
Across both cyber maturity and AI risk maturity, organizations are significantly better at identifying and governing risks than taking action to reduce them, according to Cye’s 2026 Global AI and Cyber Maturity Report. The pattern was consistent across both maturity assessments. The lowest scores were concentrated in the functions responsible for putting risk management into practice, highlighting a persistent gap between risk awareness and risk reduction.
"AI is inheriting cybersecurity's oldest problem: the gap between policy and action," says Reuven Aronashvili, founder and CEO of Cye. "The challenge is no longer understanding the risks. It's about accurately identifying which risks may disrupt the business or operations, and determining the specific action to take. That requires operationalizing controls and processes, remediating when needed and at times deciding to do nothing. As AI adoption accelerates, addressing that gap between policy and action will become a defining factor in organizational resilience."
Key takeaways:
- The gap between AI governance and operational control is emerging as a defining challenge of enterprise security in 2026.
- While govern was the highest-scoring AI RMF function, manage ranked lowest at 2.22, highlighting a growing gap between AI governance efforts and the controls, response capabilities and oversight needed to reduce AI-related risk.
- Shadow AI exposure remains high across many sectors, reaching 71% in transportation and 62% in energy, compared with just 5% in financial services.
- The lowest maturity scores in both frameworks were concentrated in the functions responsible for reducing risk in practice, revealing a common gap between risk awareness and risk reduction that is now being amplified by AI adoption.
- Switzerland recorded the largest year-over-year maturity improvement following the implementation of new cyber reporting and operational resilience requirements. Similar gains in the United States, U.K. and Spain suggest that enforceable regulatory deadlines are accelerating cybersecurity maturity across regulated markets.
- Financial services led overall maturity rankings, yet protect remained its weakest function, demonstrating that strong governance and regulatory oversight do not automatically translate into effective risk reduction.



















