Organizations racing to call themselves "AI-first" are discovering that failing to modernize security in step with AI’s rapid expansion creates more problems than it solves. Fastly's fourth annual Global Security Research Report reveals that AI-first companies—those that integrate AI into key processes and offerings from the outset rather than as a secondary enhancement—are the ones struggling the most with security issues.
Key takeaways:
AI-first businesses take 80 days longer to recover from security incidents (6.8 months vs. 3.9 months), with incidents costing 135% more
Attackers directly exploited AI in 44% of incidents at AI-first organizations
Nearly three-quarters (73%) of organizations now put responsibility for breaches down to the CISO
The Data Doesn't Lie
AI-first businesses take nearly seven months to recover from cybersecurity incidents, 80 days longer than everyone else. That means extended downtime, and prolonged reputational damage that compounds with every passing week.
Incidents cost AI-first organizations 135% more than their counterparts. For a mid-sized business this equals to millions in lost revenue.
Here's what makes this particularly painful: almost half (44%) of AI-first organizations report that AI was directly exploited in their most recent security incident.
Web Application and API Protection (WAAP) is becoming business critical as it provides essential visibility and control organizations need to secure innovation at the edge. Solutions like Fastly’s Next-Gen WAF deliver integrated visibility and protection across applications and APIs.
AI Scraping Hits the Bottom Line
AI scraping is hitting almost everyone, regardless of how AI-native your operations are. It has become a material cost center for nearly two-thirds (64%) of businesses, with average annual infrastructure costs rising by nearly $350,000.
43% of organizations report surging infrastructure expenses as a direct result of AI activity. Another 40% faced operational disruption, while 29% were dealing with customer experience issues – sluggish load times, broken functionality, and degraded performance that sent users elsewhere.
Media and Entertainment companies are most impacted by AI content scraping. Over half (51%) are suffering elevated infrastructure costs, and 47% report operational disruption.
The CISO’s Chair is Getting Hotter
Nearly three quarters (73%) of organizations now say the CISO is ultimately responsible when breaches occur. And CISOs aren’t just “accountable on paper”: the report shows CISO involvement in incident response has jumped, with the vast majority (82%) reporting active participation and almost three-quarters (74%) seeing increased engagement over the past year.
Most organizations (94%) say they’ve made policy changes in response to growing CISO accountability. Many of those moves skew towards taking a more defensive approach:
42% promised increased scrutiny of security disclosure documentation
45% offered more legal support for cybersecurity staff
AI sharpens the problem. Over half of AI-first businesses (51%) report confusion over who owns incident response (vs. 23% of non-AI-first).
Security by Design isn't Optional Anymore
The data does contain some genuinely good news. Organizations that invest in the right capabilities are seeing results. Those that implemented post-incident reviews (52%) and response automation (43%) helped drive average recovery times down by 17%, from 7.34 months in 2024 to 6.08 months in 2025.
The organizations handling this well aren't slowing down their AI adoption. They're changing when security enters the conversation. Security architecture built into systems from the beginning removes uncertainty, enabling teams to move faster with confidence.
Read the full Global Security Research Report for more information, industry-specific implications, and strategies for modernizing your security infrastructure at the same pace you're adopting AI.
Methodology
Global Security Research surveyed 2,000 key IT decision makers with an influence in cybersecurity in large organizations spanning multiple industries across North, Central and South America, Europe, Asia-Pacific, and Japan. The interviews were conducted online by Sapio Research in Q4 2025 using an email invitation and an online survey.