Gartner Security Risk & Management Summit 2026: Day 1

Day one of the 2026 Gartner Security & Risk Management Summit covered a lot of ground. I was only able to attend six of the many sessions. A few that should make every security leader uncomfortable in exactly the right way.  This article summarizes what I took away, along with some key points.

Leadership Vision for 2026: Cybersecurity — Fadeen Davis

Fadeen Davis opened with a number that should be on every CISO’s slide deck: 98% of boards agree that cyber threats will grow in the next two years. That’s about as close to consensus as boards ever get on anything. The problem is that agreement on the threat doesn’t automatically translate into agreement on the budget.

For the first time in three years, cybersecurity is no longer the top funding priority for CIOs. Generative AI has taken that spot. Projects that were planned are being shelved to make room for AI investments, which is ironic, because securing AI is itself a cybersecurity problem. Davis made the point clearly: many CIOs don’t yet realize that investing in AI means their data and security costs will go up, not down.

Davis identified three areas where CISOs have urgent action items but low confidence in their ability to deliver. Scaling zero-trust technologies across the enterprise. Securing data in third-party AI applications. Evolving governance frameworks for AI risk. These aren’t new ideas; they’ve been circulating for years. The fact that confidence remains low across all three suggests a gap between strategy and execution.

The framing she offered for the path forward centers on four imperatives worth examining: influence, agility, resilience, and the shift in how security is positioned. Influence means becoming a sensemaker, someone the board sees as the person who explains threats in terms of shareholder value, not just technical risk. Agility means being able to reprioritize quickly when the business shifts. Resilience means keeping operations running under pressure and baking supply chain risk into the broader cyber risk picture.

“Cybersecurity needs to be seen as the catalyst for delivering shareholder value. Only then will it shift from skepticism to confidence.” — Fadeen Davis

The underlying message is that CISOs who want more influence have to earn it by speaking the business language. Security for security’s sake doesn’t get funding. Security as a business enabler does.

Top Trends in Cybersecurity for 2026 — Alex Michaels

Alex Michaels used a mountain-climbing analogy: cybersecurity is a steep, rugged ascent, and the point of the session was to hand people a map. It’s a good framing. The mountain isn’t going anywhere. The question is whether the team has the right gear.

His presentation is organized around Normalized AI Adoption, Securing New Frontiers, and Transforming Governance. The most actionable piece came from the first theme. Traditional security awareness training is, by his assessment, no longer sufficient. Teaching employees how to spot phishing emails was useful a decade ago. Now, with generative AI producing highly convincing content at scale, the game has shifted from awareness to behavior management. Dynamic interventions matter more than annual training modules.

On post-quantum cryptography, Michaels was direct: this is no longer theoretical. Organizations need to start inventorying their encryption systems now, before quantum computing makes current standards obsolete. Most organizations have no idea what encryption they’re running or where. That’s a significant problem with a very clear first step.

The governance section focused on AI agents as a new category of digital worker entities that require unique identities and fine-grained authorization policies, rather than access inherited from the humans who deployed them. The operational shift he pointed to is worth paying attention to: security leaders need to move from ownership to influence. As the scope of what security teams are responsible for grows, the only sustainable model is one in which security shapes decisions rather than directly controlling everything.

AI Drives New Cybersecurity Architecture — Mary Ruddy

Mary Ruddy used a cheetah to make her point. Zero to 60 in 3.4 seconds. That’s the speed security teams need to aspire to, not because it’s impressive, but because AI-powered threat actors are already moving at machine speed. Human-paced response is no longer competitive.

The practical implication is a shift from periodic processing to continuous processing. Security checks that happen once a day or once a week leave windows of exposure that didn’t exist when threats moved more slowly. Continuous processing closes those windows. It also requires more automation, which is where the architecture changes start to compound.

Ruddy named several pitfalls worth avoiding. Using AI agents for every task instead of the right task for the right job. Treating AI as a single, monolithic thing when protecting a customer-facing chatbot is entirely different from protecting an agentic AI system running an e-commerce operation. And perhaps most telling, trying to stop AI adoption entirely. Security teams that refuse to enable safe AI tools for employees will find those employees building their own workarounds. “Bring Your Own Agent” is already happening, just like BYOD was already happening before IT acknowledged it.

“AI can weaponize technical debt. A lot of breaches are really just exploiting common gaps in what people don’t do.” — Mary Ruddy

The identity angle is central to her architectural argument. An identity-first security model with continuous authentication and authorization is not optional when AI agents are acting on behalf of users and systems. The basics of patching, access control, and credential management matter more now, not less, because AI gives attackers a faster path to exploit every gap that exists.

How to Secure Enterprise AI Agents — Jeremy D’Hoinne

Jeremy D’Hoinne started with the definition Gartner is using for AI agents: autonomous or semiautonomous software entities that use AI techniques to perceive, make decisions, take actions, and achieve goals in their digital or physical environments. It’s a broad definition. That’s intentional. The category is broad.

