SOFIAH NICHOLE SALIVIO

News Editor

Large organisations are improving their cyber security only slowly, while AI-related defences remain limited, according to Wavestone. The consultancy said the UK is now experiencing four nationally significant cyber attacks each week.

Its seventh annual Cyber Benchmark assessed more than 200 large organisations, representing nearly 7 million employees, against the NIST CSF v2.0 and ISO 27001 standards. Across the group, average cyber security maturity reached 55.3%, up 1.3 points from the previous year.

The findings show a sharp gap between AI governance and practical protection. While 76% of large organisations said they have a dedicated AI security policy, only 10% have put defences in place against AI-specific attacks such as prompt injection.

The disparity comes as companies face a shifting threat landscape, with attackers using AI tools to automate phishing and refine attack methods. Dedicated AI response teams remain uncommon, though Wavestone identified their emergence as an early trend among larger organisations.

Regulated sectors

The benchmark shows regulated industries ahead of the wider market. Financial services recorded cyber security maturity of 67.6%, up 5.1 points, which Wavestone linked to regulation, including DORA, and continued spending.

By contrast, non-regulated sectors showed no significant improvement. The gap between regulated and non-regulated organisations widened to 8.8 points, up 2.1 points from the previous year.

The data suggests regulation is helping to raise standards, but not uniformly across the economy. That uneven progress may deepen concerns for policymakers and company boards as reporting requirements and resilience expectations expand.

Compliance gap

The survey also found that none of the organisations assessed could yet fully and sustainably meet the requirements of the EU’s NIS 2 cyber security directive. Large organisations averaged 60% maturity against those requirements.

The shortfall is notable in the context of the UK’s Cyber Security and Resilience Bill, now at Report Stage in the House of Commons. The benchmark indicates that many organisations still face a substantial gap between current practice and the level of readiness expected under tougher resilience rules.

Overall progress appears to be slowing. Although the average maturity score rose, the annual increase was modest, suggesting many large organisations are struggling to keep pace with a threat environment evolving faster than internal controls and operating models.

For businesses, the findings point to a broader problem than technology spending alone. Policies are being written and governance structures are taking shape, but controls for new AI-related risks remain at an early stage of implementation.

That leaves organisations exposed in an area where attackers may move faster than defenders. Prompt injection and other AI-specific attack methods remain relatively new concerns for many corporate security teams, particularly those still focused on more established threats such as phishing, ransomware and supply-chain compromise.

Florian Pouchet, Partner and Head of Cybersecurity and Operational Resilience at Wavestone, said: “The threat environment is changing faster than most organisations can adapt. Geopolitical tensions and AI-powered attacks are intensifying precisely as regulatory pressure mounts. What the benchmark tells us is that the market knows this. The next step is to accelerate security measures.”

Located in Oxfordshire, the mobility and technology campus is proposing up to a further one million square feet of workspace to support further growth and investment in the region.

Plans also include around 200 new apartments, alongside an enhanced hotel offering with lodges and a clubhouse.

Daniel Geoghegan, chief executive officer at Bicester Motion, said: “As custodians of the estate, we’re proud of the world-leading mobility cluster we have created by investing in Bicester and Oxfordshire, creating skilled jobs, remarkable opportunities and unique experiences.

“We remain driven to deliver a dynamic and inclusive environment, with thoughtful design, community wellbeing and long-term sustainability all coming together to shape a vibrant place for generations to enjoy.

“We now look ahead to the next 10 years and welcome people’s feedback as we look to further invest in and enhance this unique place.”

Today, more than 500 people are based across the estate, with around 200 apprentices trained each year.

Recent arrivals at Bicester Motion include Audi’s Revolut F1 Team, Polestar, Motorsport UK, Skyports Infrastructure, and Zero.

A four-week public consultation is now underway to gather community feedback on the proposals.

A public exhibition will be held at Bicester Motion on Friday, June 12, from 2pm to 7pm.

