Kiteworks | Your Private Data Network

Enabling Zero Trust Data Exchange in One Platform

Free Trial EXPLORE KITEWORKS
Home > Security and Compliance Blog > Cybersecurity Risk Management > AI Risk Finds Its Budget Line—Finally

AI Risk Finds Its Budget Line—Finally

by Patrick Spencer updated March 12, 2026 Cybersecurity Risk Management
Reading Time: 8 minutes

There is a particular kind of organizational confidence that comes from not knowing what you do not know. In cybersecurity, that confidence is expensive. The 2026 Thales Data Threat Report—drawn from a survey of 3,120 respondents across 20 countries—does the uncomfortable work of illuminating exactly how much remains in the dark.

Key Takeaways

  1. AI Security Is Finally Earning Its Own Budget Line. The 2026 Thales Data Threat Report found 30% of organizations now maintain a dedicated AI security budget, up from 20% the year prior. That shift matters because 59% of those same organizations experienced deepfake attacks, and 48% suffered reputational damage from AI-generated misinformation. Funding AI risk through general security budgets leaves organizations without the dedicated resources or clear ownership needed to respond when AI-specific incidents hit.
  2. Cloud Is Not Just Part of the Attack Surface—It Is the Attack Surface. According to the Thales report, cloud-based storage, cloud-delivered applications, and cloud management infrastructure hold the top three spots among reported attack targets at 35%, 34%, and 32% respectively. The average organization runs across 2.26 cloud providers and 89 SaaS applications. That footprint is not shrinking. Neither is the number of credentials, integrations, and access pathways that attackers can exploit within it.
  3. Encryption Coverage Is Moving in the Wrong Direction. The Thales report found only 47% of sensitive cloud data was encrypted in 2026, down from 51% the prior year. As cloud footprints expand, encryption governance is not keeping pace. The gap between what is sensitive and what is actually protected is widening—quietly, and without most organizations noticing until something goes wrong.
  4. Tool Sprawl Is the Enemy of Visibility. The Thales report found 77% of organizations use five or more data protection tools. Nearly half operate five or more key management systems. The result is fragmented telemetry, inconsistent policy enforcement, and an environment where misconfiguration—the leading cause of breaches at 28%—is structurally more likely. More tools does not mean better security. It often means more gaps with no one accountable for them.
  5. The Quantum Clock Is Already Running. The Thales report found 61% of respondents identify “harvest now, decrypt later” as their top quantum-related concern—and they are right to. Adversaries are collecting encrypted data today with the intent to decrypt it when quantum capabilities mature. Organizations that have not begun evaluating post-quantum cryptographic algorithms are not ahead of this problem. They are already behind it.

For the past several years, AI security has been a passenger in someone else’s car. Organizations funded AI initiatives from existing security allocations, which kept risk management tethered to whatever priorities already owned the budget. That is beginning to change. Thirty percent of respondents now maintain a dedicated AI security budget, up from 20% the year prior. That ten-point jump is not just a budget line moving. It signals that leadership is beginning to treat AI risk as a distinct discipline rather than a footnote in the broader cyber program.

The pressure driving that shift is real. Fifty-nine percent of respondents report experiencing deepfake attacks. Nearly half—48%—have encountered reputational damage linked to AI-generated misinformation. These are not theoretical scenarios being stress-tested in tabletop exercises. They are happening to real organizations, affecting real reputations, and creating very real legal exposure.

The remaining 70% of organizations still funding AI risk through general security budgets face a structural disadvantage: When AI-related incidents occur, there is no dedicated resource baseline to draw from, no clear ownership, and no budget flexibility that is not already spoken for. The organizations building dedicated AI security programs now are also the ones more likely to have structured approaches to data pipeline integrity, model access controls, and the authentication frameworks that govern who interacts with those systems.

Cloud Is the Attack Surface. The Numbers Make It Clear.

Cloud security conversations often get framed around misconfiguration and privilege management. Those are real concerns. But the 2026 Thales report situates them within a broader reality: Cloud assets are not just a risk vector—they are the primary attack surface. Cloud-based storage tops the list of reported attack targets at 35%. Cloud-delivered applications follow at 34%. Cloud management infrastructure—the control plane that governs access to everything else—sits at 32%. These three categories hold the top three positions. On-premises infrastructure does not appear until further down the list.

