A year ago, 17% of organizations reported zero insider incidents. Today, that number has fallen to just 10%. At the same time, the share of enterprises experiencing more than 20 insider incidents annually has doubled. Insider risk is no longer an occasional investigation; it has become a sustained operational burden that most organizations are not structurally equipped to address.
Investment and awareness both increased, but neither has kept pace with how fundamentally the operating environment has changed—or with the sheer volume of insider activity organizations now face. Access expanded faster than governance could follow. Data spread into cloud apps and collaboration platforms. AI assistants began operating inside email, calendar systems, and internal documents, often without security visibility into what they touched or what they did with what they found.
The underlying failure is architectural. Trust and access models that worked in smaller, more contained environments were never designed to scale under current conditions. AI exposed that fragility and compressed the margin for error faster than legacy controls can adapt. What followed is a steady expansion of ways for mistakes, misuse, and inherited access to become breaches.
To understand how organizations are navigating this shift, we surveyed 725 IT and cybersecurity professionals. The findings reveal a clear inflection point: insider risk programs are being forced to evolve from identifying rare bad actors to managing continuous risk across people, data, identities, and increasingly, machines.
