Chris Ortbals is Chief Product Officer (CPO) at IT expense management firm Tangoe, leading technology strategy, R&D and engineering.
Bring-your-own-device (BYOD) policies have a rational origin story. They emerged as a practical response to rising mobility demand, rapid device innovation and a workforce that wanted flexibility. For smaller or less regulated organizations, they worked well enough.
But enterprise mobility has fundamentally changed since then. Mobile devices no longer sit at the edge of the business. They connect directly to identity systems, regulated workflows, customer data and core applications. In that environment, the governance model, which typically resembles a “convenience-first” approach, matters more than the device.
Most BYOD programs were designed for a different environment, where mobile devices were optional, and convenience was a priority. That’s why many enterprises are rethinking BYOD as a default strategy and shifting toward corporate-liable or hybrid models that better reflect where the risk sits today.
Mobile devices became an attack surface before governance caught up.
Security leaders have long understood a simple principle: You can’t protect what you can’t see. When it comes to mobile devices, visibility has never been consistent.
IBM’s Cost of a Data Breach Report 2025 shows phishing remains the most common initial attack vector in confirmed breaches, accounting for 16% of incidents. The same report notes that phishing-driven breaches are also among the most expensive, averaging roughly $4.8 million per incident.
At the same time, Verizon’s 2025 Mobile Security Index highlights a troubling gap. The majority of organizations surveyed (80%) report experiencing mobile phishing attacks, yet only a fraction (4%) have implemented comprehensive mobile security best practices. Confidence in recovery is high, but real-world consequences like downtime, data exposure and operational disruption continue to rise.
So what? Gaps in governance tend to compound on mobile endpoints. Variability in devices, operating systems, app permissions and enrollment status causes exceptions, and those exceptions create the blind spots where attackers do the most damage.
AI changed the risk profile, especially on mobile.
AI has changed both cloud economics and software development. For attackers and their victims, it’s rewriting social engineering.
Roughly one in six breaches now involves attackers using AI, and in those incidents, it’s most often used to generate phishing content or impersonation attempts, including deepfakes and highly tailored lures, according to the IBM Cost of a Data Breach Report 2025. These attacks succeed more by influencing human behavior than by exploiting software flaws.
Mobile amplifies that risk. Returning to Verizon’s 2025 Mobile Security Index, nearly all respondents (93%) say that employees are already interacting with generative AI apps on their devices. Meanwhile, most organizations lack visibility into which AI apps are installed on employee-owned devices, what data they access or how they’re used.
This isn’t to say that AI apps are inherently unsafe. With AI adoption outpacing governance—especially in BYOD environments—enterprises often can’t consistently enforce permissions, updates or acceptable use policies across personal devices. Mobile devices are part of IT infrastructure, and as AI becomes embedded in everyday workflows, programs designed around flexibility cave under the weight of what they’re asked to govern.
BYOD often costs more than expected.
BYOD is frequently justified as a cost-saving measure, but in practice, enterprises end up paying for mobility twice. Direct costs include stipends, reimbursements and licensing complexity. Indirect costs include higher support volume, longer resolution times, inconsistent security enforcement and riskier off-boarding. Although BYOD can reduce upfront hardware spend, it often introduces hidden administrative and security costs that erode those savings over time.
Then, there’s breach impact. IBM reports the average cost of a data breach in the U.S. now exceeds $10 million. Even a single incident can negate years of incremental mobility savings.
As organizations grow, predictability starts to matter more than theoretical efficiency. That shift is driving renewed interest in corporate-liable and hybrid device models that restore consistency across the device life cycle.
Why are corporate-liable models regaining momentum?
The return to corporate-liable mobile devices is about security: It reflects a more honest accounting of where enterprise risk lives.
Device pricing has stabilized relative to prior years, and carrier economics increasingly allow enterprises to negotiate devices and service plans separately. That improves forecasting and life cycle planning. More importantly, enterprise ownership enables standardized enrollment, patching, monitoring and decommissioning. Those controls are difficult to guarantee when the device itself is outside the organization’s authority.
This doesn’t mean every organization should abandon BYOD entirely. Hybrid approaches such as corporate-owned, personally enabled (COPE) or tightly governed BYOD programs still make sense in specific contexts. The key shift is that BYOD is no longer assumed to be the safest or most scalable default.
Where BYOD still works, and where it breaks down.
BYOD can work when:
• Organizations are smaller or early-stage
• Mobile access is narrowly scoped
• Compliance and audit requirements are limited
• IT teams can manually manage exceptions
BYOD risk climbs when:
• Organizations operate across regions or regulatory schemes
• Mobile access extends to sensitive systems and data
• AI-enabled tools are widely used on personal devices
• Visibility and enforcement can’t be applied consistently
This is why many enterprises are reassessing their mobility strategies as part of broader security and risk reviews.
Conclusion
At two prior companies, I experienced going both to and from BYOD and corporate-liable models. In both cases, the reasons for the change—weak governance and hidden costs—are more relevant today than five-plus years ago.
It’s also a stubbornly long-held IT mindset that mobile device security comes secondary to desktops and laptops. In 2026, I’m seeing many more enterprises finally push back against this attitude, given the undeniable cost and risk factors.
And although hybrid models will linger, IT leaders should require a heaping dose of endpoint management and mobile threat defense to fortify those devices, while also limiting corporate app and data access to far fewer employee-owned devices.
The future of enterprise mobility isn’t a BYOD free-for-all. The days of loose mobile access to corporate applications and data are over.