CHICAGO, June 29, 2026 (GLOBE NEWSWIRE) -- NowSecure today released the 2026 Mobile App Risk Management Survey, an independent study of 485 senior mobile application security leaders across finance, healthcare, high tech and retail in North America, finding that AI adoption and third-party software have reshaped how mobile applications are built faster than many security programs have adapted to assess them.
Conducted by research agency TrendCandy, the research finds that security programs have matured significantly across all four sectors but the apps they are designed to protect have evolved even faster. Board visibility has grown, and most leaders rate their programs as effective. The research also reveals a more specific gap: as AI capabilities and third-party code now compose the majority of the typical enterprise mobile application, the tools and methods organizations use to assess readiness were largely built for simple, legacy mobile apps.
"Most mobile security programs have stagnated. The apps they are designed to protect have changed out from underneath them,” said NowSecure CEO Alan Snyder. “The question is whether organizations are measuring the right things and have the ability to keep up with the changes."
AI IS EMBEDDED FASTER THAN GOVERNANCE CAN FOLLOW
95% of organizations report AI capabilities in their mobile applications. Generative AI is the most widespread use case at 81%, followed by AI agents at 71%. 74% report having a formal AI governance policy. Yet 37% have not implemented AI behavioral monitoring as a security control.
"Most organizations can tell you what their AI policy says. Far fewer can tell you what their AI is actually doing inside a shipped application and even fewer can tell you if a third-party component is using AI,” said Snyder.
THIRD-PARTY CODE HAS BECOME THE MOBILE STACK
68% of surveyed organizations report that more than half of their mobile application code consists of third-party software development kits (SDKs) and libraries. As a result, many enterprises are deploying apps built mostly with third-party code that may not have been fully assessed before deployment.
Organizations whose apps contain more than 50% third-party code experienced security incidents at more than double the rate of organizations whose apps contain less than 50% third-party code. Yet only 49% always assess SDKs for security or AI-related risks before release. Mobile security leaders increasingly identify SDKs and partner integrations as among the most difficult parts of the attack surface to manage. (Note: NowSecure’s experience is that SDKs are very rarely vetted after initial inclusion into the application and the survey response of 49% is highly optimistic.)
WHERE AI MODELS AND SECURITY LEADERS DIVERGED
Before fielding the survey, NowSecure submitted each question to Claude Sonnet, ChatGPT and Gemini, asking the models to predict how enterprise security leaders would respond. On questions about external business risk, all three were well-calibrated.
On questions about internal program maturity, monitoring coverage and incident readiness, all three predicted significantly lower confidence than respondents reported by as much as 60 percentage points on individual items.
The models drew on the same external signals — published research, breach reports, industry frameworks — that organizations use to benchmark readiness. Because those predictions tracked more closely with actual incident outcomes than respondents' own program assessments suggests that how organizations measure their mobile security readiness may not fully reflect the risk environment and actual losses that they are experiencing today.
The full 2026 Mobile App Risk Management Survey report, including industry-specific findings and recommendations, is available here. Register for our upcoming webinar to explore the survey findings and receive access to the on-demand replay.
ABOUT THE RESEARCH
NowSecure commissioned independent research agency TrendCandy to survey 485 senior mobile application security leaders across finance, healthcare, high tech and retail in North America. All respondents hold IT responsibilities with direct involvement in mobile application risk management at organizations with 1,000 or more employees. Research was conducted April–May 2026. The margin of error is ±4% at the 95% confidence level.
Respondents were sourced in this double-blind, online survey using panels that comply with ESOMAR, MRS, CASRO, MRA, ARF, MRIA, AMA and AMSRO standards. All respondents were compensated for their participation, and data quality was verified using both manual and automated processes.
ABOUT NOWSECURE
NowSecure helps enterprises secure and govern AI risk inside mobile apps. As AI enters apps through generated code, agentic workflows, embedded SDKs, third-party models and opaque dependencies, security and risk teams need proof of what shipped apps actually contain and what data they move. NowSecure analyzes mobile app binaries and runtime behavior on real devices to surface hidden AI, map data flows, validate third-party components and produce evidence for remediation, compliance and governance. The result is mobile AI visibility that generic device, cloud, application security and AI governance tools cannot fully provide.
Media Contact:
Michelle Schafer
schafer@merrittgrp.com
703-403-6377
