Executive Summary
The CISO holds a double position no other executive holds. AI is the newest risk the security function has to govern, and it is also the only realistic way to scale the team that governs it. This report reads both sides of that position from inside the room.
The market frames the squeeze. The agentic AI security market is forecast to grow from $1.65 billion in 2026 to $13.52 billion by 2032, a 42 percent compound annual rate (MarketsandMarkets). Bessemer has called securing AI agents the defining cybersecurity challenge of 2026. Yet the budget underneath that challenge is not growing to meet it: security budget growth slowed to 4 percent in 2025, the lowest rate in five years, security's share of IT spend fell from 11.9 percent to 10.9 percent, and 89 percent of security teams describe themselves as stretched thin or understaffed (IANS Research and Artico Search, 2025 Security Budget Benchmark, 587 CISOs). The demand curve belongs to the agents. The budget curve does not.
Our own rooms show the gap in the open. Asked the biggest AI security problem on their desk, 62 percent of the security-room respondents named securing AI agents and their access, well ahead of data leaking into AI models at 31 percent and shadow AI at 23 percent. Asked how AI security is funded, only 31 percent said it has its own budget line. Half fund it case by case or not at all. Among the ten security leaders inside that base, nine of ten have no dedicated line. These are early reads, base of 26, reported as directional with the base on the face of every figure, and they firm up edition over edition as the responses grow.
The seat gap compounds the problem. Inside companies, the CEO is the most named signer of AI purchases at 47 percent (base 87). From the outside, the founders selling in target the CIO or CTO at 43 percent and the business unit at 38 percent (base 92). Not one founder named security as their buyer. New AI enters the company through doors the CISO does not control, and the security function is asked to govern what it did not approve, on money it does not have.
That is the position this report measures. Its flagship metric, the CISO AI Leverage Index, reads the share of security leaders who say AI now lets the security function cover more surface without growing the team, the leverage question arriving in the one seat that also has to secure the leverage everyone else is buying.
The Answers We Have Now
This section is the data in hand. It is drawn from Open Future Forum event records across the twelve events in the July 2026 data pull. Invitation outreach that did not become an application is excluded from every count in this report; the figures count the people who applied. The figures are reported at the lane level, as rounded floors of distinct applicants, because the lane is the unit that matters. They describe demand and audience composition, not spend and not opinion. Opinion figures arrive in the Early Signal section, from the instrument questions embedded in the application flow.
The registration forms collect screening data (company, role, whether the registrant is a CISO or head of security). They are not opinion surveys. So these answers tell us who is being pulled toward which AI question, and in what numbers. Accurate verbs for this layer: convened, brought together, engaged.
Finding 1: The security lane is the smallest room in the pull, by design
The July 2026 pull spans twelve Open Future Forum events. Read at the lane level, as rounded floors of distinct applicants: more than 290 founders, more than 270 in the finance rooms, more than 250 in the engineering and data-agent rooms, more than 220 in marketing and growth, 70 in the security lane, and more than 30 investors.
Security is the smallest lane in the pull, and that is by design rather than by weakness. The CISO Roundtable series is an invitation-screened dinner, not an open panel, and it is kept deliberately small so the table stays peer level. Small is the format, not the demand: 70 distinct executives applied to a room built for a fraction of that. What the rest of this report shows is that the budget side of the lane is not keeping up with the demand side.
Finding 2: Fewer than half the screened security room are security leaders
Of the 70 who applied to the CISO Roundtable series, 66 answered the screening question on whether they are a CISO or head of security, and 28 said yes. The rest are the same mix the finance lane showed in the CFO edition: CEOs and founders selling into security, CTOs and CIOs who share the surface, investors reading the market, and advisors. So "70 applicants in the security lane" is defensible; "70 CISOs" would overstate it, and this report does not say it.
This composition is why the instrument is asked of security leaders and reported role-tagged, with the security-leader cut shown separately. The room is the honest unit. The operator read inside it is the one the Index tracks.
Finding 3: The deepest single room in the pull is an agent room in a regulated industry
The largest single event by applications in the July 2026 pull is not a title room and not a founder mixer. It is a use-case room: AI Agents for Fintech Engineering Teams, with 245 distinct applicants, more than any other event in the pull. The engineering and data-agent rooms together hold more than 250 distinct applicants.
Read from the security seat, that is demand data. The deepest self-selected demand in the network is for agents in the industry where the compliance and security bar is highest, which means the people deploying agents fastest are the ones working under the rules the CISO enforces. The governance conversation is already happening. It is just happening in rooms the security function does not yet run.
Finding 4: In our events, AI use case sorts the security room as much as title
The pattern the CFO edition carried as its softest thesis shows up in the security lane too. The rooms that recruit best are organized around a specific AI question rather than a title promise: the agents-for-fintech-engineering framing out-recruited every title room in the pull. This is a pattern in our own application data, not a proven shift at large, and the major security communities still group by role. We carry it as a local signal worth watching, and as one reason the Index reports by lane and role-tags the operator cut.
