Key takeaways from the 2025-2026 Cyber 60 CISO Survey related to AI security in communications
The Big Picture: AI Is Both a Security Risk and the Solution
The latest Fortune Cyber 60 CISO survey shows how quickly AI has moved from experimentation to essential infrastructure. 46% of organizations say AI has already become critical to their business and security strategies while 75% have experienced or suspected AI-related security incidents. AI risk is no longer theoretical; it is operational, legal, and reputational. In just the past few years, high-profile examples have shown how easily AI tools can expose organizations to serious harm: Samsung employees inadvertently leaked confidential source code by pasting it into ChatGPT; Air Canada was held legally liable after its chatbot provided incorrect fare guidance to a customer; an AI coding assistant from Replit reportedly deleted a production database and attempted to conceal the error; New York City’s MyCity chatbot dispensed advice that could lead users to break the law; and iTutorGroup settled claims that its AI recruiting software discriminated against older applicants. Together, these incidents underscore a critical reality: organizations are accountable for the behavior and outputs of their AI systems and without proper governance, visibility, and oversight, AI can quickly become a liability instead of an advantage.
AI is now influencing how work is created, interpreted, and acted on. Generative AI accelerates communication and decision workflow, but it also introduces new forms of exposure such as model manipulation, prompt injection, and jailbreak behavior. Supervisory and review AI is now needed to identify and mitigate these issues in real time, because traditional manual or rules-based controls cannot keep pace with the volume and speed of AI-influenced content.
The survey exposes a defining challenge at the heart of deploying and securing AI: artificial intelligence is rapidly becoming both an organization’s greatest source of risk and its most indispensable capability. As AI adoption accelerates across the enterprise, security leaders are being forced to reexamine long-standing assumptions about control, visibility, and trust, often discovering that traditional security models no longer apply.
With that context, several standout takeaways from the report deserve reflection:
Standout Takeaway 1: AI Incidents Are Already Happening, Yet Visibility Gaps Persist
According to the report, 75% of organizations experienced or suspected an AI related security incident in the past year. The problem is not only the incident itself, but the lack of visibility into how AI influenced the information that was created, shared, or acted on. When organizations talk about “AI risk,” they often lump very different threats into a single conversation. In reality, there are two distinct AI risk surfaces, and they demand very different controls and ownership models.
1. External AI Threats: AI Used by Bad Actors
This category covers AI being weaponized by attackers to:
- Generate more convincing phishing and social engineering campaigns
- Automate fraud, impersonation, and identity abuse
- Scale malware development or reconnaissance
These threats are real, but they are largely extensions of traditional cybersecurity problems. They are typically addressed through security tooling such as email security, endpoint protection, network defenses, and identity controls. In short, this is AI used against the organization.
2. Internal AI Usage Risk: AI Used Inside the Organization
The larger and often underestimated risk surface is internal AI usage: the AI tools employees are actively using to do their jobs.
This includes sanctioned tools like copilots and meeting assistants, as well as unsanctioned “Shadow AI” tools. Risks here include:
- Sensitive data being entered into AI prompts without proper controls
- AI-generated outputs that are inaccurate, biased, or misleading
- Autonomous AI actions taken without human review or accountability
- Lack of auditability when regulators ask what the AI said, decided, or recommended
- Compliance failures caused by missing records, incomplete capture, or opaque decision logic
Unlike external threats, the organization is directly responsible for these outcomes. Regulators, customers, and courts don’t differentiate between human error and AI error; the liability rests with the firm.
Why Internal AI Usage Is the Bigger Surface Area
Internal AI usage scales quickly. Every employee becomes an AI operator. Every prompt and response becomes a potential compliance record. Every automated decision becomes something the organization must be able to explain and defend.
Blocking AI outright doesn’t solve this problem, it pushes usage into the shadows. The only sustainable approach is enablement with governance: allowing approved AI tools to be used, while maintaining visibility, controls, and oversight. If prompts, responses, summaries, or recommendations are not captured in context, organizations cannot determine how decisions were shaped or whether they aligned with policy and oversight expectations.
Visibility has become a foundational requirement for all digital communications: text, video, cloud-voice and now aiComms, too. Communication workflows rarely stay in a single channel. An AI generated draft may be refined in chat, discussed in a meeting, and finalized in email. To understand how AI shaped the exchange, organizations need to see what was prompted, what the AI returned, and how that content was interpreted across conversations over time, especially as risks such as prompt injection, jailbreak behavior, hallucinated outputs, and inaccurate summaries continue to emerge.
Security, compliance, and IT teams benefit when AI influenced communications are captured, searchable, supervised, and retained with full conversational context. Reviewing AI outputs alongside the messages, meetings, and files where they were used allows organizations to verify how information was generated, how it evolved, and how decisions were made. This restores visibility, which is the core requirement for governing AI safely at scale within communications.
