Half of enterprises expect data loss, 49% anticipate Shadow AI incidents, 70% lack optimized AI governance, and AI supply chain security emerges as the top investment focus.

Acuvity AI today released its annual 2025 State of AI Security report. The study finds that AI security in enterprises is poorly governed and fragmented, leaving the most critical risks unmanaged and AI-related incidents seen as inevitable.

The survey reveals 50% expect data loss through generative AI tools in the next year, 49% anticipate Shadow AI incidents, and 41% are concerned about AI-driven insider threats. At the same time, 70% admit they lack optimized AI governance. The results show that major security incidents are expected, and both AI governance and runtime enforcement remain inadequate to contain them.

This report also finds that AI security breaks from typical ownership models. CIOs now lead AI security in enterprises (29%), followed by Chief Data Officers (17%) and infrastructure teams (15%), while CISOs rank fourth at 14.5%. This marks a departure from other security domains, where the CISO usually holds primary responsibility.

On the budget front, AI supply chain security is the leading investment priority, with 31% of organizations selecting it as their primary focus in the next 12 months. This reflects recognition that risk spans the entire AI ecosystem, not just one component.

“AI is changing the nature of risk itself, forcing leaders to confront incidents they admit they aren’t ready to manage,” said Satyam Sinha, co-founder and CEO of Acuvity AI. “This report gives them the evidence and benchmarks to prioritize AI governance and runtime security now.”

Key Findings from the Report

1. AI Governance Remains Immature Across Enterprises: 70% report they have not reached optimized AI governance, which would include board-level oversight, automated monitoring, and regularly updated policies. 39% do not have managed or optimized AI governance.
2. Data Loss Emerges as the Top Anticipated AI Risk: 50% expect data leakage through generative AI tools in the next 12 months, highlighting data exposure as the most likely near-term impact of AI adoption.
3. Enterprises Anticipate Major Security Incidents from Shadow AI: 49% expect a Shadow AI incident in the next 12 months, and 23% say it is one of the areas where they are least prepared. Top concerns include the use of standalone generative AI tools without IT approval (21%) and AI features embedded in SaaS applications (18%).
4. AI Supply Chain Security Named Top Budget Priority: 31% rank AI supply chain security as their leading investment over the next 12 months, ahead of all other categories. Respondents most often cited risks in datasets, APIs, and embedded AI features, highlighting concern with exposures that occur at runtime.
5. AI Security Ownership Breaks from Typical Models: CIOs rank first in AI security ownership at 29%, ahead of Chief Data Officers (17%) and infrastructure teams (15%). CISOs are in fourth place at 14.5% — a sharp departure from other security domains where security leadership usually holds primary responsibility.
6. Runtime Security Ranked #1 for Risk and Lack of Readiness: Runtime ranks #1 as the most vulnerable phase (38%) and #1 as the least prepared area (27%). Pre-deployment issues such as dataset integrity (13%) and model provenance (12%) rank far lower, underscoring that traditional “shift-left” security approaches do not match where AI risks are concentrated.

Download the complete 2025 State of AI Security report to access detailed findings.

Research Methodology

The 2025 State of AI Security survey reflects input from 275 executives at enterprises ranging from 500 to over 10,000 employees, including VPs and directors in security, IT, risk, and compliance, as well as CIOs, CISOs, and Chief Data Officers.

About Acuvity

Acuvity is the purpose-built AI security platform that protects enterprise AI ecosystems. The company provides AI governance and runtime enforcement to give organizations visibility and control over AI use across their environments. With Acuvity, enterprises can secure and monitor AI interactions, users, applications, agents, APIs, and data to ensure compliance and reduce risk. To learn more, visit www.acuvity.ai.

View source version on businesswire.com: https://www.businesswire.com/news/home/20251007675598/en/

The study finds that AI security in enterprises is poorly governed and fragmented, leaving critical risks unmanaged and AI-related incidents seen as inevitable.