The machines meant to help you work faster may also be quietly exposing your most sensitive corporate data. That is one of the unsettling takeaways from the 2026 Thales Data Threat Report, a sweeping global study of more than 3,100 security and IT professionals across 20 countries, conducted by S&P Global Market Intelligence 451 Research. The findings paint a picture of an industry sprinting toward AI adoption while its security foundations quietly crack beneath it.
AI Has Become the New Insider Threat
For years, the biggest fear in cybersecurity was the rogue employee — someone with access who shouldn’t be trusted. Today, according to the Thales report, that role is increasingly being played by AI itself. As agentic AI tools — software that can act autonomously, browse files, write code, and make decisions — become mainstream in the enterprise, they are being granted sweeping access to company data with little oversight.
The numbers are striking. A third of enterprises already have embedded AI agents in use, and 73% expect to deploy them within the next 12 months. Yet only 34% of organizations have complete knowledge of where their own data is stored. Even fewer — just 39% — can classify it all. When an AI agent has broader visibility into your data than your own security team, the threat is already inside the building.
Cloud Is Still the Biggest Bullseye — And Getting Worse
For the third consecutive year, cloud-based assets swept the top three spots as the most targeted attack surfaces. Cloud storage (35%), SaaS applications (34%), and cloud management infrastructure (32%) remain the primary destinations for attackers. Meanwhile, the average organization now runs 89 SaaS applications and works across an average of 2.26 cloud providers — each new integration adding fresh entry points for bad actors.
Making matters worse, only 47% of sensitive data in the cloud is encrypted — a figure that has barely budged for years. More than half of organizations (53%) allow their cloud providers to control the encryption keys for the majority of their applications, effectively handing the keys to a third party.
Credential Theft Is Surging — And Executives Are Oblivious
The most common and growing attack method against cloud infrastructure is credential theft, cited by 67% of respondents. User credentials have jumped from eighth to fifth on the list of top attack targets in just one year. Identity data is climbing fast, too.
Here’s where the findings get politically awkward: 78% of C-suite executives reported their organization had experienced no breach — compared to just 57% of their own IT and security teams saying the same. That gap in perception has real consequences. When leadership believes everything is fine, security budgets stagnate, and investment in the right places doesn’t happen.
Deepfakes, Disinformation, and AI-Powered Attacks
The report also documents the rapid rise of AI as an offensive weapon. A striking 97% of all respondents reported some form of organizational harm from AI-generated false information — including deepfake business email scams, brand abuse, reputational damage, and even hiring fraud. Nearly 59% have encountered deepfake attacks, and 57% say AI-generated misinformation ranked as the second-fastest-growing attack category.
Security Is Drowning in Its Own Tools
Ironically, part of the problem is too much security — or at least too many tools. The average organization deploys seven separate tools for data protection and monitoring alone, with 77% using five or more. For AI security tools specifically, the average is 6 tools. Yet only 39% of respondents expressed high confidence in their understanding of the tools they already have.
This sprawl is fueling human error, which remains the single leading cause of data breaches at 28% — ahead of hacking, malware, and every other threat combined.
Quantum Risk: The Ticking Clock That Most Are Ignoring
The report also flags the emerging — and very real — threat of quantum computing. The top quantum concern, cited by 61% of respondents, is “harvest now, decrypt later” — the practice of stealing encrypted data today to decode it once quantum computers become powerful enough. Just 59% are even in the prototyping phase for post-quantum cryptographic defenses.
The Bottom Line
The 2026 Thales Data Threat Report is a clear-eyed dispatch from the front lines of enterprise security — and the message is urgent. AI adoption is accelerating faster than the security infrastructure built to contain it. Organizations that fail to classify their data, consolidate their tools, and take back control of their encryption keys are not just at risk. They may already be compromised — and simply don’t know it yet.
