Three out of every four organizations surveyed by DigiCert have already experienced an AI related security incident or identified an AI related vulnerability, according to research the company published on July 7, 2026, exposing a widening gap between how fast companies deploy artificial intelligence and how well they can govern it.

The finding sits at the center of DigiCert's AI Trust Outlook, a report built from an independent survey of 1,001 IT and cybersecurity decision makers across the United States, the United Kingdom, and Australia. Propeller Insights conducted the fieldwork on DigiCert's behalf in May 2026, and the resulting data paints a picture familiar to anyone tracking enterprise technology adoption cycles: capability has outrun oversight, and the gap between the two is not closing on its own.

What the survey found

Seventy eight percent of respondents reported experiencing an AI related security incident or identifying an AI related vulnerability within their organization. Only 21 percent said they had encountered no such incidents at all. That split, drawn directly from the report's own findings, marks what DigiCert frames as a signal that artificial intelligence has entered a new operational phase, one in which the technology creates measurable business value while simultaneously generating measurable operational risk.

The pace of deployment helps explain why. Three quarters of surveyed organizations, 75 percent, said they had deployed four or more AI powered systems in the past six months alone. More than a third, 35 percent, had deployed more than ten systems in that same window. Only 22 percent reported deploying three or fewer. Rapid, multi system rollout of this kind introduces what the report calls a growing network of non human actors, each one requiring its own identity, authentication, oversight, and accountability structure.

Despite that velocity, visibility has not kept pace. Almost half of organizations, according to the report, lack centralized visibility into AI systems and activity across their environments. Sixty four percent said they had taken the first step of identifying and inventorying their AI systems, a task the report characterizes as foundational rather than advanced. Without that inventory, security teams cannot reliably answer basic questions about what AI systems exist inside their own infrastructure, let alone what those systems are doing at any given moment.

The traceability problem

Perhaps the most consequential finding in the entire report concerns explainability. Only 53 percent of organizations said they can fully trace AI decisions back to the models and source data that produced them. Thirty nine percent report only partial traceability, and 52 percent maintain centralized monitoring with regular executive reporting. Taken together, these figures mean that nearly half of respondents lack full visibility into how their own AI systems arrive at outcomes.

That gap becomes operationally significant the moment an AI system produces an unexpected or controversial result. Customers, executives, and regulators will all eventually ask why a system did what it did. If the honest answer is that nobody knows, trust in the system begins to erode, according to the report's own framing of the issue.

The report's methodology notes that percentages throughout may not total 100 due to rounding, a standard caveat for survey research of this kind but one worth flagging given how closely several of the figures cluster around round numbers.

Governance discussed more than governance built

DigiCert's data reveals a marked gap between boardroom conversation and operational execution. Ninety percent of organizations have discussed AI governance at the executive or board level, a figure that suggests the topic has become a fixture of leadership agendas. Yet only half, 50 percent, have established dedicated budgets and formal governance programs to back that discussion with action.

Brian Trzupek, Senior Vice President at DigiCert, addressed the disconnect directly. "The question is no longer whether organizations should adopt AI," Trzupek said. "It's whether they can explain, govern and trust the AI they've already deployed. Those capabilities will increasingly determine which organizations can safely scale AI and which struggle with the risks it creates."

Organizations are not standing entirely still on the accountability question, even where formal programs remain incomplete. Fifty seven percent have established dedicated budgets specifically for securing AI systems, distinct from broader AI governance spending. Eighty six percent have established formal or informal processes to revoke access or trust when AI systems are found to be compromised. Nearly 90 percent have evaluated their AI related liability exposure as they prepare for tightening regulatory and compliance requirements, a figure that suggests legal and risk teams have moved faster on this issue than technical governance structures have.

Identity emerges as the control point

One of the report's clearer through lines concerns how organizations are choosing to manage AI agents once those agents are deployed. Nearly half of organizations have assigned unique digital identities to all AI agents operating within their environments. A further four in ten have assigned identities to at least some of their AI agents. Combined, these figures point toward growing recognition that AI systems require the same level of oversight and accountability applied to other critical enterprise assets, including human employees and traditional software applications.

