A new report by Proofpoint, Inc. finds UAE organizations among the most advanced in AI deployment, with security strategies rapidly evolving. Based on a survey of over 1,400 security professionals across 12 countries, the study highlights gaps between fast AI adoption and preparedness to manage emerging risks.
AI is increasingly permeating organizations and is now operational across most functions, with deployments spanning customer support, internal messaging, email workflows, and third-party collaboration. Globally, 87% of organizations have deployed AI assistants beyond the pilot stage, and 76% are actively piloting or rolling out autonomous agents. Yet while organizations are investing in AI tools and controls, many cannot confirm those controls are effective—52% are not fully confident their AI security controls would detect a compromised AI, and half of those with controls in place have already experienced a confirmed or suspected AI-related incident.
Further, most organizations report they are not fully prepared to investigate AI-related incidents that span multiple systems and channels—only one-third say they are fully prepared to investigate one.
“This year’s findings highlight a widening divide between AI adoption and security readiness,” said Ryan Kalember, Chief Strategy Officer at Proofpoint. “Organizations are scaling AI assistants and autonomous agents across core workflows, yet many cannot confirm their controls are effective or fully investigate incidents that move across collaboration channels. As AI becomes embedded in how work gets done, security leaders must rethink how they protect trusted interactions across people, data and AI systems.”
Emile Abou Saleh, Vice President Emerging Markets, Proofpoint, said: “The UAE has established itself as one of the fastest growing markets in the region in AI adoption, and that ambition is not slowing down. Yet cybersecurity is still catching up, and the stakes are rising. We’re seeing a significant surge in phishing attacks in both volume and sophistication, driven in part by geopolitical tensions that are fueling more targeted campaigns across the region, and cybercriminals are increasingly exploiting both AI and human behavior to amplify their impact. Many UAE organizations are already dealing with these threats in live environments. The good news is that organizations across the UAE are actively investing to course correct. The focus now needs to shift to getting the foundations right: improving visibility, strengthening governance, and building security that keeps pace with how AI is actually being used, including the growing human attack surface that phishing continues to exploit.”
Key UAE findings from Proofpoint’s 2026 AI and Human Risk Landscape report include:
- AI Deployment Has Outpaced Security Readiness. AI adoption has moved into production faster than governance frameworks have matured. While 92% of organizations in the UAE have deployed assistants beyond pilot stage and 80% are advancing autonomous agents, 55% describe security as catching up, inconsistent or reactive. 41% report experiencing a suspicious or confirmed AI-related incident, indicating that exposure is already present in live environments.
- Collaboration Channels Are the Primary AI Attack Surface. AI is expanding the attack surface, enabling threats to spread at machine speed and impact connected workflows. While third-party SaaS and cloud applications are the most common threat vector at 58%, exposure now extends across email (52%), social and messaging platforms (42%), and SMS or text (41%). Among organizations that experienced an AI-related incident in the UAE, exposure increases across every channel, including 59% in third-party SaaS and cloud applications and 51% in file-sharing platforms.
- Confidence Exceeds Control Effectiveness. While many organizations have security controls in place, they also lack assurance. 57% of organizations in the UAE report having AI security coverage in place, yet 51% are not fully confident those controls would detect compromised AI. Further, 40% of organizations in the country with controls still reported an AI-related incident. Gaps persist in no risk assessment for AI workflows (48%), no model for detecting compromised agents or exploited AI assistants (44%), and training (41%).
- Investigation Readiness Lags Behind Incident Reality. When AI-related incidents occur, many organizations struggle to investigate them effectively. Only 53% of respondents in the UAE say they are fully prepared to investigate an AI- or agent-related incident, and 39% report difficulty correlating threats across channels. As AI-related activity spans email, collaboration platforms and cloud systems, the ability to reconstruct events depends on visibility across connected environments, which many organizations do not yet have.
- Tool Sprawl is a Structural Barrier. Fragmentation across security stacks is compounding the challenge, limiting visibility and slowing response when incidents move across systems at machine speed. 98% of organizations in the UAE say managing multiple security tools is at least moderately challenging, and 68% describe it as very or extremely difficult. Respondents cite overlapping or redundant tools (45%), difficulty correlating threats (39%), and slow investigation times (39%).
- Security Architecture Becomes a Strategic Priority as AI Scales. 51% of organizations in the UAE are actively pursuing vendor and tool consolidation, and 47% believe a unified platform is more effective than point solutions. Over the next 12 months, 65% plan to expand AI protections, 64% intend to extend collaboration channel coverage, and 65% expect to move toward a unified platform approach.
“While AI has introduced new risks, such as prompt engineering, its bigger impact has been amplifying the risks we’ve always had,” Kalember said. “Running untrusted code, mishandling sensitive data, and losing control of credentials are the same challenges that humans have created for decades. AI executes them at machine speed and scale. When organizations hand AI the keys to act on their behalf—across customers, partners, and internal systems—the blast radius of any one of those failures grows dramatically. The answer isn’t to treat AI as a novel threat category, but to apply rigorous, proven controls to what AI touches, what it runs, and what it’s allowed to authenticate as. Organizations that get that foundation right early will scale AI confidently. Those that don’t are just automating their own exposure.”
