Blog Industry Research December 9, 2025 4 min read

81% of Leaders Say GenAI Is Moving Faster Than Their Risk Management

Cohesity surveyed 3,200 IT and security decision-makers across 11 countries. The cyberattacks are material, the financial fallout is public, and the AI risk gap is widening.

By the AuthorityGate Architect Team

Cohesity's fourth annual Global Cyber Resilience Report - Risk-Ready or Risk-Exposed: The Cyber Resilience Divide, published in November - surveyed 3,200 IT and security decision-makers across 11 countries, all at organizations with more than 1,000 employees. The headline number is that 76 percent experienced at least one material cyberattack. The word to notice in that sentence is "material." It is a finance word, and finance is where this report spends most of its time.

The fallout does not stay in the SOC Share of organizations reporting each consequence, Cohesity 2025
Faced legal, regulatory, or compliance consequences
92%
Lost revenue
87%
Lost customers
42%

Legal consequences, lost revenue, lost customers. Those are not security metrics. They are the line items a board asks about, which is exactly the point: the cyberattack has completed its migration from an IT incident to a financial event.

Cyberattacks are now earnings events

The report's most striking finding is how directly attacks now reach the numbers companies report to their investors. Among public companies that were attacked, 70 percent adjusted earnings or financial guidance afterward, and 68 percent saw stock price impacts. Private firms felt it differently but no less structurally: 73 percent redirected budgets away from innovation to deal with the aftermath.

The course corrections reach the investor call Share of public or private companies, as labeled, Cohesity 2025
Private: redirected budget away from innovation
73%
Public: adjusted earnings or financial guidance
70%
Public: saw stock price impacts
68%

When seven in ten public victims are restating guidance, change control stops being an operational preference and becomes a fiduciary one. Whatever touches production - a config push, a patch, an agent's action - is now, in a very literal sense, touching the share price.

The admission in the data

Which makes the report's other headline number remarkable, because it is a confession. Cohesity asked IT leaders how their risk management is keeping up with generative AI, and 81 percent said it is not:

The gap leaders admit to IT leaders who say GenAI is advancing faster than their risk management capabilities
0% of 3,200 IT and security decision-makers surveyed
050100

81 percent of IT leaders say GenAI is outrunning their risk management. That is not a technology gap. It is an accountability gap.

A sleek high-speed train blurs past a small rural station platform where a lone station master holds up a paper signal flag
GenAI in the enterprise, per its own operators: the train is moving faster than the signaling system built to control it.

The answer is not slower AI

The tempting read of that 81 percent is that organizations should pump the brakes on GenAI until risk management catches up. That is the wrong lesson, and most leaders know it - the competitive cost of freezing adoption is real, and the 73 percent of private firms already cannibalizing their innovation budgets after attacks show what falling behind costs. The gap does not close by making AI slower. It closes by making every AI-driven change accountable before it lands.

That is a solvable engineering problem. An AI agent proposing a change is fine; an AI agent landing a change that nobody validated is how a material attack, or a material outage, gets a head start. The augmented model keeps the speed and removes the blind spot: the AI proposes, validation gates verify the change against policy and score its risk, and the consequential ones stop at a named human before production. Risk management stops chasing GenAI and starts standing in front of it.

The AuthorityGate take

Cohesity sells data resilience, so read its resilience report with the catalog in mind. But the two halves of this survey indict each other in a way no vendor spin can soften. Half of it documents that attacks now produce guidance adjustments, stock impacts, and legal consequences. The other half documents that the people responsible admit their risk controls cannot keep pace with the fastest-moving change source in their environment. Boards will eventually connect those halves; better that you connect them first.

Our position is that the connection point is the change itself. Every change - human, pipeline, or AI - should pass a validation pipeline before it takes effect, so that "GenAI moves fast" and "someone is accountable" stop being opposites. The 81 percent are describing a race they set up to lose: capabilities on one side, a policy binder on the other. Put a gate on the track and the race ends.

Three thousand two hundred decision-makers, in aggregate, just told the market that the financial consequences of ungoverned change are already on the income statement, and that the fastest source of new change is the one they govern least. That combination has a short shelf life. The organizations that fix it will do it deliberately, at the gate - not in the 8-K after the incident.

Share this post: LinkedIn

Go deeper

Every agent action, validated before it takes effect

AuthorityGate's newsletter breaks down real AI incidents and the governance failures behind them. Our configurable 8-gate validation model is how organizations keep a named human accountable for what their AI actually does.