Three honesty notes on the counts
- Figures are rounded floors of distinct applicants, kept deliberately conservative. Invitation outreach that did not become an application is excluded from every count, and application is not attendance. Some executives apply to more than one event, so lane totals are floors rather than exact unique counts.
- The security events draw non-security titles too. Of the 66 applicants who answered the role question, 28 are security leaders. "70 applicants in the security lane" is defensible; an applicant count presented as a count of CISOs is not.
- "Surveyed" implies opinion collection. The registration counts are screening data. Accurate verbs: convened, brought together, engaged.
Defensible claim language, from the data in hand
- "The July 2026 Open Future Forum data pull spans twelve events, including 70 distinct applicants in the security lane and more than 250 in the engineering and data-agent rooms."
- "Of the 66 applicants in the Open Future Forum security lane who answered the role question, 28 are CISOs or heads of security."
- "The deepest single room in the Open Future Forum network in the July 2026 pull is an agent room: AI Agents for Fintech Engineering Teams, with 245 distinct applicants."
Early Signal from the Room
The instrument questions are live in the security lane, and the first answers are in. These are early reads on a small base at one event series, below this program's 40-response floor, so they are directional, shown in "we asked; this is what they said" form with the base on the face of every figure. A moving-market note applies here and is reported as a finding: the Executive AI Leverage Report published these questions on a base of 16 in July. The base has since grown to 26, and the movements are stated at each figure below.
The biggest AI security problem is the access the AI already has
Asked the biggest AI security problem on their desk right now, 62 percent of respondents named securing AI agents and their access, with data leaking into AI models at 31 percent, shadow AI, tools the organization uses without approval, at 23 percent, and attacks that use AI against the company last at 15 percent. Base of 26, any-mention, multiple selections allowed. As the base grew from 16 to 26, the agent-security share moved from 56 to 62 percent and shadow AI moved from 31 to 23 percent; the ordering held. The security seat is worried less about being attacked by AI than about the access the AI already deployed inside the company has. That is a governance problem before it is a threat problem, which is exactly where the funding question below lands.
The governance budget gap: the problem is named, the line is not funded
Asked how AI security is funded on their team right now, 31 percent said it has its own budget line. 35 percent fund it case by case with no dedicated funding, 19 percent carve it out of the existing security budget, and 15 percent have no AI security spend at all. Base of 26, single-select. Put the two reads together and the edition's lead finding falls out: 62 percent name securing AI agents as the top problem, and 69 percent have no dedicated budget line for AI security. Half the room governs production-grade AI on ad hoc money. As the base grew from 16 to 26, the dedicated-line share held at 31 percent while case-by-case funding rose from 25 to 35 percent, so the gap did not close as the base grew. It widened at the ad hoc end.
The security-leader cut: nine of ten without a line
Ten of the 26 respondents are security leaders, CISOs or heads of security by their own screening answer, and their cut is reported as counts because the base is small. On funding: one of ten has a dedicated AI security budget line, five fund it case by case, two carve it out of the existing security budget, and two have no AI security spend yet. Nine of ten security leaders have no dedicated line. On the biggest problem, the security leaders order it differently from the room: six of ten name data leaking into AI models, five name securing AI agents and their access, three name attacks that use AI, and three name shadow AI, any-mention. The operators closest to the controls worry first about what is leaving through the models, while the wider room worries about what the agents can reach. Both reads point at the same missing line item.
The instrument is live across the security, finance, marketing, founder, and investor rooms. The two security questions above continue to field at every security event, and the flagship CISO AI Leverage Index question, the governance-budget question, and the shadow AI inventory question enter the field at the next CISO Roundtable dinners. The next edition reports each on a larger base, filtered to security leaders, with percentages of those who answered. Read the figures in this edition as the first data points on a line we will track, not as settled numbers.
By the Numbers
The AI security shift, in the figures the market is citing in 2025 and 2026. External benchmarks are attributed to their sources. The Open Future Forum figures are early reads from our own rooms, with the base shown.
- $1.65 billion to $13.52 billion, the projected growth of the agentic AI security market from 2026 to 2032, a 42 percent compound annual rate (MarketsandMarkets).
- 4 percent, average security budget growth in 2025, the lowest rate in five years, down from 8 percent in 2024 (IANS Research and Artico Search, 2025 Security Budget Benchmark, 587 CISOs).
- 11.9 percent to 10.9 percent, the one-year fall in security's share of IT spend, breaking a five-year upward trend as AI and cloud absorb the growth (IANS Research and Artico Search).
- 89 percent of security teams describe themselves as stretched thin or understaffed (IANS Research and Artico Search).
- Roughly 95 percent of enterprise generative AI pilots produced no measurable profit-and-loss impact (MIT, The GenAI Divide, 2025).
- 17 percent to 42 percent, the one-year jump in the share of companies abandoning most of their AI initiatives (S&P Global Market Intelligence). Canceled agent projects leave their access behind, which is a security read no other seat has to make.
- More than 40 percent of agentic AI projects are expected to be canceled by the end of 2027 (Gartner). Every cancellation is a decommissioning job on the CISO's desk.
- $2.59 trillion, estimated global AI spending in 2026 (Gartner). The surface grows with the spend.
