Thursday, June 4, 2026

Gartner SRM 2026 Signals a Cybersecurity Shift From Prevention to Resilience


The old success metrics no longer survive contact with reality.

There's a specific kind of clarity that comes from walking out of three days of analyst sessions and realizing that the conference didn't change your mind; it confirmed something you'd been reluctant to say out loud.

I was at the Gartner Security & Risk Management Summit in National Harbor this week. By the end of it, what struck me wasn't any single session or data point. It was the cumulative weight of a profession reckoning honestly with the gap between how it has defined success for a decade and how success needs to be defined now.

The gap is real. And it's widening.

Prevention is the wrong target

Leigh McMullen's opening keynote set a tone that held for the rest of the conference.

The framing wasn't subtle: organizations that measure security success by breach prevention have already lost the argument, because prevention at scale is no longer achievable. The attack surface is too large, the adversary tooling too capable, the attack cadence too continuous.

The honest reframe, and McMullen made it plainly, is that resilience is the metric that survives contact with reality. If you can limit impact, maintain critical operations, and recover quickly, you have functionally achieved what prevention promised. The difference is that resilience is measurable and can be improved. Pure prevention is a bet that your defenses are better than whatever an attacker hasn't tried yet.

I've heard versions of this argument for years. What made it land differently at Gartner SRM 2026 was who was saying it and where: a Gartner Fellow, in the opening keynote, at the largest security conference in North America. The profession is finally willing to organize strategy around something it can control.

The threat landscape has a new characteristic

John Watts presented the ThreatScape analysis for 2026-2027, and the framing worth keeping is the distinction between threats that are difficult and threats that are both difficult and structurally advantaged for the attacker.

Four fell into that second category: deepfake identity impersonation, software supply chain compromise, prompt injection against AI systems, and AI-enabled attack acceleration across all of the above.

What they share is a common property: the attacker's cost of execution has dropped faster than the defender's cost of detection. Deepfakes that once required studio-grade equipment and technical skill now take minutes on commodity hardware. Supply chain attacks deliver reach that would previously have required compromising dozens of individual targets. Prompt injection turns enterprise AI deployments into insider threats without any insider involvement.

The attacker's advantage here isn't a function of the defender's incompetence. It's structural. Which is exactly why the resilience reframe matters, and why "we'll prevent this" is the wrong premise.

AI agents are the architectural problem nobody has solved

Dennis Xu's session on agentic AI security was the one that stayed with me longest.

Not because the content was new (the vulnerabilities are documented, the risks are visible to anyone paying attention) but because the room's response made something clear: CISOs are increasingly being asked to secure systems they didn't design, didn't approve, and in many cases didn't know existed.

Every organization represented at that conference has AI agents on its roadmap. A large number already have them running in production. These aren't chatbots processing queries in a sandboxed interface. They're autonomous systems that initiate actions, access data repositories, call external APIs, and execute business logic, continuously, without a human in the loop for most steps.

The security problem isn't that the agents are malicious. It's that they inherit risk at every integration point, and most organizations don't have visibility into which integration points those are. Prompt injection exploits this. So does identity spoofing. So does any attacker who figures out that the fastest path to sensitive enterprise data isn't through a human credential; it's through an agent that already has one.

Gartner's guidance on Model Context Protocol security reflected the maturity level of the problem: we're in early innings, the attack patterns are clear, and the defenses are not yet commensurate. That gap is where the next wave of incidents will originate.

Identity isn't infrastructure anymore... it's strategy.

McMullen's three priorities for CISOs included modernizing identity as foundational infrastructure, but the framing understates the shift. Identity isn't becoming foundational. It already is, and most organizations are running their AI strategy on an identity model designed for human users authenticating to static applications.

AI agents create identity problems that IAM vendors haven't fully solved: machine actors that need access at scale, in real time, across systems spanning organizational boundaries, with variable privilege requirements depending on the task context. The traditional model of provision, authenticate, authorize breaks down when the actor is a fleet of agents that can be spun up by any developer with API access and a reasonable use case.

Getting identity right for agentic AI is not a 12-month project. Organizations that start now will have a structural advantage over those that treat it as a later problem. The conference made that sequence explicit.


The data layer is the one enforcement point that doesn't move

Here's what I kept coming back to as the conference wound down: every session that touched agentic AI eventually arrived at the same unsatisfying conclusion. The model can be manipulated. The perimeter gets crossed by design; that's what agents do. The identity layer is catching up, but it isn't there yet.

What persists, regardless of which model an agent runs on or which API it calls, is the data itself. And the data layer, the enforcement point that sits between an agent and the content it's trying to reach, is the one control that doesn't depend on the agent behaving.

It doesn't ask the model to police itself. It doesn't rely on a system prompt the agent can be instructed to ignore. It enforces access decisions, role limitations, and audit logging at the moment of contact, independently.
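To make the two preceding points concrete (a task-scoped agent identity as discussed under identity above, and a data-layer enforcement point that decides without consulting the model), here is an added illustrative example. It is not code from the article or from Gartner; the policy table, the sample store, the agent and task names, and the tool calls are all constructed for the example. The gateway's only inputs are the agent's credential and a static policy, so a tool call that originated from injected text in a ticket body is refused in exactly the same way as any other out-of-scope request, and the refusal is recorded.

```python
"""
Illustrative data-layer enforcement point for an AI agent (example code,
not from the article). The agent holds a task-scoped credential; every
data access goes through DataGateway, which decides from the credential
and a static policy only. Nothing the model says, including instructions
it ingested from untrusted content, is an input to the decision.
"""
from dataclasses import dataclass, field
import time


@dataclass(frozen=True)
class AgentContext:
    """Task-scoped agent credential (what an identity layer would issue).
    Fields and names are assumptions for this example."""
    agent_id: str
    task_id: str
    roles: frozenset        # roles granted to the agent
    scope: frozenset        # resources this particular task may touch
    expires_at: float       # epoch seconds; short-lived by design


# Role policy: role -> resource -> allowed actions. Constructed for the example.
POLICY = {
    "support-agent": {"tickets": {"read", "write"}, "kb": {"read"}},
    "finance-agent": {"invoices": {"read"}, "ledger": {"read"}},
}

# Constructed sample data store standing in for real repositories.
STORE = {
    "tickets": {"T-1": "customer cannot log in"},
    "kb": {"KB-9": "password reset procedure"},
    "ledger": {"acct-7": "CONFIDENTIAL balance 1,200,000"},
}


@dataclass
class DataGateway:
    """Sits between the agent and the data. It never sees the prompt, the
    system prompt or the model output; it sees a credential and a request."""
    audit: list = field(default_factory=list)

    def authorize(self, ctx, action, resource, now=None):
        now = time.time() if now is None else now
        reasons = []
        if now >= ctx.expires_at:
            reasons.append("credential expired")
        if resource not in ctx.scope:
            reasons.append("resource outside task scope")
        if not any(action in POLICY.get(role, {}).get(resource, set())
                   for role in ctx.roles):
            reasons.append("no role grants this action")
        allowed = not reasons
        # Audit at the moment of contact, for allow and deny alike.
        self.audit.append({
            "agent": ctx.agent_id, "task": ctx.task_id, "action": action,
            "resource": resource, "decision": "allow" if allowed else "deny",
            "reasons": reasons,
        })
        return allowed

    def read(self, ctx, resource, key, now=None):
        if not self.authorize(ctx, "read", resource, now=now):
            raise PermissionError(f"{ctx.agent_id} denied read on {resource}")
        return STORE[resource][key]


def run_agent_turn(gateway, ctx, requested_reads, now):
    """Simulate the model emitting tool calls. Some come from the user's task
    and some from text the model ingested; the gateway cannot tell them
    apart and does not need to."""
    results = {}
    for resource, key in requested_reads:
        try:
            results[(resource, key)] = gateway.read(ctx, resource, key, now=now)
        except PermissionError as exc:
            results[(resource, key)] = str(exc)
    return results


def demo(now=1_000_000.0):
    gw = DataGateway()
    ctx = AgentContext("helpdesk-bot", "task-42", frozenset({"support-agent"}),
                       frozenset({"tickets", "kb"}), expires_at=now + 300)
    # Constructed tool calls: the first two are legitimate for the task; the
    # third is what a prompt-injected ticket body told the model to fetch.
    calls = [("tickets", "T-1"), ("kb", "KB-9"), ("ledger", "acct-7")]
    results = run_agent_turn(gw, ctx, calls, now)
    # Same agent, a legitimate call, but after the task credential expired.
    stale = run_agent_turn(gw, ctx, [("tickets", "T-1")], now + 301)
    return results, stale, gw.audit


if __name__ == "__main__":
    results, stale, audit = demo()
    for call, outcome in results.items():
        print(call, "->", outcome)
    for entry in audit:
        print(entry)
```

The point of the design is what the gateway does not take as input: no prompt, no model output, no "the user said it was fine." Scope and expiry come from the credential the identity layer issued for this task, the role table is static, and both allows and denies land in the audit trail, which is what makes a later investigation of an injected agent tractable.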

This isn't a novel idea in security. The principle of enforcing controls close to the asset you're protecting is foundational. What's novel is how many organizations have built their entire AI security posture on layers that sit above the data (model guardrails, perimeter controls, network segmentation) while leaving the data layer itself relatively unaddressed.

Gartner's sessions didn't use that exact framing, but the logic of every agentic AI security recommendation pointed in the same direction: get governance as close to the data as possible, because everything else is negotiable.

For security leaders, that's an architectural conclusion, not just a product decision. The question isn't whether to govern at the data layer. The question is how many incidents it takes to get there.

The competitive frame is the right one

The most durable takeaway from Gartner SRM wasn't a vulnerability class or a framework recommendation. It was a shift in how security leaders began talking about their function.

The language of obligation (we must secure this, we're required to comply) was still present. But beneath it was something different: security leaders increasingly framing governance and resilience as competitive inputs rather than compliance burdens.

Organizations with mature resilience postures can absorb disruption and keep operating while competitors respond to incidents. Organizations with genuine AI governance visibility can scale agent deployments without the manual risk review overhead that slows everyone else down.

McMullen explicitly called out the compressed decision cycle. The next 18 months are the window in which the structural decisions get made: on identity, on AI governance, on what resilience actually means operationally. Organizations that make those decisions now won't just be safer. They'll be faster.

That reframe is the one that will outlast this year's conference. Security as competitive infrastructure. Governance as a speed advantage. Resilience as the metric that tells you whether you're winning.

I left National Harbor more convinced of that argument than when I arrived.

That, at minimum, is a productive three days.

Also read: Verizon's 2026 DBIR found that vulnerability exploitation overtook credential abuse as the top initial access vector.
