The number of organizations that have implemented methods for identifying security risks in the AI tools they use has almost doubled in the space of a year.
Nearly two-thirds (64 percent) of all business leaders who participated in the World Economic Forum’s (WEF) Global Cybersecurity Outlook 2026 said that they assessed AI tools’ security risks before deploying them.
The finding represents a steep rise compared with last year’s 37 percent figure, and underlines how much of a priority AI security has become for organizations worldwide.
Nearly all respondents (94 percent) said that AI will be the most significant driver of cybersecurity change in 2026, and 87 percent believe that the associated vulnerabilities have increased – more than any other type of threat.
It’s true that The Reg was busy last year covering AI vulnerabilities. Prompt injections were the main culprits – there were lots of them – while AI code assistants were seen making expert devs worse, and in December, Google was called in to fix the security issues created by Gemini.
The WEF’s findings, published a week before its annual Davos meeting, offer a more positive view on the state of AI security across the world than the show of hands suggested at the NCSC’s annual conference in May.
In a room full of roughly 200 security professionals, not a single one could claim that they had a strong grasp of the security of their organization’s AI systems.
For leaders, the most common fear concerning AI right now is data leaks, the WEF survey noted. Coming in just behind is the advancement of adversarial capabilities, which makes sense given that the report also found that geopolitically motivated attacks were the most common feature of leaders’ risk strategies.
Sixty-four percent of organizations reported that geopolitical matters played the biggest role in shaping their cyber risk strategies, topping the list for consecutive years.
Geopolitics was far more of a concern for larger organizations, those with more than 100,000 employees, with 91 percent reporting that their security plans changed as a result, compared to just 59 percent for those with fewer than 1,000 staffers.
Gartner reached similar conclusions after surveying European CIOs and other IT leaders in 2025, finding that many were considering opting for a local cloud provider as data sovereignty fears escalate.
Geopolitics most commonly influences cybersecurity and cybercrime when it comes to the conflicts between major adversaries.
It is not uncommon for UK or US organizations to be pelted with DDoS attacks from Russian cyber troublemakers, for example.
Russia also has a history of targeting major sporting events, so organizations in the US may be preparing for politically-motivated cyberattacks later this year, as the world’s eyes will be on the FIFA World Cup this summer.
For CEOs, however, the threat from hacktivists is not even on their radars. Cyber-enabled fraud, such as phishing and social engineering, is the number-one concern, followed by AI vulnerabilities and exploits of software flaws.
Ransomware was the chief worry of 2025, and supply chain disruptions were third on the list last year, but both dropped out of the top three in 2026.
Ransomware remains the prime fear for CISOs, though. Both ransomware and supply chain attacks remain at ranks one and two, respectively, in security chiefs’ lists of nightmares.
The key to preventing the worst outcomes is for all organizations to pursue a heightened state of cyber resilience.
“Cyber resilience” is a phrase that’s repeated time and again by national security authorities for a good reason. It refers to an organization’s ability to minimize the impact of a cyberattack, should one penetrate its systems.
The majority of respondents to the WEF’s survey (64 percent) claimed that they met the minimum requirements for cyber resilience, while only 19 percent believed that they are exceeding those baseline standards.
Major attacks, such as those on JLR and M&S, high-profile events that led to extensive and costly periods of downtime for both businesses, illustrate the issues with minimizing cyberattacks that organizations continue to face. ®