Half of Security Leaders Report an AI Risk Programme. Their Practitioners Cannot Find It
Ask a CISO whether their organisation runs a formal AI risk management programme and half will say yes. Ask the practitioners working inside those same organisations, using the same wording, and the figure falls to 36%. That 14-point drop is the sharpest divergence in the 2026 SANS AI Survey Insights report, published by the SANS Institute on 15 July, and the identical phrasing rules out the comfortable explanation. Nobody is misreading the question. The two groups are looking at the same organisation, and one of them cannot find the programme.
The survey drew on 536 cybersecurity and IT practitioners globally alongside a dedicated module completed by 57 CISOs, CSOs, and security vice presidents, which is what gives the gap its force. This is not one population contrasted against another. It is the same organisation, reported from two altitudes, and the reports do not reconcile.
"For two years now, we've asked security teams where they actually stand with AI," said Matt Bromiley, the report's author and a SANS Certified Instructor. "Both years, the honest answer has been some version of moving fast and working it out as we go. What's changed in 2026 is how much weight is now sitting behind that answer."
The programme that exists above the people running it
The gap does not actually require two groups to appear. It is visible inside the leadership responses alone, where 50% report a formal AI risk management and compliance programme and 44% describe their organisation as still in the early stages of writing AI governance policy. Some proportion of leaders are holding both positions at once, which tells you that the phrase carries a great deal of weight in the language of leadership and considerably less in the language of operations. A programme, at that altitude, can mean an intention that has been agreed to.
Down where the work happens, the picture has hardly moved in a year. The share of practitioners reporting a formal AI risk programme went from 35% in 2025 to 36% in 2026, a one-point increase, while the share of security teams holding a governance role for enterprise AI climbed from 68% to 76%. Responsibility grew by eight points. The apparatus for discharging it grew by one. That is not a governance programme maturing slowly; it is accountability arriving without the means to act on it.
What practitioners do under that mandate is mostly episodic. AI security assessments and penetration testing lead at 30%, then collaboration with IT and data teams on secure deployment at 26%, developing risk frameworks and policies at 19%, and monitoring for breaches at 16%. An assessment is a photograph. It does not watch model behaviour between evaluations, enforce policy inside a daily workflow, or notice output drifting three weeks after the reviewer signed off. The field has become comfortable running an evaluation and remains thin on the continuous oversight that governance was supposed to mean.
Somewhere in the open response fields, one respondent described their own governance role as drafting governance and providing advice for leadership to ignore. It is a single anonymous line, and it proves nothing on its own. It also names the mechanism that the rest of the data can only circle.
Governance that nobody can point to is not governing much
Give the perception gap its material basis, and it stops looking like a disagreement about definitions. Sixty-three per cent of practitioners cannot see where AI models are being used across their organisation or what those models expose, a figure that rose from 56% the year before. Fifty-four per cent say no established frameworks exist for auditing AI at all, which is where it sat in 2025 and where it has stayed. Neither of those closes with another assessment form. A leader reading a signed policy and a practitioner staring at an unmapped estate will both report honestly, and they will report different organisations, because they are describing different things, and only one of them is the thing that governs anything.
The channels compound it. Only 41% of organisations use generative AI for security work under strict policy, while 39% describe usage as informal with no policy whatsoever. That informal 39% is a great deal of AI activity running entirely outside organisational sight, and it is difficult to square with a formal programme under any definition that has operational meaning.
Chris Cochran, Field CISO and Vice President of AI Security at the SANS Institute, sees the same thing outside the survey data. "The pattern we see in the field, and in this data, is that organisations are adopting AI far faster than they're able to govern it," Cochran said. The most common mistake, he noted, is treating a blanket block policy as risk management, and he stated that telling people not to use AI simply drives usage into the shadows, where management is even tougher. His remedy is deliberately unglamorous: name an owner, inventory the AI tools, write a one-page policy, brief the team, reassess in 90 days. That sequence, he said, moves most organisations from Stage 1 to Stage 2 governance inside a quarter. "A small company at a real Stage 2 is in a stronger position than an enterprise claiming a Stage 3 that it can't prove," Cochran added.
Which is the perception gap restated as a competitive fact rather than a compliance one, and it points directly at half of the leaders reporting programmes their own teams cannot corroborate.
A defensive bet, placed while the offensive side was already inside
The leadership view diverges from the survey's own evidence in a second place, and this one runs counter to it. Asked whether their priority over the past year had moved toward using AI for defence or toward protecting against AI-enabled threats, 63% of leaders chose defence, and 22% of them chose protecting against AI-enabled threats. Sixteen per cent moved toward threat protection.
On its own, that is a reasonable allocation. AI delivers genuine leverage in detection, investigation, and response, and building that capability is a defensible call. What makes it uncomfortable is what sits beside it in the same survey: 78% of organisations reported confirmed or suspected AI-enabled attacks in the past year, 45% of them confirmed. Ninety-five per cent of respondents believe threat actors are already using AI, and 58% of them significantly. Nearly every leader in the room accepts that the adversary has AI. One in six has moved the priority to deal with it. Adversarial AI is not a horizon item in this data; it is a present operating condition in more than three-quarters of the organisations surveyed, and the exposure is arriving faster than the priority shift reflects.
