Zscaler recently released the ThreatLabz 2026 AI Security Report, offering insight into the state of security amid the AI explosion. The growth of AI usage is becoming exponential as more and more organizations adopt AI tools, with the finance, insurance, technology, and education industries leading the charge. The problem with AI security is not in the adoption itself, but in the fact that security, risk, and compliance frameworks are still operating on human timelines while AI operates at machine speed.
From Shadow IT to Shadow AI
Organizations have already spent years wrestling with the complexity and risk of unsanctioned software-as-a-service (SaaS) and shadow IT issues. Sprawling environments without comprehensive visibility and oversight can hinder the effectiveness of security tools and enable severe, persistent threats. Many organizations lack full insight into and understanding of all of the software and systems in their employ, creating major gaps in security.
The introduction of AI enhancements to the ecosystem only serves to magnify these problems. Newly implemented AI tools are often granted sweeping permissions to access and even manage sensitive systems and data. With thousands of applications embedding AI features, it becomes difficult for many enterprises to answer simple questions about where AI is running and what data it touches.
AI as an Attack Surface Multiplier
The integration of AI features leads to a broader attack surface and creates new risks that many organizations are not equipped to defend against. AI not only enables quicker threats on the attacker side, but also makes it more difficult for organizations to maintain visibility and security across all systems. “AI-driven expansion is now outpacing the ability of traditional, human-dependent defenses to respond in real-time,” says Ram Varadarajan, CEO at Acalvio, a Santa Clara, Calif.-based leader in cyber deception technology.
Findings in the ThreatLabz report show critical vulnerabilities in every enterprise AI system analyzed, with 90% of systems able to be compromised in under 90 minutes, and a median time of 16 minutes to the first critical failure. One of the analyzed system defenses was bypassed in just one second, emphasizing the critical nature of the risk. In these environments, AI systems don’t just expand the attack surface, but compress the time defenders have to react.
Data Gravity Shifts Toward AI Platforms
The explosive growth of AI usage for personal and business matters alike means that individuals and organizations are sharing their data with AI platforms at unprecedented volumes. ThreatLabz found a 93% surge in enterprise data transfers to AI and ML applications in 2025, surpassing a total of 18,000 terabytes. This is an immense amount of information handed over to platforms like Grammarly and ChatGPT, rapidly transforming AI into one of the highest-volume conduits for sensitive data.
This amount of data sharing makes AI applications an irresistible target for attackers, especially as security measures lag while AI adoption grows. “To be able to scale with the attackers, AI-first cloud security has to shift from reactive blocking to AI-driven preemptive defense,” according to Varadarajan. It is crucial to advance security methods to match sophisticated attacks and complex, AI-enhanced environments.
Governance Becomes a Board-Level Issue
When AI usage grows faster than visibility, governance can no longer remain a technical afterthought. The immense surge in AI popularity has created an environment where data and systems are vulnerable to a wide range of attacks with the potential to compromise sprawling architectures.
It is more important than ever for experts and boards to prioritize governance to ensure the protection of highly sensitive data and enterprise systems. Security measures like inventorying models, understanding embedded AI features, and enforcing data controls are no longer optional—they’re foundational.
Rethinking Security for an AI-Driven Enterprise
In the age of rapid AI expansion, it is crucial for organizations to shift their approach to security. While traditional security assumptions may have been effective in the past, they tend to break down in AI-rich environments. AI permissions, lack of visibility, and massive volumes of data turn traditional security on its head and enhance risk in enterprise environments that rely on traditional security measures. To adequately secure AI operations, organizations must shift from reactive controls to continuous visibility, policy enforcement, and zero-trust principles that extend to AI systems themselves.
The Real Question: Speed vs. Control
The issues introduced and amplified by AI usage present a significant issue of balance. AI promises benefits like speed, scale, and efficiency, but without oversight to match, it also delivers risk at unprecedented velocity. Successful enterprises going forward will be those that prioritize AI governance as a core capability for operations, not a cleanup task.
