Vanta State of Trust 2025: AI Threats Outpace Security Expertise

7 in 10 organizations say the security risks for their company have never been higher

For the majority of companies, AI threats have outpaced their team’s expertise to combat them

8 in 10 are adopting agentic AI to help—but fewer than half have frameworks in place to control it

76% of security and compliance teams are seeing a reduction in employee burnout thanks to AI and automation tools

SAN FRANCISCO--(BUSINESS WIRE)--Vanta, the leading AI-powered trust management platform, today released its third annual State of Trust Report, an in-depth analysis uncovering global trends in AI, security, compliance, and trust from a survey of 3,500 IT and business leaders across the U.S., U.K., France, Germany and Australia.

Today, 72% of organizations say the security risks for their company have never been higher—a 17-point increase from 2024, when 55% said the same. As AI-driven cyber threats proliferate, organizations admit they can't keep up, with a majority (59%) of business and IT leaders warning that AI cyber threats are advancing faster than their security team’s expertise to deal with them. In the past year, half of all organizations reported an increase in AI-generated phishing (49%), AI-powered malware (48%), and AI-driven identity theft or fraud (47%).

On the other hand, the number of companies leveraging AI agents to protect against AI cyber attacks is increasing sharply, with 8 in 10 leaders currently using AI agents or planning to this year. However, AI usage doesn’t match understanding of the technology, particularly when it comes to agents: nearly two-thirds (65%) say their use of agentic AI outpaces their understanding of it.

“AI has completely changed the security equation,” said Jeremy Epling, Chief Product Officer, Vanta. “It’s creating new risks at unprecedented speed, but it’s also one of the most powerful tools we have to strengthen defenses and limit burnout for overworked security teams. The challenge now is balance—adopting AI in ways that enhance security without losing control or visibility. As evident in the State of Trust data, to really build lasting trust, we need frameworks to help ensure AI is reliable, secure, and verifiable in how it makes decisions.”

Agentic AI adoption is high, but control is low

To combat the surge of new attack vectors, security teams are trusting agentic AI with everything from decision-making to security strategy. But a lack of governance threatens to do more harm than good:

  • 79% of leaders are currently using or planning to use AI agents to protect against AI cyber attacks
  • 61% say they trust agentic AI to override human decision-making in certain scenarios like suspending a risky browser extension or session when a policy violation is detected
  • 71% of teams feel comfortable with agentic AI giving input on security strategy
  • But AI usage doesn’t match understanding—nearly two-thirds (65%) say their use of agentic AI outpaces their grasp of it
  • A mere 48% have developed a framework for granting or limiting autonomy in AI systems

Security theater is getting in the way of real protection

The security paradox of AI means that as customers demand more proof of security, many teams are spending more time proving security, rather than improving it.

While 8 in 10 believe improving security and compliance directly boosts customer trust, leaders say their organizations only spend half of what they should on security—dedicating 10% of IT budgets to security vs a 17% ideal. This amounts to 12 working weeks per year spent on compliance-related tasks (vs 11 last year), and 9 working weeks per year on vendor security reviews and risk assessments (vs 7 last year).

As a result, 61% say they spend more time proving security rather than improving it, with 64% saying today’s security frameworks feel like ‘security theater’.

AI banishes cybersecurity team burnout

Amid growing compliance pressure, AI is both a relief valve and a reinvention tool. It’s helping overburdened teams do more with less, automating manual tasks and freeing up time for meaningful security work:

  • 76% of security and compliance leaders say AI and automation tools are reducing burnout and improving day-to-day productivity
  • 95% believe AI and automation have improved security team effectiveness
  • 1 in 2 say that risk assessments and incident response times are faster and more accurate with AI

VantaCon 2025: How AI is rewriting trust

On November 19, Vanta will host VantaCon 2025: How AI is Rewriting Trust, bringing together security's brightest minds for a half-day of keynotes and panels exploring how AI is transforming trust, risk and compliance.

Speakers from leading AI, tech and security companies include Duolingo, Sierra, Pendo, Sublime Security, 1Password, Ro, Anthropic, Ramp and Ironclad. To learn more, visit https://www.vanta.com/vantacon.

Methodology

In July 2025, quantitative research conducted by Sapio Research was commissioned by Vanta to understand the challenges and opportunities businesses are facing when it comes to security and trust management. Vanta and Sapio Research co-designed the questionnaire and surveyed the behaviors and attitudes of 3,500 business and IT leaders across the U.S., UK, France, Germany and Australia.

For consistency with prior years’ analyses, the data presented here and in the global report reflects a subset of 2,500 respondents from the U.S., UK, and Australia. Tracking data from the 2024 State of Trust Report has also been included; sample sizes in 2024 were 1,000 in the UK and U.S. and 500 in Australia.

About Vanta

Vanta is the leading AI-powered trust management platform that helps businesses earn and prove trust. Companies including Atlassian, Duolingo, the Golden State Warriors, Icelandair, Ramp, and Synthesia rely on Vanta to build, maintain, and demonstrate their trust, all in a way that is real-time and transparent.

Contacts

Press Contact
press@vanta.com
