2026 predictions: Agentic AI is breaking identity and data security as we know it

AI has changed how work gets done and how risk materializes. What once felt experimental is now operational: GenAI in the hands of employees, autonomous agents executing workflows and sensitive data moving across SaaS and GenAI apps, clouds, on-prem systems, endpoints and emails at machine speed.

As we look toward 2026, security leaders will be forced to confront a hard truth. In an AI-driven world, treating data and identity as isolated silos will break all the models we know, creating blind spots that are easy to miss and hard to manage.

Historically, identity and data lived in separate domains. Different teams. Different tools. Different success metrics. Identity answered who could access systems. Data security focused on what was being accessed. Together, they defined when and where access occurred.

AI breaks that model.

AI agents operate across identity and data simultaneously. They act, generate, analyze and transmit sensitive information, sometimes without a human in the loop. Risk no longer fits neatly into IAM or DLP alone.

Looking ahead to 2026, I think we will see 5 trends in cybersecurity. Each points to the same imperative: security must become more unified, more adaptive and more context-aware.

As environments grow more complex, security will come full circle.
In 2026, organizations will realize that most modern controls are abstractions layered on top of two foundational truths: who or what is acting and what data is being used. Networks, perimeters and destinations will matter less than identity and data context.

Identity defines intent and accountability.

Data defines value and risk.

Everything else becomes an implementation detail.

This shift won’t be nostalgic. It will be pragmatic. AI introduces too much speed and autonomy for surface-level controls to keep up, forcing security teams to rethink what they anchor on.

Traditional security assumes predictable behavior. But AI is a 'non-deterministic' wild card.

AI agents and systems learn, adapt and evolve. They introduce risk that static policies and Boolean logic can’t keep up with. Rules like “if X, then block Y” will generate more noise than signal as AI-driven workflows accelerate.

In 2026, organizations will move away from rigid policies toward adaptive risk models. These models will evaluate behavior, identity (human, non-human, AI systems, agents) and data sensitivity in real time, factoring in context rather than relying on predefined assumptions.

Instead of guessing risk based on patterns, column headers or lineage alone, security systems will understand content and intent and respond accordingly.

The role of the CISO is definitely changing and this will only accelerate in 2026.

For years, security leaders were positioned as gatekeepers, responsible for saying no to risky behavior. In the era of AI, that posture won’t scale. The mission won’t be to stop everything. It’ll be to guide innovation safely.

In 2026, effective CISOs will focus on designing trust into systems that enable their business to thrive. That means embedding policy awareness into AI workflows, enabling agents to operate autonomously while respecting data sensitivity, compliance requirements and ethical boundaries.

Security will become a design discipline, not just a control function.

Agentic AI will move from experimentation to execution faster than most organizations expect.

Next year, AI agents won’t just assist users. They’ll provision access, move data, generate content and make decisions on behalf of the business and its people. Adoption will accelerate because the value is real.

Reliability will lag.

Early deployments will suffer from over-privileged agents, incomplete context and weak guardrails. The result won’t always be dramatic breaches. It’ll be frequent, subtle failures: unintended data exposure, policy drift and autonomous actions that violate intent without malicious behavior.

The problem won’t be AI itself. It will be the lack of sufficient context or understanding of how a non-deterministic system operates at scale in the organization.

In 2026, AI regulation will become a reality.

It won’t be elegant. It won’t be uniform. But federal, state and local governments will introduce guidelines focused on accountability, explainability and data protection. These rules won’t dictate architectures, but they’ll demand clearer answers to basic questions: Who acted? What data was used or exposed? Why was a decision made?

Organizations relying on opaque, siloed controls will struggle to respond, especially as regulatory expectations continue to evolve.

As we move into 2026, the lines between user and agent, access and action, data content and context and traditional IT environments will continue to blur.

What matters isn’t visibility or control in isolation. It’s understanding risk continuously and in real time. Identity and data are no longer separate problems. They’re part of the same challenge and must be part of the same solution.

Companies that embrace convergence and enable innovation with trust will unlock a new era of resilience, productivity and innovation for their overall business.

And in 2026, security leaders will be at the helm of this transition.