AI makes debut in Bridewell cyber safety in CNI report

Synthetic intelligence (AI) danger has entered the highest tier of safety issues for the primary time for 39% of organisations, in keeping with a report from Bridewell, a cyber safety providers agency targeted on operational expertise (OT).

The provider’s Cyber safety in important nationwide infrastructure 2026 report discovered that AI is being quickly adopted for defence, with 36% of the organisations surveyed utilizing AI to automate incident response and assist risk looking (35%).

The analysis survey was performed by market analysis agency Censuswide amongst 600 cyber safety professionals in CNI-providing organisations drawn from sectors that embrace central authorities, civil aviation, power, monetary service, rail and water provide.

Martin Riley, CTO of Bridewell, mentioned: “AI is now central to trendy cyber defence. In case you are not utilizing AI to speed up detection and response, you’re falling behind attackers who’re already utilizing it towards you. The problem for 2026 is just not whether or not to undertake AI, however methods to govern it safely.”

Anthony Younger, CEO of Bridewell, added: “AI immediately feels similar to the early days of cloud. It’s highly effective and broadly adopted however usually applied quicker than the controls designed to safe it. Organisations should apply the identical self-discipline and guardrails to AI that they now anticipate for cloud and digital infrastructure.”

In a press briefing forward of the publication of the report, Younger mentioned: “OT is at all times, I might say, 5 to 10 years behind what’s happening within the IT sector. We’re nonetheless, from a safety controls perspective, catching up on the OT facet in comparison with the place we’re on the IT facet. Even issues like monitoring and detection and the way you’re doing response, that’s nonetheless behind what most corporations have gotten on the IT facet.”

In the identical briefing, Riley mentioned: “The biggest problem that we see in ICS [industrial control systems] necessities is understanding what belongings you’ve received. And most organisations don’t have the funds to have the ability to deploy instruments to have the ability to deal with that. In the event you ask any ICS engineer, ‘How does that security instrumentation system work?’, they’ll inform you fingers down, however they’ll’t inform you what the community is behind it, what number of of these gadgets are linked to it. To do this safely in OT, you want instruments which are in a position to hear on the community safely. After which it simply turns into an information problem. It’s not an AI problem.

“I’ve been main our AI practices and growth for about three and a half years, however I might say that solely up to now 12 months has there been an actual inflection level whereby it’s truly precious for a enterprise and its manufacturing.”

In line with the analysis, cyber assaults have affected virtually each UK important infrastructure organisation, with 93% reporting a cyber incident up to now yr.

The analysis reveals assaults are more and more inflicting operational disruption throughout power, finance, transport and authorities sectors, amongst others. Half of the organisations surveyed report IT disruption or outage following cyber incidents, and almost one-third (31%) say assaults have resulted in income loss.

Phishing and enterprise e-mail compromise [BEC] stay the most typical assault strategies, with organisations experiencing a median of 11 phishing or BEC annually, adopted by malware assaults, averaging eight incidents yearly.

Information safety and privateness stays the primary concern for 43% of CNI organisations. The analysis means that regulation is now the primary governor of safety spending. Some 35% of the organisations surveyed cited regulatory necessities as their foremost driver, up from 26% in 2025.

However the analysis additionally discovered organisations failing to implement such laws. Solely 46% are compliant with the NCSC’s Cyber Evaluation Framework and solely 29% report adoption of the European Union’s NIS2. Some 54% reported themselves compliant with the federal government’s Cyber Necessities certification scheme.

Younger mentioned: “Frameworks are important, however compliance on paper doesn’t routinely translate into operational resilience. Regulators are asking more durable questions, and organisations might want to reveal coverage alignment in addition to real-world functionality.”

Riley concluded, in a press assertion accompanying the report: “The pace of assault now outpaces conventional response fashions. Attackers can transfer from preliminary entry to information theft in minutes. The organisations that succeed can be these that may detect assaults quicker, reply in minutes moderately than hours and govern rising applied sciences like AI securely.”