Apono’s new 2026 State of Agentic AI Cyber Risk Report finds that companies are tightening controls as AI risks rise. In a global survey of 250 security leaders, 98% said they slowed deployments, added extra reviews, or reduced project scope. CEO Rom Carmel explained, “CISOs are pressing the brakes” as agentic AI gets closer to production. All respondents expected attacks on agentic workflows to be more damaging than traditional breaches, but only 21% felt ready to handle them. The report highlights identity and permissions as key challenges, along with increased budgets and skepticism toward vendors. For cyber insurers, this means tougher questions about privileged access, audit trails, and logs of autonomous decisions.
Report Scope And How Apono Ran The Study
Apono released The 2026 State of Agentic AI Cyber Risk Report in January 2026. The company surveyed 250 senior cybersecurity professionals worldwide. The study covered firms with 250 or more employees. It included respondents from the United States, Canada, the United Kingdom, Germany, France, Italy, and the Middle East and Africa. Global Surveyz conducted the research in December 2025.
Security Gaps Drive The Slowdown
Security and data concerns changed how nearly all respondents deploy agentic AI. Seventy-seven percent said they slowed down or added review steps. Another 21% reported major delays or reduced project scope. Only 2% made minor changes without affecting timelines. Apono summed it up simply: most organizations continue building, but add more checkpoints as they go.
Ofir Stein, Apono CTO and co-founder, tied the slowdown to basic access hygiene. “Organizations are still struggling to secure human access at scale,” he said. He also warned against broad autonomy without mature controls.
Agentic AI Moves Into Production With Guardrails
Many companies already use agentic AI, but teams keep its use limited. Fifty-seven percent said they use it only in certain workflows. Forty-two percent are still testing or prototyping. Just 0.5% have expanded use across teams, and another 0.5% have deployed it organization-wide. The report describes a careful approach to production and warns that permissions can change quickly once agents go live.
The report’s introduction set the core theme for defenders. “AI amplifies the deficiencies that already exist,” it said. The text pointed to weak identity governance and overprivileged access. It also highlighted limited visibility into permissions.
Leaders Expect A Bigger Blast Radius Than Classic Attacks
All respondents agreed that attacks on agentic workflows would be more damaging than traditional attacks. Fifty-one percent strongly agreed, while forty-nine percent somewhat agreed. The report connects this concern to the scale of these systems, which can move data and carry out tasks at machine speed.
This perspective influences boardroom discussions about AI risk. Teams believe mistakes will spread faster when software acts on its own, and they expect it will be harder to contain problems during a crisis.
Incidents Stay Rare, Yet The Window Feels Short
Few respondents have seen real-world incidents with autonomous workflows. Ninety-eight percent said they have never experienced or witnessed one, while two percent reported an incident in the past six months. The report urges action despite the low numbers, calling this “a narrow window of opportunity” and warning against becoming complacent during early adoption.
Detection And Response Teams Expect Tougher Work
Most respondents think investigations will get tougher once agents are involved in attacks. Ninety-nine percent expect it will be harder to detect and contain attacks on agentic workflows. Seventy-three percent think response work will be a bit harder, while twenty-six percent expect it to be much harder. The report ties these concerns to complex workflows and unclear decision paths.
Agentic Attacks Rank As Top Threats, Yet Readiness Lags
Respondents ranked well-known threats as the most damaging. Ransomware or malware was the top concern at 72%, followed by third-party or supply chain breaches at 68%. Agentic AI or autonomous workflow attacks came next at 48%, placing them among the top feared scenarios.
Readiness levels were much lower for agentic AI threats. Sixty-two percent felt prepared for cloud configuration issues, fifty-five percent for phishing, and fifty-four percent for ransomware. Only 21% felt ready for attacks involving agentic AI or autonomous workflows. The report highlights a clear gap in preparedness.
Accountability Sits With CISOs, Momentum Sits Elsewhere
Technical leadership drives many deployments. CIOs and CTOs ranked as the strongest internal advocates at 45%. CISOs and security leadership followed at 34%. CEOs or boards followed at 21%. The report also found clear risk ownership. Seventy-seven percent said the CISO or security leadership holds primary accountability.
Almost all respondents reported friction within their organizations. Ninety-eight percent agreed there is tension between AI goals and cybersecurity priorities, which affects budgets, timelines, and approvals.
Spending Rises, Yet Confidence Stays Modest
Respondents expect to spend more on security in 2026 to address AI and agentic threats. Sixty percent plan to increase spending by 1% to 25%, while forty percent expect a 26% or higher increase. On average, planned spending will go up by 18%.
Confidence in current tools was mixed. Fifty percent felt somewhat confident, forty-six percent were not very confident, and only 1.5% felt very confident. This lack of strong confidence explains why rollouts are slower and more reviews are added.
Vendors Face A Skeptical Customer Base
Respondents shared a common view of major AI vendors. All described vendors as “aware but overly optimistic.” The report mentioned Anthropic, Google, OpenAI, and Microsoft. No one described vendors as transparent or proactive.
Systemic Outcomes Worry Security Leaders
Respondents predicted a chain reaction of problems if agentic cyber risks continue. Seventy-four percent warned of critical infrastructure breakdowns, sixty-two percent saw faster AI-driven cyber threats, fifty percent expected public trust in agentic systems to fall, and forty-six percent anticipated more regulation or market fragmentation.
What This Means For Cyber Insurance Teams
Underwriters already consider ransomware and supply chain risk as key exposures. The report introduces new severe risks from AI in autonomous workflows and points to new control needs for identity governance. Insurers may start asking tougher questions about privileged access and permission visibility. Incident responders might require better audit trails for agent decisions. The report also looked at insurance outcomes: only 2% thought a “rise in insurance premiums or loss of insurability” was likely, but that could change quickly after a major incident.
Frequently Asked Questions
Apono published the report to measure agentic AI security readiness across enterprises. It focuses on autonomous workflows.
Apono released the report. CEO Rom Carmel and CTO Ofir Stein provided key statements.
Ninety-eight percent said security concerns slowed deployments or added review steps. Many teams reduced project scope.
Leaders cited identity gaps, permission sprawl, and weak access governance. They want clearer controls before autonomy scales.
All respondents said agentic AI workflow attacks would cause more damage than traditional cyberattacks.
Only 21% said they feel prepared to manage attacks involving agentic AI or autonomous workflows.
Ninety-eight percent reported friction between faster AI adoption and cybersecurity priorities. This tension slows production approvals.
Most respondents planned higher spending to address AI risk and agentic threats. Many expected double-digit increases.
Respondents described vendors as “aware but overly optimistic.” They want clearer controls and better transparency.
Underwriters may ask tougher questions about privileged access and audit trails. Claims teams may expect harder investigations.
Teams should tighten identity controls and permissions. They should add monitoring for autonomous actions and access changes.