Your security stack looks fine from the dashboard and that’s the problem

One in five enterprise endpoints is operating outside a protected and enforceable state on any given day, according to device telemetry collected across tens of millions of corporate PCs. That figure, drawn from Absolute Security’s 2026 Resilience Risk Index, has barely moved in a year, even as organizations continue to add security tools and increase spending.

The report, which draws on multi-year endpoint telemetry alongside external research, finds that the gap between security deployment and security enforcement is widening. Controls are installed. Dashboards report coverage. The underlying devices are frequently in a different condition.

Control drift is constant, not episodic

The share of endpoints operating in a protected state increased from 78% in 2025 to 79% in 2026 among devices tracked without active resilience enforcement. That one-point gain means the average enterprise device spends approximately 76 days per year outside a state where its security controls are reliably enforceable.

The data covers three major control categories: Endpoint Vulnerability Management, Endpoint Protection Platforms (EPP/EDR/XDR), and Security Service Edge. Vulnerability management showed the steepest deterioration, with the out-of-compliance rate rising from 20% to 24% year over year. EPP and EDR controls held flat at 23% out of compliance. SSE controls moved from 13% to 14%.

The platforms analyzed dominate analyst quadrants and anchor enterprise security budgets across endpoint management, protection, and network security categories. Vendor identities are anonymized in the performance charts, but the dataset represents the largest names in the industry by deployment and spending share.

Across the endpoint management category, vendor-level performance ranged from protected-state integrity near 99% at the top to 55% at the bottom. One vendor in the endpoint management tier saw its protected-state rate drop from 64% to 55% year over year, leaving nearly half of devices outside an enforceable state.

The cost of being down

The financial context behind these numbers is substantial. Splunk research estimates that companies lose an average of $49 million in annual revenue due to downtime. Across the Global 2000, the aggregate figure exceeds $400 billion per year, roughly 9% of total corporate profits. High-impact outages affecting core systems carry a median hourly loss of approximately $2 million, with recovery times frequently extending to two weeks or longer.

Researchers draw a distinction between security coverage and operational continuity. An organization can have licenses active, dashboards green, and agents installed on every device, and still be unable to remotely restore those devices at scale when disruption occurs. In one case study, a large global enterprise with extensive security platform coverage found fewer than 40% of its devices were remotely recoverable during an incident. Mean time to recover stretched between five and ten days. Estimated annual downtime exposure ran from $28 million to $40 million. After implementing persistence-based resilience capabilities, remote recovery reached over 95% of endpoints, mean recovery time fell below 24 hours, and annual downtime exposure dropped below $5 million.

Vendor consolidation creates concentration exposure

Enterprise security architecture is consolidating around fewer platforms. A 2025 Gartner survey found that 62% of organizations are actively reducing their vendor count, and 36% plan to continue consolidation over the next three years.

Fewer vendors mean fewer integrations and lower coordination overhead, which is the operational logic driving consolidation. The structural consequence is that a single configuration error, update failure, or service disruption can propagate across an entire device fleet simultaneously.

The 2025 Verizon Data Breach Investigations Report found that 30% of breaches now involve a third party, roughly double the prior-year figure, pointing to the degree of ecosystem dependency in enterprise environments.

The 2024 global endpoint outage affecting millions of systems within hours is cited as an example of how architectural concentration can convert a single vendor-layer failure into a synchronized enterprise-wide disruption.

Patch cycles are slipping, including on newer systems

Windows 10 patch age more than doubled year over year across every sector analyzed. That increase is largely attributable to Microsoft ending general security updates for Windows 10 in October 2025. By early 2026, patch age for Windows 10 endpoints largely reflects the number of days since that final update, approximately 150 days.

The more significant signal is that approximately 10% of enterprise endpoints in the dataset continue to run Windows 10, placing them permanently outside the security update cycle with no path to remediation short of OS migration.

Windows 11 patch age also increased across every vertical in the dataset. In Media and Telecom, Windows 11 patch age reached 78 days. In Education, it reached 81 days. Finance showed the smallest increase, with Windows 11 patch age at 32 days in 2026. The increases indicate that patch discipline is weakening on current-generation systems, not only on legacy hardware being wound down.

Generative AI usage grows 2.5x on enterprise devices

Visits to generative AI platforms from enterprise PCs grew from approximately 150 million to over 350 million year over year, a 2.5x increase. ChatGPT continues to account for the largest share of traffic, with 97.8% of observed visits in 2025 declining to 78.3% in 2026. Google’s Gemini went from no measurable presence in 2025 to 16.1% of enterprise AI visits in 2026. Claude, OpenAI developer services, and DeepSeek also registered enterprise activity in 2026.

Over 99% of this AI usage occurs through web browsers, not locally installed applications. That delivery method bypasses many application control policies, allowing AI access to expand outside formal IT oversight channels. Employees can transmit sensitive prompts, internal data, and intellectual property through browser-based AI tools without triggering traditional endpoint controls.

DeepSeek traffic declined significantly year over year, yet the platform continued to appear in enterprise networks despite restrictions from multiple governments and security agencies.

Enterprise hardware is becoming an AI execution platform

Enterprise PC hardware has shifted significantly toward AI-capable configurations. In 2025, 57% of enterprise devices had at least 16GB of RAM, the baseline for AI-assisted local workloads. By 2026, that figure reached 75%. Devices with 32GB or more, sufficient for more intensive local AI workloads, grew from 11% to 21%.

Chip manufacturers are shipping processors with dedicated AI accelerators, and operating systems are integrating AI functionality into the desktop environment. Gartner forecasts that AI-capable PCs will represent more than half of global PC shipments by 2026.

The practical consequence is that endpoint stability is now a prerequisite for automated workflows, not just for individual user productivity. An endpoint that drifts out of an enforceable state, or falls beyond management visibility, becomes a potential failure point for AI-driven processes running on or through that device.

The emergence of what the report calls “fully entitled digital agents,” AI systems that operate with user-level permissions, access enterprise applications, and persist across workflows, adds an additional governance layer. Organizations must now account for autonomous software operating with the same access rights as the employees who deployed it.

Sector-level risk is uneven

The financial services sector showed a sharp increase in sensitive data exposure, rising from 23% to 40% of endpoints year over year. Encryption and dark device metrics improved in the sector, which means the risk concentration came from data accumulating faster on individual endpoints than controls tightened.

Healthcare showed a similar pattern. Dark device rates declined slightly, and encryption gaps widened, even as regulated data per device continued to grow.

Retail showed improvement across all three risk metrics, with reductions in unencrypted devices, dark devices, and sensitive data exposure.

Manufacturing remained stable in data density and made incremental gains in control coverage, with distributed dark device risk persisting in operational environments.

Measuring resilience as a business metric

The researchers propose four metrics for quantifying resilience in financial terms: mean time to recover, the percentage of endpoints recoverable remotely, downtime cost per hour of disruption, and labor plus incident response costs required for recovery. An enterprise generating $500,000 per hour in operational revenue would preserve approximately $4 million in value by reducing downtime by just eight hours per year.

Webinar: The True State of Security 2026