KPMG 2026 Cybersecurity Insights: 8 Key Priorities for CISOs


Key Takeaways

  • Non‑human identities (AI agents, service accounts, machine credentials) now exceed human users in most enterprises, making lifecycle governance a foundational risk.
  • Autonomous security agents are entering SOCs, compliance, and identity management, shifting required skills toward agent oversight.
  • Post‑quantum cryptography (PQC) migration is an explicit, multi‑year regulatory program; finance and defense face existential pressure to act now.
  • Supply‑chain attack surfaces are expanding into AI and IoT, necessitating continuous monitoring rather than annual reviews.
  • The CISO’s mandate has broadened to cover physical‑cyber convergence, AI safety, and board‑level resilience reporting, requiring a single accountable executive for the eight priorities.

Overview of the KPMG 2026 Cybersecurity Report
KPMG’s 2026 cybersecurity report, distilled from interviews with more than 20 KPMG cyber leaders and senior executives at Google, Microsoft, Palo Alto Networks, and ServiceNow, identifies eight load‑bearing risks for the year. The report is offered as a downloadable PDF and organizes its findings around: preparing the cyber workforce for autonomous security; navigating geopolitics, resilience, and compliance; safeguarding AI systems; managing non‑human identities; enabling trusted IT/OT hyperconnectivity; transitioning to post‑quantum cryptography; protecting the supply chain through detection and response; and broadening the role and influence of the CISO. A common thread tying these considerations together is operational scale—hyperconnected IT and OT environments, rapidly evolving supply chains, and the imminent need for cryptographic agility.


Why Non‑Human Identities Form the Load‑Bearing Axis
The report argues that non‑human identities are the central risk because AI agents, service accounts, and machine credentials already outnumber human users inside most enterprises, and the gap widens with each automated workflow. Traditional identity‑governance practices—human‑centric onboarding, periodic access reviews, and quarterly attestations—cannot keep pace with this ratio. Consequently, service‑account sprawl becomes the mechanism by which AI safeguards fail, supply‑chain compromises propagate, and SOC analysts struggle to differentiate legitimate automation from stolen credentials. Without a governance layer that can name what is acting and on whose behalf, AI safety remains a set of model‑level promises unenforceable in practice, and autonomous security tools make decisions about identities they cannot trace.


Prerequisite: Inventory Non‑Human Identities Before Scaling Autonomous Security
Sequencing matters because identity governance unlocks the other seven priorities. The first step is to create a complete inventory of every AI agent, service account, and machine credential, assigning a registered owner, documenting purpose, and defining a lifecycle endpoint. Only with this baseline can autonomous‑SOC and AI‑safety initiatives operate on known, accountable identities. Skipping this step leaves security teams blind to the very entities they seek to manage, undermining trust in automated defenses.


Building a Post‑Quantum Cryptography Migration Program
The second priority is to launch a PQC migration program with a named timeline this quarter. KPMG flags PQC as existential for finance and defense, noting that national regulatory deadlines are already arriving. Because the effort spans multiple years, organizations must produce a cryptographic inventory and a migration roadmap in 2026, even if full execution extends beyond. Early planning ensures compliance, avoids costly retrofits, and preserves the confidentiality of long‑lived data.


Extending Supply‑Chain Monitoring Beyond Annual Reviews
Third, the report urges moving from periodic third‑party assessments to continuous monitoring of supplier infrastructure, AI components, and embedded device firmware. Supply chains now carry AI models and IoT endpoints whose risk profile can shift weekly; annual reviews are insufficient to catch emergent vulnerabilities. Treating third‑party risk management as an operational telemetry feed enables rapid detection, timely response, and sustained trust in extended ecosystems.


Reframing the CISO Role for Board‑Level Resilience
Fourth, the CISO’s mandate must expand to encompass physical‑cyber convergence, AI safety, and enterprise resilience reporting at the board level. This broadened scope creates a single accountable executive who can oversee the identity‑governance program, the PQC migration plan, and the supply‑chain monitoring telemetry. When one leader owns these interconnected areas, fragmentation across functional silos is avoided, and the seven other considerations become executable rather than isolated projects.


Operational Scale as the Unifying Theme
Throughout the report, operational scale recurs as the underlying challenge. Hyperconnected IT/OT environments demand dynamic mesh architectures and clear ownership across cyber‑physical boundaries. Supply chains now incorporate AI components and embedded devices that evolve rapidly, making traditional periodic assessments obsolete. Simultaneously, the migration to post‑quantum cryptography is presented as a multi‑year program that cannot be deferred, especially in sectors where data longevity is critical. Each of the eight priorities is framed as a 2026 imperative that the CISO must personally own, because success in any one area depends on the strength of the others.


Practical Steps for CISOs to Execute the 2026 Priorities
To translate the report’s insights into action, CISOs should:

  1. Establish a non‑human identity registry – automate discovery, enforce ownership tags, and integrate lifecycle workflows (provisioning, attestation, decommissioning) with existing IAM tools.
  2. Launch a PQC task force – appoint a lead, conduct a cryptographic asset inventory, define migration milestones, and secure budget for algorithm testing and deployment.
  3. Implement continuous supply‑chain telemetry – deploy sensors for firmware integrity, AI model provenance, and third‑party network behavior; feed data into a SIEM or XDR platform for real‑time alerting.
  4. Align the CISO charter with board resilience metrics – define KPIs that cover identity governance coverage, cryptographic readiness, supply‑chain incident response time, and AI safety validation; report these quarterly to the board.
  5. Upskill the security workforce – create training tracks for agent oversight, cryptographic agility, and AI risk assessment, ensuring staff can manage autonomous security tools effectively.
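A minimal governance check over such a registry, as an added example that is not drawn from the KPMG report (the record fields, the sample identities, and the 90-day rotation window are assumptions): it flags the gaps the inventory step is meant to close, namely identities with no registered owner, no documented purpose, a lapsed lifecycle endpoint, or a stale credential.

```python
from datetime import date, timedelta

# Constructed sample inventory covering the identity kinds the report names
# (AI agents, service accounts, machine credentials). Field names are an
# assumption for this example, not a KPMG schema.
TODAY = date(2026, 3, 1)
INVENTORY = [
    {"id": "svc-billing-etl", "kind": "service_account", "owner": "data-eng",
     "purpose": "nightly billing ETL", "lifecycle_end": "2026-12-31",
     "cred_rotated": "2026-01-15"},
    {"id": "agent-soc-triage", "kind": "ai_agent", "owner": "",
     "purpose": "alert triage", "lifecycle_end": "2026-06-30",
     "cred_rotated": "2026-02-01"},
    {"id": "mc-build-runner", "kind": "machine_credential", "owner": "platform",
     "purpose": "", "lifecycle_end": "2025-11-30",
     "cred_rotated": "2025-03-01"},
]

MAX_CRED_AGE = timedelta(days=90)  # assumed rotation window


def audit_identity(rec, today=TODAY, max_age=MAX_CRED_AGE):
    """Return the list of governance findings for one non-human identity."""
    findings = []
    if not rec.get("owner"):
        findings.append("no registered owner")
    if not rec.get("purpose"):
        findings.append("purpose undocumented")
    end = rec.get("lifecycle_end")
    if not end:
        findings.append("no lifecycle endpoint")
    elif date.fromisoformat(end) < today:
        findings.append("past lifecycle endpoint, should be decommissioned")
    rotated = rec.get("cred_rotated")
    if rotated and today - date.fromisoformat(rotated) > max_age:
        findings.append("credential older than rotation window")
    return findings


def audit_inventory(inventory=INVENTORY, today=TODAY):
    """Map identity id -> findings; identities with no findings are omitted."""
    return {r["id"]: f for r in inventory if (f := audit_identity(r, today))}


if __name__ == "__main__":
    for ident, problems in audit_inventory().items():
        print(f"{ident}: {'; '.join(problems)}")
```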

By following this sequenced, identity‑first approach, organizations can address the eight load‑bearing risks identified by KPMG, build a resilient security posture, and position the CISO as a strategic enabler of enterprise‑wide trust in 2026 and beyond.
