Middle-market companies are adopting AI faster than their cybersecurity programs are adapting, with only 35% of executives reporting formal AI governance frameworks even as 96% express confidence in their security measures, according to RSM US’ 2026 Middle Market Business Index Cybersecurity Special Report.
The survey was conducted by The Harris Poll on behalf of RSM and covered over 500 U.S. middle-market executives and over 100 Canadian executives. The firm defines the U.S. middle market as companies with annual revenue from $30 million to $10 billion.
For the second straight year, 18% of U.S. middle-market executives reported a data breach in the previous 12 months.
Midsize companies, with revenue between $250 million and $1 billion, reported the highest breach rate at 21%, while smaller firms with $30 million to less than $250 million in revenue reported 16%. In Canada, one quarter of surveyed executives reported a breach.
The scale of the ransomware threat
Ransomware remains part of that exposure, as RSM found that 24% of surveyed middle-market companies experienced at least one ransomware attack or demand in the past year, with larger companies reporting a 30% rate compared with 20% among smaller counterparts.
Rich Servillas, a director at RSM US LLP, said many incidents still involve “exposed edge devices,” firewall gaps, VPN issues and multifactor authentication weaknesses.
RSM’s report contrasts high confidence with lower adoption of several core controls. Respondents said their top cybersecurity priorities were detection and response at 39%, securing the cloud at 36% and strategy and risk management at 35%.
Digital identity was prioritized by 23%, which RSM described as a missed opportunity to focus on what human and nonhuman users can access.
Similarly, Google Cloud’s H1 2026 Threat Horizons report said Mandiant incident response and threat defense engagements from the second half of 2025 found identity issues were exploited for initial access in 83% of incidents involving major cloud and SaaS-hosted environments.
Fortinet’s 2026 Global Threat Landscape Report also said most confirmed cloud incidents in 2025 originated from stolen, exposed or misused credentials rather than infrastructure exploitation.
Alden Hutchison, a principal at RSM US LLP, explained that “most threat actors don’t break in. They log in.”
RSM linked that access problem to AI adoption, noting that companies are still debating whether AI tools should carry their own identities and permissions or inherit access from the users operating them.
Training outpaces formal AI governance
RSM’s AI findings show more training than governance. While 51% of executives reported staff training on responsible AI use, fewer reported data governance policies or AI performance monitoring, both at 46%, and defined roles for AI decision-making at 44%. Formal AI governance frameworks were reported by 35%.
NIST’s AI Risk Management Framework treats governance as a cross-cutting function across the AI lifecycle, alongside mapping, measuring and managing AI risks. RSM’s data suggests many middle-market companies are still relying on early controls while AI tools spread across business functions.
Macroeconomic pressures cool budget growth
Budget growth is also slowing. RSM found that 81% of respondents plan to increase cybersecurity spending in the coming year, down from 91% last year. RSM said companies are reevaluating cybersecurity spending as they navigate tariff expenses, rising energy costs and geopolitical business complexity.