2025 Security & Compliance Reflections: What Leaders Need to Prepare for in 2026
As the countdown to New Year's Eve draws closer, I wanted to take some time to reflect on the major shifts I’ve seen across cybersecurity, compliance, and risk management, especially as they relate to the AI wave reshaping our entire ecosystem.
Whether you’re a team lead at a growing startup, a director in the regulated enterprise space, or a founder scaling an AI-driven organization, you’ve likely felt the same thing I have: this year brought evolving (and honestly often confusing) expectations from regulators, attackers, and even our own teams.
In my work as a Security and Compliance Business Leader, I make it a priority to stay ahead of these shifts so I can guide the organizations I partner with toward resilient, future-ready strategies. To close out the year, here are the themes that defined 2025, how they’re shaping leadership conversations, and what I believe leaders must prepare for to meet the moment in 2026.
The Big Cybersecurity and Compliance Themes of 2025
Europe Has Been Shaking The Table, Reshaping Global Compliance Expectations
One of the biggest shifts this year has been the sheer volume and ambition of new regulations out of the European Union. NIS2, DORA, the Cyber Resilience Act, and the Artificial Intelligence Act have collectively redefined what “baseline security” looks like across industries. And to be fair, each regulation is responding to a clear pattern: our digital ecosystems are too interconnected and too vulnerable for traditional, reactive security models to work.
Rising supply-chain breaches, systemic weaknesses across critical sectors, and growing concerns around unregulated AI adoption have pushed regulators towards continuous governance, secure-by-design engineering, and clear leadership accountability. Even if you don’t operate in the EU, you will still feel the downstream effects through your vendors, cloud providers, and AI tools.
And if international expansion is even remotely on your company’s roadmap, familiarity with these frameworks is no longer optional; it’s strategic positioning.
I also want to make an honorable mention regarding U.S. regulation that has impacted organizations this year:
The enforcement of PCI-DSS 4.0 began in March and reinforced the same mindset shift: annual validation isn’t enough.
CIRCIA (the Cyber Incident Reporting for Critical Infrastructure Act) is coming, and its narrow reporting windows will require operational readiness long before enforcement begins.
SEC Cyber Disclosure Enforcement Raised The Bar For Board-Level Transparency
This was the first full year of the SEC’s cyber disclosure rule, and it has fundamentally changed expectations for public companies. The requirement to disclose material cyber incidents within four business days, along with mandatory reporting on cybersecurity strategy and governance, has put real pressure on boards and executives.
This rule exists because regulators noticed years of vague disclosures, inconsistent reporting, and downplayed incidents. At the same time, organizations were leaning more into digitizing company operations, increasing the risk landscape and the frequency of attacks. Enter: standardization.
The result? Security leaders are being pulled into a more strategic, business-facing role. Your communication now matters just as much as your controls.
One trend I think is worth watching: an increasing number of companies are now disclosing AI as a material risk. That should tell us where expectations are heading. Let’s keep an eye on this, shall we?
NIST Cybersecurity Framework 2.0’s Accelerated Adoption
NIST’s update to their Cybersecurity Framework felt like the industry’s official acknowledgement of something many of us have known for quite some time: security is a leadership and governance discipline, not only an engineering or technical function.
The introduction of the Govern function clarified expectations around accountability, risk appetite, third-party oversight, and AI considerations, all tied to measurable business outcomes. I’ve used CSF extensively this year in gap assessments and in designing more intentional governance structures for clients. It’s become a practical way to structure conversations that were previously scattered.
Organizations that adopt CSF early will have an advantage next year. Not because it’s a compliance checkbox, but because it’s a leadership framework. Here’s a useful resource for a deep dive into the benefits of this framework for security and compliance teams.
Automation and Continuous Monitoring Are Becoming Non-Negotiable for GRC Teams
I’ve been observing, and experiencing, the industry move away from compliance as a paperwork exercise and towards a mindset where compliance operates and integrates as more of an engineering function. This shift is largely being driven by the aforementioned regulations, which expect organizations to prove the ongoing operational effectiveness of their programs rather than the static documentation we have been providing. To meet the moment, organizations need systems that continuously monitor the health of their controls, not just confirm compliance once a year. And this is a good thing in my opinion; cloud environments change too quickly for static assessments, and the complexity of those environments is too much for compliance teams to track manually. When my team and I embraced automation and continuous monitoring, I found that compliance became lighter, faster, and more embedded in daily operations, rather than something bolted on at the end because someone remembered before product launch. As leaders, we need to provide the time and resources for our compliance teams to up-skill in this area.
