Heimdal Survey: Executives Four Times More Confident About AI Risk Than the Teams Managing It

New research from cybersecurity company Heimdal finds 29% of US executives say AI risk is under control, against 7% of the practitioners running it day-to-day. Across 1,000 IT professionals in the UK and US, AI adoption has outpaced security controls by roughly two to one.

Heimdal today published The State of AI Risk Management in 2026, a survey of 1,000 IT professionals across the United Kingdom and the United States.

The report’s headline finding is a divide inside the same organizations: the closer a person sits to the day-to-day running of AI, the less confident they are that the risk is contained. In the US, 29% of C-suite and VP respondents say their organization has AI risk under control, against 7% of the mid-level practitioners managing it.

In the UK, the gap runs the same way, 18% to 11%. Both gaps are statistically significant.

AI tools are already present across most IT estates, and most teams run several at once.

The controls have not kept pace. Across both markets, the report finds adoption has outrun security controls by roughly two to one.

The survey also records a counterintuitive pattern: the teams that see their AI use most clearly are the most concerned about it, not the least.

Heimdal’s report describes visibility as the diagnosis rather than the cure.

In an incident publicly disclosed in January 2026, the acting director of CISA, the United States cybersecurity agency, uploaded documents marked “For Official Use Only” to public ChatGPT in mid-2025.

The agency’s own monitoring flagged the activity within a week, but the use policy had not prevented it.

“Misplaced confidence is one of the most dangerous things in security. This data shows executives are far more confident that AI risk is under control than the evidence supports. Most of the conversation right now is about productivity, when the bigger question is how AI can be turned against the business. The report shows the gap between how secure leaders feel and how secure they actually are,” said Adam Pilton, Cybersecurity Advisor at Heimdal.

Independent security researcher Rafay Baloch, CEO and Founder of REDSECLABS, added: “The risk that concerns me most is not AI itself but the blind spots it can create. When teams use AI tools without clear oversight, sensitive information, intellectual property, and business data can end up in places leaders never intended. Many organizations believe having an AI policy means they are prepared, but a policy alone does not create visibility. The companies seeing the best results are not the ones trying to restrict AI. They are the o