There’s a critical paradox taking shape around the economics of AI in cybersecurity.
While cybersecurity budgets see unprecedented growth, security leaders are racing ahead on AI transformation while falling behind on measurement, justification, and strategic alignment.
This is the headline finding from Exabeam’s new multinational report, From Adoption to Accountability: The New Economics of AI in Cybersecurity, which is based on a survey of 750 IT decision-makers responsible for security in organisations with 500+ employees across 12 countries.
According to the study, 95% of organisations are increasing cybersecurity budgets in 2026, with 74% seeing double-digit growth.
However, AI simultaneously holds three contradictory positions in budget planning: it’s the top driver of increases (44%); the first investment that would be cut if budgets tightened (44%); and the most challenging spend to justify to business stakeholders (32%).
“Security leaders are getting mandates to invest in AI, but nobody’s given them a way to prove it’s working. You can’t measure AI transformation with pre-AI metrics,” says Steve Wilson, chief AI and product officer at Exabeam.
“The problem isn’t that security teams lack data. They’re drowning in it. The issue is they’re tracking the wrong things and speaking a language the board doesn’t understand. Those are the budgets that get cut first. The window to fix this is closing fast.”
Cybersecurity investment trends in 2026 represent a significant shift, with AI and automation emerging as the primary catalyst for budget expansion (44%), followed by cloud infrastructure growth (33%) and mainstream business AI adoption (32%).
This surge being channeled into technology, rather than the usual suspect of headcount, signals how the AI era is fundamentally shifting security operations.
While 87% of security leaders express confidence that their investments are delivering business value, 30% cite a lack of board understanding of the link between cybersecurity investment and business resilience as their biggest challenge in defending spend.
The disconnect reveals a critical vulnerability: 63% of security leaders report using quantified ROI and 59% use outcome metrics, yet boards and executives still don’t understand the connection between security investments and business risk.
The problem isn’t a lack of information, but a mismatch between security metrics and business-decision metrics. Security teams are relying on traditional security measurements that don’t translate into the business impact language boards need to evaluate investment decisions.
“In AI-assisted environments, traditional metrics like mean time to resolution (MTTR) becomes almost automatic, so speed alone doesn’t prove risk has been reduced,” says Kevin Kirkwood, CISO at Exabeam.
“We need new ways to measure security effectiveness that actually show business impact, because boards don’t fund faster ticket closure, they fund measurable risk reduction and business resilience.
“We have to show that we’re not just responding quickly but eliminating and improving the conditions that allow incidents to happen in the first place.”
Regional variations
Regional differences in AI adoption are striking. Saudi Arabia demonstrates the most aggressive position, with 75% reporting AI is already improving security operations, nearly triple the rate of Japan (27%) and the Netherlands (30%).
These variations reflect different organizational priorities. Saudi Arabia’s figures align with broader national digital transformation initiatives, while European and Asian organisations emphasise careful evaluation and workforce preservation before scaling deployment.