Cybersecurity budgets are expanding sharply heading into 2026, but a new multinational study suggests the surge in AI-driven investment is outpacing organisations’ ability to prove its value to the board.
Exabeam’s report, From Adoption to Accountability: The New Economics of AI in Cybersecurity, surveyed 750 IT decision-makers responsible for security in organisations with more than 500 employees across 12 countries. It paints a picture of strong spending growth coupled with mounting pressure to demonstrate measurable business impact.
According to the findings, 95% of organisations are increasing cybersecurity budgets in 2026, with 74% reporting double-digit growth. AI and automation are cited as the primary drivers of expansion (44%), ahead of cloud infrastructure growth (33%) and broader enterprise AI adoption (32%).
Yet the data also reveals what the report describes as a “critical paradox”. AI is simultaneously the top driver of budget increases (44%), the first area leaders would cut if budgets tightened (44%), and the most difficult category of spending to justify to business stakeholders (32%).
Steve Wilson, Chief AI and Product Officer at Exabeam, argues the issue is not a lack of telemetry but a measurement gap. “Security leaders are getting mandates to invest in AI, but nobody’s given them a way to prove it’s working. You can’t measure AI transformation with pre-AI metrics,” he said. “The problem isn’t that security teams lack data. They’re drowning in it. The issue is they’re tracking the wrong things and speaking a language the board doesn’t understand.”
The report suggests that while 87% of security leaders believe their AI investments are delivering business value, 30% cite a lack of board understanding of how cybersecurity spend links to resilience as their biggest challenge in defending budgets. Although 63% report using quantified ROI metrics and 59% track outcome-based measures, boards remain unconvinced about how those metrics translate into reduced enterprise risk.
Kevin Kirkwood, CISO at Exabeam, notes that traditional performance indicators may be losing relevance in AI-assisted environments. “In AI-assisted environments, traditional metrics like mean time to resolution (MTTR) become almost automatic, so speed alone doesn’t prove risk has been reduced,” he said. “Boards don’t fund faster ticket closure, they fund measurable risk reduction and business resilience.”
The findings reflect a broader shift in cybersecurity economics. Historically, budget increases were often justified by headcount growth and expanding compliance requirements. The 2026 outlook shows more capital being channelled into technology platforms and automation, signalling a structural change in how security operations are expected to scale.
Regional differences in AI adoption also emerged. Saudi Arabia reported the highest levels of perceived AI impact in security operations (75%), compared with 27% in Japan and 30% in the Netherlands. The variations likely reflect differing national digital transformation strategies, regulatory environments and organisational risk appetites.
The report stops short of prescribing a single solution but argues that deployment alone is insufficient. As budget abundance raises expectations, security leaders will need new frameworks that tie AI-driven improvements directly to measurable business outcomes. Without that linkage, AI investments risk becoming discretionary when economic conditions tighten.
For chief information officers and security executives, the message is clear: AI may be the dominant driver of cybersecurity spending, but accountability — particularly in financial and risk terms — is emerging as the new mandate.
