Full Report
Corporate cybersecurity leaders believe AI will be essential to their missions, but, so far, few are seeing big gains from agentic security products, according to a new EY survey. With AI governance dominating C-suite agendas, the survey found that companies are making progress in integrating risk management frameworks into their operations, even if those ways of…
Analysis Summary
# Industry News: AI Security ROI Gap and the Rise of Agentic Governance
## Summary
A new EY survey reveals a significant disconnect between the perceived importance of AI in cybersecurity and the actual returns on investment from "agentic" security products. While corporate leaders view AI as essential for future defense, early deployments have yet to yield major gains, leading to a strategic pivot toward AI governance and risk management frameworks.
## Key Details
- **Date:** March 23, 2026
- **Companies Involved:** EY (Ernst & Young), various global corporate cybersecurity departments
- **Category:** Market Analysis / Research Report
## The Story
According to the latest EY cybersecurity report, there is a "valuation gap" in the AI security market. While the C-suite has prioritized AI governance, the actual implementation of agentic security products—autonomous systems capable of making and executing security decisions—is failing to meet initial performance expectations.
The survey highlights that while companies are successfully integrating AI risk management frameworks into their operational processes, these frameworks have not yet fully permeated corporate cultures. This suggests that while the "paperwork" of governance is being completed, the practical application and trust in autonomous security agents remain low. EY responded to these findings by issuing four high-level recommendations focused on aligning AI adoption with specific business outcomes rather than pursuing technology for its own sake.
## Business Impact
### For the Companies Involved (EY)
- Strengthens EY’s position as a strategic consultant for AI governance, moving beyond technical implementation toward multi-year organizational change management.
### For Competitors
- **Security Vendors:** Providers of "agentic" products face increasing pressure to prove ROI through tangible metrics rather than speculative capabilities.
- **Consulting Firms:** Rivals like Deloitte or KPMG will likely mirror this focus on governance to capture the spend shifts from product acquisition to risk management strategy.
### For Customers (CISOs and Enterprises)
- Likely to slow down the purchase of autonomous security tools in favor of more robust governance and human-in-the-loop systems.
- Shift in budget allocation toward internal training and framework integration.
### For the Market
- Potential cooling of the "hype cycle" for autonomous security agents.
- Increased demand for "transparent" or "explainable" AI (XAI) in security to bridge the trust gap identified in the report.
## Technical Implications
The lack of "big gains" highlights the difficulty of deploying autonomous agents in complex, legacy IT environments. Technically, this suggests current AI agents may be struggling with high false-positive rates or an inability to navigate non-standardized network architectures without human intervention.
## Strategic Analysis
- **Market Positioning:** The market is moving from "AI Adoption" to "AI Governance." Companies that provide the scaffolding for safe AI usage are currently outperforming those selling the AI engines themselves.
- **Competitive Advantage:** Organizations that focus on integrating risk frameworks *before* deploying autonomous agents will likely see higher long-term stability.
- **Challenges:** The primary obstacle remains "cultural permeation"—getting security teams to trust and correctly utilize AI outputs in high-stakes environments.
## Industry Reactions
- **Analyst Opinion:** High-level consensus suggests that the "honeymoon phase" for AI in cyber defense is ending, replaced by a "show-me-the-data" era.
- **Market Response:** Investors may begin scrutinizing cybersecurity startups specifically on their AI's proven efficacy versus marketing claims of autonomy.
## Future Outlook
- **Predictions:** Expect a wave of "Governance-as-a-Service" offerings to emerge as companies struggle to permeate risk frameworks into their culture.
- **What to Watch for:** Watch for a shift in product updates from "autonomous response" to "augmented intelligence," where AI assists human analysts rather than replacing the decision-making process.
## For Security Professionals
Practitioners should expect an increase in governance-related tasks and compliance oversight regarding AI tools. Instead of fearing replacement by autonomous agents, professionals should focus on mastering the "human-in-the-loop" oversight roles that organizations are currently prioritizing to manage the risks identified in the EY survey.