NowSecure warns of AI oversight gap in mobile apps

Thu, 2nd Jul 2026
Joseph Gabriel Lagonsin, News Editor

NowSecure has published research showing that 95% of organisations use AI in mobile applications, while 37% have not implemented AI behavioural monitoring as a security control.

The findings are based on a study of 485 senior mobile application security leaders in North America across finance, healthcare, high tech and retail. All work at organisations with 1,000 or more employees.

The data points to a gap between the pace of AI adoption in mobile software and the controls used to oversee it. While 74% of respondents said they have a formal AI governance policy, many also reported limited visibility into what AI systems are doing once an application is released.

Generative AI was the most common use case cited, with 81% of organisations reporting its use in mobile apps. AI agents followed at 71%.

Third-party software was another focus of the research. The survey found that 68% of organisations said more than half of their mobile application code consists of third-party software development kits and libraries.

That reliance appears to carry greater risk: organisations whose applications contained more than 50% third-party code reported security incidents at more than twice the rate of those whose apps contained less than 50%.

Despite that, only 49% said they always assess software development kits for security or AI-related risks before release. Mobile security leaders also increasingly see software development kits and partner integrations as among the hardest parts of the attack surface to manage.

Alan Snyder, Chief Executive Officer of NowSecure, said many security teams have not adapted to the way mobile applications are now built.

"Most mobile security programs have stagnated. The apps they are designed to protect have changed out from underneath them," Snyder said.

He added that many organisations may be tracking the wrong indicators when assessing mobile software risk.

"The question is whether organizations are measuring the right things and have the ability to keep up with the changes," Snyder said.

AI oversight

The survey suggests written policies are more common than technical monitoring. Although nearly three-quarters of respondents reported a formal governance framework for AI, more than a third said they have not introduced behavioural monitoring to track AI activity inside applications.

That distinction matters because AI can enter mobile software in several ways, including directly coded features, embedded models and third-party components. In these environments, security teams may know a policy exists while lacking a clear picture of how AI behaves in a live product.

"Most organizations can tell you what their AI policy says. Far fewer can tell you what their AI is actually doing inside a shipped application, and even fewer can tell you if a third-party component is using AI," Snyder said.

Confidence gap

NowSecure also tested how large language models predicted the answers of security leaders before the survey was conducted. Claude Sonnet, ChatGPT and Gemini were each asked to forecast how enterprise security leaders would respond to the questionnaire.

On questions tied to external business risk, the three models were described as broadly well calibrated. But on questions covering internal programme maturity, monitoring coverage and incident readiness, the models predicted much lower confidence than the human respondents actually reported, with gaps of as much as 60 percentage points on individual items.

Those predictions were based on the same kinds of external signals organisations often use to benchmark readiness, including published research, breach reports and industry frameworks. NowSecure argued that the closer fit between those predictions and actual incident outcomes may indicate that many organisations overestimate their own preparedness.

Sector patterns

The survey covered four large sectors where mobile apps often handle sensitive data and customer transactions. It found that security programmes have matured across finance, healthcare, high tech and retail, with board visibility increasing and most leaders rating their own efforts as effective.

At the same time, the research argues that mobile applications have changed faster than the programmes meant to secure them. A typical enterprise mobile app now includes AI functions and a large share of external code, while many assessment tools were designed for simpler, older app architectures.

The survey was conducted by research agency TrendCandy using a double-blind online method. The reported margin of error was plus or minus 4% at a 95% confidence level.