If there’s one common thread in every expert prediction for 2026, it’s this: the ground is shifting faster than most organizations realize. AI has moved from a “trend” sitting neatly on a roadmap to a technology embedded in every part of the threat landscape. It is reshaping attacker behavior, stretching defensive playbooks, and exposing gaps we’ve been slow to confront.
At the same time, people remain the constant: still the primary targets, and still the point of failure or resilience. Across all the expert perspectives, there’s a shared recognition that security is entering a paradoxical era: one where automation accelerates everything, but our ability to pause, validate, and think critically becomes more important than ever.
This 2026 predictions series explores those tensions and the real-world implications behind them.
In this first article, our experts converge on a few themes: AI is making attacks faster, more adaptive, and harder to detect; identity is becoming even more fragile; traditional prevention models are cracking; and resilience (not perfection) is emerging as the defining measure of security maturity.
The message is that the businesses that keep up in 2026 will be the ones that rebalance their defenses, invest in investigation and response, scrutinize their dependencies, and are honest about both the promise and the risks of AI. The rest will be playing catch-up on attacker timelines.
AI in the Spotlight
Chloé Messdaghi, Founder & Principal Advisor at Thornbridge Advisory, says AI will continue to influence both offensive and defensive activity, in ways that build directly on patterns seen this year.
“This year demonstrated clear potential for AI to support offensive workflows, including vulnerability discovery, automated reconnaissance, and more convincing phishing attempts. These capabilities are becoming more accessible, inexpensive, and require less technical skill, suggesting attackers may increasingly use them. This pattern will likely continue in 2026, with growing confidence that AI is shaping attacker behavior. On the defensive side, organizations are increasingly deploying AI agents to support policy enforcement, credential hygiene, configuration checks, and application risk identification, a continuation of adoption trends already visible across the industry.”
Messdaghi believes reduced attention to AI safety could limit organizations’ ability to manage risk effectively. “This year, both industry and policy conversations have shifted noticeably toward AI security, securing models, monitoring access, and preventing leakage, while reducing attention on AI safety practices such as evaluation, transparency, misuse prevention, and system-level safeguards. While strengthening AI security is essential, minimizing safety considerations may create gaps. Many emerging risks (including overreliance on AI systems, unpredictable model behavior, and inadvertent information exposure) sit at the intersection of both fields. As a result, organizations may find that security controls alone are insufficient to manage these challenges.”
Identity: The Dominant Vector for Compromise
Messdaghi also believes that identity remains the dominant vector for compromise, with AI increasing the sophistication of impersonation. “Identity-driven attacks continue to lead incident trends, and AI is making impersonation more convincing and more scalable. Deepfake-enabled social engineering is becoming increasingly accessible and may be used to target employees, executives, and high-risk roles to accelerate credential theft or influence sensitive actions. In 2026, we may see a broader adoption of behavior-based identity analytics, adaptive authentication, and tools designed to detect synthetic media as organizations respond to these trends. Friendly reminder: phishing-resistant MFA remains one of the strongest safeguards organizations can deploy.”
Organizations will become more discerning about where AI offers real value, she adds. “After two years of rapid AI feature releases, security teams are beginning to expect clearer evidence of measurable improvements, transparent model behavior, and genuine workflow enhancement. This shift toward outcome-driven evaluation may help the industry prioritize meaningful innovation over hype.”
Agentic AI: The Next Major Security Blind Spot
Ethan Smith, co-founder at Spur, says agentic AI traffic will create the next major security blind spot. “Significant issues will arise when agentic AI systems act on behalf of users. These agents will make purchases, create and manage accounts, and engage directly with various platforms, generating a new level of automated service-to-service traffic that few security teams can detect or validate. Existing methods of detecting cookie and session replay attacks will not hold up against federated automation. Organizations will need innovative ways to verify automated actions, as well as identify when AI activity routed through residential proxy networks is malicious.”
Residential Proxy Traffic
Spur’s co-founder Riley Kilmer believes residential proxy traffic will emerge as a major AI risk vector. “Many AI firms will use residential proxy networks to scrape data and run real-time, agent-based tools. These proxy systems are often composed of everyday devices, such as phones, TVs, and apps, that quietly use someone’s internet connection — something most consumers aren’t aware of. Proxy companies are already using AI-driven demand to position themselves as legitimate infrastructure. As AI adoption increases, residential proxy services will proliferate, drawing more mainstream scrutiny to their sourcing and to how easily they can be exploited for fraud and the large-scale facilitation of cybercrime.”
Human Risk Management
Gary Hibberd, Co-Founder of Consultants Like Us, believes security in 2026 will be shaped largely by two factors: AI and Human Risk Management, and can be summed up in one word: Paradoxes. “AI is well understood – AI is on everyone’s radar, either as an opportunity or threat, and the paradox here is that it is both. The more we use AI to improve our businesses, the greater the risk of bias and misuse. In short, we don’t truly understand this technology we’re increasingly trusting with our education, health, and economic systems, and the more sophisticated the technology becomes, the more reliant we become upon it, and the greater the responsibility is placed upon us to act ethically with the systems.”