The attack surface model he presented breaks down into four categories: the harness (the application stack the agent runs on), the model itself, the agent’s access to data and resources, and the agent’s access to tools. Each requires a different security discipline. Application security for the harness. Model security for the AI component. Data security and access management for resources. Something new entirely for tool access, especially when agents can use “computer use” capabilities to interact with other systems as a human would.

Prompt injection got significant attention, and rightfully so. D’Hoinne’s position is that it cannot be patched. It’s a social engineering attack against the AI layer, malicious instructions hidden in content the agent processes, redirecting its behavior without triggering conventional security controls. The response is management and containment, not elimination.

“Treat third-party agent components as semi-hostile.” — Jeremy D’Hoinne

The “least agency privilege” principle maps cleanly from least privilege in traditional access control: agents should have exactly the permissions needed to complete their task and nothing more. In multi-agent systems, where agents interact with and hand off to other agents, segregation of duties becomes critical. Discovery is the starting point for all of this. Security teams cannot secure AI agents they don’t know are running.

CYERA: Rethinking Security in the Age of Agentic AI — Nate Smolenski

Nate Smolenski, CISO of CYERA, drew a direct line from the shadow SaaS era to what’s happening now with AI. The number he cited is striking: 95% of AI tools currently in use at organizations are unsanctioned. That’s not a rounding error. That’s nearly the entire AI footprint operating outside of governance, oversight, or security controls.

The comparison to the SaaS explosion is useful because the industry has been here before. When cloud applications proliferated faster than IT could manage them, security teams faced the same choice: get ahead of it or get worked around. Most got worked around. The question now is whether organizations are willing to make a different decision with AI or whether they’ll repeat the pattern and spend the next decade cleaning up the consequences.

The edge is no longer a perimeter. Smolenski described it as an amoeba shapeless, expanding, impossible to defend with a fixed boundary. AI agents operating across distributed systems and third-party platforms make that even more pronounced. The data stores most organizations are working with are vast, poorly understood, and growing faster than anyone is cataloging them.

He also raised legal implications that most security teams haven’t started thinking about yet. New rulings are changing what’s considered confidential when AI systems are involved in workplace interactions. That’s a compliance exposure that doesn’t show up on a threat model but absolutely shows up in a lawsuit.

The practical response is a continuous inventory of AI tools and a tiered data access model that limits what any given agent can reach based on the sensitivity of the data involved. Security and data governance teams working in isolation won’t get there. They need to be working from the same playbook.

What Public Sector Leaders Are Getting Wrong About AI — Michael McFerron

Michael McFerron’s session was aimed at public sector audiences, but the problems he described apply well beyond government. By 2027, half of operational decisions will be augmented or automated by AI agents. By 2028, 15% of day-to-day work decisions will be made autonomously. These aren’t projections from an AI optimist they’re Gartner’s planning assumptions. And 47% of government organizations are already moving on to AI without a coherent plan.

The first mistake McFerron flagged is treating AI as a static service rather than an evolving asset. Most procurement contracts are written as if the AI being purchased today will work the same way in three years. It won’t. Models drift. They need retraining. The system that performed accurately at deployment may quietly degrade over time, producing outputs that nobody inside the organization is equipped to detect because the contract didn’t require transparency and the workforce was never trained to look for it.

That connects directly to the second mistake: building users instead of evaluators. Organizations that train employees to log into an AI platform and write a basic prompt are producing users. Users cannot detect model drift, cannot pressure-test vendor claims and cannot identify when a system is producing biased or degraded outputs. Evaluators can. The difference matters operationally and it matters from a security perspective, because a workforce that understands the technology is the first line of defense against adversarial threats like data poisoning and prompt injection.

“We can outsource the development of a tool, but we can never outsource the ultimate accountability of our mission.” — Michael McFerron

Governance as an afterthought was the third problem. Current models apply the same level of scrutiny to every AI application regardless of risk, which creates bottlenecks, slows deployment, and incentivizes teams to route around the process entirely. Proportional governance calibrated to the actual risk level of each application solves the bottleneck without sacrificing oversight on the things that genuinely matter.

The fourth issue is fragmented roadmaps. Departments chasing short-term wins with no connection to mission outcomes end up with redundant systems, wasted resources, and a collection of tools that don’t talk to each other. The fix is alignment not just to budget cycles, but to the actual purpose of the organization.

Day one covered a remarkable amount of territory for a single summit day. AI agents, post-quantum cryptography, shadow AI, governance reform, identity architecture, all of it pointing in the same direction. The organizations that are going to handle this period well are the ones treating security as a function that shapes how the business operates, not one that reacts to what the business has already decided.

The real question isn’t whether AI will change how security works. It already has. The question is what after it’s done.