Half of enterprise security professionals now spend as much time, or more, on stakeholder coordination, ticket assignment and SLA tracking as they do on technical risk analysis, according to Seemplicity’s 2026 State of Exposure Management report.
The report, based on a survey of 300 U.S.-based cybersecurity and IT professionals, describes a widening gap between finding exposures and actually closing them.
It finds that the discrepancy is driven in part by the volume of incoming alerts. Seemplicity found 54% of organizations face a high or very high monthly volume of findings, while 61% said more than a quarter of their findings remain unresolved and 26% said more than half remain open.
The report says visibility has improved, but remediation velocity has not kept pace.
Automation routes findings but not ownership
That backlog persists even where workflow automation is widespread. Seemplicity found 66% of leaders said routing findings to the right remediation owner is fully or mostly automated, yet only 50% said their teams spend more time on risk analysis than on coordination.
Among organizations with fully automated routing, 78% said they spend more time on analysis than on remediation coordination.
This split becomes sharper at the ownership stage. Seemplicity found only 18% of organizations determine remediation ownership automatically, while 59% still assign ownership collaboratively between security and fixing teams and 13% assign it manually through the security team.
NIST SP 800-40 Rev. 4 defines enterprise patch management as identifying, prioritizing, acquiring, installing and verifying patches, and recommends an enterprise strategy that simplifies and operationalizes patching while improving risk reduction.
Confident in prioritization, inconsistent on process
The report also points to a gap between confidence in prioritization and process consistency. Seemplicity found 68% of respondents said they have a clearly defined and consistently used prioritization process, and 95% said they are very or somewhat confident that remediation focuses on findings that materially reduce risk.
Yet the top inputs remain dispersed across business criticality at 55%, severity scoring such as CVSS at 52%, threat intelligence at 50%, likelihood of exploitation at 44% and compliance or audit requirements at 41%, while only 20% cited engineering capacity as a top-three factor.
CISA says organizations should use its Known Exploited Vulnerabilities (KEV) catalog as an input to their vulnerability-management prioritization framework and prioritize timely remediation of KEV-listed flaws.
AI is in the workflow but trust is conditional
While AI adoption is high, its role remains largely advisory. Seemplicity found 88% of organizations use AI in exposure management in some capacity, including 47% that actively use it to influence remediation decisions and 41% that use it in limited or experimental ways.
Trust remains lower than adoption: 80% said they fully or mostly trust AI-driven recommendations, but only 31% said they fully trust them, rising to 34% among active AI users.
The data also shows a gap between reporting confidence and process maturity. Seemplicity found 94% of respondents said they are confident in their ability to explain exposure-management progress in business terms, but only 57% said their processes are well-defined and consistently followed across the organization.
The same report found the most common KPIs remain time to remediation at 67%, number of findings identified at 66% and number of findings remediated at 66%, while changes in exposure or risk over time rank fourth at 62%.
NIST and CISA also emphasize prioritization, operationalization and timely remediation in adjacent parts of the vulnerability-management workflow. The report concludes that bridging the gap will require a shift from manual ownership to integrated engineering workflows.