HackerOne Research Reveals “AI Security Gap”: 89% of Organizations that Lack Testing Report More Frequent AI-Related Attacks
New survey of security leaders finds AI adoption is outpacing security coverage, compounding enterprise risk
SAN FRANCISCO — March 12, 2026 — HackerOne today released new research identifying what it calls the “AI Security Gap”—a growing disconnect between rapid AI deployment and formal security testing coverage.
As AI adoption continues to accelerate, nearly all respondents (94%) report operating more AI/ML systems than a year ago. Yet only 66% say they formally test 61% or more of their AI/ML systems, creating a 28-point AI Security Gap. For organizations operating in that gap, 89% of security leaders reported AI-related attacks or vulnerabilities in the past year.
For security leaders, the AI Security Gap is not just a coverage issue. Those operating in the gap have 70% higher annual remediation costs than those who test nearly all their AI systems.
“AI systems are dynamic, evolving with every model update, integration, and data connection — and the same is true of modern digital systems overall,” said Kara Sprague, CEO of HackerOne. “As systems become more interconnected and adaptive, risk evolves in real time. Periodic testing assumed stability. Today’s reality requires continuous testing so leaders can detect change, identify what’s exploitable, and mitigate risk before it materializes.”
The findings are based on a survey of over 300 security leaders across six countries and highlight structural trends shaping AI risk exposure:
- AI Risk Compounds as Deployments Scale: Organizations expanding from a small AI footprint (two systems) to a larger footprint (8–10 systems) experienced 82% more attack types reported and 2.4× higher attack costs. As AI systems integrate with APIs, tools, and enterprise data sources, exposure can increase disproportionately, especially when testing does not scale alongside deployment.
- Testing Coverage is Not Keeping Pace: 94% of organizations added AI/ML systems in the past year, yet only 66% formally test 61% or more of their systems. Across all respondents, 84% experienced at least one AI-related attack or vulnerability in the past 12 months. Organizations testing 91% or more of their AI systems are 16% less likely to report an AI-related incident than organizations with lower coverage, demonstrating that coverage reduces likelihood.
- Shadow AI Remains a Material Blind Spot: Only 55% of organizations report that they fully track unsanctioned or “shadow” AI usage, limiting visibility into how AI tools are being adopted across the enterprise. When employees independently integrate AI into daily workflows, unmanaged use expands the attack surface, introducing governance and compliance risks.
“Organizations keep adding AI systems without thinking about the blast radius,” said Luke Stephens, security researcher. “These aren’t sandboxed toys. They’re hooked into real data, real APIs, real decision-making. When something goes wrong, it doesn’t stay contained. The cost data in this report reflects what I’ve been seeing in the wild: the longer you wait to test, the more expensive it gets to fix.”
As AI systems move into production and regulatory scrutiny intensifies, boards and executive teams are demanding clearer evidence of oversight. Continuous testing is becoming not just a security best practice, but a governance requirement.
The research highlights a structural reality: AI risk compounds with each integration. When testing fails to keep pace, organizations lose visibility into what is truly exploitable. Closing the AI Security Gap requires embedding continuous security into how AI systems are built, deployed, and governed.
Methodology
HackerOne surveyed more than 300 security leaders between January and February 2026. Respondents were screened to ensure they oversee or contribute to tracking, managing, or testing their organization’s AI/ML systems. Participants represented organizations with $250M+ in revenue across the United States, Canada, the United Kingdom, Australia, Singapore, and Germany, spanning multiple industries.
For more information, download the full research report, Closing the AI Security Gap: Containing Risk Before It Scales.
About HackerOne
HackerOne is a global leader in Continuous Threat Exposure Management (CTEM). The HackerOne Platform unites agentic AI solutions with the ingenuity of the world’s largest community of security researchers to continuously discover, validate, prioritize, and remediate exposures across code, cloud, and AI systems. Through solutions like bug bounty, vulnerability disclosure, agentic pentesting, AI red teaming, and code security, HackerOne delivers measurable, continuous reduction of cyber risk for enterprises. Industry leaders, including Anthropic, Crypto.com, General Motors, Goldman Sachs, Lufthansa, Uber, UK Ministry of Defence, and the U.S. Department of Defense, trust HackerOne to safeguard their digital ecosystems. HackerOne was recognized in Gartner’s Emerging Tech Impact Radar: AI Cybersecurity Ecosystem report for its leadership in AI Security Testing and has been named a Most Loved Workplace for Young Professionals (2024).