Purple Book Community and ArmorCode Survey Flags Shadow AI, AI-Generated Code Risks
2026-3-23 13:35:16 Author: securityboulevard.com

RSAC 2026 coverage: The Purple Book Community (PBC), in partnership with ArmorCode, released its State of AI Risk Management 2026 report on Monday, based on a survey of more than 650 senior enterprise cybersecurity leaders in North America and Europe.

The report points to a governance gap as organizations operationalize AI faster than security programs can keep up. According to the survey, 90% of enterprises said they have visibility into their AI footprint, but 59% confirmed or suspected “shadow AI” in their environments. The findings suggest employees are using unsanctioned AI tools or deploying agentic AI systems outside established monitoring and governance processes.

The research also ties AI-assisted development to production risk. Seventy percent of respondents said they have confirmed or suspected vulnerabilities introduced by AI-generated code in production systems, and 73% said AI-assisted development is increasing software velocity beyond the pace security teams can review.

“The greatest AI security threat isn’t what organizations can’t see, it’s what they can see but can’t govern fast enough to stop,” said Sangram Dash, PBC Charter Member and CISO and VP of IT at Sisense.

PBC’s executive chair LingRaj Patil said the data shows security leaders expressing confidence in AI governance while reporting outcomes that contradict that confidence. “This is the defining challenge of AI risk management in 2026: closing the gap between perception and reality,” Patil said.

ArmorCode Chief Security and Trust Officer Karthik Swarnam framed the problem as operational ownership and execution. “Visibility into AI is improving, but the volume and speed of change are outpacing how teams actually operate,” he said.


Article source: https://securityboulevard.com/2026/03/purple-book-community-and-armorcode-survey-flags-shadow-ai-ai-generated-code-risks/