From our own rooms, early reads with the base shown:
- 62 percent of the security room names securing AI agents and their access as the biggest AI security problem on their desk (Open Future Forum, early read, base of 26, any-mention).
- 69 percent of the same room has no dedicated budget line for AI security, and nine of the ten security leaders inside the base have none (Open Future Forum, early read, bases of 26 and 10).
- Zero of 92 founders asked who owns the buying decision inside the companies they sell to named security or the CISO. They named the CIO or CTO at 43 percent and the business unit at 38 percent (Open Future Forum founder events, base of 92, any-mention).
The Thesis, in One Line
AI is the first technology the CISO must secure and deploy at the same time, and the budget to govern it arrived after the agents did. This report puts a measured number on that gap, from the room where it is being carried.
What the Security Seat Sees Across the C-Suite
Finance sees every AI budget, because every AI purchase crosses the CFO's desk for approval. Security sees every AI deployment, because every agent, model, and connection lands on the surface the CISO answers for, whether or not security approved it, funded it, or knew about it. That gives the security seat a view of the whole C-suite no other function has, and it is the view this section reads. These are read from the security side, not surveys of each function, and they are written that way on purpose.
The CEO
The most named signer of a new AI purchase in our finance rooms at 47 percent, base of 87, consistent with BCG's AI Radar 2026 finding that 72 percent of CEOs call themselves the main AI decision-maker. A moving-market note: the Executive AI Leverage Report published this read on a base of 76; the base has grown to 87 and the CEO share held at 47 percent. From the security seat the CEO is the source of deployment pace: the ambition is set at the top, the surface it creates lands at the bottom of the org chart, and the distance between the two is measured in unreviewed connections. The CISO who can state that distance as a number is the one whose budget requests get heard.
The CFO
The seat the CFO AI Leverage Report documented, and the seat this one reports to on funding. The finance lane is already deployed: 71 percent of the largest finance room runs Claude or another AI tool today, base of 185. That edition also found security is the AI line finance is most often asked to fund as net-new rather than reallocated, because the risk is new: the clearest necessity case and the least clean ROI. The governance budget gap in this edition is what that looks like from the security side. The necessity is agreed. The line item is not yet standing. When it stands, it crosses the CFO's desk as net-new, which is why the two lanes read each other.
The CIO or CTO
The door the market knocks on. Founders selling in name the CIO or CTO as the buyer at 43 percent, base of 92, more than any other seat. From the security seat that means the technology function admits most of the AI the security function later has to govern. The CIO buys the capability; the CISO inherits the access. The working relationship between the two seats now decides how much of the surface is known at deployment rather than discovered at audit.
The CMO
The furthest-along seat on agents in our rooms, and the one whose agents act in public. Marketing agents run in the brand's voice on customer data, which makes marketing the function where an agent failure is a headline rather than an incident report. The CMO edition found the go-to-market room asking, unprompted, for checks and balances for agents. That is the CISO's agenda in the CMO's own words, and it is why the marketing and security lanes increasingly share a table.
The CAIO or AI leader
The newest seat, and the one whose boundary with the CISO is still being drawn. Where a chief AI officer exists, the governance-ownership question is live: the CAIO owns AI capability and often AI policy, the CISO owns the surface the capability runs on, and agent identity and access sit exactly on the line between them. From the security seat the CAIO is an ally on inventory and a rival on ownership. Which one wins depends on who is accountable when an agent's access is the incident.
The board
Cyber is a standing board topic; AI governance is becoming one. From the security seat the board conversation has changed shape: the question is no longer whether the company is adopting AI but whether anyone can say, within bounds, how many AI systems are running and what they can reach. The CISO who brings an inventory number to the board owns that conversation. The one who cannot is describing someone else's deployment decisions.
Three seats outside the company, inside the same picture
The AI founder. The supply side, and the sharpest external read in this edition. Of the 92 founders asked who owns the buying decision inside the companies they sell to, not one named security or the CISO. They named the CIO or CTO at 43 percent, the business unit at 38 percent, and the CFO or finance at 20 percent. A moving-market note, reported as a finding: the Executive AI Leverage Report published this read on a base of 49, with the CIO or CTO at 47 percent and finance at 10; on the near-doubled base, the CIO share moved to 43 and the finance share doubled to 20. Finance is entering the founders' field of view. Security still is not. And of the 83 founders charging, roughly two thirds price on usage or outcomes, a read that held as the pricing base grew from 44 to 92.
The venture investor. Twenty investors in our own room answered who increasingly owns the AI buying decision across their portfolios: the CEO and the CIO or CTO tied at 8 mentions each, individual teams at 3, finance at 2, and 5 said it is too early to say. Base of 20, any-mention, directional. Nobody named security there either. The capital consensus for 2026 is concentration, more spend through fewer vendors, and from the security seat consolidation is the one trend that works in the CISO's favor: fewer vendors is a smaller surface.
