AI cyber risk has entered the top tier of security concerns for the first time for 39 per cent of UK critical infrastructure, a cyber firm’s survey suggests. It says attackers increasingly use AI to scale phishing and malware attacks. At the same time, AI is being rapidly adopted in defensive operations, with more than a third of those surveyed already using AI to automate incident response (36pc) and to support threat hunting (35pc).
Martin Riley, CTO at Bridewell, pictured, said: “AI is now central to modern cyber defence. If you are not using AI to accelerate detection and response, you are falling behind attackers who are already using it against you. The challenge for 2026 is not whether to adopt AI, but how to govern it safely.”
Anthony Young, CEO at Bridewell, added: “AI today feels very similar to the early days of cloud. It is powerful and widely adopted but often implemented faster than the controls designed to secure it. Organisations must apply the same discipline and guardrails to AI that they now expect for cloud and digital infrastructure.”
Driver of maturity
Regulation has now overtaken cyber threats as the main driver of security investment, with 35pc of organisations citing regulatory requirements as their main motivator, a rise from 26pc last year. Meanwhile, adoption of major frameworks remains inconsistent. Fewer than half (46pc) report use of or compliance with the Cyber Assessment Framework from the UK’s official National Cyber Security Centre, and only 29pc report adoption of NIS2, the latest European Union directive covering network and information systems (NIS). Some 39pc admit low confidence in their cyber security measures for data protection.
“Frameworks are essential, but compliance on paper does not automatically translate into operational resilience,” said Young. “Regulators are asking harder questions, and organisations will need to demonstrate policy alignment as well as real-world capability.”
Confidence gap
The research also uncovered a striking confidence gap in post-quantum cryptography (PQC). While 90pc claim to feel prepared, 38pc admit they have yet to review government guidance. This disconnect highlights what the firm describes as “confidence without clarity” in emerging risk areas like PQC.
The study suggests that 2026 marks a turning point. With IT disruption affecting half of organisations and average breach costs continuing to rise along with rising geopolitical tensions, CNI faces pressure to move from awareness to action, the firm says.
Riley added: “The speed of attack now outpaces traditional response models. Attackers can move from initial access to data theft in minutes. The organisations that succeed will be those that can detect attacks faster, respond in minutes rather than hours, and govern emerging technologies like AI securely.”
To download the report in full visit: https://www.bridewell.com/insights/white-papers/detail/cyber-security-in-cni-2026.





