RSM US LLP announced on May 13 that middle market companies are implementing artificial intelligence at a rapid pace, outstripping the development of governance, identity controls, and cybersecurity frameworks necessary to manage these technologies. The findings come from RSM’s latest Middle Market Business Index (MMBI): Cybersecurity Special Report 2026.
The report highlights a significant risk gap as executives show high confidence in their defenses despite increasing threats. Nearly one in four organizations reported experiencing a ransomware attack or demand in the past year, and 18% faced data breaches. However, 96% of executives expressed confidence in their cybersecurity posture, suggesting a disconnect between perceived resilience and actual vulnerability.
According to the survey of 501 middle market executives conducted from Jan. 6 through Jan. 30, AI adoption is advancing more quickly than governance maturity. Only 35% of executives said they use formal AI governance frameworks. Instead, most rely on staff training for responsible AI use (51%) and inconsistent controls such as data governance policies (46%), performance monitoring (46%), and defined roles for decision-making (44%). The report notes this has led to increased exposure to “shadow AI,” where employees use unauthorized tools outside official security protocols.
The report also finds that digital identity management remains an underweighted priority among organizations despite being a common entry point for cyberattacks. While most companies focus investments on detection and response systems or cloud security, only about one in four prioritize digital identity management.
Financial pressures are starting to slow momentum for cybersecurity investment; while 81% plan increases in spending over the next year, this is down from last year’s figure of 91%. Budget authority is shifting towards chief technology officers but also involves chief financial officers and chief information security officers more frequently.
Outsourcing continues to play a central role in how firms manage cybersecurity operations as many rely on external providers for specialized services while focusing internal teams on supporting business transformation efforts. The report concludes that as AI adoption grows across core operations without matching advances in governance or technical safeguards, risks may increase—especially with attackers leveraging automation themselves.
