Express Computer

Cybersecurity in 2026: From AI hype to resilience, speed and exposure management

As organisations move into 2026, cybersecurity priorities are undergoing a visible shift, from experimentation with new technologies to a sharper focus on resilience, speed and exposure reduction. According to perspectives shared by security leaders at Tenable, the coming year will be less about chasing novelty and more about adapting operating models to the realities of AI-accelerated threats and increasingly complex digital environments.

One of the most significant changes anticipated is the evolution of how organisations approach artificial intelligence in security operations. Bob Huber, Chief Security Officer at Tenable, argues that the industry is moving beyond the experimentation phase of generative AI and into a more pragmatic era of agentic AI.

“We are moving past the novelty phase of Generative AI into the utility phase of Agentic AI. As a result, I anticipate seeing more and more CISOs shift their mindset from buying AI tools to building their own to fit their unique organisational needs. When implemented and designed with care, custom-made AI tools will transform security operations and alleviate pain points that lead to burnout. CISOs’ mindsets are shifting in 2026.”

This shift, however, does not imply unchecked automation. Instead, it reflects a growing recognition that security teams need tailored capabilities that align with their environments, workflows and risk tolerance, rather than one-size-fits-all tools.

Rethinking long-held security assumptions

Another change expected in 2026 is a reassessment of long-standing security practices, particularly around automation. Huber believes the industry is reaching a point where traditional caution around automatic remediation may no longer be sustainable.

“Automatic remediation, mobilisation, and mitigation are no longer forbidden. For years, teams have been hesitant to automatically remediate, but I believe that to keep pace with the threat and expansion of the attack surface, teams will start to defy that long-held belief that automatic is forbidden. This is also a commonly held cybersecurity assumption or outdated practice.”

As attack surfaces expand and threats move faster, the balance between control and speed is becoming harder to maintain. For many organisations, this may mean accepting calculated automation in areas where manual response can no longer keep up.

Resilience takes centre stage

Beyond AI and automation, resilience is emerging as a board-level concern. High-profile outages over the past year have underscored how operational disruptions can quickly escalate into reputational and financial crises.

“Next year, resilience will bubble up as a critical business objective. Global-scale outages, such as those experienced by Cloudflare, Amazon, Microsoft, and CrowdStrike, have highlighted just how damaging downtime is to both the bottom line and brand reputation. As a result, the focus will expand beyond avoiding an outage to include ensuring operations can be restored before it goes viral on Twitter. This is also an overlooked issue that may bubble up next year and take over mindshare.”

This signals a shift from purely preventive thinking to recovery-centric strategies, where the speed and effectiveness of restoration become as important as stopping incidents in the first place.

AI accelerates attacks, but doesn’t reinvent them

While AI continues to dominate security discussions, Eric Doerr, Chief Product Officer at Tenable, offers a more grounded assessment of its impact on threat techniques.

“There will be no new attack vectors in 2026. AI is not a magic wand; it supercharges traditional attack methods. It will drive down the cost of attack generation and increase the volume, and it might even find a new zero day or two, but it’s not finding novel attack techniques. At the end of the day, cybersecurity is a numbers game and AI broadens the attackers’ canvas. Basic cyber hygiene remains the best defence.”

According to Doerr, the real danger lies not in new forms of attack, but in the pace at which existing ones can now be executed. This acceleration compresses response windows to the point where reactive models struggle to remain effective.

“The biggest threat to organisations is acceleration. Organisations that do not prioritise and accelerate their proactive security programs to counter the speed of AI-fueled attacks are at heightened risk. The who, what, how and why of an attack does not matter because AI-fueled attacks start and end before a ticket is even created. Proactive defense makes speed obsolete.”

Consolidation and exposure management reshape cloud security

Cloud security is also expected to undergo structural change. Liat Hayun, SVP Product Management and Research at Tenable, predicts that tool consolidation will redefine how organisations manage cloud risk.

“Cloud Security Posture Management (CSPM) will disappear as a standalone category in 2026. Under pressure to cut tool sprawl and duplicated spend, CISOs will consolidate identity risk, posture, runtime, and network context – a shift only unified exposure management platforms can deliver.”

A critical driver behind this consolidation is the rise of non-human identities (NHIs), which Hayun describes as an emerging dominant risk factor.

“Non-Human Identities (NHIs), now outnumbering humans by 80:1, will decisively become the number one cloud breach vector. The core problem is no longer misconfigurations or missing patches. It’ll be billions of unseen, over-permissioned machine identities that attackers (or autonomous agentic AI) will leverage for silent, undetectable lateral movement.”

As a result, she expects CISOs to redirect spending towards permissions governance and identity cleanup efforts, as traditional cloud security approaches struggle to keep pace with machine-identity sprawl.

Hayun also cautions against over-reliance on runtime-only security models.

“The 2025 hype that runtime detection is the only thing that matters and could replace posture or identity analysis will fade in 2026. Runtime-only tools miss most attack paths because identity abuse and misconfigurations occur long before anything reaches runtime. Runtime will remain important, but it won’t replace CNAPP or exposure management; it’ll be another data source inside a broader prevention-first approach.”

Agentic security: promise deferred, not denied

Despite growing interest in agentic security tools, Hayun does not expect widespread adoption in the near term.

“Despite the hype, agentic security tools won’t see meaningful adoption in 2026. Most organisations won’t be ready to hand real security decisions over to AI given gaps in data quality, platform consolidation, governance, and trust. 2026 will be a year of small pilots and controlled experiments, laying the groundwork for a genuine breakout that will be seen in early 2027.”

The bigger picture

Taken together, these perspectives suggest that 2026 will be less about radical new threats and more about operational maturity. CISOs will be forced to confront uncomfortable realities: automation trade-offs, identity sprawl, resilience gaps and the sheer speed of AI-enabled attacks. The organisations that succeed are likely to be those that focus less on chasing tools and more on building coherent, exposure-aware security strategies that can operate at machine speed.
