Kiteworks, which empowers organisations to effectively manage risk in every send, share, receive, and use of private data, released energy and utilities–specific findings from its Data Security and Compliance Risk: 2026 Forecast Report, warning that AI governance gaps are already exposing critical infrastructure to elevated security and compliance risk in 2026.
The research, based on a survey of 225 global security, IT, compliance, and risk leaders, finds that energy and utilities organisations have invested heavily in point controls — such as dataset access restrictions and privacy impact assessments — but continue to lack centralised AI monitoring, detection, and incident response capabilities needed to identify coordinated or nation-state–level attacks.
“Energy and utilities organisations are governing AI the way they govern physical infrastructure—locally, in silos,” said Tim Freestone, Chief Strategy Officer at Kiteworks. “That model breaks down in 2026. AI systems are interconnected, adversaries operate across environments, and without centralised visibility and response, attacks won’t be detected until they cause real operational or physical impact.”
AI risks materialising across energy and utilities in 2026
Kiteworks’ research identifies several risks already emerging across the sector this year:
- AI red-teaming gaps that leave operational systems untested against nation-state threats
- Weak centralised monitoring, allowing attacks to persist undetected
- Extended incident response dwell times due to the absence of AI-specific playbooks
- Limited board-level engagement delaying necessary security investment
- Encryption gaps in AI training data, exposing sensitive operational intelligence
Only 9% of energy organisations report conducting AI red-teaming, while just 14% maintain AI-specific incident response playbooks—leaving critical systems vulnerable to sophisticated adversaries.
What energy and utilities leaders must do now
The report recommends that organisations:
- Deploy centralised AI monitoring and data gateways across distributed environments
- Establish AI red-teaming programs focused on critical infrastructure use cases
- Develop and rehearse AI-specific incident response playbooks
- Elevate AI governance to the board level as a critical infrastructure protection issue
- Encrypt all AI training data as part of a defence-in-depth strategy
“In the energy sector, governance failures don’t stay theoretical,” Freestone added. “They translate directly into grid risk, regulatory exposure, and national security consequences.”
The Data Security and Compliance Risk: 2026 Forecast Report examines how accelerating AI adoption, regulatory pressure, and geopolitical threats are reshaping enterprise risk. The findings show that organisations with centralised visibility and board engagement significantly outperform peers on security readiness and compliance assurance.



