Marsh Identifies Cyber Literacy and AI Disruption as Top People Risks

Marsh released its 2026 People Risks report on April 29, 2026, drawing on survey responses from more than 4,500 HR and Risk professionals across 26 markets, per Marsh's media release and Mercer coverage. The report ranks inadequate cyber threat literacy as the top global people risk and identifies mindset barriers to AI adoption and technology skills shortages (including cyber and AI skills) among the leading workforce-related threats, according to the Marsh/Mercer announcement. The research also highlights labor shortages and inadequate leadership as prominent people risks. Marsh-cited survey results indicate that 40% of respondents reported increased workforce productivity after managing people risks, and 36% reported faster progress on strategic initiatives such as AI adoption.

Editorial analysis - technical context: The report frames cyber resilience as a socio-technical problem: human factors such as phishing susceptibility and social engineering remain central drivers of cyber incidents. Marsh's materials and coverage note that improving cyber threat literacy is positioned as complementary to technical controls, not a replacement. The sources do not publish a detailed methodology for the literacy metric in the press release; the numeric findings derive from the aggregated survey of HR and Risk professionals described by Marsh and Mercer.

Marsh's findings align with recent insurer and consulting surveys that elevate cyber and AI among top operational priorities for risk leaders. Reporting by ReinsuranceNews and EY survey summaries shows insurers and CROs are also prioritizing cyber, integrating third-party cyber oversight, and exploring generative AI for risk management. For practitioners, this convergence highlights two linked pressures: organizations are accelerating AI and digital initiatives while acknowledging workforce gaps in both cyber awareness and AI-capable skill sets.

Editorial analysis: Organizations pursuing rapid AI deployment without parallel investment in user training and process redesign often encounter friction that reduces expected productivity gains. Multiple sources in this coverage cite concerns that treating AI as a plug-in to existing workflows can create inefficiency; Ravin Jesuthasan is quoted warning that such approaches create "real risk and inefficiency." This pattern is consistent with prior industry reporting that pairs technology adoption with increased demand for change management and reskilling.

For practitioners: track three indicators that would show how organizations respond to the report's findings. First, whether companies translate survey concern into measurable training programs and phishing-resilience metrics. Second, whether AI projects include formal work redesign and human-in-the-loop controls rather than purely tool-centered rollouts. Third, whether boards and risk functions integrate people-risk metrics (cyber literacy, AI readiness, leadership alignment) into enterprise risk frameworks, mirroring recommendations found in EY and Marsh coverage.

Hervé Balzano, Mercer's President of Health and Benefits and Mercer Marsh Benefits' Global Leader, is quoted in Marsh's release: "People risks cannot be secondary concerns, as they impact the health and well-being of the workforce and the business." Ravin Jesuthasan, global leader for transformation services at Mercer, is quoted in Insurance Journal saying, "AI will only deliver value when organizations rethink how work is done and how people are supported," and that treating AI as a simple add-on "creates real risk and inefficiency."

Editorial analysis: The press materials summarize survey aggregates but do not publish full methodology details or the underlying survey instrument in the public release covered by these sources. The reporting does not provide granular regional splits for the cyber-literacy ranking in the material reviewed here.

For practitioners: the Marsh report underscores that technical defenses and model deployments alone are insufficient. Organizations and teams implementing AI or security controls should expect increased stakeholder attention on measurable user literacy, training outcomes, and the integration of human-centered design into AI deployments. These are generic industry observations based on the report and parallel surveys, not claims about any individual organization's internal plans.