A new Bitdefender report has exposed a widening gap between what companies believe they can see inside their networks and what is actually happening across employee devices, cloud systems and artificial intelligence tools.
Key Findings: AI, Cloud And Breach Risk Move To The Centre Of Cybersecurity
Organisations are facing sharper pressure from Shadow AI, cloud exposure, breach secrecy, business email compromise and growing concern over where sensitive data is stored.
47.4%: Lack clear visibility into Shadow AI. Nearly half have only partial or no visibility into unsanctioned AI tools used for work.
45%: Rank internal AI systems as a top concern. AI systems and LLMs now sit ahead of most traditional security worries.
55.2%: Were told to keep incidents quiet. Breach suppression remains common despite reporting obligations and public risk.
41.8%: Reported cloud or app breaches. Cloud infrastructure and application breaches were the most common incident type.
35.9%: Experienced business email compromise. BEC remains a major pathway for financial loss and data exposure.
59.2%: Faced AI-driven social engineering. AI-enabled deception has shifted from speculation to operational reality.
76.1%: Would switch vendors over data sovereignty. Jurisdiction, foreign access and data location now influence cyber vendor selection.
55.9%: Rate self-mutating malware as high risk. AI-driven malware, LLM leaks, evasion and deepfake fraud are now mainstream concerns.
The 2026 Cybersecurity Assessment Report, released in Sydney on 1 July, suggests many organisations are now fighting cyber threats on two fronts: attackers using AI to sharpen scams and intrusion attempts, and employees quietly using unsanctioned AI tools that may be leaking sensitive business data.
The report is based on an independent survey of more than 1,200 IT and security professionals across France, Germany, Italy, Singapore, the United Kingdom and the United States.
Respondents included cybersecurity practitioners and decision-makers working in organisations with 500 or more employees.
One of the clearest warnings in the report is the rise of “Shadow AI”, where staff use personal or unauthorised AI tools for work without full oversight from security teams.
While 51.8% of respondents said their organisation had full visibility into sanctioned and unsanctioned AI use, 47.4% admitted they had only partial visibility or no visibility into individual Shadow AI tools or personal accounts being used for work.
The gap is sharper inside management ranks. Bitdefender found 57.8% of managers believed they had full visibility into AI usage, compared with only 45.9% of practitioners.
Just 0.5% of managers reported having no visibility, compared with 4.5% of practitioners, suggesting senior leaders may be underestimating how much AI activity is happening outside approved systems.
That matters because internal AI systems and large language models are now the leading security concern for the professionals surveyed.
Forty-five percent identified internal AI systems and LLMs as their top concern, narrowly ahead of cloud infrastructure and application environments at 44%. Identity and access management systems ranked third at 33.3%.
Yet the report also reveals a dangerous contradiction. Despite AI ranking as the top area of concern, 20.4% of respondents rated employees leaking sensitive data into public LLMs as a low or extremely low risk.
The findings point to a workplace reality that many companies are still struggling to govern: employees are already using generative AI, but security policies, monitoring and data controls have not kept pace.
The report also raises serious concerns about breach transparency. More than half of respondents who experienced a security incident or breach in the past 12 months said they were told to keep it confidential, even though they believed it should have been reported to authorities.
The figure stood at 55.2%, only slightly lower than 57.6% in 2025, but far above the 42% reported in 2023. Bitdefender said the pattern points to an entrenched culture of breach suppression across global organisations.
The United States recorded the highest level of reported pressure to stay silent, at 68.6%, followed by Germany and the United Kingdom at 57.2%. The issue cut across job levels, with 56.8% of managers and 53.5% of practitioners reporting similar pressure.
The most common incidents were cloud infrastructure or application breaches, reported by 41.8% of respondents. Business email compromise (BEC) resulting in financial or data loss followed at 35.9%, while ransomware was reported by 25.6%.
The United States stood out sharply on business email compromise, with 54.7% of organisations reporting BEC incidents, nearly 19 percentage points above the global average.