Residents can also view the plans and submit comments online during the consultation period.

Bicester Motion has become a popular destination, attracting around 150,000 visitors a year to its events, including the well-known Scrambles.

Find out more and share your views here: https://consultation.bicestermotion.com.

Lucid Software has introduced integrations with LeanIX and Ardoq to help businesses prepare their systems and documentation for broader AI use.

The move focuses on enterprise architecture and process documentation, two areas companies often struggle to connect when moving AI projects from isolated trials into day-to-day operations. The integrations give enterprise architects a way to visualise current technology estates, plan changes, and keep records aligned as systems evolve.

The announcement comes as companies face growing pressure to show returns from AI spending. Lucid cited MIT research finding that 95% of generative AI pilot projects produce no measurable return on investment, and said many organisations still lack the shared operational context needed to deploy AI in real workflows.

A separate UK finding pointed to the same issue from a workforce perspective. Lucid said 39% of UK knowledge workers believe their employer’s AI strategy is only somewhat aligned with wider operations, highlighting a gap between AI experimentation and broader organisational coordination.

Architecture view

At the centre of the latest product changes is a closer link between Lucid and systems used to map enterprise architecture. By connecting LeanIX and Ardoq data into Lucid, architects can turn structured records into visual models and work on proposed changes in a shared environment.

This matters because AI systems often depend on a clear understanding of applications, dependencies, and processes across an organisation. Without that underlying map, businesses can struggle to determine where AI tools should connect, what data they should use, and how changes in one system may affect another.

Users outside architecture teams will also be able to embed LeanIX and Ardoq data into diagrams through Lucid’s Process Accelerator product. The aim is to reduce manual interpretation of technical information and give wider teams access to up-to-date architecture data when designing operational changes.

Process records

Lucid also outlined updates to its Process Agent and Process Accelerator products, which focus on the creation, storage, and governance of process documentation. One recurring obstacle to AI deployment, it said, is that business knowledge remains fragmented across tools or held informally by individuals, leaving automation systems without a reliable guide to how work is actually done.

Process Agent, introduced earlier this year, now includes a context frame that lets teams attach supporting documents such as architecture standards. It also includes a decision log designed to show how a process document was created. Users will also be able to create diagrams from screen captures through Process Capture, adding to existing text, audio, and file-based inputs.

For Process Accelerator, the updates focus on governance and control. Organisations will be able to centralise documentation in restricted repositories, manage sequential approvals, compare current and historical versions, and use approved components across multiple diagrams so changes remain consistent.

Those functions are designed to create a single reference point for both employees and AI systems. In practice, that means companies can maintain an auditable record of how processes are defined, updated, and approved, while reducing the risk that different teams work from conflicting versions.

Wider challenge

The broader challenge for software providers and their customers is that AI deployment has moved beyond experiments with chatbots and individual productivity tools. Companies increasingly need to connect AI to core processes, internal rules, and existing systems if they want to deliver operational impact.

Lucid is positioning its software around that need by focusing on visual collaboration tied to operational and technical records. It argues that better visibility into processes and systems can help organisations align teams before introducing AI into business-critical workflows.

Jamie Lyon, Chief Product & Strategy Officer at Lucid Software, said the gap between individual gains and institutional results remains a central problem in AI rollouts. “Most organizations are seeing AI lift individual productivity, but that gain is not compounding into institutional impact. The missing ingredient is a shared, trusted view of how the business actually operates,” Lyon said.

He added: “Lucid is where leaders see, align on, and build the operational foundation AI needs to scale, by making it easy for teams to capture, connect, and govern this documentation with trusted context and clear processes.”

Zendesk is among the companies Lucid cited as using its tools in this area. “[Lucid] AI speeds architecture decision-making and reduces technical debt by converting specs into consistent, versioned diagrams with smart suggestions and collaboration built in,” Tiwari said.