Middle market companies are accelerating artificial intelligence (AI) adoption faster than they are building the governance, identity controls and cybersecurity frameworks needed to manage it, creating a widening risk gap even as executives report near-universal confidence in their defenses, according to RSM US LLP's latest Middle Market Business Index (MMBI): Cybersecurity Special Report 2026.

"Organizations are accelerating AI adoption, but many don't yet have a clear destination or a governance model to guide them," said Daniel Gabriel, principal with RSM US LLP. "This is a pivotal moment: companies can continue operating reactively and play catch-up as risks emerge, or they can be intentional about secure AI adoption now and put themselves in an advantageous position going forward."

In addition to deployment risks, threat actors are able to leverage AI to scale more quickly and deliver sophisticated attacks. Nearly one in four organizations reported a ransomware attack or demand in the past year and 18% experienced a data breach. Yet 96% of executives expressed confidence in their cybersecurity posture – highlighting a growing disconnect between perceived resilience and actual exposure.

The survey of 501 middle market executives that was fielded from Jan. 6 through Jan. 30, 2026, shows that AI adoption is advancing more quickly than governance maturity, with many organizations still replying on early-stage controls as they expand use of generative and automated AI tools across business functions.

AI Adoption Accelerating Faster Than Governance
Only 35% of executives report using formal AI governance frameworks, placing structured oversight well behind adoption trends across the middle market.

Instead, companies are primarily relying on staff training on responsible AI use (51%), alongside emerging but inconsistent controls such as data governance policies (46%), AI performance monitoring (46%), and defined roles and responsibilities for AI decision-making (44%). This indicates that while awareness is rising, governance structures remain fragmented and inconsistently enforced, and the implementation of AI-centered security controls are trailing far behind.

The MMBI Cybersecurity Special Report notes that this gap is contributing to increased exposure to "shadow AI," where employees use unauthorized or unmonitored AI tools outside formal security and compliance frameworks.

Identity Remains an Underweighted Risk Priority
The report highlights a persistent imbalance between cybersecurity investment priorities and evolving threat patterns.

Organizations continue to focus on detection and response (39%), cloud security (36%), and broader risk management functions (35%), yet only 23% prioritize digital identity management, despite identity-based attacks remaining one of the most common entry points for ransomware and breaches as well as a vital control point for securing AI-enabled platforms.

"AI use amplifies current state identity risk within an organization," said Omer Arshed, partner with RSM Canada. "If identity controls are weak or poorly governed, AI will scale that risk instantly. The middle market still has a window to mature identity controls now, before AI meaningfully expands the attack surface and drives higher cost, complexity and exposure."

Financial Pressure Slows Cybersecurity Investment Momentum
While 81% of respondents still plan to increase cybersecurity spending in the year ahead, this represents a decline from 91% last year, suggesting that economic pressure is beginning to temper investment growth even as threats continue to intensify.

Cybersecurity budget authority is also shifting. Funding is now most commonly managed by the chief technology officer (43%), followed by the chief financial officer (37%) and chief information security officer (34%), reflecting the growing integration of cybersecurity into enterprise financial and technology decision-making, with the potential to become a competing line item within broader business transformation initiatives.

Outsourcing Remains Central to Cybersecurity Operations
Middle market firms continue to rely heavily on external providers to execute key cybersecurity functions and refocus their internal teams on supporting value-generating digital transformation efforts.

The most commonly outsourced services include:

• Cloud security management (50%)
• Security awareness training (44%)
• Security operations center services (43%)
• Risk and compliance management (41%)

This suggests that while internal cybersecurity capabilities are expanding, most organizations still depend on third-party expertise for specialized or continuously monitored security functions.

A Widening Gap Between Confidence and Control
Across all segments of the middle market, the findings point to a consistent theme: cybersecurity confidence is rising, but governance maturity, as well as technical safeguards, are not keeping pace with the speed of AI adoption and the increasing sophistication of cyber threats.

As organizations expand AI use across core operations, the MMBI Cybersecurity Special Report cautions that gaps in identity management, governance frameworks, and control structures may become increasingly consequential, particularly as attackers leverage automation and AI-enabled techniques to scale and accelerate attacks.