The future rarely announces itself. But if you know where to look, you can see the shape of what’s coming.

Speak with those working closest to today’s security challenges, and you’ll get the sense that something big is shifting.  

The rules that defined the last decade of cyber are showing their age. Cloud costs are under scrutiny. AI is moving faster than teams can track. Boards are finally waking up to their own accountability.

To help make sense of it all, we sat down with several of our Zero Trust Hub contributors to hear their predictions for 2026.

Here’s where they see the industry heading next.

John Kindervag, creator of Zero Trust and Illumio chief evangelist

As costs rise and AI risks become harder to ignore, he sees many organizations starting to move sensitive workloads from the cloud back on-premises.

“Companies will keep what makes sense in the cloud and bring home the workloads that do not,” he said. “This shift will create more hybrid models that help organizations cut waste, tighten security, and make more informed decisions.”

But cloud strategy isn’t the only thing shifting. The org chart is, too.  

Kindervag believes cybersecurity accountability is finally moving where it belongs: the boardroom.

“For too long, CISOs have taken the fall for breaches they could not prevent,” he said. “That era is ending. CEOs, not CISOs, will be held accountable.”

Raghu Nandakumara, VP of industry strategy

According to Raghu, 2026 will be the year Zero Trust fades quietly into the background because it’s everywhere.

“What was once seen as aspirational is now essential for operational resilience,” he said. “Modern architectures will inherently include Zero Trust controls, including identity-based access, network segmentation, and continuous verification.”

Raghu also sees a shift in roles at the executive level. With cyber-physical integration on the rise, he expects the CISO role to evolve into a broader CSO.

“The CSO is emerging not just as a successor to the CISO but as a strategic force,” he said. “They’re going to be accountable for the full spectrum of organizational security and continuity.”

Michael Adjei, director of systems engineering

Michael is sounding the alarm on agentic AI.  

As organizations embrace AI agents to automate tasks, he believes they may be handing over more control than they realize.

“Depending on how people use AI agents, they are, in a way, relinquishing part of their identity to autonomous AI,” he said.  

He expects cybercriminals will target the autonomous capabilities of agentic AI. They’ll exploit them to commit cyberattacks by compromising agent-to-agent communication.

He’s also keeping a close eye on APIs. Specifically, he warns about the growing number of unsupervised and unmonitored connections that AI agents create behind the scenes.

“Any unsupervised pathways AI agents use will become prime targets for attackers to exploit,” he said. “This will force organizations to rethink identity, access, and accountability in a world where machines act faster, and more dangerously, than humans ever could.”

Trevor Dearing, director of critical infrastructure

Trevor doesn’t think checking cybersecurity compliance boxes will be enough anymore. In 2026, the real test will be how well an organization can bounce back from cyber threats.

“Effective resilience depends on much more than simply ticking boxes or passing audits,” he said. “It will be about the practical ability to keep services running for society.”

He believes the smartest CISOs in 2026 will double down on segmentation, response speed, and limiting the damage when attackers inevitably get in.

And he has a warning for underfunded industries: the threat is coming for you next. “Utilities, retailers, transportation — any sector with tight margins and legacy systems will be a prime target,” he said. “Attackers know where the gaps are, and they’ll exploit them.”

2026 will demand more than just good intentions

In 2026, the difference between leading and lagging will come down to preparation.  

The organizations that have truly absorbed the lessons of the past decade will be the ones that hold their ground when threats break through. As Kindervag put it, “Cybersecurity is not optional, and prevention without containment is not enough.”

Good intentions will not carry anyone through the year ahead. Progress will come from decisive action, smarter investments, and a clear commitment to containment.  

What leaders choose to prioritize now will shape whether their organizations merely endure the next wave of threats or rise above it with resilience.