First-of-its-kind global assessment of AI and cybersecurity maturity finds organizations consistently score highest in identifying risks and lowest in taking action to reduce them across both NIST CSF 2.0 and AI RMF 1.0.
[Herzliya, Israel] — June 9, 2026 — Cye, a leader in cyber exposure management, today released its 2026 Global AI and Cyber Maturity Report. As AI rapidly transforms enterprise operations and cyber risk, this year's annual report expands for the first time to measure organizations’ maturity and readiness to adopt AI alongside their overall cybersecurity maturity.
The analysis found that across both cyber maturity and AI risk maturity, organizations are significantly better at identifying and governing risks than taking action to reduce them. The pattern was consistent across both maturity assessments. The lowest scores were concentrated in the functions responsible for putting risk management into practice - Protect in NIST CSF 2.0 and Manage in AI RMF 1.0 - highlighting a persistent gap between risk awareness and risk reduction.
The findings are particularly significant in the context of AI's rapid adoption and growing influence on enterprise risk. While Gartner forecasts worldwide AI spending will reach $2.59 trillion in 2026, the findings suggest that organizations are making faster progress in AI adoption and governance than in operationalizing AI risk management, according to NIST AI RMF 1.0 framework.
This gap can create a false sense of security, where organizations assume AI risks are being managed because governance frameworks are in place, despite having limited visibility into how AI is being used across the enterprise. As Shadow AI and autonomous AI agents proliferate, the gap between AI governance and operational control is emerging as a defining challenge of enterprise security in 2026 - the AI Maturity Gap.
“AI is inheriting cybersecurity's oldest problem: the gap between policy and action,” said Reuven Aronashvili, founder and CEO of Cye. “The challenge is no longer understanding the risks. It's about accurately identifying which risks may disrupt the business or operations, and determining the specific action to take. That requires operationalizing controls and processes, remediating when needed and at times deciding to do nothing. As AI adoption accelerates, addressing that gap between policy and action will become a defining factor in organizational resilience.”
Drawing on year-over-year maturity data, the 2026 global report provides visibility into where maturity is improving, where critical gaps persist, and emerging risks are creating new challenges for organizations. Key findings observed in the report include:
Organizations Can't Keep Pace with Their Own AI Policies: While Govern was the highest-scoring AI RMF function, Manage ranked lowest at 2.22, highlighting a growing gap between AI governance efforts and the controls, response capabilities and oversight needed to reduce AI-related risk.
Shadow AI Exposure Has Reached Critical Levels: Shadow AI exposure remains unacceptably high across many sectors, reaching 71% in transportation and 62% in energy, compared with just 5% in financial services, revealing stark differences in organizations' ability to govern and control AI use.
AI is Accelerating Cybersecurity's Biggest Challenge: The lowest maturity scores in both frameworks were concentrated in the functions responsible for reducing risk in practice - Protect in NIST CSF 2.0 and Manage in AI RMF 1.0 - revealing a common gap between risk awareness and risk reduction that is now being amplified by AI adoption.
Regulatory Deadlines Are Driving Measurable Security Gains: Switzerland recorded the largest year-over-year maturity improvement following the implementation of new cyber reporting and operational resilience requirements. Similar gains in the U.S., U.K. and Spain suggest that enforceable regulatory deadlines are accelerating cybersecurity maturity across regulated markets.
Even the Most Mature Organizations Struggle to Execute: Financial services led overall maturity rankings, yet Protect remained its weakest NIST CSF function, demonstrating that strong governance and regulatory oversight do not automatically translate into effective risk reduction.
“In this year’s assessment, nearly every organization had findings explicitly tied to AI systems,” said Dr. Nimrod Partush, Chief Innovation and AI Scientist at Cye. “The challenge is not whether organizations understand AI risk, because most do. As threat actors use AI to significantly reduce the time to exploit vulnerabilities, the critical failing is the speed of action. Organizations need to move from awareness to execution, and that starts with knowing which AI risks create the greatest business exposure and which actions will reduce that risk fastest.”
The report was carried out by the company’s world-class data scientists. The latest edition now covers 21 countries and 2,400+ National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) function scores, up from 17 countries and 1,500 function scores in 2025. For the first time, Cye also expanded its benchmark study to examine AI risk maturity and Shadow AI exposure, aligned to NIST AI Risk Management Framework (AI RMF) 1.0.
Download the full Global Cybersecurity Maturity Report today to get the actionable intelligence you need to redefine your cyber maturity.
About Cye
Cye is an AI‑native exposure management platform that reveals real‑world exploitability and quantifies business impact. Cye enables organizations to prioritize and take the right action—remediate, mitigate, or accept risk—with clarity and confidence amidst the dynamic threat landscape.