Todd Moore | Global VP of Data Security Products at Thales
More About This Author >
Todd Moore | Global VP of Data Security Products at Thales
More About This Author >
Over the past year, I’ve watched AI move to operational reality across nearly every industry we work with. The conversation is no longer about whether AI will transform business. It already has.
What concerns me, and what this year’s Thales Data Threat Report confirms, is how profoundly it is transforming risk.
The report's findings send a clear message: AI has moved from an innovation driver to a primary security concern.
According to the report, 61% of organizations now cite AI as their top data security risk. At the same time, 70% of IT and security professionals say the pace of AI-driven transformation is their most significant security challenge.
AI is embedded in workflows, connected to cloud platforms, accessing sensitive data, and increasingly acting with autonomy. However, AI does not introduce entirely new weaknesses. It scales existing ones.
And security teams are struggling to keep up.
AI Is Acting Like a Trusted Insider
One of the most striking findings in this year’s report is how organizations are treating AI systems.
AI tools and agents are increasingly granted broad, automated access to enterprise data, often with fewer controls and less oversight than human users.
What stands out to me this year is how quickly AI has shifted from being viewed as a productivity enhancer to being treated like a trusted insider. Insider risk is no longer just about people. It now includes automated systems that are being trusted too quickly and often too broadly.
When identity governance, access policies, or data protections are weak, AI does not simply inherit those weaknesses; it amplifies them at machine speed.
Visibility and Encryption Gaps Are Exposing Organizations
This year’s findings highlight a troubling reality: many organizations lack foundational data visibility and protection.
- Only 34% know where all their data is stored
- Just 39% can fully classify their data
- 47% of sensitive cloud data remains unencrypted
As AI systems ingest, process, and act on enterprise information across cloud and SaaS environments, these visibility and encryption gaps create significant exposure.
AI increases data discoverability. Without strong data governance and encryption, that discoverability becomes a risk.
I firmly believe that organizations that succeed in this next phase will treat data security as an enabler of innovation, not a barrier.
Identity Has Become the Primary Attack Surface
As AI systems depend on API keys, tokens, and machine credentials, identity is emerging as the most critical control layer.
The report finds that identity and access management is now ranked as the top security skills priority, ahead of cloud and application security.
Credential theft was cited as the leading attack technique against cloud management infrastructure by 67% of organizations that experienced cloud attacks.
In an AI-driven environment, compromising identity is often the fastest route to sensitive data.
In my view, this shift elevates identity governance from a technical discipline to a board-level priority.
AI-Powered Threats Are Escalating Business Impact
Besides expanding internal risk, AI is reshaping external threats.
- Nearly 60% of organizations report experiencing deepfake-driven attacks
- 48% report reputational damage linked to AI-generated misinformation
AI-powered impersonation, misinformation, and automated attack techniques are increasing the speed, scale, and sophistication of cyber threats.
Security teams are no longer protecting infrastructure alone. They are protecting trust, brand integrity, and digital authenticity.
Investment Is Growing — But the Model Is Still Evolving
I’m encouraged to see organizations responding to these threats.
- 30% now allocate dedicated AI security budgets, up from 20% last year
- However, 53% are still relying on existing security funding models
The data makes one thing clear: continuous visibility, classification, and protection are no longer optional. They are foundational requirements for operating safely in an AI-driven environment.
The real problem is not investment; it’s inefficient investment. AI security cannot be treated as an add-on. It requires an architectural shift toward enterprise-wide visibility, strong encryption, identity governance, and data security posture management.
2026 is a Defining Year for Data Security
For me, the key takeaway of the 2026 Thales Data Threat Report is that it reveals a pivotal transition:
- AI is becoming a trusted insider.
- Identity is the primary attack surface.
- Data remains the ultimate target.
The organizations that succeed will be those that build security architectures designed for autonomous systems, not just human users.
We already know AI will continue to reshape business.
The real question is whether our security strategies are evolving at the same pace.
Download the 2026 Thales Data Threat Report
Explore the full findings, global insights, and expert analysis in the 2026 Thales Data Threat Report and discover how leading organizations are adapting their security strategies to manage AI-driven risk.