Hibberd says, of course, cybercriminals will utilize the technology to become ever more effective and efficient in their activities – and all without the same constraints that governments and businesses have. “I fully predict that this is a Tsunami that will engulf anyone who is not paying attention, and although this sounds pessimistic, it is a wake-up call that too many people are not paying attention to. Technology is neither good nor bad – the paradox is that it is neither, but it is also both at the same time.”
The real paradox for him is that as we rely upon AI to ‘be more human’, and we fear it will replace us, we need to be more human and understand our susceptibility to coercion and manipulation. “The rise of misinformation and disinformation will continue, and only by focusing on Human Risk Management will we be in a position to combat the ‘rise of the machine’. The true paradox is that AI allows us to do things quickly and be more efficient, but we must learn to slow down and be more discerning in our engagement with technology. The saying ‘People are the weakest link’ is largely avoided in Cybersecurity, with people preferring to say ‘People can be your strongest defense’, but the paradox is that both are true, and it is only true if we focus as much on human risks as we do on technological risks.”
Rebalancing Security Budgets
Lee Sult, Chief Investigator at Binalyze, believes security budgets will finally rebalance as leaders accept that attacks are inevitable.
“For years, cybersecurity budgets have been heavily skewed towards prevention, with organizations spending on average twice as much on keeping threats out as they do on investigation and response. But recent attacks, like those on Jaguar Land Rover and M&S, have shown the real cost of delayed response and recovery – adding to an estimated $48.1bn in losses for US organizations alone.”
Sult says that next year, “we’ll see a major rebalancing in cyber budgeting. With 84% of enterprises saying successful cyberattacks are ‘inevitable’, they will shift to a 50/50 split in their security spend, opting for more investigation, response, and recovery capabilities. When visibility is lost, insight is incomplete and recovery stalls – bringing operations to a grinding halt. The financial and reputational impact of these failings can become more of a disaster than the actual attack.”
Response Time Will Define Cyber Resilience
Response time will become the defining measure of cyber resilience, Sult adds. “As cyber threats evolve and intensify, especially with the help of AI, organizations, regulators and stakeholders have accepted a hard truth: attacks aren’t just a possibility anymore, they are inevitable. Even organizations with the deepest pockets for cybersecurity find themselves breached. That’s because even the most rigorous controls can’t completely ensure you can keep attackers out. Prevention alone simply isn’t working.”
Sult says it’s time we reset the definition of security. Success isn’t “never getting breached” anymore; that ship sailed a long time ago. “The real question is: how fast can you detect it, stop the bleeding, and get back on your feet? And can you prove what happened with enough clarity to make regulators and insurers nod instead of dig? Every hour of delay costs $100,000 or more in operational costs – and that’s before legal actions, headlines, or board meetings.
“This is the new standard: resilience over prevention. That’s what your investors care about, what regulators are starting to measure and where security teams are placing their bets.”
Stop Waiting for Regulations to Drive Better Behavior
Organizations will also stop waiting for regulations to drive better behavior, continues Sult. “In 2026, CISOs will stop waiting for regulation and instead take the lead on security. Regulations move too slowly to keep pace with today’s threat landscape. This year alone, we’ve seen CIRCIA delayed and CISA expire, delaying best practice in sharing intelligence.
“By the time rules are updated to meet the status quo, attackers have already forged a new weapon. Recent breaches have shown that following rules and regulations can’t protect organizations from attacks. The ability to investigate incidents, understand what happened, and share intelligence is what truly strengthens defense.
“Many organizations will come to the conclusion that compliance is only a starting point and is not going to save them during a major incident. Recognizing that resilience against attacks depends on internal maturity rather than external rules, they will build their own operational capability for investigation and response.”
Passive Security
For Alastair Parr, Spur CTO, passive security will become a core requirement for reducing user friction. “Organizations are making efforts to reduce CAPTCHA usage, repeated logins, and other controls that aren’t user-friendly and slow down conversions. As security teams look to reduce user friction, they will rely more on passive signals (such as location integrity, network quality, and obfuscation checks) to determine who gets an easier path with less friction and which sessions require targeted verification.”
Parr adds that accurate geo-verification will rise to the forefront of compliance and risk management. “Companies in regulated industries will face greater pressure to verify the geographic location of users, not just where the IP address appears to indicate they’re located. As it becomes easier for users to hop resources and mask their location, teams will require precise real-time geographic signals to enforce gaming rules, Office of Foreign Assets Control (OFAC) restrictions, financial controls, content streaming restrictions, and state-based consumer protections. Geo-resilience will shift from a background check requirement to a priority on the frontline for security and compliance.”