The business-unit leader. The second door into the company, named by 38 percent of founders as their target and by 17 percent of our finance-room respondents as the internal signer. From the security seat the business unit is where shadow AI takes root, because it buys closest to the work and furthest from the inventory. The 23 percent of the security room naming shadow AI as the top problem is this seat's purchasing, read from the desk that has to find it later.
The Same View, by Industry
Industry sits underneath all of this, because a CISO at a bank and a CISO at a hospital govern very different AI. Open Future Forum does not yet run industry-specific security rooms, so this read is drawn from external benchmarks rather than our own data, and it is written as the security-seat view of where each sector's AI risk is going. The adoption figures are representative of 2026 cross-industry surveys and are attributed to McKinsey, Deloitte, and NVIDIA, consistent with the companion editions.
Financial services
Among the most adopted and best-proven AI industries, around 85 to 89 percent on Deloitte's numbers, and the most regulated surface in the economy. From the security seat this is the sector where AI governance had a head start, because model risk management existed before generative AI did. The gap is that the old frameworks were built for models that score, not agents that act, and extending them to agent access is the live work.
Technology and software
The highest adoption of any sector, around 92 percent, and the sector where the security team is outnumbered worst: the whole company builds, so the whole company deploys. Coding is the largest single line of raw AI spend, which from the security seat means the deepest agent penetration is in the function that touches the codebase. Agent access to source, build systems, and credentials is the defining exposure here.
Healthcare and life sciences
The fastest accelerator, climbing from roughly 38 percent adoption in 2024 to about 67 percent in 2026 as regulatory clarity arrived. From the security seat healthcare is the clearest case of governance gating deployment rather than following it: the compliance review runs first, so the shadow AI problem is smaller and the sanctioned-AI problem is better inventoried. The cost is speed, and the lesson travels: the sectors that gate on the way in audit less on the way out.
Manufacturing and industrials
Around half to two thirds of firms, with the cleanest cost-out case and the most physical surface. AI here touches operational technology: predictive maintenance, quality, supply chain. From the security seat the exposure is convergence, IT-grade agents reaching into OT-grade systems that were never built to authenticate software colleagues. The spend case is clean; the segmentation work is not.
Retail and consumer
Among the highest adopters of agentic AI, close to half of firms, with agents closest to the customer and the transaction. From the security seat retail is where agent failure is fraud rather than downtime: agents touch payments, pricing, and personal data at volume. The governance question arrives as a revenue-protection question, which, as the finance lane found, is the framing that gets funded fastest.
The pattern across all five is the one this report measures. Where the surface is regulated or touches money, AI governance gets funded early. Where it is not, governance chases deployment. The industry does not change the CISO's question. It changes how far behind the agents the budget starts.
What AI People Say About the Security Spend
The buyer side of this report is the CISO funding AI governance. The commentary around that spend has split into a sharp, useful debate in 2026, and a buying-and-budget report has to carry both sides. One convention first, disclosed in the open: much of the loudest AI security data is published by vendors who sell the fix. Where a vendor-published statistic would carry weight in this report, we say who published it and what they sell, and we prefer analyst, academic, and benchmark sources. The figures in this section follow that rule.
The reckoning
The skeptic case is that agents were deployed faster than they were governed, and the record supports it. MIT found roughly 95 percent of enterprise generative AI pilots produced no measurable profit-and-loss impact, and S&P Global Market Intelligence found the share of companies abandoning most of their AI initiatives jumped from 17 percent to 42 percent in a year. Gartner expects more than 40 percent of agentic AI projects to be canceled by the end of 2027. Read from any other seat, those are spending stories. Read from the security seat, they are surface stories: every abandoned pilot and canceled agent project leaves credentials, connections, and data pathways behind unless someone decommissions them, and the someone is the security team, working, on our own early read, mostly without a dedicated budget line. Shadow AI runs underneath all of it: the tools the organization uses without approval, named by 23 percent of our security room, are the deployments no cancellation notice will ever reach.
The counter-case
The builders and their backers read the same market as the opportunity. The agentic AI security market forecast, $1.65 billion to $13.52 billion by 2032 at a 42 percent compound rate (MarketsandMarkets), is capital chasing exactly the gap this report measures, and Bessemer has called securing AI agents the defining cybersecurity challenge of 2026. The deeper counter-case is about the team, not the tools: security has been the outnumbered function in every company for as long as the function has existed, 89 percent of teams describe themselves as stretched thin (IANS Research and Artico Search), and AI is the first credible answer to that arithmetic. An agent that triages alerts, reads logs, and drafts responses is headcount the budget was never going to fund. On that reading the CISO is not just AI's reluctant governor. The CISO is one of its most natural buyers.
Why it matters for this report
The two sides are not actually in conflict, and the reconciliation is the point. The reckoning says AI created surface faster than governance; the counter-case says AI is also the only way governance catches up. Both are true at once, which is why the security seat's position is double: secure the AI everyone else deployed, and deploy AI so the team can do it. The governance budget gap is where the two meet. When the dedicated line appears, it funds both at once, the counterweight to everyone else's leverage and the leverage of the security team itself. The CISO AI Leverage Index is built to measure the second half of that, edition over edition, from inside the rooms where it is being decided.