The defensive bet has not fully matured into protection either. Seventy-six per cent of leaders say their organisation is actively using AI for cybersecurity, near-identical to the 78% of practitioners, but among leaders using it, 44% call the deployment early production and 25% are still piloting. Twenty-eight per cent have reached mature production. SANS sets a single leader respondent describing AI as mission critical against the 11% of practitioners saying the same, a comparison resting on one answer in a 57-person module and worth treating as directional rather than conclusive, though the direction it points is consistent with everything else here: teams are running AI deeper in production than the leadership view registers.
The flat distribution is the finding
What adversaries are doing with AI turns out to matter less than the shape of it. Deepfake content edges ahead at 45%, AI-assisted vulnerability exploitation and AI-generated phishing follow at 44% each, adversarial attacks on AI models at 42%, automated reconnaissance at 40%, AI-powered brute forcing at 39%. Only AI-generated malware sits back, at 19%. Six techniques inside six points of each other is not a ranking. It is a distribution, and the flatness is the result: adversaries are threading AI through the entire attack life cycle rather than concentrating it anywhere, which means no single countermeasure covers the range of what organisations are already meeting.
The reach extends past the phishing-and-exploitation shorthand. Copilots and AI agents inherit the permissions of the users and service accounts behind them, so a compromised identity or a manipulated workflow reaches whatever sensitive data that identity was permitted to touch. What an attacker walks away with depends on how tightly access was scoped, which quietly makes least privilege an AI governance control rather than a separate identity and access management concern. Thirty-six per cent of practitioners already worry about sensitive data or company intellectual property leaking through employee use of AI tools, and the single most common adaptation organisations report planning, at 52%, is increasing visibility into where AI is being used at all.
One movement in the data cuts the other way and deserves care. Stated concern about AI-powered phishing fell from 83% in 2025 to 66% in 2026, and concern from 73% to 61%. The report reads this not as complacency but as arrival. A team countering AI phishing every week answers a question about what worries them differently from a team bracing for something it has not yet met. Falling concern, here, is the sound of a threat becoming routine.
Two altitudes, two problems
The divergence has one more layer, and it explains why the first two persist. Leaders look outward at the supply chain, ranking vendor efficacy and data responsibility as joint top concerns at 42% each, with the skills gap and the transparency problem tied behind at 33%. Practitioners look at the tools in their hands, naming transparency in AI decisions at 40% and efficacy of commercial vendor AI at 38%. Both are describing the same trust problem from different distances, and each is correct from where they stand.
The vendor number that should worry both of them sits elsewhere in the report. Sixty-nine per cent of organisations now run AI-specific third-party assessments, up from 57% in 2025. Inside that same pool, 47% also trust vendors to manage their own AI risk without auditing them, up from 27% a year earlier. Those two positions can only coexist if the assessment is a form being filled out rather than a question being asked. Unaudited vendor trust climbing 20 points while assessment activity also climbs describes a procurement ritual, not a control.
Trust in the tools themselves splits along a revealing line. Practitioners will let AI act unreviewed on threat classification at 49% and vulnerability prioritisation at 40%, and will not on behavioural anomaly detection at 29% or true identification at 30%. That tracks exactly where AI is strong, in structured classification, against where it is weak, in novel and context-dependent calls. The true positive figure is the one to watch, because confirming that a threat is real is the foundation on which everything downstream in response is built.
What closes the gap is operational, not declarative
None of this would matter much if the AI were reliably right. It is not, and increasingly, the people running it know it. Sixty-three per cent of practitioners report significant shortcomings when AI detects or responds to threats, up from 45% in 2025. Asked how often AI guidance had sent them the wrong way over 12 months, 32% said never, which leaves roughly two-thirds misled at least once: 23% between one and five times, 20% six to 10, 13% up to 20, and 9% more than 20 times. Teams that adopted AI to shed workload have, in many cases, acquired an error-checking workload alongside the one they already had.
Dave Shackleford, SANS Senior Instructor, reads that rise as exposure rather than decay. "What stands out to me is the jump from 45% to 63% of practitioners reporting real shortcomings in AI threat detection and response, and I don't read that as AI getting worse so much as teams finally running it at a scale where the cracks show," Shackleford said. The technology outpaces the discipline needed to run it well, he noted, and the gap sits there unnoticed until enough people depend on it. The skill worth building, he added, is not learning to prompt the tool well; it is knowing when to stop trusting what it gives you.
That is precisely what practitioners say works. Against AI-enabled threats, behavioural detection leads at 48%, user awareness training at 45%, human analyst review at 39%. AI-specific security controls sit at 23%. The top three answers are human and behavioural, which puts the workforce question underneath the governance question rather than beside it, and the load is already being felt: 73% of practitioners say AI changed their team's training requirements this year, up from 51%, a 22-point jump. Sixty-eight percent report AI-driven changes to their jobs, up from 54%, half of them describing traditional roles that now carry AI oversight duties. Sixty-four percent of organisations have an initiative to prepare their workforce for this, up modestly from 58%, which leaves more than a third with nothing.
"You can't fix these gaps without people who can catch what the tools miss," Bromiley said. "The teams that invest in upskilling now are also the ones positioned to get more out of the AI they have already bought, because the people running it know when to trust it and when to step in."
The report closes on three investments: validation infrastructure that tracks precision, recall, and continuous comparison rather than deployment volume; governance moved out of policy documents and into the operational controls practitioners actually use, with sensitive-data access and AI data exposure treated as core controls; and workforce development handled as an immediate operational need rather than a hiring goal parked in a future quarter. All three are versions of the same instruction. The thing leadership reports and the thing practitioners can point to should be the same thing. In half of the organisations surveyed, they are not, and the adversary is not waiting for them to agree.