AI adoption has outpaced the architecture built to govern it
Across the enterprise world, a quiet but consequential divide has emerged between ambition and capability: organizations have rewritten their security strategies for the age of artificial intelligence, yet fewer than one in three possess the architecture to act on those strategies. Check Point's 2026 Cloud Security Report places a number on this dissonance — 51 points — and in doing so names a vulnerability that is less technical than it is structural. As AI reshapes how systems communicate, how data moves, and how attackers operate, the distance between what institutions intend and what they can actually defend grows into a liability of its own.
- Attackers are already exploiting the gap — 78% of organizations suffered confirmed or suspected AI-related security incidents in the past year, as criminals weaponize AI to accelerate phishing, generate malware, and strike with unprecedented speed.
- The complexity is compounding daily: 88% of enterprises say AI has made their security operations harder to manage, with fragmented policies, hybrid workloads, and autonomous AI agents creating threats that existing architectures were never designed to handle.
- Visibility has become the critical missing ingredient — more than three-quarters of companies either know they've been hit or simply cannot tell, because they lack the monitoring tools to distinguish a breach from background noise.
- Security teams are being consumed by false signals: 71% are overwhelmed by false positives from web application firewalls, while only 24% can inspect AI traffic without slowing their own systems down.
- A new frontier of risk has arrived in the form of non-human identities — AI agents, APIs, and automated processes — which 48% of organizations now flag as a primary concern, yet most have no coherent governance framework to address them.
- The emerging answer points toward unified hybrid mesh security architectures and runtime protection built into the foundation — not layered on afterward — but the path from recognition to implementation remains the defining challenge.
A significant gap has opened between what companies say they are doing about AI security and what they are actually equipped to do. Check Point Software Technologies released its 2026 Cloud Security Report this spring, revealing that while 77% of organizations have adjusted their security strategies to account for AI, only 26% have the architecture in place to execute those strategies. That 51-point chasm between intention and capability is the report's central finding.
The problem is not simply one of timing. AI is transforming how cloud environments operate — how applications communicate, how users interact with systems, and how attackers find their way in. Criminals are now deploying AI-powered tools to run faster, more sophisticated phishing campaigns and generate malware at scale. The consequences are already visible: 78% of organizations reported confirmed or suspected AI-related security incidents over the past year, and an additional 24% cannot determine whether they have been compromised at all, because they lack the visibility to know.
Operationally, the strain is mounting. Eighty-eight percent of companies say AI has increased the complexity of their security environments. Half of all AI workloads now span hybrid infrastructures, yet 64% of those organizations acknowledge their architecture requires a complete redesign to handle them. Only 24% can inspect AI traffic without degrading performance. Meanwhile, 71% of security teams are drowning in false positives, burning time and attention on noise rather than genuine threats.
Access control has become a particular blind spot. Twenty-four percent of organizations have no specific controls for AI systems whatsoever, and the rise of non-human identities — AI agents, APIs, automated processes — has introduced a class of risk that 48% of companies now name as a primary concern. These are not users logging in with passwords; they are autonomous systems making decisions and moving data, largely ungoverned.
Check Point's Paul Barbosa framed the challenge directly: AI adoption has outpaced the architecture built to govern it. The solution, he argued, requires security embedded from the foundation — not added afterward — with visibility and enforcement at every layer where AI workloads operate. Until that infrastructure catches up, the gap between strategic intent and operational reality will remain an open liability.
A gap has opened up between what companies say they're doing about artificial intelligence in their cloud systems and what they're actually capable of doing. Check Point Software Technologies, a major cybersecurity firm, released its 2026 Cloud Security Report this spring and found something troubling at the heart of enterprise operations: 77 percent of organizations have adjusted their security strategies to account for AI, but only 26 percent say they have the actual architecture in place to make those strategies work. That 51-point chasm between intention and capability is the real story.
The problem runs deeper than simple lag time. AI is fundamentally changing how cloud environments operate—how users interact with systems, how applications communicate with each other, and crucially, how attackers find their way in. Criminals are now building AI-powered tools to accelerate phishing campaigns, generate malware, and execute attacks with increasing sophistication and speed. The damage is already measurable: 78 percent of organizations reported confirmed or suspected security incidents tied to AI over the past year.
Yet visibility into these threats remains fragmented. More than three-quarters of companies have either experienced an AI-related security incident or cannot determine whether they have, because they lack the visibility to know. An additional 54 percent have confirmed incidents; another 24 percent simply cannot tell. The uncertainty itself is a vulnerability.
The operational reality is becoming unwieldy. Eighty-eight percent of companies say AI has increased the complexity of their security operations. Sixty-seven percent report fragmented policies across their infrastructure. Half of all AI workloads now span hybrid environments—on-premises and cloud mixed together—yet 64 percent of those organizations admit their architecture needs a complete redesign to handle it. Only 24 percent can fully inspect AI traffic without degrading system performance. Meanwhile, 71 percent are drowning in false positives from their web application firewalls, burning through security teams' time and attention on noise.
Access control has become a particular blind spot. Twenty-four percent of organizations have no specific access controls for AI systems at all. Only 16 percent apply controls consistently across their entire environment. And the emergence of non-human identities—AI agents, APIs, automated processes—has created a new class of risk that 48 percent of companies now cite as a primary concern. These aren't users logging in with passwords. They're autonomous systems making decisions and moving data, and most organizations have no clear way to govern them.
Paul Barbosa, Check Point's vice president of cloud security and SASE, framed the problem plainly: AI adoption has outpaced the architecture built to govern it. Agents are operating inside live systems. Data flows through external AI services. Most enterprises lack the visibility and enforcement mechanisms to keep pace. The solution, he argued, requires security woven into the foundation from the start—not bolted on afterward. It means visibility, control, and protection at every layer where AI workloads operate: infrastructure, across cloud platforms, and especially at runtime, where decisions are actually being made.
What emerges from the data is a picture of organizations caught between two worlds. They understand they need to move fast with AI. They've made strategic commitments to do so. But the infrastructure to secure those commitments—the architecture, the tools, the policies, the visibility—hasn't caught up. Until it does, the gap between what companies intend and what they can actually protect will remain a liability.
Citas Notables
AI adoption has outpaced the architecture built to govern it. Agents are operating inside live systems, data flows through external AI services, and most enterprises lack the visibility and enforcement to keep pace.— Paul Barbosa, VP of Cloud Security and SASE at Check Point Software
La Conversación del Hearth Otra perspectiva de la historia
Why does the gap between strategy and capability matter so much? Couldn't companies just catch up over time?
Because attackers aren't waiting. They're already weaponizing AI. The 78 percent of companies that experienced incidents last year—that's not a future problem. It's happening now, in the gap.
So the real issue isn't that companies don't understand the threat?
No, they understand it. Seventy-seven percent have changed their strategies. The issue is that understanding doesn't translate to infrastructure. You can't retrofit security into a system that's already running live AI agents and moving data through external services.
What about the companies that do have the architecture in place? What are they doing differently?
The report doesn't name them, but the implication is clear: they're building security in from the foundation, not adding it later. They have visibility at every layer—infrastructure, cloud, runtime. Most companies don't.
This hybrid mesh network security approach Check Point mentions—is that the answer?
It's a direction. But the real answer is simpler and harder: you have to slow down enough to build right. Most companies are trying to move fast and secure simultaneously, and they're failing at both.
What happens to the companies that don't close this gap?
They stay in that 78 percent. Confirmed incidents, suspected incidents, or worse—incidents they never see because they lack visibility. The uncertainty itself becomes a business risk.