Executive Summary

A research report from AXIS Capital has exposed a critical disconnect between executive leadership and security leadership on the topic of Artificial Intelligence (AI). The survey of 500 leaders in the U.S. and U.K. found that CEOs are significantly more optimistic about AI's ability to strengthen cybersecurity, while CISOs are more cautious, focusing on the new and unprecedented risks AI creates. This perception gap poses a strategic risk to organizations, potentially leading to inadequate resource allocation for securing AI systems and a false sense of security at the board level.

Regulatory Details

The survey, published January 20, 2026, provides several key data points illustrating the divide:

• Confidence Gap: Nearly one-third (30%) of CISOs are not confident that AI will strengthen their company's cybersecurity, compared to just 19.5% of CEOs.
• Trust in Tools: 67% of CEOs trust AI tools to help them make cybersecurity decisions, while only 59% of CISOs share that trust.
• Transatlantic Differences: The optimism is more pronounced in the U.S., where 88% of CEOs believe AI will make their companies more secure, versus only 55% of their U.K. counterparts.
• Investment vs. Headcount: Despite the risks, nearly 82% of all respondents plan to increase cybersecurity budgets. However, a concerning 75.2% stated they are likely to reduce cybersecurity headcount due to expected productivity gains from AI.

Affected Organizations

This issue affects all organizations across every industry that are adopting or planning to adopt AI technologies. The divide is particularly acute in sectors that are early adopters of AI for core business functions. The findings are relevant for boards of directors, executive leadership teams, and security departments in the U.S. and the U.K.

Compliance Requirements

While not a formal regulation, the survey highlights emerging risk areas that will likely become subject to future compliance and governance frameworks. Key risks and concerns voiced by CISOs include:

• AI-Driven Attacks: Identified as the top emerging threat, including advanced ransomware and deepfakes.
• Data Leakage: The risk of sensitive corporate data being exposed through interactions with public or poorly secured AI models.
• Model Manipulation: Adversarial attacks designed to poison training data or manipulate model outputs to achieve malicious ends.

Impact Assessment

The primary impact of this CEO-CISO disconnect is strategic misalignment. If CEOs push for rapid AI adoption without fully appreciating the risks articulated by CISOs, organizations may deploy insecure AI systems, underfund necessary security controls, and create new, unmonitored attack surfaces. The plan to reduce security headcount based on anticipated AI productivity is particularly alarming, as human expertise is more critical than ever to manage the complexity and novelty of AI-related threats. This could lead to a net decrease in security posture despite increased technology spending.

Enforcement & Penalties

While there are no direct penalties for a perception gap, the consequences will manifest as increased successful cyberattacks. Regulatory bodies are beginning to focus on AI security, and a failure to demonstrate due diligence in securing AI systems could lead to significant fines under existing data protection laws (e.g., GDPR) if an AI-related breach occurs.

Compliance Guidance

To bridge this gap, organizations should take the following steps:

1. Establish an AI Governance Committee: Create a cross-functional team including the CEO, CISO, legal, and data science leaders to jointly assess AI opportunities and risks.
2. Conduct AI-Specific Risk Assessments: Move beyond general cyber risk assessments. CISOs should lead technical deep dives into each AI use case, mapping out potential attack vectors like prompt injection, data poisoning, and model inversion.
3. Translate Technical Risk into Business Impact: CISOs must articulate AI risks in terms of financial loss, reputational damage, and regulatory penalties. Use tabletop exercises with the executive team to simulate an AI-driven attack.
4. Invest in Human Expertise: Instead of planning headcount reductions, organizations should invest in upskilling security teams in AI security, data science, and machine learning. The focus should be on augmenting human analysts with AI tools, not replacing them.