AI is Everywhere, But CISOs are Still Securing It with Yesterday's Skills and Tools, Study Finds

AI is Everywhere, But CISOs are Still Securing It with Yesterday's Skills and Tools, Study Finds The Hacker NewsMar 17, 2026Artificial Intelligence / Security Leadership A majority of security leaders are struggling to defend AI systems with tools and skills that are not fit for the challenge, according to the AI and Adversarial Testing Benchmark Report 2026 from Pentera. The report, based on a survey of 300 US CISOs and senior security leaders, examines how organizations are securing AI infrastructure and highlights critical gaps tied to skills shortages and reliance on security controls not designed for the AI era. AI adoption is outpacing security visibility AI systems are rarely deployed in isolation. They are layered across and integrated into existing corporate technology, from cloud platforms and identity systems to applications and data pipelines. With ownership spread across disparate teams, effective centralized oversight has collapsed. As a result, 67 percent of CISOs reported limited visibility into how AI is being used across their organization. None of the respondents indicated they have full visibility; rather, they acknowledge being aware of or accepting some form of unmanaged or unsanctioned AI usage. Without a clear view of where AI systems operate or what resources they can access, security teams struggle to assess risk effectively. Basic questions, such as which identities AI systems rely on, what data they can reach, or how they behave when controls fail, often remain unanswered. Skills, not budget, are the primary barrier Although AI security is now a regular topic in boardrooms and executive discussions, the study shows that the biggest challenges are not financial. CISOs identified the following as their top obstacles to securing AI infrastructure: Lack of internal expertise (50 percent) Limited visibility into AI usage (48 percent) Insufficient security tools designed specifically for AI systems (36 percent) Only 17 percent cited budget constraints as a primary concern. This suggests that many organizations are willing to invest in AI security, but do not yet have the specialized skills needed to evaluate AI-related risks in real environments. AI systems introduce behaviors that security teams are still learning to assess, including autonomous decision-making, indirect access paths, and privileged interaction between systems. Without the right expertise and active testing, it becomes difficult to evaluate whether existing controls are effective as intended. Legacy controls are carrying most of the load In the absence of AI-specific best practices, skills, and tooling, most enterprises are extending existing security controls to cover AI infrastructure. The study found that 75 percent of CISOs rely on legacy security controls, such as endpoint, application, cloud, or API security tools, to protect AI systems. Only 11 percent reported having security tools designed specifically to secure AI infrastructure. This approach reflects a familiar pattern seen during previous technology shifts, where organizations initially adapt existing defenses before more tailored security practices emerge. While this can provide basic coverage, controls built for traditional systems may not account for how AI changes access patterns and expands potential attack paths. A familiar challenge, now applied to AI Taken together, the findings show that AI security challenges stem from foundational gaps rather than a lack of awareness or intent. As AI becomes a core part of enterprise infrastructure, the report suggests that organizations will need to focus on building expertise and improving how they validate security controls across environments where AI is already operating. To explore the full findings, download the AI and Adversarial Testing Benchmark Report 2026 for a deeper discussion of the data and key takeaways. Note: This article was written by Ryan Dory, Director, Technical Advisors at Pentera.  Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  artificial intelligence, Cloud security, cybersecurity, data security, enterprise security, Security Leadership, threat detection Trending News Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday Load More ▼ Popular Resources Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Identity Controls Checklist: Find Missing Protections in Apps