Standout Takeaway 2: CISOs Are Prioritizing Governance Over Raw Capability
CISOs are shifting from expanding AI capabilities to strengthening control and oversight of how AI is used. 55% plan to evaluate AI model access governance tools, and 54% plan to adopt secure inference platforms. The priority is no longer simply adding more AI; it is ensuring that AI is used in ways that are intentional, observable, and aligned to organizational policies.
As AI generated content becomes part of business communication and decision making, organizations require clarity not only on what AI can produce, but who can use it, how it is being used, and under what conditions. Governance is now defined by the ability to supervise usage while supporting collaboration, rather than restricting or slowing access.
Effective governance means enabling employees to use AI tools confidently within approved channels, with the assurance that communications and AI influenced content can be captured, reviewed, and retained when necessary. When AI usage is observable rather than opaque, organizations can support innovation while upholding compliance, security, and accountability.
Standout Takeaway 3: Vendor AI Strategy Now Drives Purchasing Decisions
Vendor selection now depends heavily on how a provider designs and governs the AI inside their own platform. 82% of survey respondents say a vendor’s AI strategy is very or critically important. Organizations are no longer looking for tools that simply offer AI. They are evaluating whether the AI is trained responsibly, whether it behaves predictably, and whether its outputs can be explained and reviewed when needed.
The practical concern for compliance and supervision teams is whether the vendor’s embedded AI can be trusted inside regulated review workflows, where findings and decisions must be explainable and defensible. If the AI is flagging risk, scoring content, summarizing conversations, or influencing escalation criteria, reviewers must be able to trace how those determinations were made and validate them when challenged. Reliability and explainability are now purchasing criteria, not technical enhancements.
Vendors who provide transparent model behavior, documented training practices, human-in-the-loop oversight, and certified integrations reduce operational and regulatory risk. This allows organizations to adopt AI capabilities without introducing uncertainty into supervisory, investigatory, or audit processes.
Standout Takeaway 4: Prompt Manipulation and Shadow AI Are Emerging as Key Operational Risks
Organizations are already dealing with a broad spectrum of AI-driven threats, but two are particularly relevant for security and compliance teams: 41% report prompt injection and jailbreak attempts, and 41% report shadow AI or unsanctioned usage inside communication workflows.
Prompt manipulation is not just a model-security issue. It affects how meaning is shaped inside conversations, where AI-generated summaries, interpretations, or recommended actions can shift the tone or intent of communication in subtle ways. Shadow AI reflects something different: employees turning to unapproved AI tools because the sanctioned workflow is too slow, unclear, or inconvenient for the pace of their work.
These are not “user misbehavior” problems. They are oversight access problems. When AI is used outside observable channels, organizations lose the context needed to understand how decisions were influenced, why they changed, or what triggered a risk signal.
The focus of risk and compliance leaders, along with CISOs more broadly, is moving from stopping usage to making usage observable, so meaning and intent can be supervised when it matters.
Standout Takeaway 5: AI Risk Surface Assessments Are Becoming a Priority Focus
Organizations are now focusing on understanding their AI threat surface and where AI is already showing up across communication workflows. 94% have conducted or plan to conduct AI threat surface assessments, signaling a shift from experimenting with AI to identifying where oversight and review need to be strengthened.
For compliance, security and compliance teams, these assessments are less about evaluating the AI models themselves and more about determining:
- Where AI is influencing communication or decision-making
- Whether the resulting content introduces security, compliance or regulatory risk
- Whether the communication contains private data or restricted IP
- Whether the content is accurate (fact-based, complete, and inclusive of required disclaimers)
The goal is to get a clear picture of where AI intersects with human decision-making, so teams know where review matters, where context must be preserved, and where policy needs to evolve.
This isn’t about slowing AI adoption. It’s about making sure AI-assisted work can be located, understood, and supported before it becomes embedded in daily communication patterns.
In Conclusion
Taken together, these findings show that organizations are moving from experimenting with AI in communication workflows to governing how it shapes meaning, decision-making, and accountability. Visibility, governance frameworks, trust in vendor AI design, layered defense against prompt and usage risks, and focused assessment on where AI intersects with human judgment are all converging into a new requirement: AI must be observable and reviewable inside communication systems, not separate from them.
Theta Lake has been named to the 2026 Fortune Cyber 60, highlighting our ongoing commitment to delivering comprehensive and innovative Digital Communications Governance and Archiving solutions that help organizations improve security and compliance outcomes across textual, audio, visual, and AI-generated communications. Our platform is built to make AI-influenced communications searchable, reviewable, explainable, and supportable across channels, so risk, compliance, UC, and supervision teams can adopt AI confidently rather than cautiously.
As organizations continue refining how AI supports both productivity and oversight, the ability to see and understand how AI participates in communication will define the difference between accelerated progress and accumulating unseen risk.
