Security Talk
What Security Leaders Could Expect in 2026
Experts share their thoughts on trends, technologies and leadership qualities shaping the future of security.

As one year comes to a close and another begins, security leaders naturally take stock of what has changed — and what lies ahead. For a better understanding of the challenges and opportunities shaping the year to come, I asked a group of security executives and practitioners for their perspectives on the trends, risks, and priorities that could define security in 2026.
What Are The Biggest Security Challenges That Organizations Will Face in The Coming Year?
Colin Daugherty, Program Manager at Convergint: Biggest challenges will be the evolving depth and range of the already complicated poly-risk and poly-threat environments and landscapes. Cyber, Privacy, Travel, Physical, Executive Protection, Drone, Supply Chain, Business Continuity... there is so much to keep up with from local to global!
Kristen Devitt, Director of Campus Safety at Oak Park River Forest High School: Cybersecurity in schools. We’ve been so focused on active assailants that we have failed to properly address other types of threats.
Rosario Mastrogiacomo, CSO at SPHERE: As we head into the new year, security leaders are staring down a fundamental shift: AI is no longer a feature — it’s an actor. Organizations are now operating alongside autonomous systems that make decisions, take action, and in some cases delegate work to other agents. That’s the biggest change to identity security in more than two decades, and it’s reshaping how CISOs think about risk.
The challenges in 2026 won’t be about the volume of threats — we’ve lived with that for years. The challenge will be accountability in environments where not every decision was made by a human. The rise of AI identities means we’ll see more invisible privilege escalation, ownerless automation, and cascading effects when AI systems drift from expected behavior. Most enterprises already struggle with basic identity hygiene; layering autonomy on top of that is a force multiplier for risk.
Frédéric Rivain, CTO at Dashlane: The traditional network perimeter will continue its collapse in 2026, replaced by browser-based security controls as the primary enforcement point. Organizations are realizing that protecting credentials at the browser level is more effective than trying to secure every endpoint or network. Browser extensions and browser-native security capabilities offer real-time protection against phishing, credential theft, and unauthorized access, precisely where attacks happen.
What Emerging Trends or Technologies Do You Believe Will be Transformative?
Colin Daugherty: Emerging technologies are endless right now, no shortage of shiny and fancy stuff... the real questions and issues are what actual value and benefit are they bringing and at what costs.
Rosario Mastrogiacomo: The most transformative trend isn’t a single technology — it’s the convergence of AI agents with identity governance. The organizations that succeed will treat AI agents as first-class identities with owners, access boundaries, decision transparency, and lifecycle controls. Frameworks like RAISE — Reveal, Assign, Interpret, Secure, Evaluate — are emerging because traditional IAM and PAM tools were never designed for actors that learn and adapt.
What Skills, Strategies, or Mindsets Will Security Teams Need Most in 2026?
Colin Daugherty: Skills, Strategies, and Mindsets... we need good people, better people, people who will show up day in and day out, people with grit and resilience, people who act and lead with curiosity, creativity, and courage, people who build trust and confidence and lead the industry forward.
Rosario Mastrogiacomo: Security teams will need two mindsets in 2026: Architectural discipline — least privilege, continuous discovery, containment boundaries, and explainability will define mature programs. Operational humility — we’re governing systems that don’t behave like code. They behave like coworkers. That requires new skills in oversight, telemetry, and interpretation.
Frédéric Rivain: AI agents will be prime targets for cyberattacks. They have broad access to data, can make decisions without human oversight, and operate across multiple systems simultaneously, making them both valuable and vulnerable. It’s up to security teams to address critical gaps including zero-trust architectures extended to non-human identities and credential management for AI agents interacting with internal systems.
What Gives You Optimism for the Future of Security?
Colin Daugherty: Optimism is tough in our industry; I see no shortage of "opportunities" for us to be put to the test and show up in meaningful and impactful ways. I see a growing landscape of opportunities for consulting and advisory services.
Rosario Mastrogiacomo: What gives me optimism? We’re finally seeing CISOs integrate identity, AI governance, and risk into a single strategic conversation. There is a growing recognition that autonomy doesn’t have to erode accountability — if we govern AI identities with the same rigor we apply to humans. When organizations build visibility, ownership, and behavioral review into AI systems from the start, they don’t slow innovation — they secure it. 2026 will be the year we stop asking whether we can trust AI systems and start proving why we should.
Frédéric Rivain: I am hopeful that next year, we’ll see the first Fortune 500 companies announce total password elimination initiatives. We’re already seeing major enterprise providers prioritize passkey workflows. And as phishing and credential-stuffing attacks continue to skyrocket, so will passkey usage in parallel.