The Evidence Behind the Theses
The report rests on five theses. Here is how each holds up against the data, first-party and external, the support and the counter-evidence, so the claims are calibrated rather than asserted. External figures are attributed to their sources and used for context. They are not Open Future Forum findings.
Thesis 1: AI agent governance is named as the top security problem but is funded behind it. Well supported, on a directional base.
Support. In our own room, 62 percent name securing AI agents and their access as the biggest AI security problem, while 69 percent have no dedicated AI security budget line, and nine of the ten security leaders in the base have none (base 26, directional). The external picture matches the shape: the agentic AI security market is forecast to compound at 42 percent (MarketsandMarkets) while security budgets grew 4 percent and security's share of IT spend fell (IANS Research and Artico Search). The problem is priced by the market; the line item lags inside the buyer.
Counter. The base is 26, self-selected into an AI-security-themed event, and the funding question does not distinguish small carve-outs from large ones. A dedicated line is also not the only honest way to fund governance; mature programs sometimes embed it deliberately. The Index tracks the Governance Budget reading over time rather than asserting the gap from one read.
Thesis 2: AI is the CISO's own leverage answer to a stretched team. Partially supported, stated carefully.
Support. 89 percent of security teams describe themselves as stretched thin or understaffed, security staffing growth has slowed to its lowest rate in the benchmark's record, and budget growth at 4 percent will not buy the missing people (IANS Research and Artico Search). The finance lane's leverage pattern, 62 percent expecting measurable AI return in under 6 months and one in six funding AI from would-be headcount money (Open Future Forum finance rooms, base 87), describes the mandate arriving at every operating function, security included.
Counter. This edition has no first-party measurement of security-team AI leverage yet; the flagship question enters the field at the next security dinners. Until the Index reports on its floor, the leverage half of the thesis is the market's inference, not our measurement, and this report says so.
Thesis 3: New AI enters through doors the CISO does not control. Well supported.
Support. Inside companies, the CEO is the most named signer of AI purchases at 47 percent and the CIO or CTO at 23 percent (base 87). From outside, founders selling in target the CIO or CTO at 43 percent and the business unit at 38 percent, and zero of 92 named security as their buyer (base 92, any-mention). Both readings put the admission decision somewhere other than the security seat, and the shadow AI answer, 23 percent of the security room, is the same finding stated as a problem.
Counter. Sign-off is not the same as review: a purchase the CISO does not sign can still pass a security review the data does not capture. The bases are role-mixed rooms, not clean panels. The Shadow AI Read in the instrument is built to test how much of the surface is actually inventoried, which is the check on this thesis.
Thesis 4: Security AI spend is necessity-funded, net-new, with the least clean ROI. Partially supported, stated carefully.
Support. The CFO AI Leverage Report, reading the same community from the finance seat, found security is the AI line finance is most often asked to fund as net-new rather than reallocated, because the risk is new: the clearest necessity case and the least clean ROI. The 46 percent of finance-room respondents funding AI budgets from net-new money (base 87) is the general pattern; the security carve is its sharpest case. Our own funding read, half the security room on case-by-case money, shows the stage before the net-new line stands up.
Counter. Necessity framing is also how unmeasured spend survives, which is the exact failure mode the 2026 reckoning punished. The counter-discipline is arriving in security too: the proof gate that governs the finance lane, 54 percent naming proving ROI as the top blocker (base 87), will reach security spend as the dedicated lines appear. The Index's Budget Direction reading is built to watch it land.
Thesis 5: Abandoned AI projects are becoming a security liability class of their own. Early, treated as directional.
Support. S&P Global found abandonment jumping from 17 to 42 percent in a year, and Gartner expects more than 40 percent of agentic projects canceled by end of 2027. Every canceled agent leaves access unless decommissioned, and our own room's top problem, agent access at 62 percent, is the standing version of the same exposure.
Counter. No published benchmark yet measures orphaned agent access directly, and this program has no first-party read on it. We carry this as a security-seat inference from adoption data, not a measured finding, and the instrument's inventory question is the first step toward measuring it.
Where this leaves the report: it leads on Theses 1 and 3, which carry first-party support on stated bases, states 2 and 4 in their careful form pending the Index's own floor-clearing reads, and treats 5 as the forward hypothesis the instrument is built to test.
AI Transformation, Measured
AI transformation, read from the security seat, is the move from AI as a reviewed exception to AI as governed infrastructure: inventoried, funded on its own line, and secured by a team that uses AI itself. Most coverage of that shift is narrative. This Index turns part of it into a measured line.
Three of the Index's own readings are transformation metrics:
- The CISO AI Leverage Index is the security version of the decoupling signal: the point at which coverage stops tracking headcount, in the function with the worst staffing arithmetic in the company.
- Governance Budget captures the funding shift this edition leads with: AI security moving from case-by-case money to a standing line, which is the same innovation-budget-to-core-budget migration the CFO edition documented, arriving one lane over.
- Shadow AI Read is the inventory metric: whether security can state, within bounds, how many AI systems are running. Transformation that cannot be counted cannot be governed.
