Key Takeaways
- Lack of Formal AI Policies: Four in ten security practitioners report that their organization has no formal policy governing AI adoption.
- Limited Visibility: More than six of ten practitioners say they cannot see where AI models are deployed or what data those models might expose.
- Governance Role vs. Framework Gap: Although about 75 % of practitioners hold a governance‑related responsibility for enterprise AI, over half say there are no established frameworks for auditing AI systems.
- Perception Disconnect Between Leaders and Practitioners: Half of senior security leaders claim a formal AI risk‑management program exists, while only 36 % of frontline practitioners agree—a 14‑point gap indicating differing views on actual guardrails.
- Survey Basis: The findings stem from a SANS Institute survey of 536 global cybersecurity and IT practitioners, supplemented by a dedicated module of 57 senior security leaders (CISOs, CSOs, security VPs).
- Broader Risk Implications: S&P has warned that weak AI governance could jeopardize corporate credit ratings, underscoring the financial stakes of inadequate oversight.
- Evolving Use of AI in Security: Six in ten practitioners now employ AI for red‑teaming activities, up from roughly one‑third in the previous year’s survey, showing rapid operational adoption despite governance lag.
Governance Policies Lag Behind AI Adoption
Enterprise security teams are integrating artificial intelligence into their defenses at an unprecedented pace, yet the policies meant to govern that integration remain sparse. According to the SANS Institute report, 40 % of surveyed security practitioners indicated that their organization lacks any formal policy for AI adoption. This absence of documented guidance leaves teams to navigate AI deployment on an ad‑hoc basis, increasing the risk of inconsistent controls, uncontrolled data exposure, and compliance challenges. The data suggest that while technology moves quickly, the procedural scaffolding required to keep it secure is still being built in many organizations.
Visibility Into AI Model Usage Is Scarce
Closely tied to the policy deficit is a pronounced lack of visibility into where AI models are actually operating and what information they might be handling. More than 60 % of practitioners reported that they have no clear view of AI model deployment within their environments or of the specific data sets those models access. Without such visibility, security teams cannot effectively monitor for data leakage, model drift, or adversarial manipulation, leaving blind spots that threat actors could exploit. The gap underscores a need for inventory‑type capabilities—such as model registries and data‑flow mapping—to provide the transparency essential for risk management.
Governance Responsibilities Exist, But Audit Frameworks Do Not
Interestingly, a substantial majority—approximately 75 %—of respondents said they hold a governance‑related role concerning enterprise AI, indicating that organizations are assigning accountability for AI oversight. However, more than half of those same practitioners noted that there are no established frameworks for conducting AI audits. An audit framework would typically define criteria for evaluating model integrity, data provenance, bias mitigation, and compliance with internal or external standards. The absence of such structures means that even when responsibility is assigned, practitioners lack the concrete tools and processes needed to verify that AI systems meet security and regulatory expectations.
Perception Gap Between Security Leaders and Frontline Practitioners
The report highlights a notable divergence in how senior security leaders versus frontline practitioners view the state of AI risk management. About 50 % of security leaders (CISOs, CSOs, VPs) asserted that their organization has a formal AI risk‑management program, whereas only 36 % of practitioners agreed with that statement—a 14‑point difference. Matt Bromiley, a SANS certified instructor and the report’s author, characterized this discrepancy as a “perception problem”: leaders may believe governance is in place, but those who operate the tools daily do not see the corresponding guardrails on the ground. This misalignment can lead to overconfidence among executives and insufficient resourcing or attention to practical security measures.
Survey Methodology Provides a Robust Global View
The insights presented are drawn from a comprehensive SANS Institute survey that included 536 cybersecurity and IT practitioners from around the world. To capture leadership perspectives, the study also incorporated a dedicated module of 57 senior security leaders, encompassing chief information security officers, chief security officers, and security vice presidents. This dual‑layer approach allows the report to contrast strategic viewpoints with operational realities, offering a nuanced picture of how AI governance is perceived and experienced across different organizational tiers. The global scope further enhances the relevance of the findings, suggesting that the observed gaps are not confined to a single region or industry sector.
Broader Financial and Reputational Risks Emphasized by Rating Agencies
Beyond technical concerns, the report notes that inadequate AI governance could have tangible financial repercussions. S&P Global has previously warned that companies failing to strengthen their security governance—including oversight of AI‑driven systems—risk jeopardizing their credit ratings. Such warnings reflect growing recognition among rating agencies that cybersecurity weaknesses, particularly those stemming from rapidly adopted technologies like AI, can materially affect an organization’s risk profile. Consequently, enterprises that neglect to establish clear AI policies, visibility mechanisms, and audit frameworks may face not only heightened breach likelihood but also potential downgrades that increase borrowing costs and erode investor confidence.
AI Is Rapidly Reshaping Security Practices, Particularly Red‑Teaming
Despite the governance shortcomings, AI is already reshaping how security teams operate. The survey revealed that six out of ten practitioners now employ AI for red‑teaming—simulated attacks designed to test defenses—compared with just one‑third in the previous year’s survey. This sharp increase indicates that organizations are leveraging AI’s speed and pattern‑recognition abilities to enhance offensive security exercises, thereby improving threat detection and response readiness. However, the accelerated adoption of AI in‑vivo use of AI for red‑teaming also amplifies the need for robust governance; without proper oversight, AI‑driven testing tools could inadvertently expose sensitive data, generate false positives, or be subverted by adversaries, turning an asset into a liability.
Overall, the SANS Institute findings illustrate a classic scenario of technology outpacing policy: while security teams are eagerly applying AI to bolster defenses—especially in areas like red‑teaming—the underlying governance structures, visibility controls, and audit frameworks remain insufficient. Closing the perception gap between leaders and practitioners, instituting formal AI policies, implementing model inventories, and adopting standardized audit practices are essential steps to ensure that AI’s benefits are realized without compromising data security, regulatory compliance, or financial stability.