The attack techniques targeting cloud management infrastructure are instructive. Credential theft and compromise—including misappropriated secrets—is cited by 67% of respondents as a leading technique. Third-party vulnerabilities and API exposures follow. The pattern is consistent: Attackers are not brute-forcing their way into cloud environments. They are walking in through legitimate access pathways, using credentials that were poorly managed, over-provisioned, or never rotated.

This matters because the average organization operates across 2.26 cloud providers and 89 SaaS applications. Every application is an identity surface. Every integration is a potential exposure point. The attack surface is not a single perimeter to defend—it is a distributed, constantly expanding mesh of interfaces, credentials, and data flows that requires ongoing visibility and governance to manage.

And then there is the encryption picture. Forty-seven percent of sensitive cloud data is encrypted in 2026, down from 51% in 2025. That four-point decline is not dramatic in isolation. But the direction matters. As cloud footprints expand and sensitive data migrates to more environments, encryption coverage is moving in the wrong direction. The gap between what is sensitive and what is protected is widening, not narrowing.

Too Many Tools, Too Little Visibility

There is a version of data protection that looks, from the outside, like a mature program. Multiple platforms, layered controls, a roster of security vendors. The 2026 Thales report takes a closer look at that picture and finds something less reassuring underneath. Seventy-seven percent of respondents use five or more data protection tools. Nearly half use five or more key management systems. These are not indicators of a robust security posture. They are indicators of accumulated point solutions—each solving a specific problem, none providing a unified view of the environment.

The downstream effects of tool sprawl are predictable. Policy enforcement becomes inconsistent because different tools apply different rules to different environments. Telemetry is fragmented, which means security teams cannot build a coherent picture of what is happening across the estate. Incident response slows because analysts are correlating signals from multiple disconnected systems rather than working from a single source of truth.

Visibility into data location compounds the problem. Only 34% of respondents report complete knowledge of where their data is stored. Sixty-six percent are operating with partial inventories, uneven classification, and significant gaps in their understanding of where sensitive information actually lives. You cannot protect what you cannot see. You cannot classify what you have not found. And misconfiguration—the leading cause of breaches at 28%—becomes structurally more likely when governance is distributed across dozens of disconnected tools, each with its own configuration model and access controls.

Executives See a Different Breach Landscape Than Everyone Else

The 2026 Thales report surfaces a gap with direct implications for how organizations prioritize investment and communicate risk: Executives and the broader workforce do not share the same understanding of their organization’s breach history. Seventy-eight percent of CEOs, presidents, and managing directors report no experience with an on-premises breach. Among the broader survey population, that figure drops to 58%. For cloud breaches, 62% of executives report no prior incident history, compared to 54% overall.

There are a few ways to read this divergence. One possibility is that executives are sheltered from breach disclosures—that incidents are resolved at operational levels without reaching the C-suite. Another is that executives apply a different definitional threshold for what constitutes a breach. Whatever the cause, the implication is consistent: If executive leadership does not share the same threat landscape perception as the security teams responsible for day-to-day defense, the conversations about investment, risk tolerance, and incident response authority will be misaligned. That misalignment has consequences—in budget cycles, in response timelines, and in the organizational authority available to security teams when incidents occur.

Closing this gap requires more than better reporting. It requires a shared language for risk—one that translates technical exposure into business consequence, and that gives executives the context they need to make decisions that match the threat environment their organizations actually face.

Sovereignty and the Quantum Clock

Data sovereignty is no longer a regulatory abstraction. It is an architectural constraint reshaping how organizations think about where their data lives, who controls it, and what they do when the regulatory landscape shifts. Forty-five percent of respondents cite portability as the primary driver of their sovereignty initiatives. Thirty-four percent want full control over software and data. And 49% indicate that the physical location of cloud infrastructure matters for some or all of their workloads. These are not compliance checkbox responses. They reflect genuine strategic pressure to maintain control over data as regulatory environments evolve and geopolitical considerations influence technology procurement.

