One-Third of UK Businesses Still Lack AI Risk Policies, CyXcel Research Finds

A new report by cybersecurity firm CyXcel reveals a worrying gap in AI risk preparedness among UK businesses, despite growing awareness of the potential threats. According to the findings, 31% of UK companies surveyed have no AI governance policies in place, while nearly the same proportion—29%—only recently adopted their first formal strategy to manage AI-related risks.

This comes even as a third of organizations acknowledge that AI could pose significant cybersecurity threats. The lack of proactive measures, CyXcel warns, leaves companies vulnerable to data breaches, operational disruption, and regulatory penalties.

The study also found that 18% of UK and US firms remain unprepared for AI data poisoning—a tactic where attackers manipulate the data used to train AI models, potentially compromising their integrity. Additionally, 16% have no safeguards in place against AI-generated threats like cloning or deepfakes.

“There’s a clear catch-22,” said Megha Kumar, Chief Product Officer and Head of Geopolitical Risk at CyXcel. “Organisations want to embrace AI but remain anxious about the risks—especially when many have no governance or policy frameworks to guide that adoption.”

To address this, CyXcel promotes its Digital Risk Management (DRM) platform, which helps businesses detect, understand, and respond to emerging digital threats. Designed for organizations across all industries—including those with limited in-house tech capabilities—the platform integrates cybersecurity, legal, and strategic insights into a central dashboard.

Beyond AI, the DRM tool also covers risk areas such as cybersecurity, supply chains, geopolitical tension, technology infrastructure, and regulatory compliance. It offers practical guidance for mitigating threats and strengthening governance. Built-in analytics help companies monitor legal exposure, respond to evolving regulations, and craft resilient risk strategies.

One standout feature is its dispute resolution service, which aims to reduce legal complexity and compliance timelines—especially for companies subject to regulations like the EU’s NIS2 and DORA. These frameworks govern sectors considered part of Critical National Infrastructure (CNI), including finance, energy, and telecommunications in the UK, US, and EU.

CyXcel CEO Edward Lewis highlighted the growing regulatory momentum around AI and cybersecurity.

“Governments are stepping up to safeguard critical systems with legislation like the EU’s Cyber Resilience Act,” Lewis noted. “We expect similar mandates in the UK soon, including compulsory ransomware reporting and increased regulator oversight.”

Interestingly, CyXcel is upfront about the fact that it faces the same digital risks as its clients. The company emphasizes that its approach to risk management isn’t just advisory—it’s personal. Its own reputation, legal compliance, and client trust hinge on the same standards it recommends to others.