18% of middle market executives surveyed report suffering a data breach in the last year.
Middle market companies are at high risk because of valuable assets and uneven security controls.
Emerging threats, mainly attributed to AI, will pose significant challenges moving forward.
The middle market is navigating a confluence of events that have introduced complex, persistent cybersecurity challenges. The rapid escalation of artificial intelligence usage and threats, combined with continued economic and geopolitical concerns, is challenging risk management strategies to keep pace.
The Q1 2026 RSM US Middle Market Business Index survey, conducted from Jan. 6 to Jan. 30 on behalf of RSM by The Harris Poll, drew responses on cybersecurity from executives at 501 U.S. middle market companies across a variety of industries. The RSM Canada middle market survey was conducted from Feb. 9 to Feb. 20, interviewing 101 Canadian executives. The resulting data provides insights on cybersecurity in the middle market overall, as well as in smaller ($30 million to less than $250 million in revenue), midsize ($250 million to $1 billion in revenue) and larger ($1 billion to less than $10 billion in revenue) middle market organizations. The survey responses revealed large gaps between the groups, with smaller firms appearing to lag their larger counterparts in cybersecurity budgets and staffing, as well as in implementing AI governance practices.
For the second straight year, nearly 1 in 5 (18%) middle market executives polled said their organizations experienced a data breach in the previous 12 months. Midsize companies were the most likely to have experienced a breach (21%), while smaller companies were the least likely (16%).
Middle market companies are increasingly targeted because they represent high-value environments with uneven security maturity. Organizations that prioritize identity security, visibility and vendor risk management significantly reduce breach probability.
The Canadian perspective: A quarter of Canadian executives surveyed indicated they experienced a data breach in the last year.
Even with the elevated threat environment, middle market executives almost universally feel optimistic about their existing control environment. In fact, 96% of survey respondents are confident in their current security measures, nearly identical to last year’s data.
However, “confidence isn't the same as preparedness,” says Rich Servillas, a director at RSM US LLP. “I see a lot of gaps in incident response engagements with organizations that have good tooling but no rehearsed decisions or framework.”
Despite the overwhelming level of confidence among respondents, RSM risk professionals caution companies about a new level of threats—mainly attributed to expanding AI use—that will pose significant challenges moving forward but have yet to be addressed by companies of all sizes.
The rapid evolution of AI introduces heightened cyber risks across several dimensions. AI’s promise of increased efficiency and insight is enticing, but companies often move too quickly without effective governance in place. In addition, if individual users or teams test or use unapproved or unvetted AI and generative AI solutions, shadow AI can emerge within the organization. Both scenarios can quickly result in the exposure or loss of sensitive data.
“Organizations are constantly evaluating ways to do more with less, and the move to AI-enabled solutions is occurring very rapidly,” says RSM US Principal Daniel Gabriel. “But most companies don’t yet know where they want to be or what it means to get there. That acceleration opens up a lot of risk or potential avenues of risk.”
RSM US Principal Steve Kane stresses how quickly shadow IT can spread. “You can only manage what you can see, and companies often don’t realize that they have their own shadow IT—or they just turn a blind eye to it, and do not have the proper controls in place to manage or mitigate the challenges it brings,” he says. “Meanwhile, many of their employees are using public AI tools to ask questions about how to perform certain tasks and using customer data. That's potentially instant data loss, because now that's in somebody else's cloud or somebody else's computer that you don't know.”
Middle market companies must get their arms around AI deployment, even as the broader market has yet to settle on a clear approach. And middle market companies face that challenge with fewer resources at their disposal.
On the bright side, cybersecurity firms and teams are becoming more adept at leveraging AI, and more functionality is now built into security products to increase protection capabilities. AI enables the middle market to take some security measures that were previously out of reach by leveraging tools with built-in AI, essentially extending their workforce without adding personnel.
In addition to AI deployment risks, the cyberthreat landscape for middle market companies is elevated because AI makes sophisticated attacks easier to launch. Campaigns that previously required an exceptionally gifted threat actor and months to develop can now be orchestrated at scale by a relative novice with AI assistance.
The growing use of AI underscores the need for critical security features in the middle market: identity and access, privileged access, the controlling of sensitive data and the assignment of authorizations.
MMBI survey respondents reported focusing their resources mainly on detection and response (39%), securing the cloud (36%), and strategy and risk management (35%). Digital identity, prioritized by only 23% of respondents, represents a significant missed opportunity to focus on what human and nonhuman users can access rather than where they are connecting from.
“Identity is at the center of information compromises,” says RSM US Principal Alden Hutchison. “Most threat actors don’t break in. They log in. When identity controls and permissions are weak, attackers don’t need exploits. As organizations adopt AI, those same gaps scale faster, because AI will act on any access it’s given, intended or not.”
Identity is the focal point of securing AI, establishing rights and defining what it is authorized to do. However, companies often debate how to structure authorizations: Should AI tools have authorizations all the time and their own specific identity, or should they inherit the identity of the user? Companies have dealt with these questions for human identities in the past, but their importance is elevated because of the rapid growth of nonhuman identities.
Gabriel emphasizes the identity challenges organizations face in an uncertain environment. “It’s just a very difficult time, mostly because companies don’t necessarily know how to respond,” he says. “Companies have some basic guidelines on things they need to do fundamentally, but nobody truly knows what the future of AI holds.”
Amid ongoing economic uncertainty, fewer middle market companies are increasing cybersecurity investments, even in the extremely challenging threat environment. In the MMBI survey, 81% of respondents said they plan to increase their cybersecurity budget, a decrease from 91% last year. As companies navigate tariff expenses, rising energy costs and business complexity related to geopolitical conflicts on multiple fronts, many are reevaluating their spending to address potential cybersecurity threats.
“Rising costs have caused organizations to make tough decisions,” says Gabriel. “Understandably, when things get tight, companies tend to pivot money to what keeps the lights on and generates revenue for the organization. But companies cannot lose focus on cybersecurity, because this is a time when threat actors are arguably more active and dangerous than they have ever been.”
In 2026, RSM closely evaluated the middle market and redefined the segment to encompass companies with annual revenue between $30 million and $10 billion. Today, approximately 125,000 companies make up the modern middle market, employing 50 million people and generating $16 trillion in revenue. Note: Due to this redefinition, comparisons of current MMBI data to all trended data prior to Q1 2026 should be interpreted with caution.
The Q1 2026 RSM US Middle Market Business Index survey data was gleaned from a combination of an online sample and a panel of approximately 400-500 executives (the Middle Market Leadership Council) recruited by The Harris Poll using a sample supplied by Dun & Bradstreet. All individuals were full-time, executive-level decision makers working across a broad range of industries (excluding public service administration): nonfinancial or financial services companies with annual revenues of $30 million to $10 billion or CA$30 million to CA$1 billion; and financial institutions with assets under management of $500 million to $500 billion or CA$250 million to CA$10 billion.
These panel members are invited to participate in four surveys over the course of a year that include special issue-based question sets, as well as quarterly index-only surveys; the Q1 2026 survey was conducted from Jan. 6 to Jan. 30 (Feb. 9-Feb. 20 in Canada). Information was collected by phone and online from 501 U.S. middle market executives, including 80 panel members and a sample of 421 online respondents, and 101 Canadian middle market executives. Data is weighted by industry.
No matter the industry, an effective cybersecurity strategy is a critical component of ongoing sustainability and success.