TL;DR: More than 700 security professionals report that 90% of organisations experienced an insider incident in the past year, 94% say AI is increasing exposure, and 54% report confirmed or suspected AI-related insider incidents, according to Gurucul's 2026 Insider Risk Report. The lesson is that insider risk has shifted from isolated events to continuous, cross-domain identity behaviour that legacy monitoring is not built to contain.
NHIMG editorial — based on content published by Gurucul: 2026 Insider Risk Report on AI and insider threat
By the numbers:
- 90% of organizations experienced at least one insider incident in the past 12 months.
- 94% of organizations say AI adoption is increasing their insider risk exposure.
- 53% of organizations say insider attacks are harder to detect than external cyber threats.
Questions worth separating out
Q: How should security teams govern AI tools that behave like insiders?
A: Treat AI tools as governed identities whenever they can access data, trigger actions, or influence workflows.
Q: Why do insider risk programmes struggle with AI-driven activity?
A: They were designed for stable users and discrete events, not for delegated, fast-moving activity that can blend into normal work.
Q: What signals show that insider risk controls are not keeping pace with AI adoption?
A: Look for tool fragmentation, weak cross-system correlation, slow containment, and high reliance on manual triage.
Practitioner guidance
- Unify identity telemetry across users, machines, and AI tools Correlate authentication, workflow, data access, and behavioural logs so insider-risk analysts can follow a single chain of activity across systems.
- Classify AI tools as insider-risk subjects with named owners Assign business and technical ownership to every AI system that can act inside enterprise workflows.
- Extend access review to delegated and non-human access paths Review not only employee entitlements but also service accounts, tokens, copilots, and workflow automations that inherit authority from a human sponsor.
What's in the full report
Gurucul's full report covers the survey detail this post intentionally leaves for the source:
- Breakdowns of insider-risk perceptions across 700-plus IT and cybersecurity professionals by response maturity.
- The full set of reported AI-related insider risk findings, including the 45% and 88% classifications of AI as an insider risk subject.
- Detailed ROI framing for the AI Insider Threat Agent, including the reported 83% return figure for teams using it.
- The report's supporting commentary from Gurucul and Cybersecurity Insiders on continuous insider risk and machine-speed response.
👉 Read Gurucul's 2026 Insider Risk Report on AI as a new insider threat →
AI as an insider threat: what security teams need to rethink?
Explore further
AI has become an insider-risk subject, not just an enabler of insider-risk operations. The report's framing is directionally right because AI systems now sit inside email, documents, and workflows with delegated authority. That changes insider-risk governance from monitoring people to governing behaviour across identity types. Practitioners should treat AI activity as part of the insider surface, not as a separate analytics problem.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
A question worth separating out:
Q: Who should be accountable for AI-related insider incidents?
A: Accountability should sit with the teams that own the identity, the workflow, and the data the AI can reach. If no one can revoke access, interpret behaviour, or approve exceptions, the programme has a governance gap rather than an alerting problem.
👉 Read our full editorial: AI as an insider threat is exposing gaps in risk models