Tracked together over editions, these three readings give Open Future Forum's executive AI transformation work a measured security line to stand beside the finance and marketing ones.
About This Report
The CISO AI Leverage Report is a standalone Open Future Forum research report. It reads how the security leaders who hold AI budgets are buying, funding, and getting leverage from AI, from the operator level, wherever Open Future Forum convenes them. This is Edition 1, and each edition carries its own number so the CISO AI Leverage Index line can be tracked over time.
Three companion Open Future Forum reports stand alongside this one, each standalone: the CFO AI Leverage Report reads finance, the CMO AI Leverage Report reads marketing, and the Executive AI Leverage Report reads the leverage itself across all the rooms. The four share the same community, the same honesty rules, and the same base-on-face convention, and they cite each other where the lanes cross.
What This Is
The CISO AI Leverage Report is a recurring read on one question, asked of the security leaders in the Open Future Forum community: is AI letting your security function cover more surface without adding headcount, and is the governance of AI funded on its own line.
It is built on a base most people cannot reach. Open Future Forum runs invitation-screened security dinners and gatherings where the same security leaders return event after event, which means their answers can be collected directly and tracked over time. That is the asset. This report reads it.
The flagship number is the CISO AI Leverage Index: the share of security leaders who say AI now lets the security function cover more surface without growing the team. Threat statistics belong to the vendors. Budget benchmarks belong to IANS and Artico Search. The coverage-leverage read, from security operators, paired with the governance-budget read and tracked over time, belongs to no one yet.
What This Is Not
This is the honest part, and it is what keeps the report credible. This is not a threat report: it contains no attack statistics of its own and does not describe adversary technique. It is not a vendor evaluation: it never ranks, scores, or recommends security products. And it is not a market-size estimate: it does not compete with MarketsandMarkets on market sizing or with IANS Research and Artico Search on budget benchmarks, which do that work well across hundreds of CISOs. This report reads a small, selective sample of operators from inside one community, states the base on every figure, and presents nothing as a probability sample of all enterprises. The value is not scale. The value is that these are the actual people governing enterprise AI, answering in their own words across editions, so the line can be tracked.
The Gap It Fills
The vendor reports describe the threat. The analyst surveys describe the spend. The budget benchmarks describe the squeeze. None reads the CISO directly, at the operator level, on the two questions this report pairs: whether AI governance has its own budget line, and whether AI lets the security team cover more surface without growing. The macro names the gap between a 42 percent market and a 4 percent budget. This report measures how the operators inside that gap are closing it, tracked over time, in the same community. It sits next to the big reports, not against them.
Definitions
- AI security budget. Two lines, asked separately because they are different money. First, AI for security: spend on AI tools the security function itself uses. Second, securing AI: spend on governing, monitoring, and controlling the AI the rest of the company deploys, including agent identity and access. The governance-budget reading concerns the second line.
- Security leader. A respondent who owns or directly influences the security function: CISO, head of security, VP or director of security, or an equivalent operator. Answers from advisors, vendors, and non-security roles are recorded separately and not counted in headline figures.
- Coverage leverage. Using AI to raise the surface a security function can govern, monitor, and respond across without a matching rise in its headcount. The flagship metric measures it.
- AI agent. An AI system granted the ability to take actions, with credentials, connections, or access of its own, rather than only to answer questions.
- Shadow AI. AI tools in use inside the organization without security's approval or, often, knowledge.
- Respondent base. Every published figure states the number of respondents behind it, and headline figures state the number of security leaders. No headline figure is published below 40 responses; smaller bases are early directional reads, labeled as such.
Questions This Report Answers
What is the CISO AI Leverage Report?
The CISO AI Leverage Report is a standalone Open Future Forum operator-research report. It reads how CISOs and security leaders in the Open Future Forum community are buying, funding, and getting leverage from AI, with the base stated on every figure and no headline published below 40 security-leader responses.
What is the CISO AI Leverage Index?
The CISO AI Leverage Index is the report's flagship metric: the share of security leaders who say AI mainly lets the security function cover more surface without adding headcount or replaces planned security hires. It is asked of security leaders only, reported with its full distribution, and tracked edition over edition.
What is the AI agent governance budget gap?
It is this edition's lead finding: the distance between the problem security names and the money behind it. In an early Open Future Forum read (base 26, directional), 62 percent named securing AI agents and their access as the biggest AI security problem, while 69 percent had no dedicated budget line for AI security, and nine of the ten security leaders in the base had none.
Are security budgets keeping up with AI agent deployment?
Not on the external benchmarks. Security budget growth slowed to 4 percent in 2025 and security's share of IT spend fell from 11.9 to 10.9 percent (IANS Research and Artico Search, 587 CISOs), while the agentic AI security market is forecast to compound at 42 percent through 2032 (MarketsandMarkets). The two curves are diverging, which is the gap this report tracks.
Who signs off on AI security purchases?
This edition's first-party read covers AI purchases generally: the CEO is the most named signer at 47 percent, then the CFO or finance at 25 percent and the CIO or CTO at 23 percent (Open Future Forum finance rooms, base 87, any-mention). A sign-off question specific to AI security purchases enters the instrument's rotating set at upcoming security events.
