New data shows AI adoption, risk assessments, and leadership alignment drive security maturity, but budget challenges persist at every stage
SAN FRANCISCO–(BUSINESS WIRE)–Vanta, the first and only AI-powered trust management platform, today released its Trust Maturity Report, offering a data-driven look at how organizations are evolving their security programs in an increasingly complex risk landscape.
Drawing on aggregated, anonymized insights from over 11,000 organizations and aligned to the NIST Cybersecurity Framework (CSF), the report maps companies across four security maturity tiers:
- Partial – Organizations in the earliest stage of maturity, typically relying on limited or ad hoc security processes
- Risk-Informed – Teams that have begun to formalize risk management practices, though application is often inconsistent
- Repeatable – Companies with standardized, organization-wide security practices that are actively maintained
- Adaptive – Highly mature organizations that continuously optimize and scale their security programs through automation, analytics, and cross-functional alignment
As organizations progress through these tiers, the report shows a clear pattern: higher maturity correlates with better risk practices, stronger resilience and more effective use of AI. Key findings from the report reveal:
- Risk assessments are a turning point: Only 43% of Partial companies have completed a risk assessment, compared to 100% for Adaptive
- Budget remains a barrier at all stages: 67% of Repeatable and 35% of Adaptive companies cite budget and resources as ongoing challenges
- Incident preparedness signals maturity: 92% of Repeatable companies monitor threats continuously with alerts compared to 56% of Partial companies with a basic incident response plan that’s not tested, and 12% with no plan at all
- AI drives scale and efficiency at the top: 71% of Adaptive companies are adopting AI to enhance speed, scale, and efficiency.
“Security maturity doesn’t happen by accident—it’s driven by deliberate, strategic investment in risk management, culture and ongoing incremental improvements to people, process, and technology,” said Jadee Hanson, CISO, Vanta. “Our data shows that organizations that embed trust principles in everything they do mature faster, operate more resiliently, and are better prepared for today’s evolving risk landscape.”
Security maturity starts with strategic risk management
One of the clearest markers of maturity that divided the Partial from the other, more advanced tiers is risk assessments. Vanta’s research found that only 43% of Partial organizations conduct risk assessments, while 100% of Risk-Informed businesses have conducted at least one formal risk assessment. This shows how external factors like compliance requirements and customer needs are often the biggest drivers of early-stage security programs.
Incident readiness was also a clear indicator for maturity. Vanta found that 92% of those at the advanced tiers (Repeatable & Adaptive) monitor threats continuously with alerts. Specifically, for Repeatable organizations:
- 100% have business continuity plans
- 85% run regular incident response drills
- 78% test their plans regularly
AI is a key enabler for mature security teams
Adaptive companies are significantly more likely to adopt and integrate AI into their security operations. With a better understanding of their data flows, governance needs and risk exposure, these organizations use AI to reduce rework, streamline decision-making and align with frameworks like ISO 42001.
Trust-first teams drive maturity
Trust isn’t just a byproduct of mature security programs; it’s what drives them forward. As organizations progress, they embed trust into company culture, secure leadership alignment and integrate risk into top-level decision-making.
For Partial organizations, security investments are largely driven by customer expectations and compliance needs. For Adaptive, the top drivers are responding to customer/vendor demands (95%), reducing security risks (93%), meeting compliance requirements (90%), scaling security operations (75%), differentiating through security maturity (70%) and managing multiple frameworks (35%).
Budget remains a universal challenge—but obstacles broaden with maturity
While resource constraints persist across all tiers, mature organizations increasingly face challenges like implementing automation at scale, cross-team alignment and keeping pace with evolving threats, emphasizing the need for strategic leadership, collaboration and adaptable infrastructure.
The top challenges facing each group when moving up the maturity curve are:
- Partial: Budget and resources (48%)
- Risk-informed: Budget and resources (66%)
- Repeatable: Budget and resources (67%), implementing automation or managing frameworks (27%)
- Adaptive: Budget and resources (35%), implementing automation at scale (20%), executive buy-in or internal alignment (15%) and keeping up with threats (15%)
This shows that budget and resourcing are a top concern, regardless of maturity stage, but that these challenges become much more people- and risk-centric as maturity progresses. Ultimately this underscores that achieving security maturity is not a one-time milestone, but an ongoing process—one that requires strategic investment, cross-functional collaboration, and a foundation of trust.
Methodology
The Vanta Trust Maturity Report was sourced from aggregated, anonymized first-party data, mapped to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Each company was categorized across four maturity tiers using criteria such as policy coverage, AI adoption, incident response planning, and risk assessments—providing an objective benchmark for organizations to assess and advance their security programs.
Download the Vanta Trust Maturity Report to explore the full findings.
About Vanta
Vanta is the leading trust management platform that helps simplify and centralize security for organizations of all sizes. Over 11,000 companies including Atlassian, Duolingo, Icelandair, Ramp and Synthesia rely on Vanta to build, maintain and demonstrate their trust—all in a way that’s real-time and transparent. Founded in 2018, Vanta has customers in 58 countries with offices in Dublin, London, New York, San Francisco and Sydney. For more information, visit www.vanta.com.
Contacts
Press Contact
[email protected]
