CFOtech UK - Technology news for CFOs & financial decision-makers
Wavestone finds AI security gap as cyber attacks rise

Wed, 24th Jun 2026
Sofiah Nichole Salivio, News Editor

Wavestone has published its seventh annual Cyber Benchmark of large organisations, finding a wide gap between AI security policy and protection against AI-specific attacks.

The consultancy assessed more than 200 large organisations representing nearly 7 million employees against the NIST CSF v2.0 and ISO 27001 cybersecurity standards. Average cybersecurity maturity reached 55.3%, up 1.3 points from the previous year, though year-on-year progress slowed.

The report comes as the UK faces a higher volume of serious cyber incidents. According to the National Cyber Security Centre, the country is now experiencing four nationally significant cyber attacks each week, more than double the level recorded a year earlier.

AI emerged as the clearest weakness. While 76% of organisations surveyed have a dedicated AI security policy, only 10% have deployed defences against attacks aimed specifically at AI systems, including prompt injection.

That leaves a large gulf between governance and operational readiness as companies adopt AI tools more widely. The benchmark warns that attackers are using AI to automate phishing and refine attack methods, increasing pressure on organisations that have set rules but not deployed technical safeguards.

Dedicated teams focused on AI incidents also remain uncommon. The study describes the emergence of such teams as an early trend, reflecting the need for organisations to build more specific responses to AI-related risks.

Regulation effect

The strongest results came from sectors with heavier regulatory obligations. Finance recorded cybersecurity maturity of 67.6%, up 5.1 points, which Wavestone linked to rules such as the Digital Operational Resilience Act and continued spending on security.

Elsewhere, progress was weaker. The gap between regulated and non-regulated sectors reached 8.8 points and widened by 2.1 points, while non-regulated organisations showed no significant improvement.

The findings also suggest that compliance with the European Union's NIS 2 framework remains difficult even for large organisations. None of those assessed could yet meet NIS 2 requirements fully and sustainably, and average maturity against those requirements stood at 60%.

This has relevance in the UK as lawmakers consider the Cyber Security and Resilience Bill. The benchmark indicates that a substantial compliance gap remains at a time when regulatory expectations are rising alongside the threat level.

Slower progress

The overall increase in average maturity was modest compared with the scale of the threats identified in the report. For businesses, that suggests security improvements are continuing, but not at a pace that matches changes in the attack environment.

Wavestone's methodology covered large organisations across sectors and used internationally recognised standards as the basis for assessment. The overall picture is one of uneven preparedness, with some industries pushed forward by regulation while others lag behind.

The contrast is especially sharp in AI security, where written policy is moving faster than practical controls. As more organisations use generative AI in internal systems and customer-facing services, that gap may become harder to defend.

Florian Pouchet, Partner and Head of Cybersecurity and Operational Resilience at Wavestone, commented on the findings.

"The threat environment is changing faster than most organisations can adapt. Geopolitical tensions and AI-powered attacks are intensifying precisely as regulatory pressure mounts. What the benchmark tells us is that the market knows this. The next step is to accelerate security measures," said Pouchet.