The report frames this identity focused approach as a natural extension of established security practice rather than a wholly new discipline. AI agents, the report argues, are increasingly acting less like passive software and more like active participants in business processes: accessing systems, retrieving information, making decisions, and taking action on behalf of human users. That shift in behavior is precisely why identity has become such a critical control point. Every agent needs a verifiable identity, appropriately scoped permissions, and a clear line of accountability for whatever actions it takes.

Forward thinking security teams, according to the report, are already applying established machine identity principles to AI agents, using cryptographic credentials and automated controls to verify agent identity and manage access at scale. The report's own framing puts it plainly: AI agents may represent a new category of actor inside enterprise environments, but identity management itself is not a new discipline.

Regional and sector variation

The survey's geographic breakdown produces one of its more counterintuitive findings. Despite substantial differences in AI regulation, investment levels, and public discourse across the three surveyed markets, the underlying accountability challenges look remarkably similar. The ability to fully explain AI decisions remains consistent across regions: 53 percent in the United States, 54 percent in the United Kingdom, and 52 percent in Australia can trace decisions back to source data and models.

AI system inventories tell a similar story of convergence rather than divergence. Across all three regions, the share of organizations with complete AI inventories ranges from 59 percent to 68 percent, a comparatively narrow band given how differently each of these markets has approached AI policy. Dedicated AI security funding follows the same pattern: roughly half of organizations in every surveyed market maintain a dedicated AI security budget, regardless of jurisdiction.

The report's own conclusion on this point is direct. Geography does not appear to play a significant role in whether an organization has solved AI accountability, because no country, according to the data, has solved it yet.

Industry level results show wider variation than the geographic breakdown. AI related incidents and vulnerabilities were reported by 83 percent of Science and Technology respondents, 82 percent of Banking, Financial Services and Insurance respondents, 81 percent of Telecom and Media respondents, 79 percent of Retail respondents, 78 percent of High Tech respondents, 76 percent of Health Tech and MedTech respondents, and 65 percent of Manufacturing respondents.

Preparedness varies just as widely. Telecom and Media organizations lead on AI agent inventories, with 76 percent maintaining complete records, compared with 68 percent of Financial Services, 67 percent of Science and Technology, 64 percent of Manufacturing, 63 percent of Healthcare, and 59 percent of Retail respondents. Science and Technology organizations lead on dedicated AI security budgets, with 64 percent maintaining one, followed by 62 percent of Telecom and Media and 60 percent of Banking, Financial Services and Insurance respondents.

Retail shows the widest explainability gap of any sector measured. Only 45 percent of Retail respondents report full AI traceability, compared with 57 percent each for Science and Technology and for Telecom and Media respondents, the two sectors that scored highest on that particular metric.

Why marketing and advertising professionals should pay attention

DigiCert's findings arrive at a moment when the advertising and marketing technology sector has been racing to deploy autonomous AI systems of its own, often under the banner of agentic AI. PPC Land has tracked this deployment velocityclosely, and DigiCert's data provides an external, cross industry benchmark against which that specific sector's progress can now be measured.

The parallels are direct rather than incidental. LiveRamp, Amazon, Adobe, PubMatic, and Magnite have each introduced agentic capabilities into advertising workflows over the past year, giving autonomous systems governed access to identity resolution, campaign management, and audience activation tools. Each of those deployments introduces exactly the kind of non human actor DigiCert's report describes: a system that needs an identity, a set of permissions, and a mechanism for accountability when something goes wrong.

The traceability finding carries particular weight for an industry already sensitive to the so called black box problem in automated decision making. As PPC Land reported in March 2026, the OECD's own working paper on agentic AI flagged accountability, explainability, and transparency as unresolved challenges in complex socio technical environments, without fully addressing what the advertising industry calls the black box problem: the difficulty of attributing specific outcomes to autonomous agent decisions made at speed, across multiple platforms, without legible audit trails. DigiCert's finding that only 53 percent of organizations can fully trace AI decisions back to their source data gives that abstract concern a concrete, cross industry figure.

The governance gap DigiCert describes also echoes a separate but closely related finding PPC Land covered in November 2025, when Publicis Sapient's Guide to Next report warned that most enterprises claiming AI readiness were, in practice, still operating in pilot mode without the data governance foundations autonomous systems require. That report introduced the phrase decision debt to describe organizations whose confidence had outpaced their evidence. DigiCert's 90 percent figure for executive level AI governance discussion, set against a 50 percent figure for organizations with actual dedicated budgets and formal programs, describes the identical pattern in different language: conversation running ahead of infrastructure.

