AI’s Double-Edged Sword: Unlocking Value While Guarding Against New Cyber Risks

Executive Perspective: Few technologies have generated as much opportunity — and simultaneous vulnerability — as artificial intelligence. By April 2026, AI and automation were driving productivity gains across industries. But this rapid adoption is creating a widening gap between AI enthusiasm and AI governance. Employees are feeding sensitive data into unsecured tools, threat actors are weaponizing AI for more potent attacks, and fundamental controls like identity management are being deprioritized precisely when they matter most. Bridging this gap is now among the most consequential leadership decisions in cybersecurity.

The governance gap: confidence vastly exceeds control. The RSM US Middle Market Business Index Cybersecurity Special Report 2026, surveying 501 U.S. and 101 Canadian middle-market executives (fielded January 6–30, 2026), reveals a stark disconnect. 96% of executives expressed confidence in their cybersecurity posture — yet only 35% reported using formal AI governance frameworks. In parallel, nearly one in four organizations reported a ransomware attack or demand in the past year, and 18% experienced a data breach. Companies are primarily relying on fragmented measures: staff training on responsible AI use (51%), data governance policies (46%), AI performance monitoring (46%), and defined roles for AI decision-making (44%). This patchwork contributes to the rise of “shadow AI”: employees deploying unauthorized AI tools outside formal security and compliance frameworks. As RSM’s Daniel Gabriel stated: “Organizations are accelerating AI adoption, but many don’t yet have a clear destination or a governance model to guide them”.

Data exposure is materializing at scale. Check Point Research found that in April, 1 in every 28 GenAI prompts posed a high risk of sensitive data leakage, and 90% of organizations using GenAI tools regularly were impacted by this exposure. An additional 19% of prompts contained potentially sensitive information, while organizations used an average of 10 different GenAI tools, with users generating approximately 77 prompts per month. Without centralized controls, organizations remain vulnerable to credential leakage, intellectual property exposure, and unintended third-party risk propagation. The WEF’s Global Cybersecurity Outlook 2026 quantifies the awareness gap from the other direction: while the share of organizations assessing the security of their AI tools nearly doubled from 37% in 2025 to 64% in 2026, roughly one-third still lack any process to validate AI security before deployment, leaving systemic exposures even as the race to adopt AI in defenses accelerates.

Attackers leveraging AI — and targeting AI platforms. Adversaries are treating enterprise AI adoption as a new attack surface. IBM X-Force researchers found more than 300,000 compromised ChatGPT credentials listed for sale on the dark web in 2025. The open-source AI agent platform OpenClaw gained notoriety as what IBM’s Dave McGinnis called “the most helpful insider threat” because AI agents require deep data access to function, creating a difficult balancing act between enabling benefits and ensuring security. IBM X-Force analyst Christopher Caridi noted that “while AI platforms themselves may become direct targets, the larger risk is the increased volume and sophistication of credential harvesting enabled by AI-assisted phishing and infostealer malware”. Organizations that “consistently enforce phishing-resistant MFA and apply strong identity management practices — such as conditional access, least-privilege access and continuous monitoring of authentication behavior” experience fewer credential-based incidents.

Identity: the critical blind spot. Perhaps the most alarming finding in the RSM report is that only 23% of organizations prioritize digital identity management — despite identity-based attacks remaining one of the most common entry points for ransomware and breaches, and a vital control point for securing AI-enabled platforms. “If identity controls are weak or poorly governed, AI will scale that risk instantly,” warned Omer Arshed of RSM Canada. “The middle market still has a window to mature identity controls now, before AI meaningfully expands the attack surface and drives higher cost, complexity and exposure”. Alden Hutchison of RSM reinforced this: “Most threat actors don’t break in. They log in. When identity controls and permissions are weak, attackers don’t need exploits”.

Budget headwinds complicate the challenge. While 81% of respondents still plan to increase cybersecurity spending, this represents a decline from 91% last year — suggesting economic pressure is beginning to temper investment growth even as threats intensify. Cybersecurity budget authority is shifting: funding is now most often managed by the CTO (43%), followed by the CFO (37%) and CISO (34%), reflecting cybersecurity’s growing integration into enterprise financial and technology decision-making, but with the potential to become a competing line item within broader transformation initiatives. Meanwhile, the WEF found that 87% of respondents identified AI-related vulnerabilities as the fastest-growing cyber risk over 2025, and CEOs specifically flagged data leaks (30%) and advancement of adversarial capabilities (28%) as their top GenAI security concerns.

AI as defender — real progress, real limits. The defensive side is advancing: the WEF reports that 77% of organizations have adopted AI for cybersecurity, primarily to enhance phishing detection (52%), intrusion and anomaly response (46%), and user-behavior analytics (40%). However, organizations consistently identify insufficient knowledge or skills (54%), the need for human oversight (41%), and uncertainty about risk (39%) as the main hurdles to deeper adoption. Additionally, the post-quantum threat is moving from theoretical to operational: 37% of WEF survey respondents believe quantum technologies will affect cybersecurity within the next 12 months. April’s emergence of the Kyber ransomware gang — which deployed post-quantum encryption techniques in real-world attacks on Windows and VMware ESXi environments — underscores that threat actors are already preparing for this transition.

Executive Takeaway: Achieving AI’s benefits without inviting new catastrophe requires deliberate leadership action. Establish formal AI governance now — do not let adoption outpace oversight. Implement risk assessment, data-usage rules, and clear accountability for AI projects, not just ad hoc training. Prioritize identity and access management as a first-order security investment — when only 23% of organizations focus here despite identity being the primary entry point for attacks, the gap is dangerously wide. Protect data fundamentals — mandate that sensitive information is not entered into any AI service unless explicitly approved through enterprise-grade platforms with auditability. And begin post-quantum cryptography migration planning — the threats are no longer theoretical. The organizations that will thrive are those that embrace AI boldly but deliberately, pairing each step forward with commensurate attention to security, identity governance, and risk management.
