2026 Cyber Risk: How Leaders Can Tackle Evolving Security Challenges

Cyber risk in 2026 is faster, more complex and more interconnected than ever. Learn how leaders can build shared ownership, faster response and stronger resilience with insights from members of the Senior Executive Cybersecurity Think Tank.

by Cybersecurity Editorial Team on June 24, 2026

Cybersecurity leaders have never had the luxury of moving slowly, but the second half of 2026 may test even the most mature security teams. AI is accelerating both sides of the fight: Attackers can find vulnerabilities, craft more convincing scams and move faster, while businesses (and employees) are racing to embed AI into products, workflows and everyday operations. That combination raises the stakes for every leader responsible for protecting data, systems, customers and trust.

The challenge isn’t just technical. As cyber risk spreads across engineering, finance, operations, legal, HR, procurement and executive teams, the old model of security as a separate checkpoint no longer fits how businesses actually run. The organizations that handle this next phase successfully will need to rethink cybersecurity as a shared operating discipline, not a last-minute review, compliance exercise, or problem for one department or leader to solve alone.

Members of the Senior Executive Cybersecurity Think Tank have deep expertise in enterprise cybersecurity strategies, risk management, threat detection and cybersecurity leadership. Below, a group of them discusses what they see as the biggest cybersecurity challenges for leaders in the second half of 2026 and how organizations can move from reactive defense to enterprisewide resilience.

Build Security Into AI From the Start

Gaurav Kulkarni, Senior Security Manager at Microsoft, says cybersecurity leaders can’t afford to treat AI projects as conventional internal tools with a late-stage security review. His primary concern is the pace of AI development itself.

“The biggest challenge in the second half of 2026 is the speed at which AI is being deployed with zero security baseline,” he says. “Every week, teams are shipping LLM-powered workflows, agentic pipelines and MCP integrations into production environments with the same old security hygiene they applied to internal tools a decade ago.”

That pace changes the role security leaders must play. Rather than showing up after a workflow is already live, they need to be involved while business and technology teams are still shaping what the system will do.

“Security leaders must stop working in isolation. Meaningful AI governance happens upstream,” Kulkarni says. “The opportunity to shape responsible AI deployment lies in collaborating directly with engineering, product and data teams during design and development, rather than conducting reviews after deployment. Security can’t be a gate; it has to be a capability integrated into how AI gets built and deployed securely.”

Make Impersonation More Difficult and Expensive

Jamshir Qureshi, Vice President of DevSecOps Engineering for MUFG Bank Ltd., points to a more human-centered problem: As AI-generated deception becomes more convincing, organizations may have to rethink what “trust” looks like in daily operations.

“The biggest challenge for late 2026 is trust erosion,” he says. “AI can now generate convincing deepfake audio, video and code faster than any human can verify it. Traditional identity and approval processes are breaking down.” 

For Qureshi, the response requires more than new technical controls. Security leaders will need to work across functions that own approvals, continuity planning and employee identity.

“Security leaders can’t fix this alone,” he stresses. “Collaborate with HR and legal teams to rewrite approval workflows to require out-of-band verification for anything sensitive (money, access, code). No more trusting a voice call or Zoom meeting. Work with operations to embed ‘assume breach’ into business continuity. If your CFO’s deepfake authorizes a wire, what’s your kill switch? Finally, work with IT to deploy continuous identity verification using behavioral biometrics and hardware keys, not just passwords or MFA codes.”

Qureshi concludes that the goal isn’t perfect detection; it’s making impersonation attacks expensive and slow for adversaries. 

“Build human-in-the-loop friction where it hurts them most.”

Close the AI Capability Gap

Bill McSorley, President of WM3 Group LLC, sees multiple AI-driven risks converging at once, especially as employees and teams gain access to tools they may not fully understand from a security standpoint.

“I believe the single biggest challenge in 2026 is AI-driven attacks, coupled with widening capability gaps across organizations,” he says.

AI tools can expand what employees are able to build, but that speed can also broaden exposure.

“The rapid adoption of AI tools has also introduced substantial risk,” McSorley says. “Users who can ‘vibe code’ applications or workflows are often unaware of the associated security challenges and may inadvertently expose corporate data.”

He notes that this enhanced risk doesn’t sit in one neat category. It cuts across people, processes, suppliers and the technologies employees are using every day.

“Supply chain attacks, deepfakes, AI prompt injections and AI-driven phishing have created an unprecedented convergence of security vulnerabilities.”

Control What AI Agents Can Touch

Anand Salodkar, Co-Founder and COO of CompFly AI, says the next big challenge is balancing innovation with risk management. Organizations that want the productivity benefits of AI agents can’t afford to skip setting guardrails.

“I think the biggest challenge is access versus control,” Salodkar says. “Agentic AI delivers value only when citizen developers can wire agents into real systems: CRMs, ticketing, internal APIs and data stores. But agents are nondeterministic, often run with delegated credentials, and can chain tool calls in ways the builder never explicitly authorized.”

For Salodkar, the answer is a dedicated layer of oversight that can govern agent activity while preserving the value those systems are meant to provide.

“The answer is an agentic gateway: a control plane every agent routes through, enforcing identity, scoping tool access per workflow, applying runtime policy, and logging every action for audit.”
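
A minimal sketch of the gateway pattern described above, as an added example that is not code from Salodkar or CompFly AI: a deny-by-default check that scopes tools per workflow, requires a named approver for tools touching money or production, honors a kill switch, and logs every decision. All agent, workflow and tool names are hypothetical, and the agent identity is assumed to have been authenticated before the call reaches this check.

```python
import json
import time
from dataclasses import dataclass, field

# Constructed policy: tools each (agent identity, workflow) pair may call.
# Every agent, workflow and tool name below is hypothetical.
SCOPES = {
    ("agent-support-01", "ticket-triage"): {"ticketing.read", "ticketing.comment"},
    ("agent-finance-02", "invoice-recon"): {"erp.read", "payments.transfer"},
}
# Tools touching money or production also need a named human approver.
HIGH_RISK = {"payments.transfer", "prod.deploy"}


@dataclass
class Gateway:
    killed: set = field(default_factory=set)   # workflows halted by kill switch
    audit: list = field(default_factory=list)  # one JSON record per decision

    def kill(self, workflow):
        """Halt a workflow; every later call for it is denied."""
        self.killed.add(workflow)

    def authorize(self, agent, workflow, tool, args, approved_by=None):
        """Deny by default; return (allowed, reason) and log the decision."""
        scope = SCOPES.get((agent, workflow))  # identity assumed authenticated upstream
        if scope is None:
            reason = "unknown agent/workflow identity"
        elif workflow in self.killed:
            reason = "kill switch engaged"
        elif tool not in scope:
            reason = "tool outside workflow scope"
        elif tool in HIGH_RISK and not approved_by:
            reason = "human approval required"
        else:
            reason = "in scope"
        allowed = reason == "in scope"
        self.audit.append(json.dumps({
            "ts": time.time(), "agent": agent, "workflow": workflow,
            "tool": tool, "arg_names": sorted(args),  # names only, no values
            "approved_by": approved_by,
            "decision": "allow" if allowed else "deny", "reason": reason,
        }))
        return allowed, reason


if __name__ == "__main__":
    gw = Gateway()
    print(gw.authorize("agent-support-01", "ticket-triage", "payments.transfer", {}))
    print(gw.authorize("agent-finance-02", "invoice-recon", "payments.transfer",
                       {"amount": 10}, approved_by="finance-approver"))
    gw.kill("invoice-recon")
    print(gw.authorize("agent-finance-02", "invoice-recon", "erp.read", {}))
```

Denied calls are logged with the same fields as allowed ones, so the audit trail shows what an agent attempted as well as what it did.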

Assign Clear Ownership for Internal AI Risk

Rashid Feroze, Head of Security Engineering at CRED, says the enhanced risk from the AI explosion doesn’t just come from attackers moving faster; it also stems from the speed of internal AI adoption.

“The hardest task in the second half of 2026 isn’t fighting attacks; it’s that your own business is shipping AI agents faster than anyone can govern them, with the same access as the people who built them and no clear owner,” he says.

Feroze says the real challenge for leaders is enabling that pace without becoming a bottleneck—and that’s not a challenge security can solve alone. He recommends close cross-functional collaboration.

“Partner with engineering to track where every agent runs and what it can touch, make least privilege the default, and put kill switches on anything touching money or production, with clear accountability for who answers when an agent acts on its own.”

Turn AI Governance Into Shared Accountability

Senthil Muthu, CISO at ICISO LLC, says AI is stretching traditional models of security ownership.

“The biggest challenge for cybersecurity leaders in late 2026 is controlling AI-driven risk faster than AI expands it,” he says. “As automation accelerates identity sprawl, data movement and decision-making, CISOs must shift from siloed security ownership to shared accountability.”

The practical response, he says, is a coordinated governance model that brings technology, data and legal leadership into the same conversation.

“Partnering with the CIO, CDO and legal team to build unified AI governance, enforce task-based access and embed real-time guardrails is the only way to stay ahead of machine-speed threats.”

Move Toward Collective Adaptive Defense

Threat actors are using automation to operate faster and at a greater scale. Arun Kumar Elengovan, Director of Security Engineering at Okta, Inc., details the scope of the challenge.

“In my opinion, the biggest challenge in 2026 is the explosion of AI-powered attacks,” he says. “Adversaries are now using smart AI agents, deepfakes and automation to move incredibly fast, slip past traditional defenses and hit us at a scale we have never seen before, especially with our expanding cloud environments, supply chains and identity systems.”

Elengovan says that scale makes cybersecurity a business priority, not just a security priority. The key to successful risk mitigation? He says it’s better collaboration, both internally and externally.

“Inside our organizations, we need to work hand in hand with business, IT and risk leaders to make security a real business priority and invest wisely in resilience,” he says. “Externally, we should share threat intel more openly through ISACs, build talent pipelines together with peers and universities, and create joint response plans across our supply chains. Ultimately, we win by moving from solo prevention to true collective adaptive defense.”

Build a Collaborative Workforce With a Learning Mindset

David Etue, Chief Strategy Officer of Cyberbit, says the pressure on cybersecurity leaders in late 2026 comes from several factors evolving at once—and more rapidly than ever before.

“In the second half of 2026, the real challenge is that cyber risk is running on a faster clock than most organizations can handle,” Etue says. “AI is rapidly changing attacker and defender tradecraft and tooling, geopolitical fractures and supply chain tensions are changing who targets you and why, and business digitization is accelerating with generative and agentic AI.”

That pace makes organizational learning a core part of cyber resilience. Etue says companies need teams that can experiment, learn and adjust together as the threat environment changes.

“The only sustainable answer is readiness built on a collaborative workforce with a learning mindset,” he says. “Align security, risk and business teams around continual improvement of their shared understanding, and support fast experimentation on what does and doesn’t work. The faster an organization gets at turning new threats into shared decisions, the better prepared it will be to defend itself.”

Beware the Risk of Defensive Complexity

Pavel Mishchenko serves as a Manager of Security and IT Infrastructure Systems for large-scale critical infrastructure projects. He says that in the second half of 2026, the biggest challenge for CISOs may no longer be a lack of visibility.

“Large organizations are already capable of seeing almost everything through telemetry, behavioral analytics and AI-driven detection,” Mishchenko says. 

The new risk security-conscious companies must be aware of? He says that, ironically, it may be self-inflicted: the growing complexity of security architecture itself.

“As the number of controls, automation layers and orchestration systems continues to grow, companies risk losing the one thing that matters most during an incident: the ability to act quickly and decisively,” Mishchenko cautions. “At a certain point, the complexity of the defensive system itself becomes an operational risk.”

Transform Security From a Gate Into a Shared Steering System

Maman Ibrahim, Founder of Ginkgo Resilience LTD, says cybersecurity leaders are facing an environment where new tools and automations can reshape risk faster than organizations can document or govern it.

“The biggest challenge is machine-speed change outpacing machine-speed control,” he says. “Agentic tools, AI-written code and employee-built automations expand the attack surface faster than teams can inventory, govern or prove what’s safe.”

His recommendation is to move accountability closer to the services and workflows where risk actually lives. That means bringing multiple functions into shared planning, shared drills and shared evidence.

“Security leaders win by moving from ‘security owns it’ to ‘services own it,’” Ibrahim says. “Name owners for critical workflows, agree on risk appetite, bake controls into CI/CD and run joint drills with engineering, ops, legal and procurement. Share one risk language, one backlog and one evidence trail. Collaboration turns security from a gate into a steering system.”

Respond to Exploits Faster Together

Bhavya Bhandari, Cybersecurity Risk Management Leader, Financial Services at Ernst & Young US LLP, says that as AI compresses the window between discovery and attack, traditional prioritization models may not be fast enough.

“The biggest challenge for cyber leaders in the second half of 2026 is simple to describe, but harder to manage: AI is reducing the time between finding a vulnerability and exploiting it,” he says.

For Bhandari, cyber resilience depends on how quickly teams can understand shared exposure and respond as a unit.

“Risk is no longer confined to a system or a function,” he says. “The aggregation of risk across multiple environments makes the risk management and prioritization process challenging. Resilience is becoming more about how collaboratively and quickly teams can respond to exploits.”

How To Meet New Era Cybersecurity Challenges

  • Build security into AI workflows before they reach production. Bring security, engineering, product and data teams together during design and development so responsible deployment isn’t reduced to a late-stage review.
  • Rethink identity and approval processes for an era of deepfakes. For sensitive actions involving money, access or code, add out-of-band verification, human-in-the-loop friction and clear kill switches.
  • Close the gap between AI adoption and security awareness. As more employees build AI-enabled apps, workflows and automations, leaders need to ensure they understand the risks tied to data exposure, prompt injection, phishing, supply chain compromise and other AI-driven threats.
  • Govern what AI agents can access and do. Use a dedicated control layer to enforce identity, limit tool access by workflow, apply runtime policies and log agent activity for audit.
  • Assign ownership for every internal AI agent. Track where agents run, what they can touch and who is accountable when they act, especially when they interact with money, production systems or sensitive data.
  • Make AI governance a shared executive responsibility. CISOs should work with CIOs, chief data officers, legal leaders and other stakeholders to build unified governance, task-based access and real-time guardrails.
  • Treat cybersecurity as a collective defense effort. Internally, align business, IT and risk leaders around resilience; externally, strengthen threat intelligence sharing, talent pipelines and supply chain response planning.
  • Build a workforce that can learn as fast as risk changes. Security, risk and business teams need shared context, a willingness to experiment and a process for turning new threats into decisions quickly.
  • Simplify defensive architecture where complexity slows response. More telemetry, controls and automation won’t help if teams can’t act quickly and decisively during an incident.
  • Move from “security owns it” to “services own it.” Name owners for critical workflows, agree on risk appetite, build controls into development pipelines, and maintain a shared backlog and evidence trail.
  • Respond to exploits as one organization. As AI shrinks the time between vulnerability discovery and exploitation, resilience will depend on how quickly teams can understand aggregate risk and coordinate action.

From Reactive Defense to Enterprisewide Resilience

Effective cybersecurity in the second half of 2026 will require organizations to move faster without becoming reckless. AI-powered attacks, internal AI adoption, deepfake-enabled fraud, identity sprawl, architectural complexity and supply chain exposure all point to the same larger reality: Security can’t operate as a standalone function while risk moves across the enterprise.

The path forward is not simply more tools or tighter control. It’s clearer ownership, stronger cross-functional governance, better verification, simpler response paths and a shared understanding of risk. As AI accelerates both business innovation and threat activity, the most resilient organizations will be the ones that make cybersecurity part of how every team builds, approves, operates and adapts.

Category: Cybersecurity
