AI Adoption Races Ahead While Security Foundations Trail, Kroll Reports


Key Takeaways

  • 76 % of organizations have suffered a security incident involving AI applications or models in the past two years.
  • 27 % of those incidents cost more than $1 million, highlighting the financial impact of weak AI‑related defenses.
  • Higher cyber‑maturity dramatically reduces risk: only 54 % of very mature organizations experienced an AI incident, versus 89 % of those with very low maturity, and 46 % of the most mature reported zero AI‑related incidents.

Overview of Kroll’s Cyber Resilience Research

Kroll, the independent global provider of financial and risk advisory services, released a comprehensive study that surveyed 1,000 cybersecurity decision‑makers from firms with annual revenues ranging from $50 million to over $5 billion across ten countries. Conducted in November–December 2025 by independent research firm Sapio Research, the study examined how rapid AI adoption aligns—or fails to align—with existing security governance, controls, and incident‑response readiness. The findings reveal a widening gap between the speed at which enterprises embed AI into operations and the maturity of the security foundations needed to protect those investments.

The Prevalence and Cost of AI‑Related Security Incidents

According to the report, three‑quarters of respondents (76 %) acknowledged experiencing at least one security incident tied to AI applications or models within the last two years. Nearly one‑third of those incidents (27 %) inflicted financial damages exceeding $1 million, underscoring that AI‑centric breaches are not merely technical nuisances but significant business‑impacting events. These statistics illustrate that, while AI promises efficiency and innovation, its deployment without adequate safeguards exposes organizations to costly vulnerabilities.

Barriers to Investing in AI Security

Despite recognizing the risks, 90 % of respondents cited obstacles that hinder greater investment in AI security. The most frequently mentioned barriers—lack of clear return on investment, insufficient executive comprehension of AI‑specific threats, and a prevailing belief that existing controls are sufficient—account for roughly 40 % of the total impediments. This perception gap suggests that many leaders view AI security as an optional add‑on rather than an integral component of AI adoption, which perpetuates under‑investment and leaves critical defenses unaddressed.

The Innovation‑Security Trade‑Off

The research highlights a stark disparity between AI spending and security testing. On average, organizations allocate only 13 % of their AI initiative budgets to using AI for testing security controls or validating the models themselves. In contrast, firms with highly mature security practices are six times more likely to devote over 20 % of their AI budgets to such testing activities. This imbalance reveals a fundamental disconnect: while enthusiasm for AI‑driven innovation runs high, the corresponding investment in verifying that those innovations are secure continues to lag, leaving sizable gaps in the overall AI security posture.

Governance Gaps Expand the Attack Surface

Almost half of the surveyed organizations (48 %) reported having little to no formal governance overseeing the adoption of AI tools and services. The absence of centralized policies, inventory management, and risk‑assessment processes means that AI technologies can be procured, deployed, and integrated ad hoc, dramatically enlarging the organization’s attack surface beyond its traditional perimeter. Without governance, shadow AI proliferates, making it difficult for security teams to maintain visibility, enforce controls, or respond swiftly to incidents involving unauthorized or poorly vetted AI components.

Maturity Matters: Foundational Security Reduces AI Risk

A clear correlation emerges between organizational cyber maturity and the likelihood of experiencing an AI‑related security incident. Organizations classified as having very low cyber maturity reported an incident rate of 89 %, whereas those with very high maturity saw that figure drop to 54 %. Moreover, 46 % of the most mature respondents noted zero AI‑related cyber incidents over the two‑year window, demonstrating that robust security foundations directly translate into AI security resilience. Supporting this trend, 69 % of high‑maturity firms maintain a centralized AI platform strategy equipped with security controls, compared to only 39 % of low‑maturity peers.

Expert Perspectives on Secure AI Adoption

Dave Burg, Global Group Head of Cyber and Data Resilience at Kroll, emphasized that the pressure to harness AI for faster, more precise threat response must not come at the expense of basic prevention, detection, and response capabilities. He warned that enthusiasm for AI integration without first securing the fundamentals creates a dangerous “security debt.” Burg noted that AI itself is not inherently risky; rather, it amplifies existing weaknesses when foundational safeguards are absent. He pointed to Kroll’s participation in CrowdStrike’s Charlotte AI AgentWorks Ecosystem as an example of how operationalizing AI within managed detection and response can help organizations build tailored agents that speed investigations and remediation.

Quiessence Philips, Head of Security Architecture and Engineering at Kroll, echoed the sentiment that AI’s productivity gains are undeniable but cautioned against pursuing them without concurrent investment in security foundations. She described the agentic AI ecosystem as the fastest‑growing enterprise attack surface, noting that organizations most at risk are those chasing AI opportunities while neglecting to build security alongside innovation. Philips argued that secure architecture, identity management, incident response, and a strong security culture are not impediments to innovation; they are the enablers that make AI‑driven innovation sustainable over the long term.

Methodology and Scope

The study’s methodology involved an online questionnaire distributed to senior cybersecurity professionals responsible for strategy, operations, and risk management. Participants represented a diverse set of industries and geographies, ensuring that findings reflect a broad, global perspective on AI security challenges. By focusing on organizations with revenues between $50 million and $5 billion, the research captured both mid‑market players and large multinational corporations, offering insights applicable across the enterprise spectrum.

About Kroll

Kroll leverages nearly a century of expertise in risk, governance, transactions, and valuation to help clients anticipate and navigate complex financial and risk challenges. With a workforce of more than 6,500 professionals worldwide, the firm combines deep industry knowledge, proprietary data, and advanced technology to deliver actionable intelligence. Kroll’s commitment to independence and rigorous analysis positions it as a trusted advisor for organizations seeking to strengthen resilience in an era of rapid technological change, including the accelerating adoption of artificial intelligence.

Accessing the Full Report

The complete findings, detailed charts, and supplemental analyses are available on the Kroll website. Interested parties can also register for an upcoming webinar where Kroll experts will discuss the results in depth, offer practical recommendations, and answer questions about building secure AI programs that align innovation with robust security posture.


By aligning AI ambition with mature security governance, testing investment, and foundational controls, organizations can close the current gap, mitigate costly incidents, and harness AI’s transformative potential without sacrificing resilience.
