State of AI Security Report: Enterprises Brace for AI Incidents

AI supply chain security is the leading investment priority, with 31% of organizations selecting it as their primary focus in the next 12 months.

AI security in enterprises is poorly governed and fragmented, leaving the most critical risks unmanaged and AI-related incidents seen as inevitable, according to Acuvity AI’s 2025 State of AI Security report.

“AI is changing the nature of risk itself, forcing leaders to confront incidents they admit they aren’t ready to manage,” says Satyam Sinha, co-founder and CEO of Acuvity AI. “This report gives them the evidence and benchmarks to prioritize AI governance and runtime security now.”

Key takeaways:

· The survey reveals 50% expect data loss through generative AI tools in the next year, 49% anticipate Shadow AI incidents, and 41% are concerned about AI-driven insider threats. At the same time, 70% admit they lack optimized AI governance. The results show that major security incidents are expected, and both AI governance and runtime enforcement remain inadequate to contain them.

· This report also finds that AI security breaks from typical ownership models. CIOs lead in 29% of enterprises, followed by chief data officers (17%) and infrastructure teams (15%), while CISOs rank fourth at 14.5%. This marks a departure from other security domains, where the CISO usually holds primary responsibility.

· On the budget front, AI supply chain security is the leading investment priority, with 31% of organizations selecting it as their primary focus in the next 12 months. This reflects recognition that risk spans the entire AI ecosystem, not just one component.

· 70% report they have not reached optimized AI governance, which would include board-level oversight, automated monitoring, and regularly updated policies. 39% do not have managed or optimized AI governance.

· 50% expect data leakage through generative AI tools in the next 12 months, highlighting data exposure as the most likely near-term impact of AI adoption.

· 49% expect a Shadow AI incident in the next 12 months, and 23% say it is one of the areas where they are least prepared. Top concerns include the use of standalone generative AI tools without IT approval (21%) and AI features embedded in SaaS applications (18%).

· 31% rank AI supply chain security as their leading investment over the next 12 months, ahead of all other categories. Respondents most often cited risks in datasets, APIs, and embedded AI features, highlighting concern with exposures that occur at runtime.

· CIOs rank first in AI security ownership at 29%, ahead of chief data officers (17%) and infrastructure teams (15%). CISOs are in fourth place at 14.5% — a sharp departure from other security domains where security leadership usually holds primary responsibility.

· Runtime ranks No. 1 as the most vulnerable phase (38%) and No. 1 as the least prepared area (27%). Pre-deployment issues such as dataset integrity (13%) and model provenance (12%) rank far lower, underscoring that traditional “shift-left” security approaches do not match where AI risks are concentrated.
