in the AI era
Enterprise risk leaders are heading into 2026 facing a more volatile world than ever before. Geopolitical instability, economic uncertainty, and regulatory pressure are reshaping how organizations operate. But one force is accelerating how all these risks surface and compound: AI.
According to the ServiceNow 2026 Risk and Security Outlook, unpredictability and technology, particularly AI, have become the dominant drivers of enterprisewide risk.
They aren’t introducing entirely new threats. Instead, they’re accelerating the speed, scale, and interconnection of existing risks. As a result, even small failures can ripple quickly across systems, suppliers, and markets.
For our inaugural Risk & Security Outlook, we surveyed 1,000 senior executives across 11 industries worldwide. Nearly half of organizations (47%) report low to moderate confidence in their risk posture over the next 12 months—leaving them poorly positioned if risks intensify in 2026, as many executives expect.
“AI is collapsing the distance between risk and response,” says Ben de Bont, chief information security officer at ServiceNow. “When systems, identities, and workflows are deeply interconnected, disruption doesn’t stay contained; it cascades across the business at machine speed. That means leaders have less margin for error—and less time to respond.
This shift reflects how deeply AI has become embedded across the enterprise—and how tightly those systems are connected to other partners, platforms, and third parties. In such dense ecosystems, disruptions rarely stay local.
Executives overwhelmingly expect AI to intensify cyber risk over the next 12 months. The sharpest increases are expected in phishing and social engineering, insider threats, and data/IP theft, as adversaries use AI to automate reconnaissance, personalize attacks, and exploit weaknesses at scale.
Concern is also rising around disinformation, cloud misconfigurations, and denial-of-service attacks, particularly in cloud and SaaS environments, where missteps can go undetected until damage is done.
These trends are especially pronounced in sectors such as healthcare, nonprofits, and life sciences. Financial services and technology organizations report higher confidence—but remain far from immune. (Read AI security built for tomorrow with ServiceNow CISO Ben de Bont for more information.)
More than 80% of organizations are using generative and agentic AI, often across core business and risk workflows. But adoption is outpacing confidence—and, in many cases, governance.
Across every major risk dimension, many executives report low to moderate confidence in their ability to manage the downsides of these systems. The biggest concerns cluster around biased or unfair outputs, loss of human oversight, and sustainability impact from the energy required to power AI workloads.
Additional concerns include model drift and unintentional exposure of sensitive data. These are not edge cases. Rather, they are structural risks tied to how AI systems learn, act, and evolve over time.
The takeaway: Advanced AI rewards experience, discipline and sound governance. Organizations that move fast without governance accumulate risk. Over time, that risk will compound. Those that pair AI adoption with checks, governance, and deep oversight are far better positioned to capture value without amplifying exposure.
More than 80% of organizations are using generative and agentic AI, often across core business and risk workflows. But adoption is outpacing confidence—and, in many cases, governance.
Across every major risk dimension, many executives report low to moderate confidence in their ability to manage the downsides of these systems. The biggest concerns cluster around biased or unfair outputs, loss of human oversight, and sustainability impact from the energy required to power AI workloads.
Additional concerns include model drift and unintentional exposure of sensitive data. These are not edge cases. Rather, they are structural risks tied to how AI systems learn, act, and evolve over time.
The takeaway: Advanced AI rewards experience, discipline and sound governance. Organizations that move fast without governance accumulate risk. Over time, that risk will compound. Those that pair AI adoption with checks, governance, and deep oversight are far better positioned to capture value without amplifying exposure.
While risk priorities vary across industries and regions, AI consistently emerges as the factor accelerating exposure. Financial services, healthcare, and insurance face heightened risk due to sensitive data and regulatory scrutiny. Automotive, telecoms, and technology organizations face elevated operational and safety risks driven by software-defined products and global supply chains.
Across regions, executives describe different pressure points—but a shared concern that AI is amplifying both opportunity and vulnerability.
In North America, executives focus more heavily on AI-enabled cybercrime, cloud misconfigurations, and insider risk as digital complexity grows. In Europe, regulatory change and data governance loom larger, with AI risk closely tied to compliance and cross-border accountability. Across the Asia Pacific region, rapid innovation and geopolitical volatility heighten concern about how quickly AI-driven risks can emerge and cascade.
To prepare for these myriad threats, more than half of the organizations we surveyed are planning to significantly increase their cloud security and operational risk investments over the next budget cycle. At the same time, more than 60% do not forecast significant spending increases in foundational areas such as supplier risk management, identity governance, and AI-driven threat detection—widening the resilience gap.
Leading organizations are shifting from static controls to workflow-based governance, embedding risk management directly into how work gets done and using AI not just to drive efficiency—but to strengthen defense.
AI will continue to expand both opportunity and risk. The organizations that succeed will use it not only to drive efficiency, but to surface risk earlier and act faster as conditions change.
As threat velocity accelerates and systems grow more interconnected, even small gaps in governance or visibility can escalate into enterprisewide disruptions. Organizations that adopt AI faster than they govern it accumulate risk. Those that pair AI adoption with shared visibility, strong controls, and workflow-based governance are better positioned to respond at scale. The difference is not ambition, but operational discipline.
“We’re just getting started with what AI can do for defense,” says de Bont. “Yes, attackers tend to adopt new technology first. But those same tools give organizations the ability to move faster, see more clearly, and respond at scale.”
Get more insights in the complete 2026 Risk and Security Outlook report.