Who buys AI security products today?
Not yet the CISO, on the supply side's own account. Of 92 AI founders asked who owns the buying decision inside the companies they sell to, none named security or the CISO; they named the CIO or CTO at 43 percent and the business unit at 38 percent (base 92, any-mention). That seat gap is why new AI enters through doors the CISO does not control.
How is this different from vendor security reports?
Vendor reports describe the threat, usually with telemetry from a product that sells the fix, and this report discloses that conflict wherever a vendor statistic would appear. This report is not a threat report and never ranks or recommends vendors. It reads the buyers instead: whether AI governance has its own budget line, and whether AI lets the security team cover more surface without growing.
What We Will Measure
The answers in hand today are demand, composition, and the first two instrument reads. The flagship layer arrives with the instrument below, fielded at the next CISO Roundtable dinners and then at every security event. These figures are not inferred from registrations. They come from a question a security leader answered.
The Flagship Metric: the CISO AI Leverage Index
Question (security leaders only): In the security function you lead, AI is mainly used to: cover more surface without adding headcount / replace planned security hires / free the team for higher-value work / not yet material.
The Index is the combined share choosing the first two answers, the security leaders for whom AI has changed the coverage math. It is reported as a single percentage with the full distribution beneath it, and it is the line tracked edition over edition. Budget benchmarks already belong to IANS and Artico Search. The coverage-leverage read, from CISOs, tracked over time, belongs to no one yet.
Supporting metrics
- Governance Budget. Does a distinct budget line for AI agent governance exist: yes / planned / no. The lead reading of this edition, tracked as the gap-closing line.
- Budget Direction. Over the next 12 months your AI security budget will increase significantly, increase slightly, hold flat, or decrease. Reported as net direction, for comparability, not as the lead.
- Buying Stage. Exploring, piloting, deployed in one part of the security function, or scaling across it. Reported as a distribution and a simple maturity read.
- Shadow AI Read. Does security have an inventory of AI tools in use: yes / partial / no. The counting metric underneath everything else.
The instrument
Core, every edition, security leaders only: the flagship question above; the governance-budget question; buying stage; the shadow AI inventory question. The rotating deeper set matches the program's published convention: source of the AI security budget; expected time to measurable return; the largest blocker to spending more; vendor count direction; agents in production inside the security function; and who signs off on AI security purchases. One trade is stated in the open: publishing the instrument invites priming, and holding it back invites distrust. This program publishes it, because a report about showing the work should show its own.
Collection
Field the core at the next CISO Roundtable dinners, then add it to the registration flow for every security event. Ask only security leaders the headline questions, and report security-tagged so the operator read stays clean. Hold any headline figure until at least 40 security-leader responses sit behind it.
How It Runs
Sample and Honesty
The figures describe the security lane of the Open Future Forum community, a selective sample drawn from across multiple markets rather than a probability sample of all enterprises, and they are not presented as one. Every headline figure states its response base, no figure is published below 40 responses, and early editions are framed as directional reads of what operators in this community are doing. A smaller claim, fully backed, beats a larger one that invites the obvious critique.
Assets Each Edition Produces
- The published report, for Substack and the site, written to be quoted and cited.
- A one-page summary graphic led by the CISO AI Leverage Index and the Governance Budget reading.
- A short methodology note, so the report is citable as a source.
- A security-community cut, sent to the CISO list as its own short piece.
- “The CISO AI Leverage Report reads how security leaders in the Open Future Forum community are funding AI governance and getting leverage from AI.”
- “In an early Open Future Forum read (base 26, directional), 62 percent of the security room named securing AI agents and their access as the biggest AI security problem, while 69 percent had no dedicated budget line for AI security.”
- Once the flagship clears the floor, always cite with the base: “Among the security leaders in this edition (n = X), Y percent say AI now lets the security function cover more surface without adding headcount.”
Suggested Citation and Versioning
Cite as: Open Future Forum, The CISO AI Leverage Report, Edition 1, July 2026.
The Index is a recurring series, released as the data supports rather than on a fixed schedule. Each edition carries a lane, an edition number, and a date, lives at a stable URL, and supersedes nothing. Prior editions stay published so the Leverage Index line can be tracked. Short handle for repeat reference: the CISO AI Leverage Index.
Methodology and Disclosure
Methodology Note
The CISO AI Leverage Report is produced by Open Future Forum. Demand-context figures are drawn from application records for Open Future Forum events and describe applicant demand and composition; they are reported as distinct-applicant floors and may include individuals who apply to more than one event. Invitation outreach that did not become an application is excluded from every count, and application is not attendance. Index and supporting figures are drawn from a direct instrument embedded in the event application flow; they are application-stage answers, describing applicant pools rather than confirmed attendance, reported with the response base stated and a minimum base of 40 security-leader responses per published headline figure. The early reads in this edition sit below that floor and are labeled as directional. Two limits apply to them and are stated plainly. First, the instrument questions were added partway through registration for the security events, so only later cohorts answered them, which is why the base is 26 against a much larger registrant count. Second, the room is role-mixed: the 26 respondents include 10 security leaders alongside CEOs, CTOs, founders, and investors, so the room-level figures describe who was in that room, not a clean panel of CISOs, and the security-leader cut is reported separately as counts. Multi-select questions are reported any-mention and can sum past 100 percent; each figure states its conventions on its face. Where a figure a companion edition published has moved because the base grew, the movement is reported as a finding in the body text at the point where the figure appears. External benchmarks from MarketsandMarkets, IANS Research and Artico Search, MIT, S&P Global, Gartner, and BCG are attributed and used only for context. Open Future Forum runs the events and sells sponsorships; sponsorship does not influence the questions, the analysis, or the findings, and the report does not rank or recommend vendors.
