Report: 77% of security stacks now use AI

The 77% figure is less a headline about hype than a marker of how far AI has already moved into day-to-day security operations. Cloud Security Alliance’s “State of AI Cybersecurity 2026,” published April 2 and based on a survey of more than 1,500 CISOs, IT leaders, administrators and practitioners, said 77% of security stacks now include AI and that adoption is spreading across detection, response and workflow automation. What stands out in the same survey is the split between use and confidence. CSA said AI literacy and confidence in AI-powered defense have improved since last year, but governance remains unsettled. It also said 92% of organizations are concerned about the use of AI agents across the workforce and their impact on security. (cloudsecurityalliance.org) That matters because “AI in the security stack” is a broad category. In practice, it can mean copilots in the SOC, AI-assisted triage, automated detection tuning, LLM-based search and summarization, or agents that can take actions across identity, endpoint, cloud and ticketing systems. The risk profile changes sharply once systems move from assisting analysts to acting on their behalf. That distinction is reflected in current government guidance. (cloudsecurityalliance.org) CISA and international partners on May 1 published “Careful Adoption of Agentic AI Services,” warning that agentic systems can expand the attack surface, create privilege creep, produce behavioral misalignment and leave obscure event records. CISA said organizations should start with low-risk, non-sensitive use cases, avoid broad or unrestricted access, and account for agentic AI in their security model and risk posture from the outset. (cisa.gov) The UK National Cyber Security Centre reinforced that message on May 15 in a blog post titled “Thinking carefully before adopting agentic AI,” telling organizations to “walk before you run.” NCSC has also been publishing related AI guidance this spring, including material on vulnerability discovery and frontier-AI preparedness. The trust gap shows up in identity and visibility data as well. (cisa.gov) A CSA-Strata Identity survey published February 5 said 84% of organizations doubted they could pass a compliance audit focused on agent behavior or access controls, and only 18% said they were highly confident their current IAM systems could manage agent identities effectively. A separate CSA survey published April 21 said 82% of enterprises had unknown AI agents in their environments and 65% reported AI agent-related incidents in the past year. (ncsc.gov.uk) The reference to LOTL, or “living off the land,” adds another layer. CISA’s joint guidance on LOTL techniques, co-authored with the UK NCSC and other partners and published February 7, 2024, said attackers use legitimate tools and normal administrative activity to blend into victim environments and that many organizations still lack the detection capabilities needed to separate malicious behavior from legitimate use. The guidance drew on incident response activity at critical infrastructure organizations, including compromises linked to Volt Typhoon. (cloudsecurityalliance.org) In an AI-agent context, that warning is easy to see: the more privileges, tools and internal access an agent gets, the more its actions can resemble trusted activity unless logging, identity controls and approval boundaries are built in. That is an inference from the published guidance and survey findings, not a direct quote from either agency. (cisa.gov) The next documents to watch are the underlying CSA report and the CISA-NCSC guidance set already in circulation. As of May 22, 2026, the most concrete public references are CSA’s April 2 survey, CISA’s May 1 agentic AI guide, and NCSC’s May 15 follow-on guidance for adopters. (cloudsecurityalliance.org) (cisa.gov)