2025 was a tumultuous year for cybersecurity professionals. A change in political leadership in the US introduced instability within federal cybersecurity agencies and had a worldwide ripple effect; the focus on AI technology shifted from generative AI (genAI) to agent and agentic AI for productivity, cybersecurity, and malicious actors; and the variety of cyberattacks targeting critical infrastructure markets as well as average businesses, reaching all four corners of the globe, kept security and risk teams on their toes.

In 2026, continued political instability coupled with technological advancements being used by cybercriminals will force security, risk, and privacy leaders to not just adapt their defensive technologies to respond but to also prepare their workforce for these shifts to reduce the risk to the business. To help business and security leaders understand where to focus their attention in the year ahead, here are three of Forrester’s 2026 cybersecurity and risk predictions:

  • An agentic AI deployment will cause a public breach and lead to employee dismissals. Since its launch in 2022, genAI has caused several data breaches or affected the integrity or availability of sensitive data. As companies begin building agentic AI workflows, these issues will only become more prevalent. Without the right guardrails, systems of autonomous AI agents may sacrifice accuracy for speed of delivery, especially when interacting directly with customers. When these failures occur, some treat AI agents as their own entities while others point fingers at individual employees, but breaches like these are due to a cascade of failures, not a single individual. To prevent these failures, and scapegoating, security organizations must enable the business to develop agentic applications with minimum viable security. Follow the AEGIS framework, securing intent, ensuring appropriate identity and access management controls to track agent activity, and implementing data security controls to track data provenance.
  • Five governments will nationalize or place restrictions on critical telecom infrastructure. The Salt Typhoon cyberespionage campaign, attributed to nation-state actors, breached over 600 orgs across 80 countries, exposing the vulnerability of commercial telecom as hackers went undetected for years. Governments responded: Australia reinforced SOCI (Security of Critical Infrastructure) Act reforms, mandating direct oversight of telecom assets; Italy advanced a €22 billion restructuring of Telecom Italia’s network while planning its own satellites for encrypted comms; and the US banned Chinese and Russian ownership of subsea cables and bolstered cybersecurity standards. Telecom, however, relies on vast internet-of-things ecosystems (notoriously insecure and frequently exploited), while the rapid rise of space infrastructure such as low-Earth-orbit satellites adds new attack surfaces. To counter, governments will assert unprecedented control over telecom security. To stay ahead of new security regulations, CISOs must strengthen continuous monitoring of critical ecosystem risks while evolving to continuous control monitoring.
  • Quantum security spending will exceed 5% of the overall IT security budget. Forrester estimates that commercial quantum computers will break today’s asymmetric cryptography in less than 10 years and, given regular advances, sooner. Meanwhile, NIST guidance dictates that RSA and ECC support will be deprecated in 2030 and disallowed in 2035. In response, security teams will ramp up quantum security spending overnight in several areas. First, many will retain consulting services to help plan quantum security migrations. Second, product security teams will work with development counterparts to replace outdated cryptographic libraries and components. Third, security teams will work with risk and procurement colleagues to track vendor and partner quantum migration plans. Finally, teams will invest heavily in cryptographic discovery and inventory tools to prioritize high-impact systems for migration, and many will pilot cryptographic agility solutions. Quantum security is no longer just a concern for banking and critical infrastructure; all CISOs must consider similar spending.

Forrester clients can read our full Predictions 2026: Cybersecurity And Risk report to get more detail about each of these predictions, plus two more bonus predictions. Set up a Forrester guidance session to discuss these predictions or plan out your 2026 security strategy.

If you aren’t yet a Forrester client, sign up to get alerted when you’ll be able to download our complimentary Predictions guide, which covers our top technology and security predictions for 2026. And check back for additional complimentary resources, including upcoming webinars, on the Predictions 2026 hub.