AI drives cyber budgets yet remains first on the chop list
Cybersecurity budgets are rising sharply across large organisations, but a new multinational survey points to a widening gap between spending on artificial intelligence and the ability to justify that spending in business terms.
The study, commissioned by Exabeam and based on responses from 750 IT decision-makers responsible for security, found that 95% of organisations plan to increase cybersecurity budgets in 2026. Nearly three-quarters (74%) expect double-digit growth.
At the same time, the survey highlights a contradiction in how boards and executives view AI. Respondents cited AI as the top driver of budget increases, yet also named it as the first line item they would cut if budgets tightened.
AI spending paradox
AI and automation ranked first among reasons for increased cybersecurity spending (44%). Cloud infrastructure growth followed at 33%, and mainstream adoption of AI across the business ranked third at 32%.
That same 44% also said AI would be the first area cut if budgets tightened. Respondents also named AI as the hardest security investment to justify to business stakeholders (32%).
Exabeam Chief AI and Product Officer Steve Wilson said measurement approaches are not keeping pace with the rapid adoption of AI in security operations.
"Security leaders are getting mandates to invest in AI, but nobody's given them a way to prove it's working. You can't measure AI transformation with pre-AI metrics," Wilson said.
He added that security teams struggle to translate operational data into board-level evidence of reduced risk.
"The problem isn't that security teams lack data. They're drowning in it. The issue is they're tracking the wrong things and speaking a language the board doesn't understand. Those are the budgets that get cut first. The window to fix this is closing fast," Wilson said.
Boards and metrics
Security teams reported confidence in the value of their programmes, even as they described friction in the boardroom. Some 87% said they were confident their investments deliver business value. Yet 30% said their biggest challenge in defending spend is the board's limited understanding of how cyber investment supports business resilience.
Many respondents said they use formal measures of value, including quantified return on investment and outcome-based metrics. About 63% reported using quantified ROI, while 59% said they use outcome metrics.
The results suggest measurement alone is not resolving the debate. The report frames the issue as a mismatch between operational security indicators and the decision metrics boards use to evaluate investment and risk.
Exabeam Chief Information Security Officer Kevin Kirkwood said commonly used operational indicators can become less persuasive when AI is introduced into workflows.
"In AI-assisted environments, traditional metrics like mean time to resolution (MTTR) become almost automatic, so speed alone doesn't prove risk has been reduced," Kirkwood said.
"We need new ways to measure security effectiveness that actually show business impact, because boards don't fund faster ticket closure, they fund measurable risk reduction and business resilience. We have to show that we're not just responding quickly but eliminating and improving the conditions that allow incidents to happen in the first place," he said.
Technology versus headcount
The survey also points to a shift in where security budgets are going. More spending is being channelled into technology rather than staffing, which has historically absorbed a large share of security budgets.
The change reflects the growing role of AI and automation in day-to-day security operations. It also increases pressure on security leaders to show that tools reduce material risk, not just increase throughput.
Regional differences
Responses varied significantly by country, particularly on whether AI is already improving security operations. Saudi Arabia stood out, with 75% of respondents reporting that AI is already improving security operations.
Other markets reported lower perceived benefit: Japan at 27% and the Netherlands at 30%.
The survey linked these differences to organisational priorities. It attributed Saudi Arabia's stronger reported results to national digital transformation initiatives, while noting that European and Asian respondents place more emphasis on evaluation and workforce considerations before expanding deployments.
Accountability focus
The survey's central finding is that budget growth can raise expectations from boards and finance leaders. Larger allocations can also increase scrutiny over whether programmes deliver measurable reductions in business risk.
Security leaders reported pressure to invest in AI, while also struggling to link those investments to outcomes executives recognise as resilience and risk reduction. The report argues this tension may become harder to sustain if economic conditions tighten and boards begin looking for costs to cut.
Sapio Research conducted the survey in December 2025. It covered organisations with more than 500 employees across 12 countries: the UK, Ireland, France, Germany, the Netherlands, the US, Canada, India, Saudi Arabia, Singapore, Japan, and Australia. Respondents came from sectors including technology, financial services, manufacturing, healthcare, retail, telecommunications, and government.