Purple Book Community Research

State of AI Risk Management 2026 report

Security leaders are confident. The data tells a different story.

The Purple Book Community surveyed 650+ senior cybersecurity leaders across seven industries and two continents to identify the friction between AI adoption and enterprise control. This research documents “The Confidence Gap” – the measurable distance between what security leaders believe about their AI programs and what the data reveals about operational reality. By mapping these blind spots, this report provides a detailed blueprint for closing the gap before it becomes a breach.

Key findings:

  • The Shadow AI Paradox: 86% of organizations claim a complete AI inventory, yet 59% admit shadow AI is present and ungoverned.
  • The Detection Delusion: 92% of leaders trust their tools to find AI-code vulnerabilities, yet 70% have already seen those vulnerabilities reach production.
  • The Prioritization Crisis: 82% of security professionals say tool sprawl is actively hurting their ability to remediate the risks that actually matter.

According to the research,

“Security leaders aren’t lacking awareness. They’re lacking the ability to convert that awareness into governed action at the pace AI demands.”

Download the full report to master the shift from “visibility” to “control” and bridge the gap between AI velocity and enterprise security.


Executive Summary

AI has crossed the threshold from experimentation to enterprise standard, and security leaders believe they have it under control. The data suggests otherwise: 90% of organizations claim full visibility into their AI footprint, while 59% simultaneously confirm shadow AI is present and ungoverned. If you can see it, why can’t you control it?

The Purple Book Community surveyed 650+ senior cybersecurity leaders across seven industries and two continents. The leaders in this survey are not junior practitioners or early-career managers. They are CISOs, VPs, Directors, and Security Architects with direct operational responsibility for enterprise security programs. What they believe about their AI governance posture matters, and so does what the data reveals about the gap between that belief and operational reality.

What emerged is a portrait of confident governance layered over persistent, structural blind spots: a pattern we call “The Confidence Gap.”

The Claim

The numbers suggest a mature posture. 86% of security leaders claim to maintain a complete AI inventory. Nearly 90% believe they have visibility into AI data flows. And 83% say their existing security tools effectively detect vulnerabilities in AI-generated code.

The Reality

The outcomes tell a different story. Nearly six in ten of those same leaders admit to the presence of shadow AI. 70% report confirmed or suspected vulnerabilities introduced by AI-generated code. 73% admit the pace of AI-accelerated development has made it harder for security to keep up.

  • The cross-tabulations make the gap concrete. 57% of organizations that claim a complete AI inventory also admit shadow AI is present in their organization.
  • The code vulnerability data is equally striking. 92% of organizations with confirmed AI code vulnerabilities in production say their security tools effectively detect those vulnerabilities. If the tools work, how are the vulnerabilities reaching production? If the inventory is complete, where is the shadow AI coming from?

The Consequence

Security leaders aren’t lacking awareness. They’re lacking the ability to convert that awareness into governed action at the pace AI demands. The result is a widening gap between what teams know and what they can control. As AI adoption scales, this gap between awareness and action is becoming a critical operational liability.

This report maps The Confidence Gap across four core dimensions: Shadow AI and Data Exposure, AI Inventory and Governance, AI-Generated Code and Detection, and Tool Fragmentation and Prioritization. These findings come from the practitioners on the front lines, the leaders who must close the gap before it becomes a breach.