Supply-Chain and Third-Party Breaches Doubled, Highlighting Systemic Dependency Risk
This year made one thing abundantly clear: our biggest risks often sit outside of our own walls. Supply-chain and third-party breaches doubled in frequency, and it’s not just the “big vendors” anymore; it’s small service providers, niche SaaS platforms, and ecosystem partners that have become high-value targets. The 2025 Verizon Data Breach Investigations Report, along with other threat intelligence, all point to the same pattern: attackers follow the path of least resistance, and that’s almost always a trusted integration or a vendor with weaker controls.
And 2025 has added a new layer to an already-fragile ecosystem: AI agents, plugins, and model integrations. Companies are adopting AI tools that can access internal systems, process sensitive data, or chain together multiple APIs, often without meaningful security oversight. These tools effectively create a second, faster-moving supply chain that most governance programs aren’t prepared to evaluate. An AI agent isn’t just a user; it’s a super-user stitched together with code, permissions, and external dependencies that multiply your exposure.
The days of treating vendor risk as a simple questionnaire have to come to a close. AI is making that process obsolete and ineffective. Every year, vendors talk about emerging threats, but the breaches tell a simpler story: lackadaisical identity management, unpatched systems, and poorly governed partners remain the root cause of most incidents. If leaders don’t strengthen these three, they will continue solving the wrong problem while the real risk surface expands underneath them.
Boards Now Expect Security Leaders To Communicate Resilience, Not Activity
If there’s one shift I think security leaders underestimated this year, it’s this: boards no longer want updates on activity. They want clarity on resilience. They want to know whether the organization can detect, respond, recover, and keep the business running when something breaks. And if you can’t articulate that with confidence, the four-day SEC disclosure requirement will expose the cracks in your operating model faster than any audit ever could.
The conversations I’ve had this year with CISOs and compliance leaders all reflect the same pressure point: boards are asking harder questions, regulators are expecting clearer answers, and internal stakeholders are less tolerant of vague cybersecurity narratives. The bar is no longer “Are we compliant?” or “What tools do we have?” The bar is: “Can we take a hit without losing operational integrity, customer trust, or investor confidence?”
This expectation is reshaping the role entirely. Security leaders who can’t translate technical issues into business impact are going to struggle. And leaders who haven’t modernized their governance, metrics, and decision processes are going to find themselves outpaced by the new reporting and transparency landscape.
And in my opinion, this theme matters the most because everything else discussed above (AI-driven risk, third-party fragility, and accelerated regulatory pressure) is ultimately converging on a single question: Can your organization withstand a disruption? If the answer isn’t a confident yes, that’s the real risk you need to solve in 2026.
Predictions for 2026: What Leaders Must Prepare For
AI Governance Will Become a Required Competency, Not An Optional Curiosity
Right now, most organizations are experimenting with AI tools without understanding the risks baked into the models, plugins, and data flows they rely on. That luxury ends in 2026. Between early signals from regulators, increasing AI-related disclosures in SEC filings, and the growing number of AI-enabled fraud incidents, leaders will be expected to demonstrate control over how AI is adopted, monitored, and integrated into their systems.
My prediction: AI governance becomes the new “cloud security”, a domain every leader must understand well enough to manage risk and communicate trade-offs to executives and boards.
Third-Party Risk Programs Evolve Into AI-Aware Ecosystem Governance
In 2026, the rise of AI agents, plugins, and model integrations won’t have created a “new” supply chain; it will have expanded and accelerated the one many organizations are already struggling to govern well. The real issue isn’t that AI needs its own vendor list. The issue is that most third-party risk programs were never designed to evaluate how a vendor’s models are trained, what plugins they rely on, how autonomous their agents are, or how quickly their ecosystems change. The organizations that succeed won’t split AI vendors into a new silo. They will upgrade their existing TPRM programs to account for AI-specific risks: model provenance, plugin dependencies, data retention behaviors, training data quality, cross-model integrations, and the blast radius of autonomous actions. This means expanding vendor questionnaires, enriching risk scoring, adding AI-specific control requirements, and integrating AI governance into change management and continuous monitoring.
