Mobile apps have already made the jump to AI. Security programs haven’t. NowSecure’s 2026 Mobile App Risk Management (MARM) Survey of 485 senior security leaders across finance, healthcare, high tech and retail found that every single respondent now rates mobile apps as very important or critical to the business, and 95% deploy AI inside them today.
What hasn’t kept pace is outcomes: 65% of organizations that rate their own security program as advanced still report experiencing a security incident. Self-reported program strength isn’t translating into fewer incidents, and that mismatch plays out differently in every industry, as the data below shows.
What does the mobile app risk landscape look like by industry?
The MARM survey breaks results out across finance, healthcare, high tech and retail, and no single industry tells a clean story:
- Finance: 81% of finance security leaders rate their mobile security program as advanced, yet 44% report experiencing a major security incident.
- Healthcare: 57% report full incident readiness, while 38% report experiencing a major mobile app security incident.
- High tech: Just 43% perform security testing on every app release, while 32% report experiencing a mobile app security incident.
- Retail: 44% test apps for security no more than once per quarter, but only 8% report a major incident, the lowest of any sector.
Read across all four, and self-reported program strength and testing cadence don’t show a consistent relationship with reported incident rates.
The industry results resist a simple maturity narrative. Finance reports both the highest program maturity (81%) and the highest major-incident rate (44%). High tech tests every app release less often than any other sector (43%) yet reports a lower major-incident rate (32%) than finance or healthcare. Retail combines one of the lightest testing cadences with the lowest major-incident rate (8%). The findings suggest that reported program maturity and testing practices alone do not consistently explain differences in major security incidents.
Confidence and maturity ratings do not consistently correspond with lower reported incident rates.
What else shapes mobile app risk?
Two more numbers from the survey point at why. 68% of organizations say more than half their mobile codebase consists of third-party SDKs and libraries, and 96% of organizations that test only some of their apps report experiencing an incident.
Together, the findings show how quickly visibility can weaken as third-party code and AI capabilities spread across mobile portfolios. Organizations that test only part of their portfolio may leave significant changes and dependencies unassessed.
What should security leaders do next?
The full MARM report goes well beyond this overview, covering program ownership, AI-specific governance controls, and how AI models’ own predictions about this survey compared to what security leaders actually reported. The pattern holds up section after section: confidence in a program doesn’t automatically translate into fewer incidents, and closing that gap takes more than a policy on paper.
A mature security program doesn’t guarantee fewer incidents. Program strength and reported incident rates do not follow a consistent pattern across the sectors surveyed.
FAQ: 2026 Mobile App Risk Management Survey
How many organizations were surveyed for the 2026 MARM report?
NowSecure commissioned independent research firm TrendCandy to survey 485 senior mobile application security leaders across finance, healthcare, high tech and retail organizations in North America.
What percentage of organizations use AI in their mobile apps?
95% of respondents say they deploy AI within their mobile apps today.
Does having an advanced security program prevent mobile app security incidents?
Not reliably. 65% of organizations with a self-reported advanced security program still experienced an incident, and the relationship between program maturity and incident rate varies by industry, most pronounced in finance.
Which industry reported the highest mobile app incident rate?
It depends on the measure. High tech reports the highest overall incident rate at 70%, despite only 43% saying they test every app release. On major incidents specifically, finance is highest at 44%, despite 81% of finance security leaders rating their own program as advanced, the highest self-reported maturity of any sector.
TL;DR
NowSecure’s 2026 Mobile App Risk Management (MARM) Survey of 485 senior security leaders found that every organization surveyed rates mobile apps as very important or critical to the business, and 95% report deploying AI within them. Yet a strong self-reported security program doesn’t reliably predict fewer incidents, and that mismatch plays out differently by industry. The full report digs into why, and what closing that gap actually takes.
Download the Report
See the full findings and strategic recommendations behind these numbers, including industry-specific benchmarks and the AI prediction analysis, in the 2026 Mobile App Risk Management Survey.