Global Research Reveals Confidence Gap in AI Security: 90% of Organizations Claim Visibility into AI, yet 59% Admit Shadow AI Exists
RSAC 2026 — The Purple Book Community (PBC), a global community of senior security leaders, in partnership with ArmorCode, today released the State of AI Risk Management 2026. Based on a survey of more than 650 senior enterprise cybersecurity leaders across North America and Europe, the report reveals a widening gap between perceived AI security readiness and the operational blind spots created by shadow AI and newly introduced vulnerabilities from AI-driven development. According to the research, 90% of enterprises say they have visibility into their AI footprint, yet 59% have confirmed or suspect the presence of shadow AI within their environments. The findings suggest that employees are operating unsanctioned AI tools or deploying agentic AI systems outside established monitoring and governance processes.
This research comes at a critical moment, as enterprises rapidly operationalize AI across development and business workflows, often faster than security and governance frameworks can adapt.
The study also found that 70% of organizations have confirmed or suspected vulnerabilities introduced by AI-generated code in their production systems. This highlights how the speed of AI-assisted development is outpacing traditional security review cycles.
This gap between visibility and control is one of the most critical challenges in enterprise AI security today.
“The greatest AI security threat isn’t what organizations can’t see — it’s what they can see but can’t govern fast enough to stop. The PBC State of AI Risk Management 2026 report underscores just how urgent this governance gap has become,” said Sangram Dash, PBC Charter Member and CISO and VP of IT at Sisense.
Key Findings from the Report
The research identifies several systemic trends shaping enterprise AI security today:
- Shadow AI is Becoming the Norm: More than 59% of security leaders confirm or suspect employees are using AI tools that IT or security teams have not approved, indicating that decentralized AI adoption is outpacing governance processes.
- AI-Generated Code is Accelerating Risk Exposure: Nearly three-quarters (73%) of organizations say AI-assisted development is increasing software velocity beyond the pace security teams can review, contributing to the widespread presence of AI-generated vulnerabilities in production.
- Tool Fragmentation is Weakening Security Posture: More than half (51%) of enterprises use 11 or more security scanning and vulnerability management tools, creating siloed insights and operational complexity that make it harder for teams to prioritize the greatest risk to their business.
- Security Teams are Drowning in Noise: Nearly half (46%) of respondents said they spend significant time triaging vulnerabilities that ultimately do not matter, while critical issues remain buried across disconnected tools.
Together, these dynamics create what the report calls the “confidence gap,” the widening distance between perceived AI security readiness and the operational reality of governing AI at enterprise scale.
“What struck me most about this research is not any single statistic, but the pattern. Across every dimension we measured, security leaders expressed high confidence in their AI governance while simultaneously reporting outcomes that contradict that confidence,” said LingRaj Patil, Executive Chair of The Purple Book Community. “This is the defining challenge of AI risk management in 2026: closing the gap between perception and reality. We’re proud to bring this data to the industry, and we urge security leaders to use it as a mirror, not a scorecard.”
AI Adoption Surges While Governance Struggles to Keep Pace
The research confirms that AI-assisted development has already become mainstream across enterprise software teams. Nearly three-quarters (73%) of organizations report extensive AI usage in their development processes, while 78% say they are piloting or deploying agentic AI systems capable of taking autonomous action.
As AI systems expand to agents acting on behalf of organizations, the governance challenge will grow significantly. Without stronger oversight and unified visibility into risk across applications, cloud, infrastructure, and AI systems, enterprises risk further widening the gap between vulnerability awareness and control.
“These findings show that the real challenge is not AI adoption itself, but the governance required to manage it responsibly at enterprise scale,” said Karthik Swarnam, Chief Security and Trust Officer at ArmorCode and Purple Book Community member. “Across the industry, visibility into AI is improving, but the volume and speed of change are outpacing how teams actually operate. Signals are coming from everywhere, and without clear ownership and action, things slip through. That’s why many organizations are ending up with more unsanctioned AI than sanctioned, and risk in places they didn’t expect.”
Research Methodology
The State of AI Risk Management 2026 surveyed more than 650 cybersecurity decision-makers, including CISOs, VPs of Security, and security directors across industries such as software, financial services, healthcare, manufacturing, and retail. Respondents represent organizations with 1,000 to more than 20,000 employees across North America and Europe.
The commissioned research was conducted by The Purple Book Community between December 2025 and February 2026. As with all survey-based research, findings reflect respondent perceptions at a point in time and may not fully represent all organizational environments.
About The Purple Book Community
The Purple Book Community (PBC) is a global network of 1,000+ cybersecurity leaders and practitioners united by a mission to democratize software security and tackle its ever-evolving challenges in the AI-powered world through the power of peer knowledge and collaboration.
In the 5 years since its founding, PBC has grown into one of the most respected and trusted groups in the industry. The Community brings together CISOs; leaders and practitioners across application, product, infrastructure, and AI security; and academics, analysts, and innovators from across the globe.
Community members meet virtually each month to discuss key topics ranging from secure AI adoption to regulatory compliance, building security program maturity, professional development, and more. For those looking to turn dialogue into action, PBC's Centers of Excellence bring together focus groups of senior leaders to raise awareness of challenges, define best practices, and create free resources for the benefit of the cybersecurity world. Through PBC Connect, its flagship in-person event series held alongside industry conferences, the Community enables idea sharing, networking, and problem-solving in a private space where security professionals can openly communicate with others experiencing similar challenges.
To learn more, join the dialogue, or access resources, visit: www.thepurplebook.club.
About ArmorCode
ArmorCode's Agentic AI Platform helps enterprises manage security risk across today's heterogeneous environments. Powered by Anya, the industry's first agentic AI framework for enterprise security, it unifies exposure management across ASPM, Vulnerability Management, Software Supply Chain Security, and AI Exposure Management, delivering visibility, insight, and control without replacing existing tools.
View source version on businesswire.com: https://www.businesswire.com/news/home/20260323081582/en/
Contacts
Media Contact:
RH Strategic for ArmorCode
armorcodepr@rhstrategic.com


