Security leaders are already dealing with a growing crisis that most boards haven’t recognized yet.
We surveyed 200 U.S. cybersecurity leaders to understand how organizations are handling sensitive, high-risk digital work in an era when business moves faster than infrastructure can support.
What we found was striking: 100% of organizations surveyed granted security or compliance exceptions in the past year to keep high-risk digital work moving.
Not most. Every single one.
These policy “exceptions,” once reserved for emergencies, have incrementally become standard procedure. Companies don’t always slow down when secure solutions don’t exist. They’re finding workarounds, trading some safety for speed. Now that tradeoff has become systemic, and it’s costing more than most leaders realize.
Exceptions are the New Norm
100% of companies in our survey bent or broke their own security rules in the past year to get work done. What used to be rare is now routine.
Speed Kills
Short-term workarounds help projects move fast, but the majority of leaders surveyed had little confidence in the protection of their teams’ high-risk work.
A Hidden Disconnect
Senior execs are 4x more likely than their security teams to believe proper protections are already in place, a blind spot that keeps the problem under the radar.
High-Risk Work That Won’t Wait
From AI evaluations to M&A deals, high-risk digital projects touch every corner of today’s organizations. Over half of companies surveyed are deploying advanced AI or automation on sensitive data, and a similar number are tackling other high-stakes initiatives like innovation programs, infrastructure upgrades, and cyber-threat investigations.
These valuable endeavors can’t afford to wait–and many move at full tilt, whether security is ready or not. When secure infrastructure can’t keep up, businesses face a painful dilemma: slow down and risk falling behind or find another way.
Patchwork Infrastructure
The research shows teams often operate in a patchwork of environments outside the traditional IT umbrella. They spread sensitive work across team-run cloud accounts, personal devices, standard corporate machines, and even third-party platforms. In other words: they work wherever they can get the job done. It’s no surprise that nearly half of organizations admit their most sensitive projects are happening in places that aren’t fit for purpose.
When Safety Isn’t Available, Tradeoffs are Forced
This is where the Exception Economy takes shape. When a team needs to conduct sensitive work, but no approved environment exists, teams resort to difficult workarounds and painful alternatives:
- 46.5% proceed on corporate systems despite reservations
- 44% delay the work until a suitable environment can be created
- 44% cancel or significantly reduce the scope
- 43.5% use unofficial or ad-hoc environments (personal devices, shadow cloud accounts)
- 43% transfer the work to a third party
The percentages cluster close together because there’s no standard playbook. Organizations have no clear default. Some teams push forward on corporate systems. Some wait for infrastructure. Sometimes the work is abandoned, or a large investment is made in building an ad-hoc solution or outsourcing to an external service provider.
Each choice carries a cost: corporate systems increase exposure, delays stall business, cancellations abandon work, ad-hoc removes oversight, third-party handoffs create dependencies and new risks.
The Leadership Blind Spot
The visibility problem runs deep. When researchers asked VPs of Cybersecurity whether secure environments were ready before work began, only 5.3% said yes.
Their C-suite counterparts told a different story:
- CISOs: 20.7%
- CIOs: 20%
- CTOs: 27%
The people performing the day-to-day work and the people funding infrastructure aren’t seeing the same operational reality. These two groups are also measured by risk and action differently. That disconnect keeps the friction invisible to the people who could fix it.
Exceptions are the New Default
When 100% of organizations grant exceptions, the language starts to break down. Exceptions aren’t so exceptional.
The Exception Economy reflects a system under pressure. Organizations are trying to execute work at a pace and scale their infrastructure was never built to support.
What The Data Reveals
The full report breaks down:
- Impact by industry and role
- Specific business activities being delayed or canceled
- Comparison of formal and informal approvals
- Confidence gaps that matter most
- What organizations moving fast on sensitive work are doing differently
We’re all living in the Exception Economy: the tradeoff is real, but losing on it is not inevitable. To stay out of that position, companies need to understand the implications of their choices, where the pressure is building fastest, and how to support business speed without creating more exceptions.
