Cybersecurity threats are becoming more sophisticated, more automated, and more intelligent, as well as harder to detect.
At the same time the enterprise attack surface CISOs are tasked to defend continues to expand.
That’s the reality security chiefs face in 2026 — a reality that has CISOs reordering their priorities for the year ahead.
Preparing for and defending against AI-enabled attacks is high on CISOs’ to-do list this year. As is securing their organization’s own AI deployments and advancing the use of AI in security operations.
Those priorities are in addition to many longstanding security undertakings as well as emerging areas of concern that will also dominate the CISO agenda in the upcoming year. Security leaders say these priorities reflect the ever-increasing challenges of defending their organizations.
Doubling down on core security tasks
Although AI has emerged as a top issue for security leaders, Foundry’s Security Priorities Survey recently found that CISOs remain focused on several core security tasks, with strengthening data protection the No. 1 priority, cited by 48% of security chiefs.
Amit Levinstein, who is both a CISO and a CISO advisor, specifically calls out data protection as a top priority for his own organization and his clients’ security departments.
Levinstein, CISO and vice president of professional services at cybersecurity firm CYE, acknowledges that data protection has been a key security task for a long time but says it has become more challenging in the age of AI, as the technology “creates a lot of different risks from a data leakage perspective.”
To counteract those risks, Levinstein relies on strong AI usage policies, robust AI governance, and employee training to establish and enforce when AI can be used and with what data and security controls.
To do this effectively, he says he and other CISOs must “understand what the business is doing, understand the business’ priorities and then devise the right approach.”
Other longstanding core security tasks CISOs list as top priorities include securing cloud data and systems, simplifying IT security infrastructure, and improving threat intelligence operations.
Other top 10 priorities from the Foundry survey include enhancing security awareness through end-user training; streamlining compliance and privacy efforts; reducing spending; and assuming responsibility for risks presented by operational technology systems, IoT devices, and/or endpoints.
Prepping for AI-enabled attacks
Although conventional tasks dominate the CISO priorities in the Foundry survey, interviews and other research show that AI-related issues are also high on the CISO priority list.
For example, 53% of security leaders ranked AI-enabled cyber threats as a top-three organizational risk in a global survey conducted by Boston Consulting Group. BCG also reported that 60% of organizations have likely experienced an AI-powered cyberattack in the past year, although only 7% have installed AI-driven cyber defense tools.
“Offense is scaling faster than defense. AI is accelerating attack capabilities far more quickly than organizations can strengthen their defenses,” BCG notes in its report.
While hype over AI-enabled threats has come under scrutiny, security experts warn that ignoring AI in the threat chain could be costly for CISOs, given the rise of real-world AI security threats in the wild.
Rolling out AI to enhance security operations
Although a sliver of organizations surveyed by BCG have deployed AI-driven cyber defense tools, the vast majority (88%) plan to implement them.
Foundry similarly found in its survey that 38% of security leaders listed accelerating use of AI to improve security effectiveness as a priority.
Aaron Momin, CISO of Synechron, a digital transformation consulting and solutions firm, sees AI as an essential security tool.
“CISOs are prioritizing AI systems that detect and neutralize cyber threats without humans in the loop to reduce the time to respond,” he says. “When AI-powered attacks hit in milliseconds, human-speed response is inadequate and requires AI to fight against AI.”
Momin also has prioritized deploying autonomous AI agents in security, noting that “these agents are expected to execute tasks on their own, such as automating access revocation based on risk factors or blocking the cyber threat before propagation. It comes down to speed. Attackers are using AI to iterate on their attacks faster than any human analyst can triage an alert.”
Securing enterprise AI deployments
Security experts say AI-enabled security operations and the speed AI brings are also critical for defending their organization’s growing AI deployments and the expanded attack surface those deployments create.
“AI is a big bang for the attack surface. The models are expanding the surface so quickly,” says Deloitte’s U.S. cyber AI leader Mark Nicholson.
Nicholson says the growing use of AI doesn’t change the fundamental responsibilities of the security program, “but it does change the urgency and the way security needs to be implemented. CISOs now see embedding cybersecurity and trust and transparency in the AI development process as a priority. CISOs must have as a priority secure AI and trust in AI by design.”
Reining in shadow AI
CISOs acknowledge they must also confront the risks that unsanctioned AI deployments create.
“When you look at risks of shadow AI, you’re looking at loss of control of data, an expanded attack surface, compliance and regulatory risk, lack of control and visibility, loss of intellectual property, and reputational damage,” says Lina Dabit, executive director of the CISO office at Optiv Canada. “And there is also the risk of inaccurate and biased outcomes, because if your employees aren’t using AI through a sanctioned process, then the question also becomes where are they getting their information from [to feed to the shadow AI system] and how reliable is it.”
