KPMG Survey Finds CISOs Caught Between AI Ambition & Security Reality

KPMG Survey Finds CISOs Caught Between AI Ambition & Security Reality

By
Key Takeaways
  • Cyberattacks Continue to Rise: Eighty-three percent of surveyed organizations reported an increase in cyberattacks over the past year, with phishing, denial-of-service attacks, and ransomware remaining among the most common threats.
  • AI Adoption Remains Uneven: While organizations are investing heavily in AI, only 24% have fully integrated it into their cybersecurity programs, with trust, reliability, and explainability continuing to slow broader adoption.
  • Complexity Is Undermining Security: KPMG identifies fragmented security architectures and growing IT complexity as persistent obstacles, arguing that simplifying and unifying security environments may deliver greater resilience than adding more point solutions.
  • Boards Want Business Outcomes: Forty-two percent of security leaders struggle to demonstrate cybersecurity ROI to executives and boards, reflecting growing expectations that CISOs connect security investments to resilience, operational continuity, and business performance.
  • Identity Risk Is Expanding Beyond Humans: The rapid growth of nonhuman identities (including service accounts, API keys, machine credentials, and AI agents) is creating a larger attack surface and elevating identity governance as a strategic cybersecurity priority.
Deep Dive

For all the attention artificial intelligence receives in boardrooms, one number in KPMG's latest cybersecurity survey stands out because of how ordinary it is. Only 24% of large organizations say AI is fully integrated into their cybersecurity programs. The rest are somewhere in between, testing it in isolated functions, weighing its value, or waiting for confidence to catch up with capability.

That hesitation exists alongside another trend that is moving much faster. Eighty-three percent of security leaders report cyberattacks increased over the past year. Phishing remains stubbornly effective. Denial-of-service attacks continue to disrupt operations. Ransomware has hardly disappeared. AI has become part of the threat landscape, but it has not displaced the attacks security teams have been fighting for years. It has simply made them more complicated.

Those are among the findings from KPMG's 2026 Cybersecurity & Technology Risk Survey, which surveyed 310 security leaders at U.S. organizations with annual revenue exceeding $1 billion. The report examines how chief information security officers are responding to rising attack volumes, accelerating AI adoption, persistent skills shortages, and growing pressure to demonstrate that cybersecurity is more than a cost center.

What emerges is less a story about technology than one about execution. Most organizations understand where cyber risk is heading. The harder question is whether their operating models are changing quickly enough to meet it.

AI Is Expanding the Battlefield

The survey captures an uncomfortable reality that security leaders increasingly accept. Artificial intelligence has become both an offensive weapon and a defensive tool. Respondents identified generative and agentic AI as the emerging technologies most likely to reshape cyber risk, alongside cloud computing, Internet of Things deployments, operational technology, and quantum computing. Yet enthusiasm for AI is tempered by caution. Trust remains the dominant obstacle to wider adoption, particularly confidence that AI-generated outputs are accurate, reliable, and sufficiently explainable for security operations.

That helps explain why implementation remains uneven. While only about one-quarter of organizations describe AI as fully integrated into cybersecurity, another 53% report partial implementation focused on specific use cases. The report suggests that the most immediate value may not come from increasingly sophisticated detection models, but from something less glamorous. AI can help organizations identify unnecessary complexity inside their own environments, where sprawling infrastructure, disconnected tools, and inconsistent processes often create vulnerabilities long before an attacker arrives.

Matthew P. Miller, a principal in KPMG's Cybersecurity & Technology Risk practice, argues that reducing complexity itself has become a practical application for AI because complexity remains one of security's greatest adversaries.

More Spending Has Not Solved the Architecture Problem

Cybersecurity budgets continue to rise. Nearly 70% of respondents say more than 11% of their cybersecurity spending now goes toward AI-related initiatives. At the same time, 74% expect cybersecurity staffing to grow by more than 11%, suggesting organizations are investing simultaneously in technology and people rather than treating one as a substitute for the other.

Yet larger budgets have not eliminated an older problem. The survey repeatedly returns to fragmented security architectures and IT complexity as barriers to better performance. Organizations continue adding security products while struggling to connect them into a coherent operating model. More tools have not necessarily produced more visibility.

KPMG argues that progress increasingly depends on consolidation rather than expansion. Unifying security telemetry, inventories, and operational workflows gives organizations a more complete picture of enterprise risk while creating conditions where automation and AI can produce meaningful gains instead of adding another layer of complexity.

Managed service providers are becoming part of that equation. Fifty-five percent of respondents now rely on managed security providers for cyber threat intelligence, reflecting growing demand for external expertise as attack volumes rise and specialized talent remains difficult to recruit.

As Chris Crevits, principal of Cyber Managed Services at KPMG, notes in the report, the strongest providers increasingly distinguish themselves through automation and large-scale analysis rather than simply collecting information.

The Board Wants a Different Conversation

For many CISOs, the technical challenges are becoming familiar. The communication challenge is newer. Forty-two percent of respondents say they struggle to clearly demonstrate the return on cybersecurity investments to executive leadership and boards.

That statistic says something about expectations as much as performance. Boards are asking questions that cannot be answered with vulnerability counts or lists of completed security projects. They want to understand resilience, operational continuity, customer trust, and financial exposure. Cybersecurity has become another enterprise risk discussion, and the language increasingly resembles business strategy more than technology management.

The survey suggests organizations making the strongest progress are measuring outcomes rather than activity. Incident volume, vulnerability remediation rates, and mean time to detect have become core indicators because they illustrate whether security programs are becoming more effective over time instead of simply becoming busier.

Identity Is No Longer Just About People

The report also highlights a shift that receives less public attention than AI but may prove equally significant. Organizations now manage growing numbers of nonhuman identities, including service accounts, API keys, machine credentials, software tokens, and autonomous agents. These identities frequently fall outside the governance processes developed for employees, leaving ownership unclear and lifecycle management inconsistent.

The attack surface continues expanding as organizations automate more business functions and deploy AI across their operations.

KPMG argues that hybrid operating models are becoming an increasingly common response. Internal security teams are supplemented by managed security services, while automation helps offset persistent shortages of cybersecurity professionals and supports continuous monitoring across increasingly complex environments.

Fundamentals Still Matter Most

One figure near the end of the survey offers a useful reminder about priorities. Only 27% of respondents say their organizations are actively implementing post-quantum cryptography. Quantum risk remains firmly on the horizon. Today's operational weaknesses are not.

The report argues that organizations will gain little from sophisticated emerging technologies if foundational controls remain inconsistent. Data protection, identity governance, unified security architecture, and disciplined operating processes remain the building blocks of cyber resilience, regardless of how quickly AI capabilities evolve.

That conclusion feels almost unfashionable given the industry's current fascination with artificial intelligence. It is also difficult to dispute. The survey finds organizations investing heavily in AI while still wrestling with fragmented systems, governance gaps, and challenges demonstrating business value. New technology has not changed the fundamentals. It has simply made getting them right more important than ever.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.

Oops! Something went wrong