Artificial intelligence (AI) risk has entered the top tier of security concerns for the first time for 39% of organisations, according to a report from Bridewell, a cyber security services firm focused on operational technology (OT).
The supplier’s Cyber security in critical national infrastructure 2026 report found that AI is being rapidly adopted for defence, with 36% of the organisations surveyed using AI to automate incident response and support threat hunting (35%).
The research survey was done by market research firm Censuswide among 600 cyber security professionals in CNI-providing organisations drawn from sectors that include central government, civil aviation, energy, financial service, rail and water supply.
Martin Riley, CTO of Bridewell, said: “AI is now central to modern cyber defence. If you are not using AI to accelerate detection and response, you are falling behind attackers who are already using it against you. The challenge for 2026 is not whether to adopt AI, but how to govern it safely.”
Anthony Young, CEO of Bridewell, added: “AI today feels very similar to the early days of cloud. It is powerful and widely adopted but often implemented faster than the controls designed to secure it. Organisations must apply the same discipline and guardrails to AI that they now expect for cloud and digital infrastructure.”
In a press briefing ahead of the publication of the report, Young said: “OT is always, I would say, five to 10 years behind what’s going on in the IT sector. We’re still, from a security controls perspective, catching up on the OT side compared to where we are on the IT side. Even things like monitoring and detection and how you’re doing response, that’s still behind what most companies have got on the IT side.”
In the same briefing, Riley said: “The largest challenge that we see in ICS [industrial control systems] requirements is knowing what assets you’ve got. And most organisations don’t have the budget to be able to deploy tools to be able to address that. If you ask any ICS engineer, ‘How does that safety instrumentation system work?’, they’ll tell you hands down, but they can’t tell you what the network is behind it, how many of those devices are connected to it. To do that safely in OT, you need tools that are able to listen on the network safely. And then it just becomes a data challenge. It’s not an AI challenge.
“I’ve been leading our AI practices and development for about three and a half years, but I would say that only in the past 12 months has there been a real inflection point whereby it’s actually valuable for a business and its production.”
According to the research, cyber attacks have affected almost every UK critical infrastructure organisation, with 93% reporting a cyber incident in the past year.
The research shows attacks are increasingly causing operational disruption across energy, finance, transport and government sectors, among others. Half of the organisations surveyed report IT disruption or outage following cyber incidents, and nearly one-third (31%) say attacks have resulted in revenue loss.
Phishing and business email compromise [BEC] remain the most common attack methods, with organisations experiencing an average of 11 phishing or BEC each year, followed by malware attacks, averaging eight incidents annually.
Data protection and privacy remains the number one concern for 43% of CNI organisations. The research suggests that regulation is now the main governor of security spending. Some 35% of the organisations surveyed cited regulatory requirements as their main driver, up from 26% in 2025.
But the research also found organisations failing to implement such regulations. Only 46% are compliant with the NCSC’s Cyber Assessment Framework and only 29% report adoption of the European Union’s NIS2. Some 54% reported themselves compliant with the government’s Cyber Essentials certification scheme.
Young said: “Frameworks are essential, but compliance on paper does not automatically translate into operational resilience. Regulators are asking harder questions, and organisations will need to demonstrate policy alignment as well as real-world capability.”
Riley concluded, in a press statement accompanying the report: “The speed of attack now outpaces traditional response models. Attackers can move from initial access to data theft in minutes. The organisations that succeed will be those that can detect attacks faster, respond in minutes rather than hours and govern emerging technologies like AI securely.”