CISOs are monitoring their environments for shadow AI and educating the workforce on its risks, Dabit says, but many continue to encounter uses of unsanctioned AI in their organizations.
Some research predicts the security risks of shadow AI will be an even bigger issue in the coming year. Researchers for Google Cloud Security’s Cybersecurity Forecast 2026 report write that “by 2026, we expect the proliferation of sophisticated AI Agents will escalate the ‘Shadow AI’ problem into a critical ‘Shadow Agent’ challenge. In organizations, employees will independently deploy these powerful, autonomous agents for work tasks, regardless of corporate approval. This will create invisible, uncontrolled pipelines for sensitive data, potentially leading to data leaks, compliance violations, and IP theft.”
Google researchers say that “banning agents is not a viable option, as it only drives usage off the corporate network, eliminating visibility.” Instead, they advise “a new discipline of AI security and governance” and, like Nicholson, advocate for “a secure-by-design approach, integrating protection from the start.”
Rethinking identity and access management
The growing use of AI has CISOs in 2026 prioritizing another longstanding area of security work: identity and access management. This came in No. 6 on Foundry’s survey of top CISO priorities for the coming year.
Jon France, CISO of ISC2, a cybersecurity training and certification organization, says there’s a heightened importance to identity management as organizations start to deploy agentic AI — a move that will require organizations to manage “not just human identities but thing identities as well.”
France is using zero trust and multifactor authentication to help ensure only authorized entities — whether humans or machines — gain access to systems. He’s also evaluating the use of passkeys instead of tokens for authentication.
Still, he recognizes that he and others face a big challenge around identity and access management as agents become more common, because the proliferation of agents introduces more potential for some agents to gain unauthorized permissions to access systems from other agents in the chain.
Defending against deepfakes
Mike Baker, CISO at DXC Technology, is also prioritizing identity — but he’s specifically concerned with verifying the identity of people in an era of deepfakes.
“We want to make sure the person you’re talking to or emailing is really the person you think it is,” he says, noting that AI advancements enable hackers to make a deepfake that is nearly indistinguishable from the real McCoy.
Baker says he’s using various security tools (including multimodal authentication) and strategies (such as employee training) to counteract the deepfake threat and help ensure his organization’s employees can spot a deepfake scam.
Tackling third-party management
Baker also lists improving third-party risk management as a priority. It’s one shared by many CISOs, coming in at No. 11 on Foundry’s survey.
Third-party risk has always been there, France says, but it’s coming to the fore as organizations have an increasing number of suppliers and an increasing reliance on them to operate. Major outages at AWS, Azure, and Cloudflare in 2025 should indicate to all organizations the importance of strengthening third-party risk management, he says.
Baker adds that AI also fuels the need to improve third-party risk management practices. As a CISO, he wants to understand the AI models built into the software products his organization is using to ensure they’re protecting his company’s data, that their models are secure, and that they’re reliable.
Bolstering resiliency
France says third-party risk management can also bolster corporate resiliency — another priority for him and other CISOs. It came in at No. 13 on Foundry’s CISO priorities list.
Research firm Gartner lists resiliency as one of three key themes for CISOs in 2026, noting that “cyber resilience goes well beyond IT recovery plans — it includes legal, public relations, market disclosures, and supplier readiness. It’s about full, end-to-end coordination and readiness across departments.”
Aaron McCray, field CISO for technology solutions and services company CDW, says more CISOs are focused on resiliency as security leaders work to align with business strategy and see security as a business enabler.
“CISOs are looking at how they can recover from operational events, not just cyber events; they’re looking at how to retain functions during crises and how to restore functions in real time,” McCray adds.
Grappling with geopolitical risk
CISOs in 2026 are paying more attention to geopolitical risks, says Betsy Soehren Jones, a partner at technology consulting firm West Monroe.
There is good reason for the heightened interest in international affairs, as global events can spur those nation-states already engaged in cyberattacks to ramp up their activities, Soehren Jones explains. Global events can also disrupt supply chains and resources, including offshore workers and software services, she adds, which can have implications for CISOs and their teams.
Soehren Jones, who formerly worked as director of security strategy at an energy company, advises CISOs to join intelligence communities, such as industry ISACs, as well as to review White House executive orders, federal directives, and similar material to glean information on emerging geopolitical risks and threats.
She also advises CISOs to work with their company’s federal affairs office, if their company has one, to better understand and prepare for the global issues that concern the company. CISOs should also work with trade associations and follow the US Chamber of Commerce to stay abreast of geopolitical risks, she adds.
PwC’s 2026 Global Digital Trust Insights found that 60% of the 3,887 business and tech executives across 72 countries surveyed for the study ranked cyber risk investment in their top three strategic priorities in response to ongoing geopolitical uncertainty.