---
title: "78% Already Got Hit. Half Still Haven&#8217;t Funded the Fix."
description: "78% of organizations reported experiencing AI-related security incidents or identifying AI-related vulnerabilities. — DigiCert AI Trust Outlook I guess it's survey season in advance of Hacker..."
url: https://kaynemcgladrey.com/blog/78-already-got-hit-half-still-havent-funded-the-fix/
date: 2026-07-07
modified: 2026-07-07
author: "Kayne"
image: https://kaynemcgladrey.com/wp-content/uploads/2026/07/Business-people-at-work-with-papers.webp
categories: ["Blog"]
type: post
lang: en
---

# 78% Already Got Hit. Half Still Haven&#8217;t Funded the Fix.

![DigiCert Report 2026 Lead Image](https://kaynemcgladrey.com/wp-content/uploads/2026/07/BitDefender-Report-2026-Lead-Image-1024x433.webp)

> 78% of organizations reported experiencing AI-related security incidents or identifying AI-related vulnerabilities. — DigiCert AI Trust Outlook

I guess it’s survey season in advance of [Hacker Summer Camp](https://conferenceparties.com/hsc2026/) this August. This time it’s DigiCert, who’s surveyed more than a thousand IT and security leaders across the US, UK, and Australia for its [AI Trust Outlook](https://www.digicert.com/content/dam/digicert/pdfs/report/ai-trust-pulse.pdf). Never mind what they’re trying to sell you and look at what they found: 78% of organizations have already experienced AI-related security incidents or identified AI-related vulnerabilities, while only 21% reported none. That’s not a warning about what’s coming in some far-off future, it’s a damage report on what’s already happened.

According to the same DigiCert report, 75% of organizations deployed four or more AI-powered systems in the last six months, and 35% deployed more than ten. AI moved from pilot to production, while security’s still trying to figure out what’s running. Which sounds like every security project ever – you can add security provided that it doesn’t slow down the schedule, add costs, say “no”, or take anyone’s attention away from shipping ever faster.

DigiCert also found that 90% of organizations have discussed AI governance at the executive or board level, but only 50% have dedicated budgets and formal governance programs to back it up. That forty-point gap between awareness and action isn’t an accident or a staffing shortage. Why? It’s *still* incentives, and that’s been working against governance since long before AI was the buzzword of the decade.

Let’s consider quarterly or annual bonuses for people at work.

- Product teams get rewarded for shipping
- Engineering gets measured on velocity
- Sales gets paid on revenue

The DigiCert data contains a second problem that compounds the first: only 53% of organizations can fully trace AI decisions back to the models and source data that produced them. That means nearly half can’t answer the question every customer, executive, and regulator will ask when something goes wrong: “Why did it do that?” If the answer is “We don’t know,” trust breaks down immediately.

As for why that happens, nobody’s quarterly bonus depends on catching a model that’s making mistakes that cause business problems and reduce customer or supplier trust; the governance team that flags the problem gets called a “blocker” in the next all-hands. When you reward speed and penalize friction, the friction-reducers win, because governance, by definition, is friction. So governance is continuing to fight a losing battle.

This is where apologizers for their paper tigers will say that they have a “human in the loop”, like [California tried](https://kaynemcgladrey.com/blog/what-californias-ads-report-gets-wrong/). DigiCert found that 86% of organizations have formal or informal revocation processes for compromised AI systems, which sounds reassuring until you ask whether those are automated or require someone to schedule a meeting. A revocation process that depends on committee consensus while the system keeps running is paperwork, not protection.

The board picture doesn’t help much either. Based on [proxy statement analysis](https://insight.factset.com/second-highest-number-of-sp-500-companies-citing-ai-on-earnings-calls-over-past-10-years) I’ve [mentioned before](https://kaynemcgladrey.com/blog/11-of-cxos-say-theyre-ready-for-1661-ai-agents-im-sure-thats-fine/), only 1.6% of S&P 500 companies have explicit board oversight of AI, while just 13% have a director with AI expertise. According to research from Harvard Law School’s Forum on Corporate Governance, 32% of executives say boards are overstepping into management’s role, partly because of the higher expectations around cybersecurity and AI. But these same boards demanding AI velocity haven’t assigned anyone to supervise the blast radius. The Delaware Court of Chancery’s dismissal of the Marriott derivative suit reduced the need for actual governance; they’ll accept “flawed efforts” suffice as long as something is in place, which means companies can check boxes and face no liability when catastrophe strikes.

IBM and Oxford Economics, in their earlier 2026 [C-suite study of 2,000 CXOs](https://www.ibm.com/thought-leadership/institute-business-value/en-us/c-suite-study/cxo), found only 11% feel fully prepared for the agentic AI deployment expected in the next twelve months. The average enterprise apparently plans to add another 1,661 AI agents next year, a 38% jump, where each one makes hundreds or thousands of autonomous decisions daily (and some of those might not be the correct decision). Two-thirds of CIOs told IBM that business units are bypassing IT, and 70% say teams deploy technology faster than IT can track. DigiCert’s report confirmed the pattern: AI inventories sit at 59% to 68% globally. You can’t control what you can’t see, let alone handle securing it.

But the market’s already reacting. Insurers are excluding AI agent losses from coverage, and contracts are starting to require “AI circuit breakers.” Organizations relying on policy PDFs in SharePoint won’t survive the next breach investigation or multi-district litigation.

What companies need is automated governance with teeth, not nice dashboards or even more advisory councils. Specifically:

- **Hard thresholds** where an AI system auto-suspends when anomalous outputs spike or bias detection exceeds defined limits, shutting itself down without requiring a human to convene a meeting.
- **A single human with technical stop authority**, reporting outside the product chain, who can actually pull the plug. Not advisory, not consulted, but the person who presses the button.
- **Rollback capability** built into every deployment so someone can undo what the system just did.

The decision path should fit on one slide: threshold breached, system auto-suspends, named person in charge reviews, person in charge decides restart or withdrawal. No committee, no consensus process, no three-week risk assessment.

DigiCert’s 78% incident rate tells us the alarm bells are ringing, and half the organizations surveyed still haven’t decided if a fire department’s a good idea. The question isn’t whether AI creates value; it does. The question is whether anyone can stop it when it doesn’t. Right now, for most organizations, the answer is no.
