As artificial intelligence rapidly transforms corporate environments, a deeply concerning security gap is emerging: Organizations are eagerly welcoming automated systems into their internal networks without knowing where their sensitive information is hidden. According to the newly released Thales 2026 Data Threat Report, only 34% of organizations know where all their data resides, setting the stage for a massive security crisis as AI is given free rein to wander through enterprise systems.
The extensive research, conducted by S&P Global’s 451 Research and commissioned by Thales—a global technology leader in cybersecurity—highlights a troubling disconnect between rapid AI adoption and foundational data control. Across vital markets, including the automotive, energy, finance, and retail industries, businesses say the rapid pace of AI-driven transformation has become their greatest security challenge. As enterprises actively embed AI into their development pipelines, analytics, and customer service workflows, these automated systems are being granted broad access to enterprise data, frequently with fewer controls than those applied to human workers. Consequently, 61% of organizations now explicitly cite AI as their top data security risk.
The report comes after a week when a second viral essay about the dire consequences of AI that is a bit too autonomous has rattled markets. Citrini Research’s essay on a 2028 hellscape of “ghost GDP,” in which radical deflation from AI results in 10% unemployment and a 30%-plus stock correction, followed hot on the heels of AI executive Matt Shumer’s prediction that “something big” was happening in AI and the workforce wasn’t prepared. Although economists and even industry executives cautioned that this was excessive, software stocks have largely continued their selloff.
The core of the problem identified in the Thales report aligns with these fears, at least in part. It’s not necessarily about the threat of rogue, malicious AI born from external actors, but rather the unprecedented level of internal access being granted to these systems as they transition from mere external tools to highly trusted corporate insiders. Enterprises are eagerly embedding AI into their daily workflows, but as they do so, these automated systems are being granted broad access to vast troves of enterprise data, frequently operating with fewer security controls than those traditionally applied to human employees in a standard corporate environment.
Sébastien Cano, senior vice president of cybersecurity products at Thales, emphasized this alarming shift in corporate environments. “Insider risk is no longer just about people. It is also about automated systems that have been trusted too quickly,” Cano explained. He warned that when basic security measures like identity governance, access policies, or encryption are weak, “AI can amplify those weaknesses across corporate environments far faster than any human ever could.”
The research, based on a global survey of 3,120 respondents, was aimed at professionals in security and IT management, excluding respondents with companies having less thatn $100 million in annual revenue. They reported widening data visibility gaps across cloud infrastructures, with only 39% of companies having the ability to fully classify data, and nearly half (47%) of all sensitive cloud data remaining entirely unencrypted. Because these AI systems continuously ingest and act upon information across sprawling cloud and SaaS environments, it becomes incredibly difficult to enforce “least-privilege access”—the practice of granting only strictly necessary access rights to a system. If a machine’s credentials are compromised by a malicious actor, the resulting data exposure could be devastating.
Attackers are already exploiting these exact vulnerabilities. Credential theft is now the leading attack technique against cloud management infrastructure, cited by 67% of organizations that have experienced cloud attacks. Simultaneously, 50% of organizations rank secrets management as a top application security challenge, illustrating the immense, growing difficulty of governing machine identities, tokens, and API keys at scale.
Deepfakes, misinformation, and human error
While companies struggle to rein in their own internal AI systems, malicious actors are leveraging the same technology to launch increasingly sophisticated external attacks. Nearly 60% of companies report experiencing deepfake-driven incidents, and 48% have suffered reputational damage tied to AI-generated misinformation or impersonation campaigns. Furthermore, human error continues to contribute to 28% of data breaches; adding rapid automation into the mix means that small, everyday mistakes can now scale and spread wider than ever before.
Despite these escalating, automated threats, security investments are struggling to keep up with the pace of AI-driven access. Only 30% of companies surveyed have dedicated AI security budgets. The majority of organizations (53%) are still relying on traditional security budgets and programs built primarily for human users and perimeter-based defenses.
Industry experts emphasize that a fundamental paradigm shift is urgently required. “As AI becomes deeply embedded into enterprise operations, continuous data visibility and protection are no longer optional,” stated Eric Hanselman, chief analyst at S&P Global 451 Research. For businesses to innovate securely and prevent AI from becoming their newest and most dangerous insider threat, they must fundamentally rethink identity, encryption, and data visibility as the core foundation of their security infrastructure.
For this story, Fortune journalists used generative AI as a research tool. An editor verified the accuracy of the information before publishing.
