Cybersecurity in 2026 is no longer just about protecting systems but about governing AI

Cybersecurity is no longer confined to the SOC. By 2026, decisions about digital security will shape AI adoption, business continuity, supply chains, regulatory compliance, geopolitics, and the actual role of the CISO within organizations. KPMG Spain's latest report, Cybersecurity Considerations for 2026, identifies eight priorities that can no longer be treated as isolated projects.

The underlying idea is clear: AI is expanding the attack surface while offering new defensive capabilities. Autonomous agents are beginning to perform tasks, non-human identities surpass human ones in many environments, IT and OT systems are increasingly interconnected, and post-quantum cryptography is shifting from technical discussion to a strategic matter for sectors like finance, defense, and critical infrastructure.

Autonomous security reaches the SOC, but also compliance

KPMG highlights that one of the priorities will be preparing cybersecurity teams for autonomous security. This isn’t just about automating alerts or enriching events—something many organizations have been doing for years. The shift is that AI agents are starting to assume more advanced, intelligence-based tasks: incident investigation, regulatory compliance, risk management, evidence correlation, or supervision of non-human identities.

This progress can help overwhelmed teams but also requires redesigning controls. An agent that executes actions cannot be treated as a passive tool. It needs boundaries, traceability, minimum permissions, decision review, and mechanisms to stop unpredicted behaviors. The promise of autonomous security works only if the organization understands what each agent can do, what data it can access, which systems it can modify, and who is accountable when something goes wrong.

AI is also transforming vulnerability management. Discussions around models like Claude Mythos have shown that advanced systems can analyze large code bases, hypothesize about failures, validate attacks, and develop operational exploitation chains. KPMG warns that the key issue isn’t an increase in vulnerabilities but that the pace of identification and exploitation could outstrip traditional patching cycles.

This means revisiting common practice: weekly patch windows, manual prioritization, and ranking by CVSS base score alone (which measures severity, not the likelihood that a flaw is actually being exploited). In environments where AI accelerates both offensive and defensive actions, some patches will need to be evaluated and deployed within 24 to 48 hours. The capacity to make that decision quickly will matter as much as the tooling itself.

Non-human identities and agents: the new perimeter

The proliferation of AI agents, service accounts, machine credentials, bots, APIs, and automation has created an inventory challenge many companies have yet to address comprehensively. Non-human identities now outnumber human users in many settings, but their governance tends to be less mature.

The risk is clear: a human account might be protected with MFA, periodic reviews, deactivation upon leaving, and role-based access policies. A non-human identity can remain forgotten for years, with embedded secrets, excessive permissions, and limited monitoring. When these identities are wired into AI agents capable of acting on tools and data, controlling the perimeter becomes increasingly difficult.
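The contrast above (owner, idle age, secret age, over-broad permissions) is something that can be checked mechanically against an identity inventory. The following is an added example, not code from the KPMG report or any IAM product; the inventory, the identity names and the thresholds are constructed assumptions.

```python
"""Hygiene review of non-human identities over a constructed inventory.

Added example; not from the KPMG report or any IAM product. It assumes an
exported inventory where each identity carries a kind, an accountable owner,
a last-used date, a secret-rotation date and a list of permission scopes.
The thresholds below are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

MAX_IDLE_DAYS = 90          # assumed: an NHI unused this long is a removal candidate
MAX_SECRET_AGE_DAYS = 365   # assumed: embedded secrets older than this must be rotated

@dataclass
class Identity:
    name: str
    kind: str                       # "human", "service", "agent", "bot"
    owner: Optional[str]
    last_used: Optional[date]
    secret_rotated: Optional[date]
    permissions: List[str]          # scope strings such as "db:read"

def is_over_broad(scope: str) -> bool:
    """Wildcard or admin scopes grant more than any single job needs."""
    action = scope.split(":")[-1]
    return scope == "*" or action in ("*", "admin")

def findings_for(ident: Identity, today: date) -> List[str]:
    """Return the hygiene problems for one non-human identity (empty = clean)."""
    if ident.kind == "human":
        return []   # humans are covered by MFA, joiner/leaver and access reviews
    problems = []
    if ident.owner is None:
        problems.append("no accountable owner")
    if ident.last_used is None or (today - ident.last_used).days > MAX_IDLE_DAYS:
        problems.append("idle for more than %d days" % MAX_IDLE_DAYS)
    if ident.secret_rotated is None or (today - ident.secret_rotated).days > MAX_SECRET_AGE_DAYS:
        problems.append("secret older than %d days" % MAX_SECRET_AGE_DAYS)
    broad = [p for p in ident.permissions if is_over_broad(p)]
    if broad:
        problems.append("over-broad permissions: " + ", ".join(broad))
    return problems

def review(inventory: List[Identity], today: date) -> Dict[str, List[str]]:
    """Map identity name -> findings, keeping only identities with problems."""
    report = {}
    for ident in inventory:
        problems = findings_for(ident, today)
        if problems:
            report[ident.name] = problems
    return report

# Constructed sample inventory; every name here is hypothetical.
SAMPLE = [
    Identity("alice", "human", "alice", date(2026, 1, 20), date(2025, 12, 1), ["repo:read"]),
    Identity("svc-legacy-etl", "service", None, date(2022, 3, 4), date(2021, 1, 1), ["db:*", "s3:read"]),
    Identity("agent-ticket-triage", "agent", "secops", date(2026, 1, 30), date(2025, 11, 2), ["tickets:write"]),
    Identity("bot-ci-deploy", "bot", "platform", date(2026, 1, 31), date(2024, 6, 1), ["deploy:admin"]),
]

def sample_review(today: date = date(2026, 2, 1)) -> Dict[str, List[str]]:
    """Review the constructed inventory as of a fixed date."""
    return review(SAMPLE, today)

if __name__ == "__main__":
    for name, problems in sample_review().items():
        print(name, "->", "; ".join(problems))
```

On the sample data the forgotten ETL service account trips all four checks, the deploy bot is flagged for a stale secret and an admin scope, and the recently used, owned, narrowly scoped triage agent comes out clean. Plugging a real export (cloud IAM, CI secrets, API keys) into `SAMPLE` is the only change needed to run it against an actual estate.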

KPMG emphasizes that AI security must extend beyond protecting the model itself. It’s necessary to secure the entire agent environment: the tools it can use, the APIs it invokes, the stored memory, the data retrieved via RAG, and the actions it performs. Data is no longer a static resource but part of the execution process, requiring rigorous handling—traceability, versioning, explicit purpose, access controls, and expiration policies, similar to code.
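The two requirements stated so far, agent boundaries (minimum permissions, traceability, decision review, a way to stop the agent) and data handled like code (version, purpose, access control, expiry), meet in one place: a policy enforcement point that every retrieval and every tool call passes through. The following is an added example written for this article, not code from the KPMG report or from any agent framework; the agent names, tools, data sets and policy layout are all hypothetical. Each decision produces one structured audit record, which is also the kind of per-action log the observability discussion below asks for.

```python
"""Policy enforcement point for an AI agent's data retrieval and tool calls.

Added example; not from the KPMG report or any agent framework. All names
(agents, tools, data sets, policy layout) are hypothetical. One guard enforces:
a least-privilege tool allowlist per agent; the data set's ACL, declared
purpose, version and expiry; a named human approver for high-risk tools; a
per-agent kill switch; and one audit record per decision, allowed or denied.
"""
import json
from datetime import date
from typing import List, Optional

class AgentPolicyError(Exception):
    """Raised when the guard denies an action."""

# Data sets are governed like code: version, explicit purpose, ACL, expiry.
DATASETS = {
    "hr-handbook": {"version": 3, "purpose": "employee-questions",
                    "allowed_agents": {"hr-assistant"}, "expires": date(2027, 1, 1)},
    "payroll-export": {"version": 12, "purpose": "finance-reconciliation",
                       "allowed_agents": {"finance-agent"}, "expires": date(2026, 1, 15)},
}
# Tool risk tiers; a "high" tool needs a named human approver on every call.
TOOLS = {"search_docs": "low", "create_ticket": "medium", "send_wire": "high"}
# Minimum permissions: each agent sees only the tools its job needs.
AGENT_TOOLS = {"hr-assistant": {"search_docs", "create_ticket"},
               "finance-agent": {"search_docs", "send_wire"}}

class AgentGuard:
    def __init__(self, today: date):
        self.today = today
        self.audit: List[dict] = []   # append-only; this is what the SIEM ingests
        self.halted = set()           # kill switch, per agent

    def _record(self, **fields) -> None:
        fields["date"] = self.today.isoformat()
        self.audit.append(fields)

    def halt(self, agent: str) -> None:
        """Kill switch for an agent whose behaviour was not anticipated."""
        self.halted.add(agent)
        self._record(event="halt", agent=agent)

    def check_retrieve(self, agent: str, dataset: str, purpose: str) -> Optional[str]:
        """Return the denial reason, or None if the retrieval is allowed."""
        ds = DATASETS.get(dataset)
        if agent in self.halted:
            return "agent halted"
        if ds is None:
            return "unknown dataset"
        if agent not in ds["allowed_agents"]:
            return "agent not on dataset ACL"
        if purpose != ds["purpose"]:
            return "purpose mismatch"
        if self.today >= ds["expires"]:
            return "dataset expired"
        return None

    def check_tool(self, agent: str, tool: str, approved_by: Optional[str]) -> Optional[str]:
        """Return the denial reason, or None if the tool call is allowed."""
        if agent in self.halted:
            return "agent halted"
        if tool not in TOOLS:
            return "unknown tool"
        if tool not in AGENT_TOOLS.get(agent, set()):
            return "tool not in agent allowlist"
        if TOOLS[tool] == "high" and not approved_by:
            return "high-risk tool requires human approval"
        return None

    def retrieve(self, agent: str, dataset: str, purpose: str) -> dict:
        reason = self.check_retrieve(agent, dataset, purpose)
        self._record(event="retrieve", agent=agent, dataset=dataset, purpose=purpose,
                     version=DATASETS.get(dataset, {}).get("version"),
                     allowed=reason is None, reason=reason)
        if reason:
            raise AgentPolicyError(reason)
        return DATASETS[dataset]      # a real guard would now run the RAG query

    def call_tool(self, agent: str, tool: str, approved_by: Optional[str] = None) -> dict:
        reason = self.check_tool(agent, tool, approved_by)
        self._record(event="tool", agent=agent, tool=tool, approved_by=approved_by,
                     allowed=reason is None, reason=reason)
        if reason:
            raise AgentPolicyError(reason)
        return {"tool": tool, "executed": True}   # a real guard would invoke the tool

def demo(today: date = date(2026, 2, 1)) -> List[dict]:
    """Run a constructed scenario and return the resulting audit trail."""
    g = AgentGuard(today)
    attempts = [
        lambda: g.retrieve("hr-assistant", "hr-handbook", "employee-questions"),
        lambda: g.retrieve("hr-assistant", "payroll-export", "employee-questions"),
        lambda: g.retrieve("finance-agent", "payroll-export", "finance-reconciliation"),
        lambda: g.call_tool("hr-assistant", "send_wire"),
        lambda: g.call_tool("finance-agent", "send_wire"),
        lambda: g.call_tool("finance-agent", "send_wire", approved_by="treasury-lead"),
    ]
    for attempt in attempts:
        try:
            attempt()
        except AgentPolicyError:
            pass                      # the denial is already in the audit trail
    g.halt("finance-agent")           # e.g. after the SOC reviews the wire call
    try:
        g.call_tool("finance-agent", "search_docs")
    except AgentPolicyError:
        pass
    return g.audit

if __name__ == "__main__":
    for rec in demo():
        print(json.dumps(rec))
```

The scenario exercises each control once: an allowed retrieval, a denial by ACL, a denial because the payroll extract has passed its expiry date, a tool outside the agent's allowlist, a high-risk tool without an approver, the same tool with one, and finally the kill switch, after which even a low-risk tool is refused. Every one of those outcomes, including the allowed ones, lands in the audit list with the agent, the object, the decision and the reason, which is what lets someone answer "what did this agent do, with what data, and who approved it" after the fact.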

AI supply chains add another layer of risk. External models, third-party APIs, toolchains, libraries, connectors, and corporate data may introduce opaque dependencies. Organizations will need AI supply chain programs akin to those for critical cloud or software components: version control, API audit, vendor evaluation, exit plans, and the ability to replace critical components promptly without being blocked for months.
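Version control and the ability to swap a component out both depend on knowing exactly which bytes are in production. The added example below, which is not code from the KPMG report or from any framework, shows the minimum: a lock file that pins each AI dependency (model weights, a connector) to a reviewed version, an approved vendor and a SHA-256 digest, checked before anything is loaded. The component names, vendors and artifact bytes are constructed stand-ins.

```python
"""Pin and verify AI supply-chain components before loading them.

Added example; not from the KPMG report or any framework. A lock file records,
per dependency, the version, the approved vendor and the SHA-256 of the bytes
that were actually reviewed. At load time the bytes obtained are hashed and
compared, so a silently re-published version, a vendor swap or a tampered
download fails closed. The artifacts below are constructed stand-ins.
"""
import hashlib
from typing import Dict, Tuple

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed bytes standing in for reviewed artifacts (hypothetical names).
REVIEWED: Dict[str, Tuple[str, str, bytes]] = {
    "summarizer-model": ("1.4.2", "model-vendor-a", b"weights 1.4.2: evaluated and approved"),
    "crm-connector": ("2.0.1", "connector-vendor-b", b"connector 2.0.1: API surface audited"),
}
APPROVED_VENDORS = {"model-vendor-a", "connector-vendor-b"}

def make_lockfile(reviewed: Dict[str, Tuple[str, str, bytes]]) -> Dict[str, dict]:
    """Written once at review time and kept under version control."""
    return {name: {"version": ver, "vendor": vendor, "sha256": sha256_hex(data)}
            for name, (ver, vendor, data) in reviewed.items()}

LOCK = make_lockfile(REVIEWED)

def verify(name: str, version: str, vendor: str, data: bytes, lock=LOCK) -> str:
    """Return "ok" or the first reason this component must not be loaded."""
    entry = lock.get(name)
    if entry is None:
        return "not in lockfile"
    if vendor not in APPROVED_VENDORS or vendor != entry["vendor"]:
        return "vendor not approved for this component"
    if version != entry["version"]:
        return "version drift"
    if sha256_hex(data) != entry["sha256"]:   # compare bytes, not the version label
        return "hash mismatch"
    return "ok"

def load_all(fetched: Dict[str, Tuple[str, str, bytes]], lock=LOCK) -> Dict[str, str]:
    """Verify every fetched component; refuse to start if any single one fails."""
    results = {name: verify(name, ver, vendor, data, lock)
               for name, (ver, vendor, data) in fetched.items()}
    for name in set(lock) - set(fetched):
        results[name] = "required component missing"
    if any(r != "ok" for r in results.values()):
        raise RuntimeError("refusing to start: %s" % results)
    return results

if __name__ == "__main__":
    print(load_all(REVIEWED))   # all "ok" when production matches the review
```

The digest is the real control: a vendor can re-publish "1.4.2" with different weights, and only the hash catches it. The same lock file is also the starting point for an exit plan, since it lists every external component and its vendor in one place.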

Geopolitics, IT/OT, and post-quantum cryptography

Cybersecurity in 2026 will also be shaped by a more hostile geopolitical landscape. KPMG notes that digital defenses and physical assets are vulnerable to potential attacks from hostile states. This impacts sectors like energy, transportation, industry, healthcare, telecommunications, government, and financial services. Security will shift from solely data protection to encompassing operational continuity.

The increasing interconnection between IT and OT amplifies this pressure. Embedded sensors, IoT devices, industrial plants, and digitalized physical environments make the boundary between cyber and physical increasingly indistinct. An incident might no longer be limited to data loss or application downtime; it could affect production, personnel safety, logistics, maintenance, or supply chains.

The report also underscores that post-quantum cryptography is a priority that cannot be postponed. The prospect of quantum computers breaking today's public-key algorithms (RSA, elliptic-curve and Diffie-Hellman key exchange) compels organizations to inventory their cryptography, assess exposure, and plan migrations. For defense, banking, or critical infrastructure sectors, this is a strategic necessity rather than a technical fad. Data encrypted today can be captured and stored, then decrypted once quantum capabilities mature ("harvest now, decrypt later"), so the deadline is set by how long the data must stay protected, not by the date of a quantum breakthrough.

Migrating to post-quantum cryptography will be complex due to its impact on certificates, legacy systems, communications, devices, embedded software, vendors, and long-term processes. It’s insufficient to simply swap algorithms in modern applications; organizations must understand where cryptography is used, which data must remain protected for decades, and which systems cannot be easily upgraded.
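The three questions at the end of the paragraph (where cryptography is used, which data must stay protected for decades, which systems cannot be upgraded) are exactly the columns of a crypto inventory, and the triage that follows from them can be written down. The added example below is not from the KPMG report; it goes one step beyond the text by applying Mosca's rule of thumb (data lifetime plus migration time compared with the assumed arrival of a cryptographically relevant quantum computer), which the article does not name. The horizon, the inventory and the system names are constructed assumptions, not forecasts.

```python
"""Crypto-inventory triage for the post-quantum migration.

Added example; not from the KPMG report. Algorithms broken by Shor's algorithm
(RSA, DH, ECDH, ECDSA, EdDSA) are separated from ones with no known quantum
break. For each vulnerable use, the years the protected data (or signature)
must remain trustworthy plus the years migration will take are compared with
an assumed horizon (Mosca's rule of thumb). Horizon and inventory are assumed.
"""
from typing import Dict, List

HORIZON_YEARS = 10   # assumption for the example; pick your own planning horizon

SHOR_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA", "EdDSA"}
NO_KNOWN_QUANTUM_BREAK = {"AES-256", "ChaCha20", "SHA-256", "SHA-384",
                          "ML-KEM", "ML-DSA", "SLH-DSA"}

def triage(rec: dict, horizon: int = HORIZON_YEARS) -> str:
    """Classify one inventory record into a migration status."""
    alg = rec["algorithm"]
    if alg in NO_KNOWN_QUANTUM_BREAK:
        return "no action"
    if alg not in SHOR_VULNERABLE:
        return "inventory gap: unknown algorithm"
    # data_lifetime_years: for confidentiality, how long captured ciphertext must
    # stay secret; for authentication, how long a signature must stay trustworthy
    # (0 for handshakes and short-lived tokens checked once).
    exposure = rec["data_lifetime_years"] + rec["migration_years"]
    if exposure >= horizon:
        if rec["use"] == "confidentiality":
            return "migrate now: harvest-now-decrypt-later exposure"
        return "migrate now: signatures must stay trustworthy past horizon"
    if not rec["upgradeable"]:
        return "plan replacement: cannot be upgraded in place"
    return "schedule migration"

def triage_inventory(records: List[dict], horizon: int = HORIZON_YEARS) -> Dict[str, str]:
    return {r["system"]: triage(r, horizon) for r in records}

# Constructed inventory; systems and figures are hypothetical.
INVENTORY = [
    {"system": "site-to-site VPN", "algorithm": "ECDH", "use": "confidentiality",
     "data_lifetime_years": 5, "migration_years": 2, "upgradeable": True},
    {"system": "archived medical records (key wrap)", "algorithm": "RSA", "use": "confidentiality",
     "data_lifetime_years": 30, "migration_years": 3, "upgradeable": True},
    {"system": "TLS server auth", "algorithm": "ECDSA", "use": "authentication",
     "data_lifetime_years": 0, "migration_years": 2, "upgradeable": True},
    {"system": "firmware signing for field devices", "algorithm": "ECDSA", "use": "authentication",
     "data_lifetime_years": 15, "migration_years": 4, "upgradeable": False},
    {"system": "backup encryption", "algorithm": "AES-256", "use": "confidentiality",
     "data_lifetime_years": 10, "migration_years": 0, "upgradeable": True},
    {"system": "legacy PLC link", "algorithm": "vendor-proprietary", "use": "confidentiality",
     "data_lifetime_years": 1, "migration_years": 5, "upgradeable": False},
    {"system": "smart-meter fleet", "algorithm": "RSA", "use": "confidentiality",
     "data_lifetime_years": 2, "migration_years": 6, "upgradeable": False},
]

if __name__ == "__main__":
    for system, status in triage_inventory(INVENTORY).items():
        print("%-40s %s" % (system, status))
```

The two items that surface as "migrate now" are the ones the paragraph is about: the archive whose contents must stay secret for 30 years, and the field devices whose signatures must be trusted for 15; both exceed the horizon before migration even starts. The VPN and TLS entries are vulnerable but within reach, the meter fleet is flagged for replacement rather than upgrade, and the proprietary PLC cipher is recorded as an inventory gap rather than silently treated as safe.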

The evolving role of the CISO: more influence but also more pressure

The CISO’s role continues to expand. It’s no longer enough to report incidents, manage tools, and present technical metrics. Security is now embedded in innovation, compliance, operations, AI, supply chains, resilience, and strategic planning. The CISO must translate technical risk into business language while preventing organizational resistance to adopting necessary technologies.

Striking this balance will be challenging. Leadership seeks automation, AI, efficiency gains, and deployment of agents. Security teams must enable these initiatives without opening unmanageable attack surfaces. The default response cannot be to block everything, nor to accept every integration unconditionally. KPMG advocates building trust and fostering innovation, which requires governance, architecture, observability, and operational capacity.

Observability will be one of the most significant changes. For AI systems, monitoring isn’t limited to the model itself but must encompass the full action cycle: what data the agent retrieves, which tools it calls, the memory it creates, decisions it makes, permissions it uses, and actions it executes. This will require new logs, SIEM integration, tailored playbooks, and teams capable of interpreting incidents that depart from traditional patterns.

Training will also be crucial. Protecting AI with teams untrained in model security, RAG, agents, prompt injection, persistent memories, or AI red teaming risks poorly designed controls. Security in AI demands hybrid profiles, labs, simulations, and targeted practices.

The message for 2026 is clear but challenging: cybersecurity cannot continue operating with workflows, controls, and structures designed for a world before agent-based AI. Organizations treating these changes as isolated issues will be late; those viewing them as structural evolution will be better positioned to innovate without losing control.

Frequently Asked Questions

What are the main cybersecurity priorities for 2026?
KPMG identifies eight areas: autonomous security, geopolitics and compliance, AI system protection, non-human identities, IT/OT hyperconnectivity, post-quantum cryptography, supply chain security, and expanding the role of the CISO.

Why does AI fundamentally change cybersecurity?
Because it introduces agents capable of acting, RAG architectures connected to corporate data, new attack surfaces, greater automation, and increased speed for both defenders and attackers.

What are non-human identities?
Service accounts, machine credentials, bots, AI agents, APIs, and automation that access systems and data without being direct human users.

What should companies do now?
Inventory agents and models, review permissions, accelerate patching, enhance observability, prepare for post-quantum migration, control AI supply chains, and develop specialized AI security teams.