My prediction: By the end of 2026, the most effective organizations will integrate AI risk directly into their existing third-party governance frameworks, moving from siloed vendor lists to a unified, ecosystem-level approach that reflects how modern businesses actually operate.
Identity Becomes the Defining Security Priority
Identity has been the leading attack vector for years, but 2026 will be the year it becomes the center of gravity for nearly every security program. Why? Because AI is supercharging the very tactics that exploit weak identity governance. AI-driven phishing, deepfake-enabled fraud, real-time MFA fatigue orchestration, session hijacking automation, and model-generated impersonation are making identity compromise easier, faster, and far more scalable.
My prediction: Identity becomes the defining security priority of 2026. AI is making identity-based attacks faster and more convincing, and organizations will be forced to mature their IAM practices, tighten access governance, and bring machine identities into the fold.
How I’m Strengthening My Skillset and Mindset as a Leader
As security leadership evolves, I’ve been just as intentional about evolving with it. Over the last few months, I’ve invested heavily in strengthening the parts of my craft that matter most in this new era of cybersecurity, and not just my technical skillset but the executive presence, decision-making clarity, and influence required to guide organizations through rapid change.
Here’s where I’ve focused:
Working with an executive coach to expand my influence, framing, and perception
My coaching program is specifically designed to strengthen executive influence and perception, especially in startup and SMB environments where founders, engineering leads, and operations heads all have very different motivations and risk tolerances.
For example, some skills I am refining include:
how I tailor my approach based on persona (founder, COO, engineering lead, finance lead) rather than defaulting to one communication style
how to engage more collaboratively instead of cautiously (a blind spot I didn’t realize was shaping perception)
Without a doubt, I know that security professionals today must understand the business and think strategically. We don’t need to know how to explain the tech better or fix the controls faster. Security leaders need to think and operate like an executive. This is exactly where I’ve been sharpening my edge.
Expanding My Business Acumen So I Can Operate Like a Strategic Partner, Not a Technical Specialist
One of the biggest shifts in my development has been expanding what I read, study, and engage with. I’ve been deliberately spending more time with executive-focused publications (think Harvard Business Review, McKinsey) because security leadership now requires:
understanding how businesses make money, not just how systems work
recognizing financial trade-offs, operational constraints, and growth pressures
tying controls and investments to business outcomes, not maturity charts
communicating risk in decision-ready language
Without a doubt, this expansion in my learning has helped my mindset shift from strong practitioner (because I have built a strong technical foundation) to a true business leader.
Actively Building a Network for Calibration
The leaders I have surrounded myself with have become a source of pressure-testing, clarity, and accelerated learning. Talking with CISOs and executives has forced me to:
refine my reasoning
stress-test my assumptions
confront where I may be over-indexing on caution or under-indexing on clarity
learn from their mistakes so I don’t repeat them (or bounce back quickly if I do, because I’m human)
understand how leaders in fast-moving industries are solving the same challenges
I’m hoping to continue to expand on this in 2026 as every conversation I have had has made me a sharper operator.
Developing Leadership Capabilities You Don’t Learn in Certification Courses
Let me be the first to say out loud: As a security leader, I have been susceptible to defaulting to cautious energy and behavior because I do not want to be perceived as pushy or misaligned. What that reads as to other people is hesitation or a lack of collaboration. It didn’t matter that that wasn’t my intention. And so I have been doing a ton of inner work to ensure that I am more decisive in ambiguity (a situation I am in more often than not), that I am aware of how I am shaping perception through my interactions, and, most importantly, that I am shifting from defensive to intentional leadership.
Deepening Technical Strength In The Domains Shaping The Next Decade
While I have a strong background in security and governance, I’ve doubled down on the following areas I believe will define the next decade:
Identity Security
AI Governance
Supply-chain and vendor ecosystem risk
Cloud-native detection and response
Continuous compliance automation and monitoring
Why these, you may ask? Because they’re the domains where I continue to see breaches happening, regulation tightening, and auditors asking better questions, and where I see security programs failing for many.
A leader who can’t speak fluently across governance and engineering will hit a ceiling. And I don’t intend to hit one.
A Question for Security Leaders Heading Into 2026
As you look ahead to 2026, which part of your security program do you believe is most at risk of being outpaced (your governance, your identity layer, or your vendor ecosystem) and what are you committing to strengthening first? Let me know in the comments!