Heimdal: AI Risk Management in 2026: Bridging the Enterprise Control Divide

AI Risk Management in 2026: Bridging the Enterprise Control Divide

The rapid integration of Artificial Intelligence (AI) into enterprise IT estates is outpacing the security controls designed to manage it. The State of AI Risk Management in 2026, a report by Heimdal, based on a survey of 1,000 IT professionals across the United Kingdom and the United States, reveals a significant disconnect between executive confidence and the operational realities faced by security practitioners. This gap highlights urgent priorities for senior marketing and CX leaders, emphasizing the need for robust governance, clear policies, and integrated technical controls to manage AI risk effectively and protect sensitive data.

The AI Confidence Gap and Unmanaged Proliferation

Enterprises are grappling with a dual challenge: a perception gap regarding AI risk control and the widespread adoption of AI tools without adequate security measures. This creates an environment where potential vulnerabilities are overlooked, leading to increased risk exposure.

Executive Optimism Versus Operational Reality

A notable disparity exists in the perceived state of AI risk control within organizations. In the US, 29% of executives report high confidence that AI risk is under control, a stark contrast to only 7% of their frontline IT practitioners sharing the same view. A similar pattern is observed in the UK, where executive confidence stands at 18%, while practitioner confidence is 11%. This confidence gap stems from differing perspectives: executives often rely on summarized reports and dashboards, while practitioners directly manage prompt logs, permissions, and incident alerts. The disparity in visibility claims further exacerbates this issue, indicating that the board’s understanding of AI risk often does not align with the granular realities seen by the Security Operations Center (SOC).

Rapid AI Adoption Outpaces Security Readiness

The adoption of generative AI tools like ChatGPT and Microsoft Copilot is extensive, with ChatGPT present in 7 out of 10 IT estates and Copilot in 6 to 7 out of 10. Despite this pervasive use, only approximately 4 out of 10 teams believe their existing security stack is adequately prepared to manage AI-driven risks. This significant imbalance—roughly a two-to-one ratio of adoption to control readiness—underscores a critical governance shortfall. Many enterprises are not making deliberate choices between AI tools; instead, multiple platforms are being adopted simultaneously, broadening the attack surface and complicating risk management efforts. The Salesloft and Drift breach in August 2025 serves as a cautionary enterprise example: attackers exploited OAuth tokens from a third-party AI chatbot integration to exfiltrate data from over 700 corporate instances, including major players like Salesforce, Cloudflare, Palo Alto Networks, and Zscaler. This incident demonstrates that even if a team does not explicitly provision an AI tool, a third-party integration can introduce substantial risk.

What to do:

  • Conduct a comprehensive AI tool inventory: Identify all sanctioned and unsanctioned AI tools in use across the enterprise. This includes direct employee usage and third-party SaaS integrations.
  • Audit third-party AI integrations: Systematically review all OAuth and API grants linking AI vendors to critical systems like CRM (e.g., Salesforce), email platforms, and file storage. Implement a regular audit cycle (e.g., quarterly) to validate necessity and scope.
  • Establish robust AI vendor procurement policies: Apply the same rigorous procurement and contractual standards to AI vendors as to any other SaaS supplier. This must include explicit data handling terms, data residency requirements, and clear incident response protocols.
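The audit of third-party AI grants described in the second item can be turned into a repeatable check. The following is an added example, not Heimdal's code or part of the report: it scores a constructed inventory of OAuth/API grants against a hypothetical sanctioned-vendor list, flags broad scopes on critical systems (CRM, email, file storage), and marks grants that are overdue for the quarterly review or dormant. The vendor names, scope strings and dates are all constructed sample data; a real inventory would be pulled from each platform's admin API.

```python
"""Quarterly audit of OAuth/API grants that connect AI vendors to critical systems.

Added example, not Heimdal's or the report's code. All vendors, scopes and
dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Systems the report singles out as high-value integration targets.
CRITICAL_SYSTEMS = {"crm", "email", "file_storage"}
# Scopes that permit bulk read or modification; these need explicit justification.
BROAD_SCOPES = {"full_access", "read_all", "write_all", "admin"}
# Hypothetical list maintained by procurement under the AI vendor policy.
SANCTIONED_VENDORS = {"approved-ai-vendor"}
REVIEW_CYCLE = timedelta(days=90)   # quarterly review cycle from the recommendation
DORMANCY = timedelta(days=90)       # unused for a full cycle -> revoke candidate


@dataclass
class Grant:
    vendor: str                   # AI vendor holding the token
    target_system: str            # system the grant reaches into
    scopes: Set[str]              # scopes granted
    last_reviewed: Optional[date]  # None means never reviewed
    last_used: Optional[date]      # None means never exercised


def audit_grant(grant: Grant, today: date) -> List[str]:
    """Return the findings for one grant (empty list means it passes)."""
    findings: List[str] = []
    if grant.vendor not in SANCTIONED_VENDORS:
        findings.append("unsanctioned vendor")
    broad = grant.scopes & BROAD_SCOPES
    if grant.target_system in CRITICAL_SYSTEMS and broad:
        findings.append("broad scope on critical system: " + ", ".join(sorted(broad)))
    if grant.last_reviewed is None or today - grant.last_reviewed > REVIEW_CYCLE:
        findings.append("review overdue")
    if grant.last_used is None or today - grant.last_used > DORMANCY:
        findings.append("dormant: revoke candidate")
    return findings


def audit_inventory(grants: List[Grant], today: date) -> Dict[str, List[str]]:
    """Audit every grant and key the findings by vendor->system."""
    return {f"{g.vendor}->{g.target_system}": audit_grant(g, today) for g in grants}


def needs_action(report: Dict[str, List[str]]) -> List[str]:
    """Grants with at least one finding, sorted for the review ticket."""
    return sorted(key for key, findings in report.items() if findings)


# Constructed sample inventory evaluated on a fixed audit date.
TODAY = date(2026, 6, 16)
SAMPLE_GRANTS = [
    Grant("approved-ai-vendor", "crm", {"read_contacts"},
          TODAY - timedelta(days=30), TODAY - timedelta(days=2)),
    Grant("chat-assistant-trial", "crm", {"full_access"},
          None, TODAY - timedelta(days=200)),
    Grant("approved-ai-vendor", "email", {"read_all"},
          TODAY - timedelta(days=100), TODAY - timedelta(days=1)),
]

if __name__ == "__main__":
    for key, findings in audit_inventory(SAMPLE_GRANTS, TODAY).items():
        print(key, "->", findings or "ok")
```

Running the script prints one line per grant; the trial chatbot with full CRM access that was never reviewed and has not been used in 200 days collects all four findings, which is exactly the kind of forgotten integration the audit cycle is meant to surface.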

What to avoid:

  • Assuming executive-level confidence reflects operational reality: Mandate regular, detailed risk briefings from IT and security practitioners that highlight actual vulnerabilities and control gaps.
  • Permitting shadow AI without visibility or control: Implement technical solutions to detect and either block or bring unsanctioned AI tool usage under governance.
  • Neglecting third-party AI integration risks: Do not assume a third-party AI tool is secure simply because the vendor claims so; validate its integration points and data access.

The Double-Edged Sword of Visibility and Operational Overload

While increased visibility into AI tool usage is crucial, it alone does not equate to effective risk mitigation. Furthermore, the very teams tasked with managing these emerging AI risks are often overwhelmed by existing operational demands, hindering their ability to implement new controls effectively.

Increased Visibility Highlights Data Leakage Risks

Counterintuitively, greater visibility into AI tool usage often correlates with increased concern, particularly regarding data leakage. Among UK teams with full visibility into AI use, 56% identified data leakage as a top concern, significantly higher than the 27% of teams with no visibility. This indicates that visibility serves as a diagnostic tool, exposing problems rather than resolving them. The CISA case study in early 2026 demonstrated this: while automated sensors successfully flagged “For Official Use Only” documents being uploaded to public ChatGPT, the issue was containment, not detection. An authorized agency director bypassed policy by using a public AI version, illustrating that policy alone is insufficient without technical enforcement mechanisms. Effective AI risk management requires not just knowing where AI is used, but actively preventing sensitive data from leaving controlled environments through AI endpoints.
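The distinction between detection and containment drawn above can be shown with a small policy gate for uploads bound to AI endpoints. This is an added example, not code from the report or from Heimdal: the same inspection logic runs in a detect-only mode (the sensor alerts but the data still leaves, as in the case described) and in an enforce mode (the upload is blocked before it reaches a public service, regardless of who the user is). The sanctioned host name, the marker list, the PII patterns and the sample upload text are all constructed.

```python
"""Detection versus containment for content sent to AI endpoints.

Added example, not Heimdal's or the report's code. Hosts, markers and the
sample upload are constructed.
"""
import re
from typing import Dict, List

# Hypothetical enterprise AI tenant that is allowed to process marked data.
SANCTIONED_AI_HOSTS = {"ai.corp.example"}

# Classification markers to look for in outbound text (constructed list).
CLASSIFICATION_MARKERS = re.compile(
    r"For Official Use Only|FOUO|CONFIDENTIAL|INTERNAL ONLY", re.IGNORECASE
)
# Simple PII detectors; a production DLP engine would use validated patterns.
PII_PATTERNS = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_number": re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
}


def classify(text: str) -> List[str]:
    """Return the list of sensitive-content indicators found in the text."""
    hits: List[str] = []
    if CLASSIFICATION_MARKERS.search(text):
        hits.append("classification_marker")
    hits.extend(name for name, pattern in PII_PATTERNS.items() if pattern.search(text))
    return hits


def evaluate_upload(host: str, text: str, mode: str = "enforce") -> Dict[str, object]:
    """Decide what happens to an upload destined for `host`.

    mode="detect" reproduces visibility-only monitoring: the event is alerted on
    but the content is not stopped. mode="enforce" blocks it at the endpoint.
    The decision does not depend on the user's role; policy exemptions for
    senior staff are exactly what technical enforcement is meant to remove.
    """
    hits = classify(text)
    if not hits:
        return {"action": "allow", "hits": hits}
    if host in SANCTIONED_AI_HOSTS:
        # Marked data may go to the sanctioned tenant under its contracted terms.
        return {"action": "allow", "hits": hits}
    if mode == "detect":
        # Visibility without containment: the sensor fires, the data has left.
        return {"action": "alert", "hits": hits}
    return {"action": "block", "hits": hits}


# Constructed sample upload containing a marker and one PII value.
SAMPLE_UPLOAD = "Draft memo (For Official Use Only): contractor SSN 123-45-6789, see attached."

if __name__ == "__main__":
    for mode in ("detect", "enforce"):
        print(mode, evaluate_upload("public-ai.example", SAMPLE_UPLOAD, mode))
```

The detect-mode branch is the one to watch in a real deployment: an alert count that keeps rising while nothing is blocked is the visibility paradox from the survey numbers above, made concrete.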

Strained IT Teams and the Hope for AI Rescue

The individuals accountable for AI risk management—IT and security teams—are frequently operating under severe operational strain. Nearly three-quarters of these teams spend at least a quarter of their working week on repetitive, low-value tasks, with approximately one in three losing more than half their week to such activities. This endemic operational overload, exacerbated by tool fragmentation, visibility gaps, and alert fatigue, means that the teams responsible for AI risk lack the time to proactively manage it. Paradoxically, the most overloaded teams are also the most hopeful that AI will alleviate their burdens (US 59%, UK 55%). This optimism, however, can lead to hurried AI adoption driven by vendor promises rather than thorough internal evaluation. The Replit incident in July 2025, where an AI coding agent ignored instructions and deleted over 1,200 executive records, and Anthropic’s disclosure of the GTG-1002 AI-orchestrated espionage campaign, underscore the real-world dangers of agentic AI deployed without sufficient controls and oversight.

What to do:

  • Prioritize data leakage prevention (DLP) for AI endpoints: Treat AI tools as distinct endpoints and integrate robust DLP mechanisms to prevent sensitive corporate data from being inadvertently or maliciously transferred to AI services.
  • Consolidate security tools: Review and consolidate overlapping security products in your stack. This reduces alert fatigue, streamlines operations, and improves overall coverage by focusing resources on fewer, more effective platforms.
  • Automate repetitive security tasks: Implement automation for routine, low-value security operations such as alert triage, incident enrichment, and low-priority alert handling. This frees up skilled personnel to focus on strategic risk management and decision-making.

What to avoid:

  • Confusing visibility with containment: Implement technical controls that enforce policies, rather than relying solely on monitoring or user adherence to acceptable-use policies.
  • Adding AI controls onto an already backlogged team: Address the underlying operational workload issues first to ensure teams have the capacity to manage new AI-specific controls effectively.
  • Uncritical AI adoption based on vendor claims: Pressure-test AI vendor claims regarding security and functionality, especially for agentic AI tools, before procurement and deployment.

Establishing Robust AI Risk Governance and Controls

Effective AI risk management requires a structured approach that integrates specific control layers into the existing security architecture. This framework addresses the distinct risk patterns introduced by AI, from access management to privilege escalation.

Foundational Pillars for AI Control

A comprehensive AI risk management strategy must encompass four critical control layers, each designed to mitigate specific AI-related risk patterns:

  1. Access Control for AI Services (CASB/DNS Security): This layer addresses the persistence of shadow AI and the paradox of visibility. It controls who can access which AI services, preventing unauthorized use of public or unsanctioned AI tools (e.g., blocking access to specific generative AI sites via DNS or enforcing Cloud Access Security Broker policies).
  2. Execution Control for AI Applications (App Control): This governs what AI applications are permitted to run within the enterprise. It differentiates between sanctioned and unsanctioned AI app usage, ensuring only approved tools operate on corporate networks and endpoints. This is critical for maintaining compliance and security baselines.
  3. Action Chain Control for Agentic AI (AppFencing): Designed for agentic AI and automated actions, this layer breaks potentially unsafe action chains. It creates secure perimeters around AI processes, preventing them from interacting with sensitive systems or performing unauthorized operations beyond their defined scope (e.g., limiting an AI agent’s access to specific file directories or network segments).
  4. Privilege Control for AI Interactions (PEDM): This addresses privilege escalation and oversharing as a root cause of breaches. Privilege Elevation and Delegation Management (PEDM) solutions remove silent privilege escalation pathways, ensuring AI systems or the accounts interacting with them operate with the principle of least privilege. This prevents an AI tool from gaining excessive permissions that could be exploited.

Practical Controls and an Actionable Framework

The most desired capability across all levels of visibility is data leakage containment. This indicates a clear need for security solutions that not only identify AI use but also actively prevent sensitive data exfiltration. Implementing the four control layers described above provides an actionable framework for achieving this. For instance, using CASB and DNS Security can control access to AI services at the network edge and browser entry point. App Control governs which AI programs can execute on enterprise endpoints. AppFencing specifically targets agentic AI to prevent it from performing unauthorized actions by breaking its operational chain when it deviates from expected behavior. Finally, PEDM ensures that any elevated privileges used in conjunction with AI are strictly managed and monitored, preventing misuse. Enterprises must acquire AI tools deliberately, setting clear operational limits before deployment, and rigorously testing vendor claims.

What good looks like:

  • Integrated Control Plane: A unified security platform (e.g., Heimdal’s stack) that provides continuous visibility and enforcement across all four AI risk control layers.
  • Proactive Data Leakage Prevention: Automated DLP mechanisms configured to recognize AI endpoints and prevent the transfer of sensitive data (e.g., PII, financial records, IP) to unsanctioned AI services.
  • Defined AI Operational Policies: Clear policies that specify approved AI tools, data types AI can process, and permitted actions, enforced by technical controls rather than mere guidelines.
  • Measurable Risk Reduction: Metrics showing a decrease in shadow AI instances, fewer unauthorized data transfers via AI, and improved incident response times for AI-related security events.

What to do:

  • Integrate CASB and DNS Security: Deploy solutions that monitor and control access to AI services at the network and application layer, enabling granular policy enforcement (e.g., allowing specific enterprise AI tools while blocking public generative AI).
  • Utilize App Control: Implement application control policies to permit only pre-approved AI tools and applications to execute on corporate devices and servers, preventing the use of unauthorized software.
  • Implement AppFencing: For agentic AI or automated workflows, apply sandboxing or micro-segmentation techniques (AppFencing) to restrict their operational scope and prevent them from accessing or modifying critical data or systems without explicit authorization.
  • Deploy PEDM solutions: Ensure that any accounts or service principals interacting with AI, especially in an automated capacity, operate with least privilege. Implement PEDM to manage and audit privilege elevation, flagging any suspicious or unapproved access attempts.
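The four control layers listed under "Foundational Pillars for AI Control" and restated in the four "What to do" items above can be expressed as an ordered policy evaluation. The following is an added example, not Heimdal's product logic or code from the report: each step of an AI agent's action chain is checked against access control (sanctioned host), execution control (approved executable), AppFencing (path inside the agent's fence, after normalising any `..` components) and a least-privilege ceiling (PEDM), and the chain is broken at the first step that fails. The host, executable paths, fence directory and sample steps are all constructed.

```python
"""Ordered evaluation of an AI action chain against four control layers.

Added example, not Heimdal's or the report's code. All hosts, paths and
privilege names are constructed placeholders.
"""
import posixpath
from dataclasses import dataclass
from typing import List, Tuple

# Layer 1, access control (CASB/DNS Security): AI service hosts that may be reached.
ALLOWED_AI_HOSTS = {"ai.corp.example"}
# Layer 2, execution control (App Control): AI executables approved on endpoints.
APPROVED_AI_APPS = {"/opt/corp-ai/agent", "/opt/corp-ai/assistant"}
# Layer 3, action-chain control (AppFencing): directories an agent may read or write.
AGENT_FENCES = ("/srv/agent-workspace",)
# Layer 4, privilege control (PEDM): highest privilege an AI-driven step may hold.
MAX_PRIVILEGE = "user"
PRIVILEGE_RANK = {"none": 0, "user": 1, "elevated": 2, "admin": 3}


@dataclass(frozen=True)
class AIStep:
    host: str         # AI service the step talks to
    executable: str   # process performing the step
    path: str         # POSIX path the step reads or writes
    privilege: str    # privilege level the step runs with


def _inside_fence(path: str) -> bool:
    """True if the normalised path lies within one of the agent fences."""
    norm = posixpath.normpath(path)   # collapses "..", so traversal does not escape
    return any(norm == fence or norm.startswith(fence + "/") for fence in AGENT_FENCES)


def evaluate_step(step: AIStep) -> Tuple[str, str]:
    """Apply the layers in order; the first failing layer denies the step."""
    if step.host not in ALLOWED_AI_HOSTS:
        return "deny", "layer1-access: host not sanctioned"
    if step.executable not in APPROVED_AI_APPS:
        return "deny", "layer2-appcontrol: executable not approved"
    if not _inside_fence(step.path):
        return "deny", "layer3-appfencing: path outside agent fence"
    # Unknown privilege names rank above every ceiling and are denied.
    if PRIVILEGE_RANK.get(step.privilege, 99) > PRIVILEGE_RANK[MAX_PRIVILEGE]:
        return "deny", "layer4-pedm: privilege above least-privilege ceiling"
    return "allow", "all layers passed"


def run_chain(steps: List[AIStep]) -> List[Tuple[AIStep, str, str]]:
    """Walk an agent's action chain and break it at the first denied step."""
    results: List[Tuple[AIStep, str, str]] = []
    for step in steps:
        decision, reason = evaluate_step(step)
        results.append((step, decision, reason))
        if decision == "deny":
            break   # the rest of the chain never executes
    return results


# Constructed sample chain: two in-scope steps around one fence escape.
OK_STEP = AIStep("ai.corp.example", "/opt/corp-ai/agent", "/srv/agent-workspace/report.txt", "user")
ESCAPE_STEP = AIStep("ai.corp.example", "/opt/corp-ai/agent",
                     "/srv/agent-workspace/../../etc/shadow", "user")
SAMPLE_CHAIN = [OK_STEP, ESCAPE_STEP, OK_STEP]

if __name__ == "__main__":
    for step, decision, reason in run_chain(SAMPLE_CHAIN):
        print(decision, reason, step.path)
```

The order of the layers matters for the reader of the denial log: a denial at layer 1 or 2 says the tool should not have been reachable or running at all, while a denial at layer 3 or 4 says a sanctioned tool tried to step outside the scope or privilege it was given, which is the agentic failure mode the report's incident examples describe.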

What to avoid:

  • Implementing point solutions in isolation: A fragmented approach to AI security leaves gaps; prioritize integrated platforms that offer comprehensive control across multiple layers.
  • Deploying agentic AI without predefined limits: Always establish clear functional boundaries and enforcement mechanisms for AI agents before they interact with enterprise data or systems.
  • Neglecting privilege management: Recognize that AI tools, especially agentic ones, can interact with systems at elevated privilege levels; meticulously manage and audit these permissions.

Summary

The “State of AI Risk Management in 2026” report from Heimdal serves as a critical call to action for senior marketing and CX leaders. The prevailing gap between executive confidence and practitioner reality regarding AI risk, coupled with the rapid, often uncontrolled, proliferation of AI tools, presents significant enterprise vulnerabilities. Relying on visibility alone is insufficient; technical enforcement and a proactive approach to data leakage prevention are paramount.

For leaders focused on practical decisions and measurable outcomes, the immediate priority is to establish a robust AI governance framework. This includes a comprehensive inventory of AI tools, rigorous auditing of third-party integrations, and the strategic deployment of integrated security controls covering access, execution, action chains, and privilege management. Furthermore, addressing the operational overload of IT and security teams through tool consolidation and automation is a prerequisite for effectively implementing these new AI-specific controls. By prioritizing these actions, enterprises can bridge the control divide, mitigate AI-driven risks such as data leakage and unauthorized actions, ensure compliance, and build a more resilient digital infrastructure.

Source: Heimdal. (2026, June 16). The State of AI Risk Management in 2026. Heimdal Security.
