Estimated reading time: 6 minutes
Nearly half of large enterprises lack full visibility into how their own employees use AI tools. That is the central finding of Protiviti’s fourth AI Pulse Survey. The report, titled “No Visibility, No Confidence,” surveyed 345 C-suite executives, board members, and IT leaders in February 2026. Its findings carry direct implications for cyber risk governance, insurance underwriting, and corporate liability. From shadow AI to embedded vendor tools to ungoverned third-party platforms, the AI risk is on the radar. It should be on the agenda.
The Scale Of The Blind Spot
The numbers tell a stark story. Among large organizations (those with more than $5 billion in revenue), 47% report they lack full visibility into employee AI tool usage. For mid-sized firms ($100 million to $5 billion in revenue), that figure rises to 68%. Two-thirds of all organizations report challenges with shadow AI, where systems run without proper oversight or approval. Only four in ten organizations have a formal AI governance framework in place. Even among the largest firms, one in three operates without one.
Shadow AI is a concern this publication has tracked closely. Earlier reporting on UpGuard’s State of Shadow AI showed the problem spreading to senior executives, not just frontline workers. The Protiviti data confirms that the trend has evolved into an enterprise-wide governance failure.
The Perception Gap Between IT And The C-Suite
The survey identifies a significant disconnect between IT leaders and senior executives. Forty-five percent of IT and operational security leaders say AI has increased cyber risk significantly. Only 30% of C-suite executives and board members share that view. That gap has consequences. When leadership underestimates the threat, organizations underfund detection and response. They delay control decisions. They overestimate how mature their AI controls actually are.
Across all respondents, 17% say AI has increased the threat level significantly. Another 42% say it has increased moderately. Only 13% believe AI is helping defense more than offense. Nearly one in three leaders reports they lack full confidence that security controls are keeping pace with AI-driven threats. That figure rises further as you move from the C-suite toward operational teams. Confidence does not grow with seniority. It shrinks.
Size Does Not Solve The Problem
More resources do not automatically produce better oversight. Large organizations face blind spots from redundant technology platforms, inconsistent compliance across business units, and the fragmented controls that follow merger and acquisition activity. The Protiviti data shows that even firms with dedicated security teams and significant budgets leave major gaps unaddressed.
Netskope’s 2026 Cloud Threat Report reached a similar conclusion. Generative AI use tripled across enterprises while policy violations doubled in the same period. Scale accelerates exposure. It does not contain it.
Why Formal Frameworks Change The Outcome
The survey finds a clear correlation between formal AI governance frameworks and stronger security outcomes. Where frameworks exist, leaders report greater visibility into AI tool usage, higher confidence in security controls, and sharper recognition of AI-driven threats at the board level. Among large organizations with a formal framework, only 21% report low confidence in their controls. Among small organizations without one, that figure rises to 39%.
Only 41% of all organizations surveyed have a formal AI governance framework in place. Another 43% say they are building one. A formal framework does not stop cyberattacks. It addresses a different problem: governing internal AI use with clear ownership, acceptable-use standards, and enforceable monitoring expectations. “Organizations can’t manage what they can’t see,” said Sameer Ansari, Global Lead, CISO Solutions at Protiviti. That statement is the practical standard against which boards and risk committees should measure their current AI governance posture.
Third-Party Embedded AI Is The Hardest Problem
Vendor-controlled AI sits inside most enterprise software stacks. It operates outside the oversight and scope limitations that internal tools carry. It updates without notice. And it processes data in ways that procurement and legal teams often cannot audit. This is where visibility breaks down most completely.
The survey asked leaders how they manage embedded AI risk in vendor software. Thirty-two percent of organizations cited tighter vendor security standards as their top priority. AI-specific training for executives and staff ranked second. Ensuring that corporate data does not train third-party models ranked third. Larger firms showed a rising emphasis on contractual controls and auditability requirements. Non-human identity exposure compounds this problem further. Vendor AI tools create machine-to-machine access pathways that most organizations have no mechanism to track.
Defensive AI Builds Confidence
The survey found that organizations combining defensive AI tools with robust staff training report stronger visibility into employee AI usage. That combination also correlates with higher leadership confidence in security controls. Among large organizations, 42% report significant use of AI in their security stacks. That compares with 21% of mid-sized firms and 15% of small ones.
A recent podcast conversation on cyber risk in 2026 addressed this dynamic directly. The speed advantage in modern cyberattacks now belongs to whoever has better AI tooling. Defenders relying on human-speed detection face a structural disadvantage against AI-accelerated offense. Defensive AI investment narrows that gap. Training sustains it.
Cyber Insurance Implications
The Protiviti findings translate directly into underwriting and coverage questions. Shadow AI creates untracked data flows, unapproved processing agreements, and potential regulatory exposure. Each of those conditions affects claims outcomes and policy terms. Cyber underwriters increasingly ask about AI governance posture during the application process. Identity security gaps add a further dimension. Unmonitored AI tools generate non-human identities that bypass standard access controls and expand the attack surface beyond what most policies anticipate.
For CFOs and General Counsel, the business case for governance investment is direct. Organizations with formal frameworks report better controls, stronger board confidence, and lower residual uncertainty. Those without frameworks carry unpriced liability across every AI-enabled process in their operation. Protiviti’s data makes the point clearly. Board-level AI governance is no longer an IT project. It is a corporate risk management obligation.
FAQ: Shadow AI Risk And The Protiviti AI Pulse Survey 2026
Shadow AI refers to the use of AI tools, models, or AI-enabled features inside an organization without formal approval, visibility, or governance controls. It creates untracked data exposure, policy gaps, and potential liability that standard cyber insurance policies may not cover.
Protiviti found that 47% of large organizations (those with more than $5 billion in revenue) lack full visibility into employee AI tool usage. Two-thirds of all organizations report shadow AI challenges. Only 64% of large organizations have a formal AI governance framework in place.
The survey found that 45% of IT leaders believe AI has significantly increased cyber risk, compared with only 30% of C-suite executives and board members. IT teams operate closer to day-to-day AI usage and identify gaps that executives often miss, including risks from vendor platforms and embedded AI tools.
According to the survey, 32% of organizations rank tighter vendor security standards as their top priority. AI-specific executive training ranks second. Ensuring that corporate data does not train third-party AI models ranks third.
Organizations with formal frameworks report stronger visibility into AI tool usage and higher confidence in security controls. Among large organizations with a formal framework, only 21% report low confidence in controls. Among small organizations without one, that figure rises to 39%.
Related Cyber Insurance Posts
- Markel Appoints Raphael Da Costa To Lead U.S. Cyber And Tech E&O
- New Podcast: Your Cyber Incident Response Plan Won’t Save You – Practice Will
- 70% of Leaked Secrets Remain Active for Years – GitGuardian Report Exposes Secrets Sprawl Cybersecurity Risk
- AI Cybercrime in 2025: A Dangerous Intersection
- Artificial Intelligence Report: Only 44% Ready to Support Secure AI, Delinea Finds(Opens in a new browser tab)