Agentic Attacks Go Operational
Tom Findling, co-founder and CEO of Conifers, says agentic attacks will go operational. “Bad actors are using AI agents that can adapt to defenses and perform complex task sequences to enable an attack. These AI systems will move from experimental to fully operational by 2026. Agentic AI malware will explore environments, adapt to thresholds, and exploit vulnerabilities faster than any human-driven campaign, and will be able to run continuously to overload static defenses. As a result, security teams using static thresholds or manual investigation will find their tools obsolete. The next generation of defenses will need to include AI systems that can learn, reason, and respond in real time.”
Security AGI Takes Its First Real Steps
Findling says another development will begin in 2026. “Security artificial general intelligence (AGI) describes systems that understand the entire environment of an organization, including assets, controls, behavioral patterns, and previous incidents. These systems will integrate institutional knowledge with global threat intelligence systems to take action with minimum human involvement. Like the early days of autonomous driving, they will still require human supervision, but their ability to manage nearly all security scenarios will alter the economics of defense. Security teams will no longer spend their time on investigations, but rather on verifying and improving complex, AI-driven outcomes.”
The SOC Workforce Turns into AI Enablers
The security operations center (SOC) will enter a new phase in 2026, Findling adds. “AI systems will handle the multiple stages of detection and response, while human analysts will focus on model training, oversight, and performance measurement. Roles centered on manual triage or routine investigation will fade. A smaller group of highly skilled professionals will emerge who understand how to guide and evaluate AI behavior. These new analysts will earn more, think more strategically, and spend their time on quality assurance and escalation management. The SOC will operate as a control hub where people and AI systems work in tandem.”
Industry-Specific Security AI Agents Take Hold
Specialized security agents designed for particular sectors will gain momentum in 2026, he continues. “Oil and gas operators, airport authorities, and financial institutions are already seeking AI tuned to their unique needs. These agents will interpret data through the context of industry protocols, regulatory frameworks, and risk priorities.
“They’ll enhance detection and response precision, reducing false positives that stem from generic models. Demand is especially strong in fraud detection and operational technology environments, where the mix of legacy systems and critical uptime creates distinctive risks. This wave of specialization will mark the next stage in cybersecurity AI, where effectiveness depends on the depth of domain knowledge rather than broad capability alone.”
Expanding Digital Ecosystems
Brian Sibley, Virtual CTO at Espria, warns that organizations are entering a cybersecurity environment defined by AI-driven attacks, opaque supply chains, expanding digital ecosystems and rising insurance scrutiny. “Yet many businesses still rely on fragmented tools, manual processes or outdated perimeter defenses that cannot withstand the speed and sophistication of emerging threats.
“Threat actors are innovating faster than ever. AI has changed the economics of attack; the supply chain has become a target in its own right, and insurers are placing unprecedented pressure on businesses to demonstrate resilience. In this environment, security can no longer be something organizations revisit once a year, it must be embedded, automated and constantly learning.”
Sibley concludes that 2026 will be a tipping point for cybersecurity maturity, separating organizations that modernize from those that remain dangerously reactive. “Those who succeed in 2026 are the ones prepared to rethink their operating model, not just their technology stack. Zero Trust, MDR and continuous monitoring are no longer advanced capabilities; they are the baseline for keeping pace with today’s threat landscape.
“Security and business performance are now inseparable. Clients, partners and insurers expect clear evidence of resilience. Those that view cybersecurity as a strategic enabler rather than a cost center will be best positioned to grow, innovate and maintain trust in 2026 and beyond.”
Drawing on Espria’s analysis of threat intelligence, market behavior and technology adoption across the UK, Sibley has identified five trends that will dominate 2026:
AI-powered attacks will outpace human response: Cybercriminals are increasingly deploying AI to conduct reconnaissance, craft convincing phishing campaigns and develop adaptive malware capable of rewriting itself to bypass detection. These ultra-fast, self-evolving attacks are expected to surpass the pace at which human responders can operate.
AI-driven social engineering will escalate: Advances in generative AI are enabling attackers to create highly personalized impersonation attempts, synthetic voice calls, and hyper-realistic email scams. These techniques exploit human trust and are set to become one of the most prevalent causes of breaches in 2026.
Supply chain may be the weakest link: As businesses adopt more cloud services and rely on a broader network of suppliers, smaller vendors are becoming the preferred entry point for attackers. Many organizations still lack visibility into the cyber risks posed by interconnected systems.
Zero-trust will become the baseline for every business: With hybrid workforces and distributed infrastructure now standard, perimeter-based security models are no longer viable. Continuous verification of every user and device is expected to become the industry norm.
Cyber Insurance will drive security maturity: Cyber insurers are significantly tightening underwriting standards, increasingly requiring demonstrable evidence of active monitoring, incident response capability, and continuous oversight.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.


