June 22, 2026
The DBIR Is a Governance Failure Report. The Industry Just Does Not Know It Yet.

Every May, the Verizon Data Breach Investigations Report (DBIR) lands and the security industry lights up. CISOs share the charts. Cybersecurity vendors write blog posts. LinkedIn fills with takes. Everyone reads it as a security document, a map of how attackers are winning and what defenders need to do differently.
I read the DBIR differently.
I read it as a governance document. And this year's report, the 2026 edition, is the clearest evidence yet that the root-cause gap killing organizations is not a security gap. It is a governance gap. The tools are not catching up to the threat. The frameworks are not catching up to the risk. And the platforms most organizations rely on to govern all of it were built for a world that no longer exists.
Let me explain.
Nearly Half of All Breaches Come Through a Third Party. That Is a Governance Failure.
In 2025, the year covered by the 2026 report, 48% of all breaches involved a third party. This is up 60% from the year before, which had already doubled the year before that. The DBIR describes this trajectory as "impossible to ignore."
Ask yourself an honest question. How many of your vendors are assessed more than once a year? How quickly would you know if a supplier with privileged access to your environment suffered a breach? How many of your third-party relationships involve access controls that have not been reviewed in the last six months?
For most organizations, the answers are not good. Not because the security team is negligent. Because the vendor risk program was designed for a world where third parties were the exception. At 48% of breaches, they are not the exception anymore. They are the primary attack surface.
This is not a firewall problem. You cannot patch your way out of a vendor relationship that was granted excessive access eighteen months ago and never reviewed since. What you need is a governance program that treats third-party risk as a live, continuous discipline rather than an annual questionnaire exercise.
The DBIR is telling you that half your breach exposure lives outside your walls. Most GRC programs are still looking inside them.
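The questions above (how recently each vendor's access was reviewed, and whether privileged access is held to a tighter cadence) are easy to ask and surprisingly rare to answer from data. The following is an added example, not code from the original post or from LockThreat's platform: it runs a stale-access check over a constructed list of hypothetical third-party grants and flags anything whose last review is older than six months for privileged access or a year for standard access. Vendor names, systems, dates and the threshold values are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class VendorAccess:
    """One third-party access grant as a vendor risk program might record it."""
    vendor: str
    system: str
    privileged: bool                  # admin or write access to production or sensitive data
    granted: date
    last_reviewed: Optional[date]     # None means never reviewed since the grant was made


# Constructed sample data (hypothetical vendors and dates, not real records).
SAMPLE_GRANTS: List[VendorAccess] = [
    VendorAccess("payroll-saas", "hr-db", True, date(2024, 11, 1), date(2026, 3, 15)),
    VendorAccess("managed-soc", "siem", True, date(2024, 12, 10), date(2025, 6, 1)),
    VendorAccess("print-vendor", "file-share", False, date(2025, 1, 20), None),
    VendorAccess("analytics-co", "data-lake", True, date(2024, 10, 5), None),
]

# Assumed review cadences: six months for privileged access, one year otherwise.
PRIVILEGED_MAX_DAYS = 180
STANDARD_MAX_DAYS = 365


def review_age_days(grant: VendorAccess, today: date) -> int:
    """Days since the last review; if never reviewed, days since the grant itself."""
    anchor = grant.last_reviewed or grant.granted
    return (today - anchor).days


def stale_grants(grants: List[VendorAccess], today: date) -> List[VendorAccess]:
    """Return grants whose last review is older than the cadence for their access level."""
    flagged = []
    for g in grants:
        limit = PRIVILEGED_MAX_DAYS if g.privileged else STANDARD_MAX_DAYS
        if review_age_days(g, today) > limit:
            flagged.append(g)
    return flagged


def summarize(grants: List[VendorAccess], today: date) -> dict:
    """Roll the check up into the numbers a governance review would actually ask for."""
    stale = stale_grants(grants, today)
    return {
        "total": len(grants),
        "stale": len(stale),
        "stale_privileged": sum(1 for g in stale if g.privileged),
        "never_reviewed": sum(1 for g in grants if g.last_reviewed is None),
        "vendors": sorted(g.vendor for g in stale),
    }


def sample_summary() -> dict:
    """Run the check over the constructed sample as of an assumed date."""
    return summarize(SAMPLE_GRANTS, date(2026, 6, 22))


if __name__ == "__main__":
    result = sample_summary()
    print(f"{result['stale']} of {result['total']} grants are overdue for review "
          f"({result['stale_privileged']} privileged, {result['never_reviewed']} never reviewed)")
    for name in result["vendors"]:
        print("  overdue:", name)
```

The point of the roll-up is the "never reviewed" and "stale privileged" counts: a grant with no review on record is measured from the day it was issued, so the eighteen-month-old excessive grant described above surfaces immediately rather than hiding behind a missing field. In a real program the sample list would be replaced by an export from the identity provider or vendor inventory, and the thresholds would come from policy.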
67% of Employees Are Using Unauthorized AI. That Is a Governance Failure.
The DBIR found that in 2025, 67% of employees were using personal accounts to access AI services on corporate devices. Shadow AI became the third most common insider action in Data Loss Prevention (DLP) data, up fourfold in a single year. The most common type of data being submitted to unauthorized external AI systems was source code. In 3.2% of cases, employees were uploading internal research and technical documentation.
This is intellectual property, customer data, and proprietary code flowing into systems the organization has no contractual relationship with, no visibility into, and no ability to audit or control.
And what is the typical organizational response? An AI usage policy. Maybe a training module. A reminder email from IT telling employees not to use unauthorized tools.
None of that is governance. Governance is knowing which AI tools exist in your environment. Governance is being able to see when sensitive data flows to an unauthorized external system, act on it, and stop it in time. Governance is having an AI policy that is not just a document, but rather a set of monitored, enforced controls with audit evidence behind them.
The EU AI Act is now live. GDPR applies to every unauthorized data transfer, intended or not. The regulatory exposure from Shadow AI is real and it is growing. Most organizations have a policy around AI. Almost none have governance around it.
Agentic AI Is Already Making Decisions in Your Business. That Is a Governance Failure in the Making.
The U.S. Secret Service contributed to this year's DBIR. Their message was unambiguous. Agentic AI, meaning autonomous systems capable of independent action, is already being used by attackers to automate every stage of cybercrime, from reconnaissance to data theft. In November 2025, researchers documented VoidLink, a malware framework written entirely by an AI agent in six days.
Moreover, at Gartner's Security & Risk Management Summit, held in early June 2026 in National Harbor, Maryland, agentic AI was the main focus. More specifically, everyone at the summit (top executives, practitioners, analysts, and many vendors) was focused on one question: how do we build and implement secure and compliant AI agents?
But here is the governance angle that many people miss. Organizations do not only face agentic AI from the outside. They deploy it internally. Customer service agents, coding assistants, procurement systems, research tools. All of them taking actions without a human approving each step.
For every AI agent operating inside your business, can you answer the following questions?
- What data can it access?
- What can it do without human approval?
- How would you know if it behaved unexpectedly?
- If a regulator asked you to demonstrate control over it tomorrow, what evidence would you produce?
Most organizations deploying agentic systems right now cannot answer these questions. The deployment happened. The governance did not.
This is exactly the pattern we have seen play out in every previous wave of enterprise technology adoption. Cloud came first, governance caught up years later. Mobile came first, governance caught up years later. AI will follow the same arc, except that the speed of AI adoption is so far beyond anything that came before it that "catching up later" is not a viable plan.
What the DBIR Is Actually Telling Us
Taken together, these findings tell a consistent story. Not about the sophistication of attackers, though that is real and growing. Rather, the findings tell a story about the structural inadequacy of how organizations govern risk.
Third-party involvement in 48% of breaches is not a patching problem. It is a continuous monitoring problem. Shadow AI growing fourfold in a year is not a policy problem. It is a visibility and enforcement problem. Agentic AI operating without oversight is not a technology problem. It is a control framework problem.
GRC platforms have existed for over two decades. Most of them were built to digitize the audit cycle. Connect a policy to a control, attach some evidence, produce a report. That was the right answer for a stable, slow-moving world where risk lived in known places and regulations updated every few years.
That world is gone.
The threat landscape in the 2026 DBIR is dynamic, interconnected, and moving faster than any point-in-time compliance process can track. Risk does not wait for your quarterly review. Attackers do not pause while your vendor assessment questionnaire makes its way through a supplier's inbox. AI tools do not stop spreading because your policy document says they should.
What organizations need now is governance that runs at the speed of the business. Continuous control monitoring that tells you whether your controls are working right now, not as of the last audit. Third-party risk management that gives you live visibility into your vendor ecosystem, not a snapshot from six or twelve months ago. AI governance that knows what AI tools exist in your environment, what data is flowing through them, and whether that aligns with your policies and your regulatory obligations. If it doesn’t align, the platform should stop potential AI harm before it happens. Just reporting the harm isn’t good enough.
Why We Built What We Built
I started LockThreat because I believed the GRC category was at an inflection point. The platforms that dominated the market for the last twenty years were built on the right premise, that organizations need a structured way to manage governance, risk, and compliance. However, they were built for audits, and that is no longer enough. What the world needs now is a platform built for continuous adherence.
Adding AI Governance and Security to our platform was not a product decision. It was a thesis decision. The thesis is that AI governance is not a separate problem from enterprise GRC. It is the newest and most urgent layer of the same problem. Organizations need to govern AI the same way they govern everything else, with policies connected to controls, controls connected to evidence, and all of it monitored continuously across the enterprise.
And there is a second part to that thesis. AI governance on its own is not enough. In the era of AI, flagging potential risk after the fact, which is what traditional governance does, is too slow. With AI, you have to stop the risk before it materializes. Prompt injections. Jailbreaks. Bias. Leakage of personally identifiable information. Leakage of intellectual property. These are not risks you can document your way out of. You have to actively prevent them. That is why LockThreat combines AI governance with AI security, two capabilities that were always meant to work together and that, in our view, should never have been sold as separate products.
Three layers. One platform. Enterprise GRC, Cyber Compliance, and AI Governance & Security working together, not as separate tools bolted together after the fact.
The DBIR keeps documenting the cost of the governance gap. The third-party breaches. The Shadow AI explosion. The agentic threats that organizations are not yet built to address. Those are not separate problems requiring separate point solutions. They are the same problem, showing up in different places.
The organizations that get ahead of this will be the ones that stopped treating governance as an audit function and started treating it as a continuous operating discipline. The DBIR has been making that case for years.
It is just that most people are too busy reading it as a security document to notice.
--------------------
Naeem Hussain is the Founder and CEO of LockThreat. With deep experience spanning enterprise technology, cybersecurity, and AI strategy, he previously served as COO at CirrusLabs, Head of Market Research at Capital One, and Head of Technology Services at ING DIRECT. Naeem holds an MBA from the University of Chicago's Booth School of Business, an MS in Telecommunications and Computers from The George Washington University, and an AI Strategy certification from MIT Sloan Executive Education. The combination of serial entrepreneurship, enterprise technology leadership, and hands-on AI strategy experience gives Naeem a builder's perspective on GRC, compliance automation, and AI governance, and what it takes for organizations to operationalize them at scale.
--------------------
Data referenced in this piece is drawn from the 2026 Verizon Data Breach Investigations Report. Third-party breach statistics are from pages 11 and 20. Shadow AI and DLP findings are from pages 13, 60, and 61. U.S. Secret Service agentic AI analysis is from page 113. VoidLink is referenced on page 109.