Alongside sovereignty, quantum risk is moving from theoretical concern to active program planning. Sixty-one percent of respondents identify “harvest now, decrypt later” as their top quantum-related concern. This is not a future threat. It is a present one. Adversaries are collecting encrypted data today with the intent to decrypt it once quantum computing capabilities reach sufficient scale. The data being captured now may still be sensitive years from now. Organizations handling regulated, long-lived, or strategically sensitive data cannot treat this as a future-state problem.

Fifty-nine percent of respondents report prototyping and evaluating post-quantum cryptographic algorithms. That figure is encouraging as a signal of awareness, but it also means roughly 40% of organizations have not yet begun evaluating what a cryptographic transition would require. The window for orderly migration is finite. Cryptographic agility—the ability to update encryption mechanisms without wholesale infrastructure replacement—is increasingly central to how mature security programs approach this challenge. Organizations that build that agility in now will have options that organizations starting later will not.

What This Means for Your Program

The 2026 Thales Data Threat Report does not describe a new kind of threat environment. It describes the same environment—cloud sprawl, credential abuse, fragmented tooling, regulatory pressure—at a more advanced stage of complexity. The organizations that struggle in this environment are not the ones without security programs. They are the ones whose programs have not scaled to match the pace of their infrastructure expansion.

The gap between how organizations think they manage data and how they actually do is not closing on its own. It requires deliberate effort: better data classification, tighter identity governance, consolidated tooling, and executive-level visibility into the actual breach landscape. It requires treating cryptographic planning as a present-tense project rather than a future consideration. And it requires honest accounting of where encryption actually covers sensitive data—and where it does not.

The organizations that close that gap in 2026 will not just be more secure. They will be better positioned to operate across the regulatory environments, cloud architectures, and threat conditions that define the next several years of enterprise security. The ones that do not will keep discovering those gaps the hard way—one incident at a time.

Frequently Asked Questions

Organizations that fund AI risk through general security budgets lack dedicated resources and clear ownership when AI-specific incidents occur. The 2026 Thales Data Threat Report found dedicated AI security budgets rose from 20% to 30% of organizations year-over-year—driven by the fact that 59% experienced deepfake attacks and 48% suffered AI-generated misinformation damage. Without a dedicated budget, those incidents compete for resources already committed elsewhere.

According to the 2026 Thales Data Threat Report, cloud-based storage (35%), cloud-delivered applications (34%), and cloud management infrastructure (32%) are the top three attack targets. Sixty-seven percent of attacks against cloud management infrastructure involve credential theft or compromise. With the average organization running 2.26 cloud providers and 89 SaaS applications, identity governance across every access pathway is the highest-leverage defense available.

Tool sprawl—which affects 77% of organizations using five or more data protection tools per the Thales report—fragments visibility, creates inconsistent policy enforcement, and slows incident response. The report ties this directly to misconfiguration, the leading cause of data breaches at 28%. When governance is distributed across disconnected point solutions, each with its own configuration model, the probability of control gaps does not decrease—it multiplies.

The executive visibility gap is significant and directly affects security investment. The Thales report found 78% of C-suite leaders report no on-premises breach experience, versus 58% of the broader workforce. When executive and practitioner threat perceptions diverge, budget decisions, risk tolerance, and incident response authority are all misaligned—meaning security teams often lack the organizational backing they need to act decisively when incidents occur.

The time to start is now. The Thales report found 61% of organizations cite “harvest now, decrypt later” as their top quantum concern—meaning adversaries are collecting encrypted data today to decrypt it when quantum capabilities mature. The data you are generating now may still be sensitive years from now. With 59% of organizations already prototyping post-quantum algorithms, the roughly 40% that have not started are already at a planning disadvantage.

Get started.

It’s easy to start ensuring regulatory compliance and effectively managing risk with Kiteworks. Join the thousands of organizations who are confident in how they exchange private data between people, machines, and systems. Get started today.

Schedule a Demo

Table of Contents

Table of Content
Share
Tweet
Share
Explore Kiteworks