Executives Say AI Risk Is Under Control. Their Practitioners Disagree by a Wide Margin.

Heimdal's State of AI Risk Management in 2026, drawn from 1,000 IT professionals surveyed across the UK and US, puts a number on the disconnect. In the US, 29% of C-suite and VP respondents say their organisation has AI risk under control. Among mid-level practitioners managing it, the figure is 7%. In the UK the split runs 18% to 11%.

The explanation is partly what visibility reveals. Among UK teams with full visibility into AI use, 56% flag data leakage as a top concern, compared with 27% of teams operating with none. In the US the corresponding figures are 59% against the lower baseline. Seeing more of the AI estate does not produce confidence — it produces concern.

The tooling is already embedded. ChatGPT runs in 72% of UK IT environments and 69% of US environments. Microsoft Copilot appears in 68% of UK estates and 59% of US ones. Despite that saturation, only around four in ten security teams rate their current stack as ready to handle AI-related risk. The most overloaded teams are also the most optimistic that AI will relieve that load: 59% of the most stretched US teams, and 55% of UK equivalents, expect AI to ease their workload.

The report includes a concrete example from the first weeks of 2026: the acting director of CISA, the US cybersecurity agency, uploaded documents marked For Official Use Only to public ChatGPT. The agency's own monitoring flagged it within a week. The use policy had not prevented it. Visibility was present. Control was not.

"Misplaced confidence is one of the most dangerous things in security. This data shows executives are far more confident that AI risk is under control than the evidence supports. Most of the conversation right now is about productivity, when the bigger question is how AI can be turned against the business. The report shows the gap between how secure leaders feel and how secure they actually are," said Adam Pilton, Cybersecurity Advisor at Heimdal.

Independent researcher Rafay Baloch, CEO and founder of REDSECLABS, put the operational implication plainly: "The risk that concerns me most is not AI itself but the blind spots it can create. When teams use AI tools without clear oversight, sensitive information, intellectual property, and business data can end up in places leaders never intended. Many organizations believe having an AI policy means they are prepared, but a policy alone does not create visibility. The companies seeing the best results are not the ones trying to restrict AI. They are the ones creating clear guardrails while helping employees use AI responsibly."

The survey was conducted via Pollfish from May 1 to 8, 2026, across 500 UK and 500 US IT professionals spanning six seniority tiers from entry-level through C-suite.