Independence and Disclosure
A buying-and-budget read carries weight only if it is clean, and Open Future Forum has commercial interests around these events, so the firewall is stated plainly and up front.
- Open Future Forum runs the events and sells sponsorships, and Murray Newlands does fractional advisory work with AI companies, including in the agent identity and governance space, disclosed here because this edition covers that market.
- Sponsors receive logo placement and a data appendix. Sponsors do not see, shape, or approve the questions, the analysis, or the findings.
- The report never ranks, scores, or recommends specific vendors or products. It reports aggregate behavior only.
- Any company connected to Open Future Forum or Murray Newlands that appears in the report is disclosed as such.
- The findings are the community aggregate. The report is not a lead-generation instrument and does not pass respondent contact data to sponsors.
This statement runs in every edition.
About Our Events
Open Future Forum convenes security leaders across a program of dinners and gatherings, held in partnership with leading institutions and co-chaired with senior industry leaders. These institutions partner on the events. They do not endorse or contribute to this report, which is editorially independent.
About Open Future Forum
Open Future Forum is a private executive community in Silicon Valley, founded in 2019, with 100 events to date. It runs Forum Select, invite-only private events for C-suite executives, and Forum Events, open panels and gatherings, including the CFO and CISO Executive Forums. The CISO AI Leverage Report is part of its operator-level research program.
Sources
First-party sources. Instrument questions embedded in the application flow for Open Future Forum events in 2026, including the CISO Roundtable series (26 instrument responses, 10 from security leaders), the Claude for Finance and AI as a Force Multiplier finance events (combined base 87 on the budget, sign-off, blocker, and return questions; 185 on buying stage), the YC founder events (92 buyer and pricing responses, 83 charging), the agentic go-to-market event (38 stage responses), and the investor gathering (20 responses); plus application records across the twelve events in the July 2026 pull.
Third-party figures cited in this report are drawn from the sources below. The primary external data sources link to the original reports; other sources link to the publisher, where the specific release can be found.
- MarketsandMarkets. Agentic AI Security Market, Global Forecast to 2032. Market size and growth rate. marketsandmarkets.com
- IANS Research and Artico Search. 2025 Security Budget Benchmark Report (587 CISOs, fielded April to August 2025). Security budget growth, security share of IT spend, staffing. iansresearch.com
- Boston Consulting Group. BCG AI Radar 2026: As AI Investments Surge, CEOs Take the Lead. Survey of 2,360 executives including 640 CEOs. bcg.com
- MIT. The GenAI Divide: State of AI in Business 2025, MIT Project NANDA. Generative AI pilot outcomes and measurable profit. mit.edu
- S&P Global Market Intelligence. Survey data on companies abandoning AI initiatives. spglobal.com
- Gartner. Forecasts on agentic AI project cancellations and global AI spending. gartner.com
- Bessemer Venture Partners. Commentary naming agent security the defining cybersecurity challenge of 2026. bvp.com
- McKinsey & Company. Research on enterprise AI adoption by industry. mckinsey.com
- Deloitte. Enterprise AI adoption by industry. deloitte.com
- NVIDIA. State of AI 2026. Industry adoption and return. nvidia.com
External benchmarks are used for context only. They are not affiliated with this report and do not endorse it.
This report is published by Open Future Forum for general information and research purposes only. It is not legal, financial, investment, tax, accounting, security, or other professional advice, and it should not be relied on as such. Nothing in it is a recommendation to buy, sell, or hold any security, product, or service, or to adopt any particular budget, vendor, or course of action. Figures drawn from Open Future Forum events are early, directional reads on small and self-selected samples, and figures from third parties belong to the organizations cited and are used for context. Readers should do their own research and consult their own qualified advisors before making decisions. Open Future Forum makes no warranty as to the accuracy or completeness of the information in this report and accepts no liability for any action taken in reliance on it.
© 2026 Open Future Forum. All rights reserved. The CISO AI Leverage Report and the CISO AI Leverage Index are works of Open Future Forum. No part of this report may be reproduced or redistributed for commercial purposes without permission. Quotation for journalism, research, and commentary is welcome with attribution to Open Future Forum. All third-party names and marks belong to their respective owners.
Join the CISO Roundtable Series
Invitation-screened dinners for CISOs and security leaders navigating AI agent governance, budget, and board reporting. Off the record. No vendors. No agenda.