Press Release

RSM’s Cybersecurity Special Report Finds Middle Market Racing Into AI Faster Than It Can Secure It

Photo of Cision PR Newswire Cision PR Newswire Send an email 23 seconds ago
0 5 minutes read

Confidence remains high even as ransomware, breaches and governance gaps persist

CHICAGO, May 13, 2026 /PRNewswire/ — Middle market companies are accelerating artificial intelligence (AI) adoption faster than they are building the governance, identity controls and cybersecurity frameworks needed to manage it, creating a widening risk gap even as executives report near-universal confidence in their defenses, according to RSM US LLP’s latest Middle Market Business Index (MMBI): Cybersecurity Special Report 2026.

“Organizations are accelerating AI adoption, but many don’t yet have a clear destination or a governance model to guide them,” said Daniel Gabriel, principal with RSM US LLP. “This is a pivotal moment: companies can continue operating reactively and play catch-up as risks emerge, or they can be intentional about secure AI adoption now and put themselves in an advantageous position going forward.”

In addition to deployment risks, threat actors are able to leverage AI to scale more quickly and deliver sophisticated attacks. Nearly one in four organizations reported a ransomware attack or demand in the past year and 18% experienced a data breach. Yet 96% of executives expressed confidence in their cybersecurity posture – highlighting a growing disconnect between perceived resilience and actual exposure.

The survey of 501 middle market executives that was fielded from Jan. 6 through Jan. 30, 2026, shows that AI adoption is advancing more quickly than governance maturity, with many organizations still replying on early-stage controls as they expand use of generative and automated AI tools across business functions.

AI Adoption Accelerating Faster Than Governance
Only 35% of executives report using formal AI governance frameworks, placing structured oversight well behind adoption trends across the middle market.

Instead, companies are primarily relying on staff training on responsible AI use (51%), alongside emerging but inconsistent controls such as data governance policies (46%), AI performance monitoring (46%), and defined roles and responsibilities for AI decision-making (44%). This indicates that while awareness is rising, governance structures remain fragmented and inconsistently enforced, and the implementation of AI-centered security controls are trailing far behind.

The MMBI Cybersecurity Special Report notes that this gap is contributing to increased exposure to “shadow AI,” where employees use unauthorized or unmonitored AI tools outside formal security and compliance frameworks.

Identity Remains an Underweighted Risk Priority
The report highlights a persistent imbalance between cybersecurity investment priorities and evolving threat patterns.

Organizations continue to focus on detection and response (39%), cloud security (36%), and broader risk management functions (35%), yet only 23% prioritize digital identity management, despite identity-based attacks remaining one of the most common entry points for ransomware and breaches as well as a vital control point for securing AI-enabled platforms.

“AI use amplifies current state identity risk within an organization,” said Omer Arshed, partner with RSM Canada. “If identity controls are weak or poorly governed, AI will scale that risk instantly. The middle market still has a window to mature identity controls now, before AI meaningfully expands the attack surface and drives higher cost, complexity and exposure.”

Financial Pressure Slows Cybersecurity Investment Momentum
While 81% of respondents still plan to increase cybersecurity spending in the year ahead, this represents a decline from 91% last year, suggesting that economic pressure is beginning to temper investment growth even as threats continue to intensify.

Cybersecurity budget authority is also shifting. Funding is now most commonly managed by the chief technology officer (43%), followed by the chief financial officer (37%) and chief information security officer (34%), reflecting the growing integration of cybersecurity into enterprise financial and technology decision-making, with the potential to become a competing line item within broader business transformation initiatives.

Outsourcing Remains Central to Cybersecurity Operations
Middle market firms continue to rely heavily on external providers to execute key cybersecurity functions and refocus their internal teams on supporting value-generating digital transformation efforts.

The most commonly outsourced services include:

  • Cloud security management (50%)
  • Security awareness training (44%)
  • Security operations center services (43%)
  • Risk and compliance management (41%)

This suggests that while internal cybersecurity capabilities are expanding, most organizations still depend on third-party expertise for specialized or continuously monitored security functions.

A Widening Gap Between Confidence and Control
Across all segments of the middle market, the findings point to a consistent theme: cybersecurity confidence is rising, but governance maturity, as well as technical safeguards, are not keeping pace with the speed of AI adoption and the increasing sophistication of cyber threats.

As organizations expand AI use across core operations, the MMBI Cybersecurity Special Report cautions that gaps in identity management, governance frameworks, and control structures may become increasingly consequential, particularly as attackers leverage automation and AI-enabled techniques to scale and accelerate attacks.

About the RSM US Middle Market Business Index 
The RSM US Middle Market Business Index (MMBI) is based on research of middle market firms conducted by Harris Poll, which began in the first quarter of 2015. The survey is conducted four times a year, in the first month of each quarter: January, April, July and October. The Panel is in transition to reflect RSM’s new definition of the US Middle Market. Panel members from smaller companies with revenue under $30M are being removed from the Panel through screening criteria in each quarterly survey. The Panel currently consists of approximately 400-500 active records who have conducted at least one survey in the past two years. 

Built in collaboration with Moody’s Analytics, the MMBI is borne out of the subset of questions in the survey that asks respondents to report the change in a variety of indicators. Respondents are asked a total of 20 questions patterned after those in other qualitative business surveys, such as those from the Institute of Supply Management and National Federation of Independent Businesses. 

The 20 questions relate to changes in various measures of their business, such as revenues, profits, capital expenditures, hiring, employee compensation, prices paid, prices received and inventories. There are also questions that pertain to the economy and outlook, as well as to credit availability and borrowing. For 10 of the questions, respondents are asked to report the change from the previous quarter; for the other 10 they are asked to state the likely direction of these same indicators six months ahead. 

The responses to each question are reported as diffusion indexes. The MMBI is a composite index computed as an equal weighted sum of the diffusion indexes for 10 survey questions plus 100 to keep the MMBI from becoming negative. A reading above 100 for the MMBI indicates that the middle market is generally expanding; below 100 indicates that it is generally contracting. The distance from 100 is indicative of the strength of the expansion or contraction. 

About RSM US LLP
RSM empowers middle market companies worldwide to take charge of change. The clients we serve are the engine of global commerce and economic growth. Our unique middle market perspective makes RSM the natural choice for growth-oriented, internationally active organizations seeking relevant insights and tailored, innovative solutions for a complex and changing world. With a global reach spanning more than 120 countries, we instill confidence in a world of change by bringing the full power of RSM to make a lasting impact on our clients, colleagues and communities. For more information, visit rsmus.com, like us on Facebook and/or connect with us on LinkedIn.

 

Cision View original content to download multimedia:https://www.prnewswire.com/news-releases/rsms-cybersecurity-special-report-finds-middle-market-racing-into-ai-faster-than-it-can-secure-it-302771060.html

SOURCE RSM US LLP

Author

Photo of Cision PR Newswire Cision PR Newswire Send an email 23 seconds ago
0 5 minutes read

Leave a Reply

Related Articles

Creatv Bio Opens CLIA-Certified Laboratory to Support Oncology Drug Development

7 seconds ago

Optical Quantum Computing Platform Market to Reach USD 29.64 Billion by 2030, Driven by Secure Quantum Communication Demand | Valuates Reports

49 seconds ago

Security Information and Event Management Market worth $13.67 billion by 2031 | MarketsandMarkets™

1 minute ago

eCurrency launches world’s first ISO 20022 compliant CBDC-to-RTGS implementation

1 minute ago
Back to top button