and admit their tools aren’t fully ready in the same breath, and what they want is automation that drops in cleanly, not a re-skilling programme, with reducing manual work the most-wanted capability by a clear margin.

The risk is the obvious one. A team with no time to evaluate a tool buys on vendor promise.

The Replit incident at SaaStr in July 2025 is the cautionary tale.

An AI coding agent ignored explicit instructions not to make changes, deleted more than 1,200 executive records and around 1,196 company records, and produced misleading status messages about what it had done.

Anthropic’s disclosure of an AI-orchestrated espionage campaign, GTG-1002, shows the same automation patterns turning up in attacker tooling.

What this means for IT leaders

Buy AI deliberately, and pressure-test what vendors tell you now, while your team still has the time to do it.

Before signing anything for an agentic AI tool, ask the vendor what happens when the agent ignores an instruction, then ask for the rollback procedure in writing, because the Replit pattern isn’t exotic, it’s how agents behave at the edges.

Don’t let the most overloaded team in the business pick the tool that’s meant to fix it, since procurement under pressure produces accepted vendor claims, not tested ones, and get someone outside the queue to run the evaluation.

Set the limits before deployment, not after.

The teams that come through agentic AI rollouts intact are the ones that decided in advance what the agent isn’t allowed to do, and put controls in place to enforce it.

6. What good looks like

Four control layers, four AI risk patterns. Access, execution, action chain, and privilege. All available today through the existing Heimdal stack.

The capability teams want most, across every level of visibility, is data leakage containment.

That’s the request, and the answer starts with what already ships.

Four control layers sit inside the Heimdal platform today, each matched to one of the four AI risk patterns the survey surfaces.

1. CASB and DNS Security control access to AI services.
2. App Control governs what can run.
3. AppFencing breaks the action chain.
4. PEDM removes silent privilege escalation.

Two more AI capabilities are already live in production alongside them. That’s Predictive DNS for pre-signature threat prevention, and AI-powered email fraud prevention.

AI Wingman Assist is available across the Heimdal dashboard today, surfacing the right actions and recommending best-practice settings, and AI Scripting, which turns natural language into actions an administrator can run inside the platform, is live now.

That’s the floor.

On top of it, AI acceleration arrives in waves.

AI Wingman Triage, included with TAC, uses multi-agent systems to assess suspicious indicators, validate incidents, and accelerate triage.

AI Wingman SOC, included with TAC and MXDR, brings that acceleration into Heimdal’s managed SOC.

Inside the modules, AI/ML Patch Sequencing prioritises remediation impact within limited service windows, and PEDM Post-Elevation AI/ML Assessment checks whether privileged activity stays aligned to what was requested.

Those last two are coming next, not shipping today, and the report says so.

What this means for IT leaders

The findings above give you the questions to take into any AI-control conversation, internal or vendor.

Three sharpen here.

First, can the platform stop the leak and find the tap, in that order?

Buyers ask for data leakage containment first and AI discovery second, which is backwards from how you’d architect it, but right for how the risk actually shows up. The platform you choose should do both.

Second, where does the control sit?

Visibility tools that report but can’t enforce are a half-deployment. The four layers above operate at the network edge, the endpoint, the browser entry point, and the privilege boundary, so action is possible at every step a third-party AI service touches your estate.

Third, what’s live today, what’s coming soon, and what’s coming later?

In a category running dozens of AI SOC vendors at any given show floor, the difference between shipping today and on the roadmap is the one your board will ask about first. The status column in the table above carries our answer in writing.

Available today means available today. Coming soon means coming soon. Coming 2026 means coming 2026.

We’ve labelled them as such, because they are.

7. Methodology

This report is based on a survey of 1,000 IT professionals across the United Kingdom and the United States, commissioned by Heimdal and conducted in 2026.

Sample. 1,000 respondents in total. 500 in the UK, 500 in the US. Quotas applied to country, role, and seniority.

Seniority mix. Six tiers from entry-level through executive (C-level / VP). The executive-versus-practitioner cuts referenced in this report (Section 2) compare the executive tier and the mid-level individual contributor tier.

Role mix. IT and infrastructure, security and cybersecurity, DevOps and cloud, mixed IT responsibilities, and other.

Organisation size and sector. The survey did not screen respondents by organisation size or sector. The report is written for the mid-market IT leader, broadly defined as 250 to 2,500 employees, but the sample itself spans a wider range of organisation sizes and sectors.

Fieldwork. Conducted via Pollfish, an online survey platform that runs surveys through randomised mobile and desktop placements. Fieldwork ran from 1 May to 8 May 2026.

Weighting. Unweighted. Country, role, and seniority quotas were applied during fieldwork, so the responses report directly without post-fieldwork adjustment.

Statistical testing. Where this report describes a difference between groups as significant, the underlying cross-tabs include chi-square tests for categorical comparisons and two-proportion z-tests for percentage gaps. Significance thresholds are p<0.05 unless stated. The executive-versus-practitioner confidence gap referenced in Section 2 is significant at p<0.001 in the UK and p=0.029 in the US.

Rounding. Percentages are rounded to the nearest whole number. “Nearly three-quarters” means at least 70% and below 75%. “Around 4 in 10” means between 38% and 42%. Rounding differences may produce small inconsistencies between the digest, section text, and chart labels.

Definitions

Concerned about AI risk: Very or moderately concerned (Q3).

Tools not ready: Partially, no, or not sure (Q15).

Full visibility: “Yes, fully” to Q5 (“Do you currently have visibility into which AI tools are being accessed across your organisation?”).

Heavy adopter: Organisations running three or more named AI tools at Q4. Light adopter: zero or one.

Shadow AI: AI tools in use inside the organisation without explicit IT sanction.

Data leakage: Sensitive data exiting the controlled estate via an AI tool, sanctioned or otherwise.

What this survey cannot see

This survey records what 1,000 IT professionals say is happening inside their estates.

It does not measure what is actually flowing through their networks, sitting in their SaaS tenants, or being pasted into AI prompts.

It does not segment respondents by organisation size or sector, so findings should be read as a cross-industry picture of IT practitioner sentiment in the UK and US rather than a sized-and-sectored read of any single segment.

Where the report addresses mid-market IT leaders specifically, that’s the editorial framing of the report, not a sample constraint.

Where the data shows a gap between executive and practitioner readings (Section 2), the survey cannot resolve which read is closer to ground truth.

Where a respondent reports full visibility into AI tool use, the survey cannot verify that claim against telemetry. Self-reported visibility almost always overstates real visibility.

Treat the numbers as the inside view of practitioners and leaders, not as an audit.

Bylines. Written and edited by Danny Mitchell.

Press contact. Maria Popovici, Digital PR Manager, mpo@heimdalsecurity.com.

If you liked this report, follow us on LinkedIn, Reddit, X, Facebook, and Youtube for more cybersecurity news and topics.

Danny Mitchell

Head of Content at Heimdal. A journalist by trade who cares about helping MSPs and security teams make better decisions, enjoy their work, and see real results.