In 2025, the industry conversation shifted from “security for AI/LLMs” to securing agentic platforms themselves. Early discussions focused on model risks such as prompt injection, hallucinations, and data leakage. But as enterprises moved beyond experimentation and began embedding AI into real workflows, the conversation rapidly shifted. LLMs stopped being static assistants or chatbots and began evolving into agents, capable of taking actions across systems, chaining tools together, and operating with increasing autonomy.

This shift reframed the security challenge: the problem was no longer just securing models, but governing the behavior, access, and execution of autonomous systems interacting with enterprise infrastructure. By the end of 2025, it became clear that the next phase of cybersecurity will center not simply on AI safety, but on securing agentic systems operating inside real enterprise environments.

As organizations began operationalizing agentic systems inside real enterprise environments, a deeper challenge quickly emerged: governing the identities and actions of machines operating at scale. Traditional IAM and SSO architectures, designed for predictable human logins, struggle to manage agents that execute high-frequency, non-deterministic tasks using long-lived credentials across multiple systems. As a result, 2026 will see the emergence of Agentic Identity Access Platforms (AIAP): a new identity control layer that acts as an “SSO for Agents,” brokering task-scoped, ephemeral identities based on agent intent. In the agentic era, identity security will shift from verifying who is acting to continuously governing why an action is occurring and how long access should exist.

In the agentic era, identity security will shift from verifying who is acting to continuously governing why an action is occurring and how long access should exist.

Across CISO dinners, closed-door forums, and year-end briefings, Shadow AI emerged as the most cited operational risk. AI tools proved useful enough that adoption quickly outpaced security’s ability to inventory and govern them. Employees uploaded sensitive data into copilots, browser extensions, and SaaS AI features with little visibility into data flow or retention.

Shadow AI is the unauthorized or unsanctioned use of AI tools within an organization without formal oversight from IT or security teams.

This wasn’t reckless behavior - AI was becoming embedded in everyday workflows, making its use inevitable. Blocking it outright didn’t work; it simply pushed activity into unmonitored channels. The real concern was the absence of control, logging, and policy enforcement. Shadow AI became a symptom of a deeper issue: security teams losing visibility into how work actually happens.

2025 was a transition year: security programs began a slow pivot away from non–AI-native stacks, just as adversaries operationalized AI tooling at scale. The resulting shift in attack patterns - faster iteration, lower-cost experimentation, and compressed time-to-breach - made legacy approaches objectively insufficient. For CISOs, this became an additional, concrete driver for modernization: when both sides are automated, advantage accrues to the party that closes the loop first.

In practice, “AI vs. AI” is simply competing automation cycles: faster learning, tighter feedback, and broader execution.

That acceleration also shifted the core risk from data theft to operational paralysis. Incidents like the Jaguar Land Rover attack (estimated $2.5B impact), SaaS-Jacking campaigns targeting major SaaS platforms, and the Salt Typhoon espionage activity showed attackers increasingly optimizing for continuity disruption and deep infrastructure access - not just exfiltration. The implication is blunt: security failures are now business-stopping events, not merely confidentiality breaches.

A 2025 cyberattack that forced Jaguar Land Rover to halt production for several weeks, disrupting global supply chains and causing an estimated $2.5B economic impact.

A Cyberattack in which attackers hijack SaaS accounts or cloud applications through stolen credentials, tokens, or misconfigured integrations, allowing persistent access to organizational systems

The cyber-espionage campaign linked to the Chinese state-backed group “Salt Typhoon”

This reality resulted in two new priorities for security teams: resilience and recovery.

Across virtually all sectors, vendors, customers, and domain experts are signaling the shift toward contextual security. Alert triage and enrichment are increasingly executed through the lens of business-critical context; just-in-time privileges are being issued and revoked based on usage context and behavioral pattern recognition; and secure coding is shifting toward context-aware guidance - surfacing prescriptive fixes directly from pull requests and code reviews.

Context is no longer merely an input to security decisions; it now underpins them

Its influence is pervasive today and is poised to become even more dominant over the coming year.

By 2025, security tooling fragmentation was becoming harder to justify: many teams were running broad stacks of overlapping tools across endpoint, identity, cloud, network, and detection. That sprawl added unnecessary costs and operational burden (more integrations, more policy surfaces, more triage), yet left teams with hard-to-trace visibility gaps.

At the same time, we started seeing clearer consolidation signals. Among others, Google’s acquisition of Wiz suggests that leading point solutions are increasingly being treated as “platform-grade” capabilities. Despite ongoing concerns around vendor lock-in, we expect 2026 to extend this direction: more stack rationalization and more vendor consolidation, with a stronger emphasis on fewer tools that drive prioritized remediation over noisy detection.

This trend is amplified by the previous topic - contextualization - as the trend of putting AI & organizational context in the core of each security product, brings the different tools - and traditionally-defined cybersecurity quadrantable categories - even closer together.

By mid-2025, CISOs were openly dismissive of generic AI and LLM claims. Many vendors added “AI” to their messaging without fundamentally changing their products, and hype alone no longer inspired trust. CISOs demanded both proof of the advantages of the LLM through clear KPIs and a measurable way to audit, understand, and control its behavior. Vendors that couldn’t provide precise answers, validation, or evidence quickly lost credibility. Adoption would no longer be driven by marketing claims - security leaders wanted results, not buzzwords.

During 2026, the term “AI agent” or “agentic LLM” is prone to suffer the same fate, as CISOs now see past the AI hype, demanding demonstrable value and explainability.