Middle Market Companies Race to Adopt AI Without Strong Cybersecurity Measures
A recent report by RSM US LLP finds that middle market companies are adopting artificial intelligence (AI) faster than they are establishing the governance frameworks and cybersecurity measures needed to manage it. This trend has widened a gap in risk management, even though many executives express strong confidence in their existing cybersecurity strategies.
The RSM report, part of the Middle Market Business Index (MMBI), highlights the alarming disconnect between the rapid deployment of AI technologies and the maturity of governance structures designed to manage the associated risks. According to Daniel Gabriel, a principal at RSM, many organizations are rushing towards AI without a clear plan or governance model to guide their efforts. This moment presents a critical juncture; companies can either continue to react to risks as they surface or proactively implement strategies for secure AI adoption.
Growing Security Risks Amid AI Adoption
Notably, the report identifies troubling statistics regarding cybersecurity threats within the middle market segment. Nearly 25% of organizations reported experiencing a ransomware attack or demand in the past year, and 18% faced data breaches. Despite these alarming figures, 96% of the executives surveyed expressed confidence in their cybersecurity posture, illustrating a concerning gap between perceived security and actual vulnerabilities.
The survey, conducted among 501 middle market executives from January 6 to January 30, 2026, shows that while AI usage is increasing, governance remains in its infancy. Only 35% of executives stated they were using formal AI governance frameworks, leaving structured oversight well behind current adoption.
Instead of formal frameworks, many organizations are leaning towards staff training on responsible AI use (51%) and implementing inconsistent controls. The data suggests a rise in awareness concerning AI governance; however, the structures remain fragmented and poorly enforced. As businesses leverage generative and automated AI tools across various functions, the absence of robust AI-centric security measures has resulted in increased exposure to so-called “shadow AI,” where employees utilize unmonitored AI tools outside of sanctioned security protocols.
Identity Management: An Often Overlooked Priority
The report outlines a critical imbalance in cybersecurity priorities. Many organizations have concentrated their investments on detection and response (39%), cloud security (36%), and broader risk management strategies (35%). Only 23% have deemed digital identity management a priority. This oversight is concerning: identity-based attacks are among the most common vectors for ransomware and breaches, and identity management plays a crucial role in safeguarding AI platforms.
Omer Arshed, a partner with RSM Canada, warns that the infusion of AI may amplify existing identity management risks. Weak or poorly governed identity controls can rapidly escalate risks as AI tools become more integrated. Organizations still have a narrow window to strengthen their identity management systems before the expansion of AI increases their exposure.
Financial Constraints Impact Cybersecurity Investments
Although 81% of executives indicated plans to increase cybersecurity spending in the upcoming year, that is a notable decrease from 91% the prior year. Economic pressures seem to be tempering investment growth, even as cyber threats intensify. A shift in funding management is also evident, with responsibility increasingly falling to the chief technology officer (43%), followed by the chief financial officer (37%) and the chief information security officer (34%). This reflects a growing integration of cybersecurity into broader business strategies, potentially leading to competition for funds within larger transformation projects.
Outsourcing Cybersecurity: Relying on External Expertise
Many middle market firms continue to turn to third-party providers for crucial cybersecurity functions, allowing internal teams to focus on digital transformation initiatives. Commonly outsourced services include cloud security management (50%), security awareness training (44%), security operations center services (43%), and risk and compliance management (41%). This reliance on external providers highlights that, while internal capabilities are expanding, there remains a dependency on specialized expertise for sustained security operations.
Bridging the Confidence-Control Gap
The key message from the MMBI Cybersecurity Special Report underscores a prevalent theme: while confidence in cybersecurity is on the rise across the middle market, governance maturity and technical security measures are lagging significantly behind the swift acceleration of AI adoption and the growing sophistication of cyber threats.
As organizations integrate AI more deeply into their operations, the gaps in identity management, governance frameworks, and security controls are poised to become even more critical. Attackers are increasingly capable of leveraging automation and AI-enabled strategies to amplify and accelerate their attacks, raising the stakes for middle market companies. The time for action is now; companies must prioritize secure AI practices and governance structures to mitigate risks before it’s too late.
About RSM US LLP
RSM US LLP is dedicated to empowering middle market firms around the world, helping them navigate change successfully. As a leading provider of assurance, tax, and consulting services, RSM supports organizations that are pivotal to global commerce and economic growth. With a global footprint extending to over 120 countries, RSM is equipped to deliver relevant insights and innovative solutions tailored to meet the complex challenges of today’s business environment.