AI-driven social engineering has also moved from theoretical concern to operational reality.
The report points to a broader public security problem: companies are adopting AI faster than many can monitor it, while attackers are using the same technology to make fraud more convincing.
Bitdefender found 59.2% of respondents had experienced AI-driven social engineering attacks in the past 12 months, with criminals using more believable impersonation, sharper language patterns and better targeting.
The concern is no longer confined to security teams. When businesses lose visibility over workplace AI use, sensitive customer records, staff information and internal systems can be exposed through everyday behaviour, including the use of public AI tools, unauthorised accounts or poorly monitored software.
That loss of control is being made worse by the difficulty of reducing corporate attack surfaces.
Respondents cited the high overhead of maintaining hardening rules and exceptions as the leading barrier, at 38%, followed by fear of operational disruption at 35.4% and resource constraints at 34.6%. Legacy infrastructure remains another weak point, with 34.5% saying older systems are difficult to secure.
Visibility gaps are becoming a serious operational risk.
Globally, 33.8% of respondents said organisations were unsure which legitimate tools were essential for each user, while in the United States the figure rose to 48.8%, suggesting even mature markets are struggling to keep pace with the spread of AI inside the workplace.
At the same time, data sovereignty has shifted from a procurement issue to a matter of public trust.
More than three-quarters of respondents, at 76.1%, said they would be likely to switch cybersecurity vendors over concerns about where data is stored, which laws apply, or whether foreign governments could gain access.
The concern was strongest in the United States, where 87% said they would be likely to switch vendors, followed by the United Kingdom at 85% and Germany at 77%.
Managers were also more likely than practitioners to raise the issue, at 79.4% compared with 72.8%, showing that control over security data is now reaching senior leadership.
For Australian organisations, the findings land at a time of tightening privacy and critical infrastructure obligations.
Reforms to the Privacy Act and the Security of Critical Infrastructure Act, alongside global rules such as NIS2 and DORA, are forcing businesses to answer harder questions about where security data is processed, who can access it and which legal jurisdiction governs it.
Cybersecurity vendors often handle sensitive telemetry, threat data and operational signals from the organisations they protect.
If that information is stored, processed or accessed under unclear legal arrangements, the consequences can extend well beyond one business to customers, employees, suppliers and essential services.
AI-related threats were rated as a high or extreme risk across every major category tested in the report. The leading concern was attackers using AI to generate self-mutating malware, cited by 55.9% of respondents, followed by employees leaking sensitive data into public LLMs at 53.5%.
Other risks were close behind, including AI-driven evasion techniques bypassing traditional endpoint detection and response signatures at 52.5%, and deepfakes or voice cloning used in fraud or business email compromise at 51.9%.
Bitdefender noted that while self-mutating malware ranked as the top concern, current threat intelligence suggests attackers are more commonly using AI to accelerate and refine existing attack methods rather than create entirely new categories of malware.
Agentic AI is now adding another layer to the risk. Concern about AI agents expanding the attack surface was especially high in Singapore at 64% and the United States at 61.6%, highlighting how quickly autonomous tools are becoming part of the global cybersecurity debate.
“The expanding attack surface, the rapid proliferation of AI-powered threats, and persistent operational pressures are forcing organisations to rethink how they approach security from the ground up,” said Andrei Florescu, president and general manager of Bitdefender Business Solutions Group.
“The findings in this report make clear that modern security strategies must go beyond reactive defences to continuously reduce risk, govern AI adoption, and ensure compliance across an environment where adversaries are faster, more adaptive, and increasingly automated,” said Florescu.
The report shows cybersecurity teams are no longer dealing with isolated technical problems.
They are confronting a broader governance failure, where AI adoption is moving faster than oversight, breaches are still being kept quiet, and security leaders may not have a complete view of the risks already inside their own organisations.
For businesses, the message is blunt: AI has changed the speed and scale of cyber risk, but many organisations are still trying to manage it with visibility, reporting and control systems built for a slower threat environment.
