Jul 16, 2026
Enterprise

SANS survey finds AI security use outpacing governance controls

Cybersecurity teams are adopting AI faster, but many lack policies, audit frameworks and visibility into model use, according to SANS Institute survey data.

Colin Brandt

By Colin Brandt · Enterprise Reporter

· 3 min read

SANS survey finds AI security use outpacing governance controls
Photo: CIO Dive

Enterprise security teams are putting AI into cyber defense programs at a rapid clip, with SANS Institute reporting that cybersecurity AI use rose to 78% from 50% in a year. The industry problem is less adoption than control: SANS found large gaps in formal policies, audit practices and visibility into where models are being used.

The findings come from a SANS Institute report released Monday, based on a global survey of 536 cybersecurity and IT practitioners. The study also included a separate module of 57 senior security leaders, including CISOs, CSOs and security vice presidents, according to SANS.

For vendors selling AI into the security stack, the report cuts both ways. Demand is clearly there, especially as teams use AI for tasks such as red teaming. But buyers appear to be deploying faster than their governance functions can absorb, which creates risk for CISOs and friction for procurement, compliance and board oversight.

Governance is lagging adoption

SANS said four in 10 security practitioners reported that their organizations have no formal policy for AI adoption. More than six in 10 said they lack visibility into where AI models are being used or what data may be exposed through those systems.

The audit gap is also material. Around three-quarters of security practitioners said they have some governance responsibility tied to enterprise AI, yet more than half said their organizations do not have established frameworks for AI audits, according to the report.

That is a difficult operating model: security staff are being assigned responsibility for AI risk without the policy, instrumentation or audit structure needed to manage it consistently. The report does not say whether the missing controls are concentrated in particular industries, company sizes or geographies.

Leaders and practitioners see different realities

SANS also found a gap between what senior security executives believe is in place and what front-line practitioners report seeing. Half of security leaders said their organizations have a formal AI risk management program, compared with 36% of practitioners.

Matt Bromiley, a certified instructor at SANS Institute and author of the report, told Cybersecurity Dive that the 14-point difference reflects a perception problem. Bromiley said leaders may believe governance exists while the people operating the tools do not see effective controls in daily use.

The divide matters because AI in security is no longer limited to experiments. SANS said six in 10 practitioners reported using AI for red teaming, up from roughly one-third in the prior-year survey. That shift means model use is reaching offensive security workflows, where oversight failures can create legal, data handling and operational issues.

The findings land as governance concerns around cyber risk are becoming more explicit in enterprise finance. S&P has previously warned that companies could put credit ratings at risk if they do not strengthen security governance, according to Cybersecurity Dive.

For security operators, the SANS data suggests the next budget cycle will be shaped by more than AI feature procurement. Buyers will need evidence of policy enforcement, auditability and data exposure controls. Vendors that cannot show where models run, what data they touch and how use is logged should expect harder questions from security teams that are now being asked to govern tools they may not fully see.

This story draws on original reporting from CIO Dive.

More from Enterprise

All Enterprise →