As we end the first quarter of the year and go into April, we asked a series of cybersecurity thought leaders the open question of "What do you see as the biggest threat to organizations in 2026?"
The responses below highlight the following:
- The need to reassess changing business functions, risk levels, and expiring controls to ensure security remains aligned with business needs and cost-effective technology choices.
- The erosion of trust is a growing threat, driven by AI-enabled deception, data integrity concerns, post-quantum risk, and uncertainty around AI-agent accountability.
- Non-human identities and faster AI-driven attacks are creating a more urgent perimeter and resilience challenge for enterprises.
- The main concern is the speed and complexity of the threat landscape, with AI and geopolitical instability forcing faster, higher-quality decision-making.
- Distraction is a major risk, because chasing headline threats can pull organizations away from the fundamentals that actually reduce cyber risk.
- AI-powered attacks, stronger social engineering, ransomware, shadow AI, insecure AI-assisted coding, geopolitical risk, and post-quantum migration are all converging at once.
What do you feel are the biggest threats to organizations in 2026? Join the conversation in our community slack channel.
"In 2026, I am looking at our business and how it has changed over the last year. Did the business functions change? Do we have the same risk level for the business function, or has it changed? Are the controls that enable the business still needed, or should we modify the ones already in place? For any controls expiring this year, we confirm they're still needed and assess whether there are faster, better, more cost-effective alternatives. If it hits all three, we look to change the control that is expiring and to determine whether it enables that business function. Lastly, do we have any new business functions that require controls or systems? If so, what is the risk, and is there an existing control we can use, or should we implement a cost-effective new technology for that specific business function? We control the technology; the technology does not control the business."
Anthony Biegacki, CIO/CISO, Covelli Enterprises
"The biggest threat I see starting this year and continuing is the erosion of trust. It varies from AI powered disinformation (AI powered phishing to deep fakes) to a loss of trust in data integrity due to post quantum crypto risks to nonrepudiation of actions by an AI Agent acting on behalf of a user."
Mike Calvi, CISO, Arvest Bank
"For me 2026 should be this and many leaders would probably agree,
Every security leader should be prioritizing the pressure-testing of Non-Human Identity. Service accounts, API keys, pipeline credentials, and AI agents are proliferating at a pace that governance simply cannot match. These identities are often over-privileged, long-lived, and insufficiently monitored. For most enterprises, this has become the primary perimeter concern rather than a secondary one.
The risk is further amplified by the increased speed of AI-driven attacks. Incidents that previously unfolded over weeks now occur within hours—dwell times are decreasing, response windows are narrowing, and there is no longer any margin for error. In this context, discussions around blast radius and recovery readiness are not theoretical—they are urgent necessities."
Doug Mayer, CISO, WCG
"In 2026, it's not any one threat that concerns me most, it's the pace at which they're moving. Threat actors are moving faster than most organizations are built to handle, and AI is only widening that gap. Add in the geopolitical chaos bleeding into corporate environments, and you've got a threat landscape that looks nothing like what most programs were designed for. The organizations that come out ahead won't be the ones with the biggest budgets, they'll be the ones who can cut through the noise, make sound decisions with incomplete information, and act before the window closes."
Michelle McCluer, Vice President, Global Fusion and Intelligence, Security Threat Response Management
"In my view, the biggest threat to organizations in 2026 is distraction. With news cycles moving at full speed, it’s easy for leaders to chase the “threat of the month”, latest zero-day or newest AI model and lose sight of the fundamentals that determine resilience.
Most breaches still stem from familiar weaknesses, such as identity gaps, poor hygiene, misconfigurations, and inconsistent security operations. Organizations that fail to consistently execute the fundamentals never properly manage their cyber risk and operate with a false sense of security that crumbles under pressure.
In summary, the most significant threat is allowing noise to overshadow what actually matters. The organizations that stay grounded in fundamentals, and execute them relentlessly, will be more resilient to threats in 2026."
Joseph Post, CISO, BIC
"First for me would be AI-Powered Attacks and Agentic AI. Think about controls like DLP and CASB that look for actors making discrete, observable requests... Agents (using Birthright account credentials) are dynamic and continuous, and their actions are often implicit rather than explicit – effectively bypassing traditional controls.
Social Engineering remains a major threat, especially against organizations that have not implemented baseline controls to reduce the impact of the risk. AI deepfakes, voice spoofing, and hyper-personalized spear phishing only serve to make the attacks that much more convincing.
Other areas would be Ransomware (again AI powered auto-morphing Ransomware), Shadow AI and the AppSec risks of Vibe Coding, Geopolitical threats, and of course the shrinking quantum timeline forcing a complex migration to post-quantum cryptography."
Andrew Wilder, CISO, Vetcor
