EY Study: Cyber Leaders Invest in AI to Counter Rising Threats

• As AI-linked cyber incidents rise, the share of cybersecurity budgets allocated to AI solutions is expected to significantly increase
  
  

• Leaders expect agentic AI to become more central in cyber defense over the next two years, with AI governance emerging as a key driver of cyber resilience

Cybersecurity leaders are at a critical crossroads as artificial intelligence (AI) redefines both the threat landscape and defensive capabilities, according to findings from the new EY Cybersecurity Roadmap Study of 500 senior corporate security leaders.

The study uncovered that a staggering 96% of senior security leaders say AI-enabled cybersecurity attacks are a significant threat to their organization, with about half (48%) estimating that of all the cybersecurity incidents their organization had experienced in the past year, at least a quarter were enabled by AI. At the same time, less than half of senior security leaders are strongly confident in their organization’s ability to defend against a major security breach enabled by AI.

Catch more IT Insights: Why Retail and E-commerce Leaders Are Investing in Domain-Specific Language Models

“Security leaders have been rapidly bolting on AI solutions to stay ahead of AI-driven cyber threats, but their lack of confidence in defenses signals a need for reimagining security architecture with AI at the core,” says Ganesh Devarajan, EY Americas Consulting Cyber Risk Practice Leader. “Cyber leaders can’t just automate yesterday’s defenses; they must move toward an AI-native posture that embeds cyber as a foundational layer of trust across enterprise AI.”

Investments in cyber and AI defenses set for growth

Security leaders are responding to the increased threats by moving aggressively toward autonomous defenses with virtually every respondent confident that the strategic use of AI will transform their organization’s proactive (99%) and defensive (99%) cybersecurity strategies. But a majority (85%) of senior security leaders who are using AI in cybersecurity say that their current cybersecurity budget is insufficient to meet AI-enabled threats.

That is set for a dramatic shift as respondents say their AI defense spending will rapidly increase. The number of organizations dedicating at least a quarter of their total cybersecurity budget to AI solutions for cybersecurity is set to roughly quintuple, jumping from only 9% of organizations spending at that level today to 48% in two years.

“Budget increases create the opportunity for cyber leaders to strategically invest to move from automating simple tasks to advanced agentic AI systems that can undertake complex, multi-step actions across products and ecosystems simulating human responses to attacks,” says Devarajan.

Agentic AI set to take center stage

Nearly all senior security leaders (97%) agree that their organization’s competitive advantage in the next two years will be directly tied to the maturity of their agentic AI cybersecurity defenses. In fact, the number of senior security leaders saying the following areas will be largely run with agentic AI is set to roughly double in two years:

• Advanced persistent threat (APT) detection: from 30% currently to 62% in two years
• Real-time fraud detection: from 32% currently to 58%
• Identity and access management (IAM): from 23% currently to 51%
• Third-party risk management: from 25% currently to 50%
• Data privacy and compliance: from 27% currently to 48%
• Deep fake and impersonation defense: from 23% currently to 42%

AI governance maturity gap

Structured governance has emerged as the essential bridge between risk and resilience as organizations race to adopt AI and autonomous systems. Virtually all senior security leaders report having an AI cybersecurity governance framework in place, and, among those, 98% agree that framework has proven essential for ensuring the responsible use of AI.

Catch more IT Insights: RAG vs Domain-Specific Language Models: Which Is Better for Enterprises?

But a significant gap remains between policy and full adoption and enforcement of frameworks: currently only 20% of organizations have successfully optimized these frameworks and embedded them into their organizational culture. The majority have less mature adoption: 51% of senior security leaders report having a defined AI cybersecurity governance framework that is implemented and embedded in key processes and 26% report their framework is fully rolled out and integrated across relevant business units.

“The proliferation of AI cyber threats is an operational reality that puts the limitations of legacy frameworks on full display,” says Devarajan. “Organizations must move beyond standalone cyber defenses and risk management toward a system of architecting trust across governance, compliance and ethics that turns AI from a risk into a competitive advantage.”

Write to us [⁠wasim.a@demandmediaagency.com] to learn more about our exclusive editorial packages and programmes.