
The CISO role has become one of the few executive positions where a bad day can end in a personal lawsuit, and CISO personal liability anxiety is now the defining pressure of the job. Three-quarters of the world’s security chiefs now say they worry about personal legal exposure for incidents on their watch, up from just over half a year ago. Oxford Economics and Splunk, a Cisco Company, surveyed 650 Chief Information Security Officers (CISOs) across nine countries between July and August 2025, and the result is the 2026 CISO Report: a clear picture of a role that has grown faster than most people holding it can absorb.
- 96% of CISOs now own AI governance and risk management across their enterprises, up from a minority position just two years ago, and that mandate came without a corresponding budget increase or headcount expansion at most organizations.
- 98% of security teams are overwhelmed by high alert volumes, and nearly two-thirds are experiencing moderate to significant burnout, which makes the liability jump especially consequential: exhausted teams in legally exposed roles are making decisions under conditions no liability framework was designed for.
- Despite the AI wave, only 1% of CISOs see technology investment as the primary solution to talent gaps; the other 99% are betting on people: upskilling, new hires, and contractors, because agentic AI alone cannot handle threat hunting or strategic defense.
- 92% say AI enables more security events to be reviewed, yet 86% fear it will make social engineering attacks more sophisticated: the AI paradox every CISO now has to navigate.
How CISO Personal Liability Became the Third Rail of the Expanding Role
When Oxford Economics first ran this survey, just over half of respondents worried about personal liability for incidents. The 2026 edition shows that figure has crossed three-quarters. Enforcement agencies and civil litigants have pursued individual security executives after high-profile breaches, and CISOs are watching.
The liability fear sits inside a role that has expanded on nearly every axis. 85% of CISOs now own DevSecOps. 67% are responsible for Internet of Things (IoT), Operational Technology (OT), and Industrial Control Systems (ICS) security integrations. Nearly four out of five say their role has become significantly more complex in the past year. The survey covered nine industry groups across ten countries.
Michael Fanning, CISO at Splunk, put it plainly: “We are not just managing technology. We are managing risk, talent, and the digital resilience that drives critical business outcomes.” We have followed the legal exposure arc in depth in our earlier coverage of CISO liability risk.
AI Governance Mandate Arrives Without the Authority to Match
The 96% AI governance figure is the report’s starkest scope finding, but the operationally consequential read is the gap it implies: nearly every CISO is now expected to shape AI policy, vet models, and ensure secure adoption, while the report also shows that 85% of CISOs identify bridging the cybersecurity knowledge gap within the C-suite as a foundational obstacle. They own the governance; they do not always own the room where those deployment decisions get made.
The AI adoption numbers reveal that split directly. 40% of CISOs use generative AI in their security functions today, while 39% are already exploring agentic AI. Among early agentic AI adopters, 39% strongly agree it has increased their teams’ reporting speed, more than double the rate of those still evaluating (18%). 92% say AI enables more security events to be reviewed; 89% report improved data correlation. These are real operational gains. But 86% fear agentic AI will increase the sophistication of social engineering attacks, and 83% cite hallucination impacts (missed alerts or false positives) as their greatest concern for agentic deployments. You now own AI governance AND the AI risk exposure — at the same desk, at the same time — and that double mandate compounds the CISO personal liability pressure sitting beneath both.
The AI governance maturity gap follows the same pattern across the industry: mandate outpaces structure. Oxford Economics and Splunk quantify how that gap feels operationally: 41% of CISOs cannot correlate security ROI to risk mitigation, so they are being asked to prove value with metrics they cannot yet produce at board-precision.
Three Moves That Address Liability Exposure Before the Next Incident
The report’s data points to a specific order: governance structure before the liability event, human capability before the AI co-pilot, risk language before the budget cycle. Each is a discrete move.
Document AI governance scope before any model goes to production – 96% ownership is meaningless without a governance artifact that proves scope was defined and the CISO was in the room. When the post-incident question is “who owned this,” verbal governance is no governance at all. Write down who owns what before any model ships — that written record is the only thing that turns abstract responsibility into demonstrable accountability when the review begins.
Build a dedicated security team for AI agents before the first agentic incident – 78% of CISOs have already done this; for the 22% who have not, the 86% social engineering concern and the 83% hallucination-concern figure define the exposure window. An agentic system without a human review layer is a CISO personal liability event waiting for a trigger. Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) will measure how fast the AI agent failure was caught.
Make burnout a board-level risk metric, not an HR footnote – 98% cite high alert volumes and 94% cite false alerts as top stressors; 65% of security teams show moderate to significant burnout. A burned-out team making threshold decisions under alert fatigue belongs in the same risk register as the AI governance gaps. Data-sharing obstacles compound the problem: 91% cite privacy concerns, 76% storage costs, 70% lack of shared data views, all preventing the consolidation that would reduce alert load. Three-quarters of those CISOs carry CISO personal liability exposure on top of the operational load, and the ones running on empty are the most exposed when the next incident arrives.
Join our LinkedIn group Information Security Community!











