8 things CISOs can’t afford to get wrong in 2026

Cybersecurity leaders have a lot to consider when trying to keep their organizations safe. But some things stand out more than others — or might be under the radar.

As a new year dawns, here are some things CISOs should avoid falling short on in 2026.

Get complacent about identity controls in the face of rising AI agents

The deployment of AI agents is growing rapidly, as enterprises look to take advantage of the automation and efficiency they offer. The global AI agents market size was estimated at $5.40 billion in 2024 and is projected to reach $50.31 billion by 2030, according to Grand View Research.

The increased use of AI agents presents a cybersecurity challenge for enterprises, especially in terms of identity controls. Potential threats include identity spoofing and over-permissioned access. Cyber criminals can exploit agents through prompt injection or malicious instructions to bypass controls and gain unauthorized access to systems and applications.

“Get identity — including AI agents — right and you control who can do what at machine speed,” says Morgan Adamski, deputy leader for cyber, data, and tech risk at consulting firm PwC.

“Adversaries increasingly log in, not break in, and AI agents are now making real changes to systems and data,” Adamski says. “What leaders can’t afford to miss is treating every human, workload, and agent as a managed identity, setting them up with their own accounts, phishing-resistant MFA [multi-factor authentication], minimum access for only as long as needed, passwords/keys that change automatically, and monitoring for odd permission changes or hijacked sessions.”

Enterprises need to build AI-agent governance into everyday workflows so that teams can move quickly without losing control, Adamski says. For example, require hardware-backed MFA for administrators, expire elevated privileges by default, and register each new agent as an application with its own policies.
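The controls listed above can be checked mechanically against an identity inventory and its audit trail. The Python script below is an added example, not code from the article or from PwC; it assumes a hypothetical inventory shape (the `Identity` class, the role names, the MFA method names and the change-ticket field are all constructed) and applies the same rules to every human, workload and agent: phishing-resistant MFA for privileged humans, time-bound elevation, credential rotation, and flagging of role grants that add privilege or arrive without an approved change ticket.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Set

# Assumed policy constants (hypothetical values, not from the article).
PHISHING_RESISTANT_MFA = {"fido2", "passkey", "smartcard"}
PRIVILEGED_ROLES = {"owner", "admin", "security-admin"}
MAX_CREDENTIAL_AGE = timedelta(days=90)


@dataclass
class Identity:
    """One managed identity: a person, a workload or an AI agent."""
    name: str
    kind: str                            # "human", "workload" or "agent"
    mfa: Optional[str]                   # MFA method on record; None for key-based principals
    roles: Set[str]
    elevated_until: Optional[datetime]   # expiry of privileged roles; None means standing access
    credential_rotated: datetime         # last password/key rotation


def audit_identities(identities, now):
    """Return (identity name, problem) pairs for every control violation found."""
    findings = []
    for ident in identities:
        if ident.roles & PRIVILEGED_ROLES:
            # Humans holding privilege must use a phishing-resistant factor.
            if ident.kind == "human" and ident.mfa not in PHISHING_RESISTANT_MFA:
                findings.append((ident.name, "privileged human without phishing-resistant MFA"))
            # Elevation must carry an expiry, and an expired elevation must be gone.
            if ident.elevated_until is None:
                findings.append((ident.name, "standing privilege with no expiry"))
            elif ident.elevated_until < now:
                findings.append((ident.name, "expired elevation still assigned"))
        # Keys and passwords rotate on a schedule regardless of identity kind.
        if now - ident.credential_rotated > MAX_CREDENTIAL_AGE:
            findings.append((ident.name, "credential past rotation window"))
    return findings


def flag_permission_changes(events, approved_tickets):
    """Flag role grants that add a privileged role or lack an approved change ticket."""
    alerts = []
    for ev in events:
        if ev.get("action") != "role_grant":
            continue
        if ev["role"] in PRIVILEGED_ROLES or ev.get("ticket") not in approved_tickets:
            alerts.append((ev["target"], ev["role"], ev["actor"]))
    return alerts


# Constructed sample data for the demo (not real accounts or logs).
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
SAMPLE_IDENTITIES = [
    Identity("alice", "human", "fido2", {"admin"}, NOW + timedelta(hours=4), NOW - timedelta(days=30)),
    Identity("bob", "human", "sms", {"owner"}, None, NOW - timedelta(days=10)),
    Identity("invoice-agent", "agent", None, {"reader"}, None, NOW - timedelta(days=120)),
    Identity("deploy-agent", "agent", None, {"admin"}, NOW - timedelta(days=1), NOW - timedelta(days=5)),
]
SAMPLE_EVENTS = [
    {"action": "role_grant", "target": "invoice-agent", "role": "reader", "actor": "iam-pipeline", "ticket": "CHG-1001"},
    {"action": "role_grant", "target": "invoice-agent", "role": "admin", "actor": "bob", "ticket": "CHG-1001"},
    {"action": "role_grant", "target": "deploy-agent", "role": "reader", "actor": "bob", "ticket": None},
    {"action": "login", "target": "alice", "actor": "alice"},
]
APPROVED_TICKETS = {"CHG-1001"}

if __name__ == "__main__":
    for name, problem in audit_identities(SAMPLE_IDENTITIES, NOW):
        print(f"FINDING {name}: {problem}")
    for target, role, actor in flag_permission_changes(SAMPLE_EVENTS, APPROVED_TICKETS):
        print(f"ALERT role {role} granted to {target} by {actor}")
```

Running the script reports four inventory findings (bob's SMS factor and standing ownership, the stale key on `invoice-agent`, and the expired elevation still attached to `deploy-agent`) and two change alerts; the point is that agents and humans pass through one audit path rather than separate, weaker rules for non-human identities.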

“Identity and access controls for AI agents and AI platforms are one of the most important areas of concern for CISOs,” says Jason Stading, director at global technology research and advisory firm ISG. “Right now, permissions and access rights for AI are a black box in many areas. We will see a major push over the next couple of years for tools and methods for more transparency and control in this area specifically.”

Ignore increasingly complex supply chains

Supply chains have been a growing area of risk for enterprises, given the rise of digital business and the growing complexity of supply chains in today’s global business market.

This area is particularly important for companies in the manufacturing, retail, and logistics sectors. “In 2026, CISOs who overlook cybersecurity in complex supply chains and manufacturing environments risk catastrophic consequences,” says Greg Zelo, CTO of AMFT, a provider of metal products and components.

“Modern manufacturing is no longer confined to a single plant; it’s a web of interconnected suppliers, IoT [internet of things]-enabled machinery, and cloud-driven production systems,” Zelo says. “This complexity creates an expansive attack surface where one weak link can cripple entire operations.”

Recent incidents underscore the stakes, Zelo says. For example, in September 2025, Jaguar Land Rover suffered a supply chain cyberattack that halted production across the UK, Slovakia, India, and Brazil for weeks, costing an estimated $2.5 billion, he says. “The breach rippled through hundreds of suppliers, triggering layoffs and bankruptcies,” he adds. “This wasn’t just an IT failure; it was an operational crisis that exposed how deeply interdependent global manufacturing has become.”

Attackers increasingly target operational technology (OT) systems that control robotics, assembly lines, and quality checks because halting production forces companies to pay ransoms quickly, Zelo says.

“Beyond financial losses, the risks extend to intellectual property theft, regulatory penalties, and national security concerns,” Zelo says. “For CISOs, the lesson is clear: Traditional perimeter defenses are obsolete. Securing complex supply chains requires zero-trust architectures across IT and OT environments, continuous monitoring of third-party risk, including firmware and software updates, rapid patching and segmentation to isolate critical systems, [and] incident response drills involving suppliers and contractors.”

Downplay escalating geopolitical tensions

It’s easy to imagine CISOs being so laser focused on protecting their organizations from external and internal threats that they take their eyes off geopolitical tensions. Or maybe they dismiss them as being irrelevant to the cybersecurity issues at hand for their organizations. Either way, it’s a big mistake.

“Building systemic scenarios into organizational cyber resiliency plans is very important,” ISG’s Stading says. “This should include global developments and geopolitical friction that may affect the business.”

There is also an increasing push for industry-specific threat intelligence to give enterprises tailored indicators of compromise that might affect their business and their assets, Stading says. “Some of this can stem from potential advanced, persistent threats from malicious nation-states.”

The increasing intersection of cybersecurity and geopolitics is a reality, says AJ Thompson, chief commercial officer at IT consultancy Northdoor.

“Cyber attacks via nation-state actors are part of much larger conflicts that target critical infrastructure and global supply chains,” he says. “Failure to incorporate geopolitical intelligence into threat modeling disproportionately exposes organizations to high-impact state-sponsored cyberattacks.”

In addition, unintended involvement in such events can also have severe regulatory and reputational consequences, Thompson notes.

Be lax about organizational cloud use

As use of cloud services continues to increase, so do the security and privacy risks associated with the cloud. If CISOs neglect this area of cybersecurity they risk exposing their organizations to attacks.

“This is important for both cloud services and AI tools, which are often cross-pollinated with each other,” Stading says. “Appropriate and modern security awareness and training tied to roles and responsibilities is key, and it needs to factor in usage of AI tools and technologies that are so prevalent in the workplace now.”

There is often a lack of training and education for cloud administrators and engineers around proper cloud security practices and procedures, Stading says. “Tool adoption and usage is also a key area many cloud teams are trying to improve,” he says. “Many organizations have invested in security tooling for clouds that is underutilized.”

The traditional security perimeter no longer exists, “especially with multicloud adoption,” Thompson says. “Organizations relying on reactive cloud security often miss sophisticated threats.”

Proactive cloud security posture management (CSPM) and clear user security guidelines are critical steps toward the prevention of costly breaches and operational disruptions, Thompson says. “Safe user practices must be instilled continuously in order to minimize risks from human error in complex cloud environments,” he says.

Overlook growing compliance burdens

Some companies, particularly in heavily regulated industries such as financial services and healthcare, have long faced the need to comply with data security and privacy regulations such as the Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA).

But these days, just about every type of business has to comply with a growing number of data privacy and protection laws around the world. Overlooking or underestimating these regulations could lead to fines and other repercussions.

“It’s true that heavily regulated organizations take on a lot of extra overhead for compliance activities, and compliance fatigue is not unheard of,” Stading says. “Because the CISO role has evolved over the past few years to take on more accountability and responsibility for compliance, CISOs really cannot afford to overlook or undervalue compliance efforts.”

CISOs at global enterprises in particular need to be up on the latest developments. “The regulatory landscape for cybersecurity in the UK and Europe is escalating rapidly,” Northdoor’s Thompson says. “Frameworks such as the GDPR [General Data Protection Regulation] and DORA [Digital Operational Resilience Act] are setting new benchmarks that require organizations to demonstrate not only documented controls, but also empirically verifiable cybersecurity effectiveness.”

Regulators will want to see robust evidence that cybersecurity and operational resilience are deeply embedded within all layers of business processes, rather than handled as a compliance checkbox, Thompson says.

“Equally important is the management of third-party risk, for which regulators increasingly hold organizations accountable,” Thompson says. “As supply chains become more complex and distributed, vulnerabilities from external providers represent serious compliance and security liabilities. Failure to integrate these regulatory expectations into security strategies proactively risks not just heavy financial penalties, but also operational disruption and lasting reputational harm.”

Underestimate AI chatbots and the legal exposure they create

AI chatbots are an emerging risk for data privacy, says Daniel Woods, principal researcher at Coalition, a cybersecurity insurance provider. In Coalition’s analysis of nearly 200 privacy-related claims and scans of 5,000 business websites, 5% of claims targeted chatbot technologies, he says.

“These claims alleged unlawful interception of customer conversations under state wiretap laws enacted long before such AI tools existed,” Woods says. “All the chatbot-related claims followed the same template, stating that the chat’s opening message should have disclosed that the conversation was being recorded.”

The claims alleged violation of the decades-old Florida Security of Communications Act, Woods says. About 5% of websites deployed chatbot technologies, which equates to the same percentage of web privacy claims that focused on chatbots, he notes.

“Chatbot use was particularly common in the IT and financial industries, with 9% and 6% of sites in these industries using chatbots, respectively,” Woods adds. There will likely be an increase in usage of these chatbots and therefore a potential increase in future claims, he contends.

“The risk of getting chatbots wrong is that these systems can be easily manipulated with tactics like prompt injection, which has been documented dozens of times leaking customer data,” Woods says.

Neglect to secure the cloud

By now, nearly every business relies on cloud services to support at least some of their operations. Neglecting the security of these services is asking for trouble.

“Cloud and SaaS will keep expanding — so pre-wire ‘golden’ landing zones with guardrails for identity, encryption, logging, and egress, and use policy-as-code so the compliant configuration is the default,” PwC’s Adamski says.

CISOs need to use tools to continuously inventory assets, spot misconfigurations, flag anomalous behavior, and auto-remediate where prudent, Adamski adds.
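Policy-as-code, as Adamski describes it, means the guardrails for encryption, logging, identity and egress are evaluated by a program rather than a checklist, with only the safe fixes applied automatically. The Python script below is an added example, not code from the article, PwC or any cloud provider; it assumes a hypothetical resource inventory (the resource types, attribute names and policy IDs are constructed) and separates detection from remediation so that a human still approves the changes that could break workloads.

```python
from copy import deepcopy


# Guardrail checks: each returns True when the resource is compliant.
def require_encryption(r):
    return r.get("encryption_at_rest") is True


def require_logging(r):
    return r.get("access_logging") is True


def deny_public_egress(r):
    return not r.get("allow_public_egress", False)


def deny_wildcard_principal(r):
    return "*" not in r.get("principals", [])


# Auto-fixes for the two settings that are safe to flip without review.
def fix_encryption(r):
    r["encryption_at_rest"] = True


def fix_logging(r):
    r["access_logging"] = True


# (policy id, resource types it applies to, check, auto-fix or None).
# Egress and identity fixes are left to a human: cutting them can break workloads.
POLICIES = [
    ("ENC-1", ("storage", "database"), require_encryption, fix_encryption),
    ("LOG-1", ("storage", "database", "network"), require_logging, fix_logging),
    ("NET-1", ("network",), deny_public_egress, None),
    ("IAM-1", ("storage", "database"), deny_wildcard_principal, None),
]


def evaluate(inventory):
    """Return one finding per failed (resource, policy) pair."""
    findings = []
    for r in inventory:
        for pid, kinds, check, fix in POLICIES:
            if r["type"] in kinds and not check(r):
                findings.append({"resource": r["name"], "policy": pid, "auto_fixable": fix is not None})
    return findings


def remediate(inventory):
    """Apply every auto-fixable policy to a copy and report what was changed."""
    fixed = deepcopy(inventory)
    applied = []
    for r in fixed:
        for pid, kinds, check, fix in POLICIES:
            if r["type"] in kinds and not check(r) and fix is not None:
                fix(r)
                applied.append((r["name"], pid))
    return fixed, applied


# Constructed sample inventory (hypothetical resources, not from the article).
SAMPLE_INVENTORY = [
    {"type": "storage", "name": "payroll-bucket", "encryption_at_rest": False,
     "access_logging": False, "principals": ["payroll-app"]},
    {"type": "network", "name": "prod-vpc", "access_logging": True, "allow_public_egress": True},
    {"type": "database", "name": "orders-db", "encryption_at_rest": True,
     "access_logging": True, "principals": ["*"]},
    {"type": "storage", "name": "logs-archive", "encryption_at_rest": True,
     "access_logging": True, "principals": ["siem"]},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY):
        print(f"{f['policy']} {f['resource']} auto_fixable={f['auto_fixable']}")
    fixed, applied = remediate(SAMPLE_INVENTORY)
    print("applied:", applied)
    print("remaining for review:", [(f["resource"], f["policy"]) for f in evaluate(fixed)])
```

Against the sample inventory the evaluator reports four findings; remediation clears the two encryption and logging gaps on `payroll-bucket` and leaves the public egress on `prod-vpc` and the wildcard principal on `orders-db` in a review queue. Running the same evaluator in the pipeline that creates resources is what makes the compliant configuration the default rather than an after-the-fact scan.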

“The act of firefighting alerts coming in from everywhere won’t keep up with multicloud sprawl and identity-centric attacks,” Adamski says. He recommends modernizing the security operations center with automation and AI to reduce the noise and correlate signals across cloud services.

Forget about the human factor

With so many cybersecurity tools and services in place, it’s easy to sometimes forget about the human side of cybersecurity. That can lead to all kinds of things going wrong.

“In my experience, the proximate cause of security breaches is usually human error,” says Beth Fulkerson, technology and cybersecurity partner at law firm CM Law. “Usually someone falls for a scam and opens the door [to] malicious code.”

It’s human nature to want to react to a message or open a document, and this is what gets users into trouble. “The primary solution is not more tech, but more training to help employees feel comfortable pushing back on requests for access to their machines or for information,” Fulkerson says.

An example of human error would be if someone fails to remember that a printer or fax machine is on a network, and does not install security protections or doesn’t remove it from the network, Fulkerson says.

“Another issue is failure to properly use the security technology available or already in place,” Fulkerson says. The most recent litigation she worked on involved a defendant that claimed it was using file integrity management software as required by the Payment Card Industry Data Security Standard (PCI DSS), but either didn’t set the alerts up or failed to heed the alerts.

“It doesn’t matter if a company has tremendous security software if they do not set it up correctly and maintain it,” Fulkerson says.
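Fulkerson's litigation example turns on two separate failures: the integrity monitor was never configured to alert, or its alerts went unread. The Python script below is an added illustration, not the article's code or any vendor's product; it assumes a hypothetical web root held in a temporary directory (the files are constructed) and shows both halves of a file integrity monitor: building a SHA-256 baseline and scanning for added, modified or deleted files, then routing the resulting alerts to a handler and refusing to run silently when none is wired up.

```python
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file (relative to root) to its current digest."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def scan(root, baseline):
    """Compare the tree against the baseline and return sorted (kind, path) alerts."""
    current = build_baseline(root)
    alerts = []
    for rel, digest in current.items():
        if rel not in baseline:
            alerts.append(("added", rel))
        elif baseline[rel] != digest:
            alerts.append(("modified", rel))
    for rel in baseline:
        if rel not in current:
            alerts.append(("deleted", rel))
    return sorted(alerts)


def dispatch(alerts, handlers):
    """Send every alert to every handler; fail loudly if no handler is configured."""
    if not handlers:
        raise RuntimeError("FIM alerts generated but no alert handler is configured")
    for handler in handlers:
        for alert in alerts:
            handler(alert)
    return len(alerts)


def demo():
    """Constructed scenario: baseline three files, then tamper with the tree."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("checkout.php", "<?php // original\n"),
                           ("config.ini", "debug=0\n"),
                           ("readme.txt", "site notes\n")):
            with open(os.path.join(root, name), "w") as f:
                f.write(body)
        baseline = build_baseline(root)

        # Simulated changes: one edit, one removal, one new file.
        with open(os.path.join(root, "checkout.php"), "a") as f:
            f.write("// appended line\n")
        os.remove(os.path.join(root, "config.ini"))
        with open(os.path.join(root, "dropped.php"), "w") as f:
            f.write("<?php // new file\n")

        return scan(root, baseline)


if __name__ == "__main__":
    found = demo()
    dispatch(found, [lambda a: print("ALERT", a[0], a[1])])
```

The scan itself is the easy part; `dispatch` is where the PCI DSS requirement is actually met or missed, since a monitor whose output reaches no queue, ticket or person is indistinguishable from one that was never installed. A production deployment would also protect the baseline file from the same write access it is watching for.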

Originally published as “8 things CISOs can’t afford to get wrong in 2026” on CSO Online.