Threat intelligence is still being overlooked in business decision-making, despite rapidly escalating AI security risks, says Bharat Mistry, Field CTO, TrendAI, part of the cyber firm Trend Micro.
Here is a number that should bother anyone responsible for organisational security: just 21 per cent of business decision makers say they are integrating threat intelligence into their decision-making. In a landscape where AI-related vulnerabilities surged 34.6 per cent year-on-year in 2025 alone, that gap between available intelligence and actual boardroom behaviour is not a minor oversight. It is a structural failure in how most organisations process risk. New research from Trend AI suggests that while security teams are generating increasingly sophisticated threat intelligence, most of it is dying somewhere between the SOC and the boardroom table.
The intelligence is there. The uptake is not.
This is not a data scarcity problem. Threat intelligence capabilities have improved dramatically over the past five years. Security teams can now track attacker infrastructure in near real-time, map emerging vulnerability trends before exploits appear in the wild, and correlate signals across endpoints, networks, and cloud environments. The raw material for informed decision-making exists.
The problem is that it rarely reaches the people making strategic calls about technology investment, AI deployment timelines, and acceptable risk thresholds. When only 21 per cent of business leaders are integrating this intelligence into their decisions, the implication is clear: 79 per cent are making those calls without it. They are flying on instinct, vendor assurances, and compliance checklists while the threat landscape shifts underneath them at a pace none of those inputs can track.
AI is widening the gap faster than governance can close it
The urgency comes from the speed at which AI is expanding the attack surface. Trend AI's analysis of over 330,000 CVEs identified 6,086 vulnerabilities directly affecting AI systems between 2018 and 2025. Of those, 2,130 were disclosed in 2025 alone, a growth rate that nearly doubles the 17.9% increase in overall CVE disclosures during the same period. Nearly half of scored AI vulnerabilities were categorised as high or critical severity.
These are not theoretical risks buried in academic papers. They affect the AI tools organisations are deploying right now, across developer environments, SaaS platforms, productivity tools, and security technologies themselves. Yet the governance response has not kept pace. Our research found that approximately half of the responding organisations are still drafting AI policies. Only 41 per cent of business decision makers report having governance controls for data integrity. And nearly two-thirds say they are only moderately confident in their understanding of the legal frameworks governing AI. This is a sector moving at production speed while still writing the safety manual.
Who owns AI risk? Nobody agrees.
Part of what makes threat intelligence so difficult to operationalise at the executive level is that nobody can agree on who owns the risk it describes. Among IT decision makers, 44% say the CISO or security function should be responsible for AI risk. Business decision makers lean differently, with 41% assigning ownership to data protection, legal, or compliance teams. When accountability is this fragmented, threat intelligence has no natural home in the decision-making process. Security teams produce it. Business leaders don’t consume it. And the gap between the two means that critical signals about emerging AI threats get deprioritised in favour of whatever is loudest on the quarterly agenda.
Making this worse, around two-thirds of respondents report pressure from leadership or market dynamics to accelerate AI deployment even when security concerns are raised. That pressure creates a perverse incentive: the people closest to the threat intelligence are the same people being told to move faster and worry less.
A framework that actually works
Solving this requires more than telling business leaders to “pay attention to threat intelligence.” The intelligence itself needs to be translated into a format and cadence that matches how business decisions are actually made.
That means threat intelligence teams need to deliver outputs tied to business outcomes, not just technical indicators. A briefing that says “we are seeing increased exploitation of AI model-serving infrastructure” means nothing to a CFO. A briefing that says “our current AI deployment timeline exposes us to a category of vulnerability that has grown 34.6% this year, and we do not yet have governance controls in place to manage it” does. Better still is one that quantifies the financial exposure: potential regulatory penalties, incident response costs, business interruption losses, and reputational damage translated into currency the board already uses to make every other strategic decision. Cyber risk quantification turns abstract threat data into the language of financial impact that business leaders and boards actually respond to, making it possible to weigh security investment against measurable downside risk rather than relying on fear or intuition.
It also means embedding threat intelligence into existing governance workflows rather than treating it as a parallel stream. If AI risk ownership sits across security, legal, and compliance functions, then threat intelligence needs to reach all of them, presented in terms each function can act on. The alternative, where intelligence flows upward through security alone and gets filtered or diluted before it reaches the board, is demonstrably failing. The 21% figure is proof.
Organisations should also align AI deployment approvals with threat intelligence review cycles. If two-thirds of organisations are being pressured to accelerate AI adoption, then the counterweight cannot be a vague appeal to caution. It needs to be a concrete, evidence-based risk assessment drawn from current threat data, delivered at the point where deployment decisions are being made.
The cost of not listening
The 79 per cent of business leaders who are not integrating threat intelligence into their decisions are not doing so because they are reckless. They are doing so because the systems, structures, and translation layers that should carry that intelligence into the boardroom do not yet exist in most organisations. Building them is not optional. As AI-related vulnerabilities continue to accelerate, the window for making uninformed decisions without serious consequences is closing fast.





