A new report warns that artificial intelligence is quickly becoming what it calls the “new insider threat,” and many companies are not ready.
According to the 2026 Thales Data Threat Report, nearly half of sensitive cloud data, 47%, remains unencrypted, even as AI systems gain broader access to corporate information.
AI ranked as top data security risk in 2026 report
The study, conducted by S&P Global 451 Research, surveyed 3,120 security and IT professionals worldwide. It found that 70% of organizations now rank AI as their top data security risk. The concern is less about rogue AI systems and more about how much trust companies are placing in them.
“Insider risk is no longer just about people. It is also about automated systems that have been trusted too quickly. When identity governance, access policies, or encryption are weak, AI can amplify those weaknesses across environments far faster than any human ever could,” said Sébastien Cano, senior vice president of cyber security products at Thales.
As AI tools move into workflows, analytics, and customer service systems, they are often given wide access to enterprise data, sometimes with fewer controls than human employees.
Nearly half of sensitive cloud data remains unencrypted
The report highlights significant blind spots in basic data management. Only 34% of organizations say they know where all their data resides, and just 39% can fully classify it.
At the same time, encryption coverage remains inconsistent.
Thales found that 47% of sensitive cloud data is still unencrypted. That leaves companies relying heavily on access controls in environments where data can be copied and processed at scale.
Identity systems are now a prime target. Credential theft was cited by 67% of respondents as the leading attack technique against cloud infrastructure.
Meanwhile, 52% identified identity and access management as their most pressing security discipline.
Deepfakes, AI impersonation fuel rising cyber incidents
The report also shows attackers are using AI just as aggressively. Nearly 60% of companies report experiencing deepfake-driven incidents, and 48% report reputational damage from AI-generated misinformation or impersonation campaigns.
Human error continues to play a role, contributing to 28% of breaches. With automation layered on top, small mistakes can spread more quickly and widely.
Most organizations lack dedicated AI security budgets
While the threats are evolving at machine speed, the money is moving at a crawl. Only 30% of companies have a dedicated budget for AI security.
The majority (53%) are still trying to fight 2026’s automated threats with old-school security programs designed for human users and office perimeters.
“As AI becomes deeply embedded into enterprise operations, continuous data visibility and protection are no longer optional,” said Eric Hanselman, chief analyst at S&P Global 451 Research. “Organizations must treat data security strategy as foundational to innovation, not separate from it.”
The report concludes that AI is not replacing existing threats; it is accelerating them. And unless companies strengthen encryption, identity governance, and data visibility, the newest trusted systems within the enterprise may become its most powerful risk multipliers.





