2026 U.S. Risk Survey

Economic volatility and AI-driven technological upheaval are deepening dispute exposure for U.S. companies.

Between major market swings, whipsawing trade policy, and record class-action settlements, it’s no surprise that more than 6 in 10 respondents (63%) expect corporate disputes—commercial litigation and arbitration outside of government regulatory actions—to increase in the next 12 months.

That forecast follows an eventful year with plenty of fuel for business disagreements, from securities and shareholder litigation to contract disputes to patent and intellectual property cases.

Other risk areas include continued momentum in class-action filings from the plaintiff’s bar as federal regulatory enforcement eases and some states enact stricter laws governing data privacy, AI, and labor and employment matters. Additionally, 2025’s surge of M&A deals could also spur private antirust fights and post-close disputes.

Critically, escalating cybersecurity and data breach risk is creating significant corporate vulnerability to disputes—as is the accelerating adoption of AI and cryptocurrencies.

Federal policy on AI has shifted significantly since the change in administration, with emphasis pivoting to “innovation-first” approaches and reducing regulatory oversight.

Other jurisdictions, including the EU, are advancing more prescriptive AI requirements, while some U.S. states are also enforcing increasingly stringent guidelines.

The result: a fragmented regulatory landscape that 80% of respondents say puts their compliance efforts at risk.

Concerningly, even as AI penetrates further into U.S. businesses, almost half of respondents still lack key elements of AI governance—deepening their exposure in a fractured regulatory environment.  

Yet 45% don’t have the following in place:

• AI governing body/committee
• Board engagement
• External AI consultants
• Head of AI/AI leader

Adding to the compliance complexity: after the administration’s December 2025 executive order seeking to establish a “minimally burdensome national standard” for AI regulation, the White House in March 2026 released a national artificial intelligence legislative framework. It directed Congress to regulate AI on a sector-specific basis via existing rulemaking bodies—instead of creating a new federal entity to do so—and directing it to preempt state AI laws “that impose undue burdens.”

2025 marked a significant reorientation in U.S. financial crime enforcement. The Department of Justice and other agencies are placing more emphasis on investigating fraud involving public funds as well as on tariff evasion and customs issues, while scaling back efforts in some traditional white-collar crime areas like foreign bribery. However, the Trump administration is also cracking down on money laundering tied to drug trafficking and terror financing—including the use of cryptocurrency networks, an area it had previously backed away from.

The shifts are creating compliance and operational challenges for U.S. companies in 2026: fewer than half (48%) of respondents feel “very prepared” to address financial crime and fraud in the year ahead, despite the potentially significant consequences.

Meanwhile, fraud is on the rise. According to a recent report, U.S. business leaders say their companies lost nearly 10% of their revenue to fraudulent activity in the past year—a 46% increase from 2024. While U.S. fines for money-laundering and sanctions breaches fell an estimated 61% last year, other countries are stepping up enforcement in those areas—a concern for U.S. multinationals.  

And though our research shows technology is the leading tool of choice for combatting financial crime, the share of respondents who rate their risk technologies as “very effective” fell substantially in 2026—underscoring the arms race to stay ahead of criminals armed with AI and other increasingly sophisticated tools. 

The past year saw major ransomware attacks by state-sponsored actors, supply-chain incursions exploiting third-party software, and a surge in AI-powered phishing scams.

It’s no wonder such incidents are top of mind for U.S. risk leaders. Nearly two thirds (65%) of respondents cite cybersecurity incidents and 58% cite data privacy events among the most concerning risk events for their organization over the next 12 months. 

The cost and reputational stakes of such attacks are only rising in an increasingly digitized and volatile world: in the U.S., the average cost of a data breach jumped to more than $10 million Iast year, a record global high. Geopolitics have also become a central cybersecurity focus, one likely to intensify as adverse regimes around the globe continue to target U.S. and allied interests.  

Given the complex regulatory landscape, which includes a growing body of state-level requirements, fewer than half of respondents (48%) say they are “very prepared” to address cyber threats in 2026, with 52% saying the same of data privacy.  

AI-powered cyberattacks are a critical risk frontier. Our respondents cited it as a top cybersecurity concern, with that share doubling from 2025 to 34% from 17% last year—yet nearly 75% have not yet completed system upgrades to address such threats.

Data privacy has emerged as a defining risk and compliance challenge—and the pressure on U.S. companies is intensifying on multiple fronts. Data breaches in the U.S. reached record levels in 2025, hitting an all-time high of 3,332 data compromise incidents. While federal data privacy approaches have shifted toward more voluntary compliance, many states have moved forward with their own laws, creating a regulatory patchwork of varying requirements.

Given this backdrop, it’s concerning that the measures respondents say are most important to address data privacy challenges for companies in their industry are also the ones that the fewest individual organizations have embraced. 

Nearly three quarters (73%) of leaders say enhancing data encryption is one of the most important measures on an industry level—but only half are already doing this or planning to at their own companies in 2026. That’s a 23-percentage-point shortfall between belief and action. We found similar gaps for the second- and third-ranked measures: deploying privacy-enhancing technology and working with the government or regulators, with the latter helping companies keep abreast of pending enforcement actions and ensure companies are proactively following the rules. 

Sanctions enforcement remains a priority for the federal government in 2026. In recent months, the U.S. Department of the Treasury’s Office of Foreign Asset Control sanctioned entities and individuals linked to activities ranging from stealing U.S. trade secrets to funding terrorism to narcotics trafficking. 

Yet the majority of organizations we surveyed aren’t fully prepared to respond to potential changes in sanctions in 2026. Only about a third (35%) say their organization are “very prepared”—down from 44% who said the same in 2025. That’s concerning, given that sanctions, a flashpoint for geopolitical financial crime risk, impact virtually every sector.

Corporate preparedness is eroding for other risks related to international and trade tensions. Sixty-five percent of organizations are not “very prepared” to address geopolitical and trade impacts on operations, up from 61% in 2025. More than two thirds (68%) are not very prepared to address supply chain disruptions, versus 59% last year.

More and more U.S. companies are accepting cryptocurrency as Congress weighs legislation to clarify regulatory frameworks and create a comprehensive market structure and the Securities and Exchange Commission and Commodity Futures Trading Commission issue new guidance clarifying how crypto is treated under federal law. 

The majority of respondents (59%) are either already using crypto for payments or settlement architecture (26%) or testing uses (33%); another 27% are considering use, but don’t have a defined timeline for implementation. 

However, the uneven application of crypto-specific controls could deepen exposure to risk in an area that has historically attracted a significant amount of fraud and financial crime. While nearly 7 in 10 of those who are currently using or testing crypto use cases have real-time or near-real-time monitoring for high-risk activity (69%) and enhanced due diligence for crypto-related clients or partners in place (67%), the share who have more involved risk controls is considerably lower. Only 45% have escalation and off-ramp procedures in place, while just 44% have third-party risk assessments for BaaS/fintech partners.