5 Cybersecurity Predictions for 2026

2026 is already on the horizon, and if you haven’t already been thinking about how cybersecurity will shift next year, now is the time to start.
Earlier this year, I had the opportunity to hear security leaders reflect on 2025’s cyber trends. Now, five experts share their predictions for 2026 below.
1. Shadow AI Will Emerge as a Top Threat
Dr. Darren Williams, Founder and CEO of BlackFog:
The explosive growth in AI usage represents the single greatest operational threat to organizations, putting intellectual property (IP) and customer data at serious risk. While AI adoption is growing rapidly, enterprises are increasingly exposed to risks related to data security, third‑party AI tools, shadow AI usage, and governance issues. When sensitive IP or Personally Identifiable Information (PII) is entered into unsanctioned AI systems, the data may be used for model training, stored externally, or exposed in unexpected ways, leading to compliance, IP, and reputational risk.
Organizations must monitor not only sanctioned AI tools but also the growing ecosystem of “micro‑AI” extensions and plugins that can quietly extract or transmit data. A global KPMG and University of Melbourne survey of 48,340 individuals across 47 countries found that 48% of employees admitted uploading company data into public AI tools, and only 47% received formal AI training, underscoring the real and growing risk of unsanctioned AI use.
2. Compliance and Security Will Converge
Chris Radkowski, GRC Expert at Pathlock:
In 2026, three regulatory shifts will dominate the compliance and security agenda. The EU AI Act’s full release in August will require organizations to classify systems by risk, complete conformity assessments, and maintain documentation that reshapes how AI is deployed.
At the same time, state-level AI bills in Colorado, California, and New York are advancing, creating a fragmented U.S. landscape that demands careful navigation. Beyond AI, data localization and digital sovereignty mandates are accelerating worldwide, with China’s PIPL enforcement maturing, India’s Digital Personal Data Protection Act gaining traction, and governments across APAC, LATAM, and Africa tightening rules on where data resides and how it moves.
Supply chain and third-party risk transparency also becomes non-negotiable, driven by Europe’s DORA, the SEC’s cybersecurity disclosure rules, and expanding critical infrastructure mandates globally. The era of trust without verification for vendors is ending, and continuous visibility into resilience is now expected.
Security practices will evolve in parallel. Continuous controls monitoring is bifurcating, with leading organizations in financial services and regulated technology operationalizing real-time monitoring, while many others remain in pilot phases and struggle with foundational data gaps. Infrastructure and identity controls such as access monitoring, configuration drift, and patch compliance are increasingly automated, while process and judgment controls like segregation of duties reviews remain periodic.
SOX compliance is also expanding into API-driven environments, where gateways, identity providers, automation platforms, and data pipelines all touch financial data. Automated preventive controls are replacing manual detective ones, but new risks emerge around securing the automation itself. Auditors must now ask who approves the bot posting accruals or how segregation of duties applies when service accounts execute transactions. Together, these shifts signal that compliance and security are converging into a model of real-time assurance, where resilience depends on both regulatory navigation and technical execution.
3. Disinformation Security Will Become an Enterprise Priority
Sandy Kronenberg, Founder and CEO of Netarx:
Deepfakes are no longer limited to fake videos. They have evolved into a multimodal disinformation security threat spanning AI-generated voices, images, texts, emails and any channel where trust can be exploited. In the next year, enterprises will move from early exploration to wide-scale deployment of disinformation defense platforms, spurred by the fact that 62% of organizations have already encountered deepfake-based social engineering attacks.
Forward-looking organizations are establishing dedicated “trust operations” and appointing Chief Trust Officers to ensure authenticity and guard against AI-generated fraud and impersonation. Boards and regulators are also raising the stakes with global policies pushing for transparency and clear labeling of synthetic content. Gartner predicts that by 2026, 30% of enterprises will abandon vulnerable verifications like facial recognition as deepfakes render them unreliable, and new laws (such as the EU’s AI Act) will require clear labeling of AI-generated media.
2026 marks a pivotal shift — from general awareness of disinformation and deepfake threats to decisive enterprise action. Disinformation defense will emerge as the next cybersecurity battleground, recognized as core infrastructure and an operational necessity for maintaining organizational trust. The companies that act now will be the ones that avoid the costly impact of the next wave of cyber-enabled deception.
4. Quantum Computing and AI Convergence Will Lead to a New Era of Security
Arjun Kudinoor, Quantum Security Advisor at Protegrity:
As quantum computing and AI converge, we are entering into a new security era, where human-designed intelligence and the laws of nature work together to make digital security a matter of physical truth, not just promised trust.
We are already witnessing the transition of quantum technologies from experimentation to practical deployment. For example, self-verifying quantum random number generators (QRNGs) are now being used to generate cryptographic keys whose unpredictability can be proven using the laws of physics themselves. QRNGs such as Quantinuum’s Quantum Origin employ Bell-test-based statistical checks to confirm, in real time, that the randomness they produce cannot be explained by any classical process. In doing so, they transform randomness from something merely assumed into something physically proven. This new class of self-verifying systems marks a shift from just asserting trust to engineering it.
Furthermore, the merging of quantum devices and AI marks a pivotal moment in the evolution of digital security — an evolution that is grounded not only in computational power but also the physical laws of nature. In 2026 and beyond, AI will play a central role in this evolution. Agentic AI will enable quantum devices to mitigate errors in a self-adaptive way, making systems not only more reliable but also more scalable. Once they are significantly more developed, quantum processors will begin to accelerate AI workflows, unlocking new possibilities in data analysis, optimization, and modeling. This growing feedback loop between quantum technologies and AI is laying out the groundwork for digital security that can learn and evolve faster than the threats it faces.
5. Biometrics Will Be More Utilized as an Access Credential
Jake Leichtling, Senior Director of Access Control at Verkada:
Biometrics will become the next mainstream access credential. While fingerprints, facial recognition, and iris scans have long been used in high-security environments like airports, advances in cloud-based access control and identity management are making biometrics far easier to deploy at scale. Consumers already use biometrics every day to unlock their phones or verify purchases, but enterprise adoption has lagged due to management complexity. As organizations look for secure, frictionless ways to manage identity, biometrics offer convenience and assurance — no badges to lose, passwords to forget, or phones to carry. As biometric identities become easier to manage within unified access control systems, they will move from specialized deployments to everyday use, redefining how organizations think about secure, seamless access.
Looking Forward to 2026
From shadow AI to biometric security, it seems cybersecurity grows more and more complex with each passing year. While the landscape may be challenging and the threats persistent, security leaders are always looking ahead, staying prepared, and learning from each other in order to better protect their companies, assets, and people.








