What might the coming 12 months look like for cybersecurity and compliance professionals? We’ve scoured the news, absorbed the predictions of industry experts, and spoken to some directly to bring you our take on 2026. In no particular order, here are five trends that will shape the sector as we work our way through the year.

AI Everywhere Benefits Attackers and Defenders

As we observed in our State of Information Security Report 2025, AI represents both a threat and an opportunity to network defenders. A threat, in that malicious actors are already using large language models (LLMs) to assist with vulnerability research and exploit development, social engineering, victim reconnaissance, and more. But an opportunity, from both a business growth and cyber defence perspective.

Agentic AI will be at the forefront of this dynamic in 2026. Although Anthropic’s November report was widely criticised for exaggerating AI’s role, the risk it flagged – of fully AI-orchestrated cyber-attacks – could become reality this year. On the other side, great strides are being made in SecOps, where agentic systems are being used to bridge skills gaps and help mitigate alert overload. Expect the journey to the “autonomous SOC” to gather pace.

We can also expect the ISO 42001 standard to grow in popularity as more organisations look to manage their AI systems securely, ethically and transparently. Business take-up has already grown from 1% to 28% between 2024 and 2025, according to IO data. The coming 12 months could see it hit mainstream adoption, as threat actors single out the AI attack surface for special treatment.

The Compliance Burden Builds

In our report, we warn of a “compliance crunch” for many organisations as they struggle to meet a growing regulatory burden with limited resources. Some 37% admit that compliance is a challenge, and two-thirds (66%) say that they’re finding it difficult to manage in house. Some 85% say more alignment across jurisdictions would help, while two-thirds (66%) argue that the speed of regulatory change makes it difficult to stay compliant.

Unfortunately, things aren’t going to improve on this front in 2026. Given that it’s over 12 months since DORA came into force, we’ll see regulators start to sharpen their claws. NIS2 will also get real after being transposed into local law across much of Europe. Then there’s the Data Use and Access Act, the UK’s GDPR update, which will come fully into force by June, and the UK’s answer to NIS2, the Cyber Security and Resilience Bill, which is expected to pass into law.

Some deviations from NIS2 will “require scrutiny”, Charles Russell Speechlys partner Mark Bailey tells IO.

“For example, the bill introduces a broader definition of incidents, meaning organisations may need to reassess what qualifies as reportable and ensure internal processes are calibrated accordingly,” he explains. “Customer communications and contractual obligations will also need to be revisited, particularly where reporting may impact third-party data or expectations of confidentiality.”

Software Supply Chain Risks Will Proliferate

The open source ecosystem is creaking. Over the latter half of 2025 we witnessed several major threat campaigns spreading across npm. Key among these was IndonesianFoods, a prolific, automated campaign that flooded the registry with tens of thousands of spammy packages. Experts warned the same techniques could be used for more malicious ends. Perhaps even more worrying was the Shai-Hulud worm, whose two waves led to the exposure of developer and cloud secrets on a similarly massive scale.

“Open source ecosystems make perfect testbeds for this kind of automation: frictionless publishing, minimal gatekeeping, and an enormous attack surface,” Sonatype CTO, Brian Fox, tells IO. “Attackers have figured that out. Unless we evolve our defences just as quickly, these self-propagating worms will become the default playbook, not the exception.”

Randolph Barr, CISO at Cequence Security, adds that AI will accelerate the trend.

“The fact that the [IndonesianFoods] payloads were inactive makes this scenario even more worrying,” he tells IO.

“The attackers took their time, building trust and distribution over time so they could use it as a weapon later. That’s a big change: you don’t need malicious code on the first day to create considerable risk down the line. So certainly, efforts that are highly automated and worm-like that take advantage of the size and availability of package registries will grow, not shrink.”

Skills and Budgets Set to Lag

According to the latest ISC2 Cybersecurity Workforce Study, skills shortages in cyber remain worryingly common. Over a quarter (27%) of global respondents cited governance, risk and compliance (GRC) skills as in high demand. Stalling budgets and a dearth of talent aren’t helping. According to ISACA’s State of Cybersecurity research, over half of professionals (54%) say teams are underfunded, while 58% report ongoing understaffing.

ISACA chief global strategy officer, Chris Dimitriadis, tells IO that the gap between fast-evolving threats and slow-moving investment will grow in 2026.

“Cyber and compliance teams will be expected to take on far greater responsibility for AI governance and regulatory alignment as new standards come into force. While regulation is a welcome step toward strengthening digital resilience, it also introduces significant operational pressure, particularly when over a quarter of organisations have no plans to hire for digital trust roles in 2026,” he adds.

“For cyber-compliance teams, 2026 will bring heavier workloads, rising expectations and increasingly complex landscapes. AI tools will be essential, but technology alone cannot close the vulnerability gap. Resilience will hinge on people – organisations that invest in wider talent pathways, continuous upskilling and AI-literate teams will be the ones able to turn powerful technologies into meaningful, real-world protection.”

Continuous Compliance and Automation Unlock Value

With the threat landscape evolving so rapidly, attack surfaces expanding, and the regulatory burden growing, standards like ISO 27001 will increasingly be prioritised in 2026. Their best practices underpin most of the cybersecurity legislation hitting the statute books these days, which will help to simplify compliance. But, in the case of ISO 27001 at least, the standard is also moving towards a model of “continuous compliance” that will help organisations enhance cyber resilience in the coming years.

The Plan-Do-Check-Act (PDCA) cycle promotes continuous monitoring, measurement and adaptability — critical endeavours in these volatile times. With limited skills and resources to hand, many organisations will turn to automation to help them harness these benefits. By letting machines do the grunt work of security controls monitoring, audit trails, reporting and deadline reminders, stretched teams can focus on the work that matters.

This is just a small taste of what to expect in the coming 12 months. Security and compliance teams will no doubt face some formidable challenges over the year. Those best placed to ride them out will be the ones that view compliance as a journey of continuous improvement, not a once-a-year effort.