The identity focused framing in DigiCert's report also intersects with a measurement challenge PPC Land documented in April 2026, when HUMAN Security disclosed that automated traffic is growing eight times faster than human traffic on the open web. That earlier report found that most marketing analytics platforms remain built for a human centric internet and offer no structured way to distinguish AI crawlers, search agents, or agentic commerce flows from ordinary human visitors. DigiCert's emphasis on assigning unique digital identities to AI agents addresses a closely related problem from the opposite direction: not classifying incoming AI traffic, but establishing verifiable identity for the AI systems an organization itself operates and deploys.

For marketing organizations weighing further investment in agentic tools, DigiCert's report offers a useful reality check against vendor enthusiasm. Deployment velocity, on its own, is not the same thing as operational maturity. An organization can run ten or more AI powered systems, as more than a third of DigiCert's respondents already do, while still lacking the centralized visibility, formal governance program, or full decision traceability that would allow it to explain those systems' behavior to a regulator, a customer, or its own board. That distinction between adoption and accountability is precisely the one DigiCert's report is built to surface.

What DigiCert recommends

The report's conclusion frames the current moment as an inflection point rather than a cause for pausing deployment. According to DigiCert, none of the findings suggest organizations should slow down their AI adoption. Instead, the report argues that trust has become a core part of the deployment challenge itself, alongside performance and cost.

The next phase of enterprise AI, according to the report, will not be defined by which organization deploys the most models, launches the most agents, or automates the most workflows. It will instead be defined by which organizations can govern those systems, secure their identities, explain their decisions, and earn confidence in their outcomes. Trust, the report concludes, is becoming the infrastructure layer for enterprise AI, the same way identity and access management became foundational infrastructure for earlier generations of enterprise software.

Methodology

DigiCert commissioned Propeller Insights to conduct the underlying survey in May 2026. The study reached 1,001 IT and cybersecurity decision makers across three markets: 500 respondents in the United States, 251 in the United Kingdom, and 250 in Australia. Respondents represented organizations across a range of industries and company sizes, and included professionals responsible for cybersecurity, IT infrastructure, risk management, compliance, digital transformation, and technology strategy.

The survey explored organizational readiness and investment priorities across several dimensions: artificial intelligence adoption, machine identity security, governance structures, cryptographic resilience, certificate lifecycle management, and emerging cybersecurity risks associated with AI deployment. Data collection occurred through an online survey instrument, with responses analyzed in aggregate to identify trends, priorities, and challenges shaping enterprise AI adoption. As is standard for research of this kind, some percentages reported throughout the study do not sum to exactly 100 due to rounding.

Timeline

  • May 2026: Propeller Insights conducts the underlying survey of 1,001 IT and cybersecurity decision makers on behalf of DigiCert.
  • July 7, 2026: DigiCert publishes the AI Trust Outlook report and accompanying press release, disclosing that 78 percent of organizations have experienced an AI related security incident or identified an AI related vulnerability.

Summary

Who: DigiCert, a global provider of digital trust and certificate lifecycle management services, published the research. Brian Trzupek, Senior Vice President at DigiCert, is the report's named spokesperson. Propeller Insights conducted the underlying survey.

What: DigiCert's AI Trust Outlook report found that 78 percent of surveyed organizations have experienced an AI related security incident or identified an AI related vulnerability. The report also found that only 53 percent of organizations can fully trace AI decisions back to their source models and data, that 90 percent have discussed AI governance at the executive level while only 50 percent have formal governance programs and dedicated budgets, and that nearly half have assigned unique digital identities to all AI agents operating in their environments.

When: The underlying survey was conducted in May 2026. DigiCert published the report and accompanying press release on July 7, 2026.

Where: The survey covered 1,001 respondents across the United States, the United Kingdom, and Australia. DigiCert is headquartered in Lehi, Utah.

Why: The findings matter because they quantify, for the first time in a single cross industry study, the gap between how quickly organizations are deploying AI systems and how well they can explain, govern, and secure those systems. For marketing and advertising professionals specifically, the report provides an external benchmark for a sector already racing to deploy agentic AI tools across campaign management, identity resolution, and audience activation, where the same traceability and identity questions DigiCert raises are becoming operationally unavoidable.