As cybersecurity threats continue to grow in scale, speed, and sophistication, organizations are facing a new kind of tension. They must strengthen their security posture while simultaneously accelerating digital transformation and AI adoption. The challenge is no longer purely technical—it is strategic, measurable, and deeply tied to business outcomes.
At the center of this shift is access governance. Once viewed as a back-office control function, access governance is rapidly becoming a foundational capability for managing enterprise risk in an AI-driven world.
Fresh insights from Altum Strategy Group’s Cybersecurity Leadership Survey 2026 shed light on how security leaders are navigating this evolving landscape and where the biggest gaps and opportunities now exist.
Sensitive Data Takes Center Stage
When security leaders were asked to rank their top cybersecurity priorities for 2026, one theme stood out clearly: protecting sensitive data.
Across industries, CISOs ranked data protection as their top priority, ahead of threat detection and response and even AI enablement itself. This reflects a growing recognition that data—not infrastructure—is the true crown jewel of the digital enterprise. Intellectual property, customer data, pricing models, and trade secrets are now deeply intertwined with AI systems, analytics platforms, and cloud services.
AI enablement emerged as a top-three priority, moving decisively beyond experimentation into active adoption. As a result, leaders are increasingly focused on understanding what data is being fed into AI models, how it is being used, and how misuse or overexposure can be detected before damage occurs.
The Rise of the Non-Human Identity
One of the most consequential changes highlighted in the discussion is the growing risk posed by non-human identities—particularly AI agents.
Non-human identities are not new. Organizations have managed service accounts, APIs, bots, and robotic process automation for years. What makes AI fundamentally different is its ability to consume massive volumes of data continuously and autonomously. Unlike human users, AI agents are not constrained by time, intent, or traditional access policies such as segregation of duties.
As enterprises adopt tools like Microsoft Copilot or deploy custom large language models, these AI systems often operate with broad, over-privileged access to function effectively. In practice, this creates what security leaders describe as an “intelligence gap”—a situation where AI systems ingest far more sensitive data than they technically require, dramatically expanding the attack surface.
The survey discussion revealed that many organizations are still struggling to inventory non-human identities, let alone monitor them with the same rigor applied to human users. Existing IAM programs, while relatively mature for workforce access, often lack the granularity and policy intelligence needed to govern AI-driven access at scale.
Why GRC Is Being Forced to Evolve
The survey also revealed a notable shift in how organizations are prioritizing security investments.
Contrary to expectations, Governance, Risk, and Compliance (GRC) was not ranked as the top area for time, investment, or automation. Instead, Managed Detection and Response (MDR) ranked first across both dimensions, followed closely by security architecture.
This does not signal that governance is becoming less important. Rather, it reflects frustration with how GRC has historically been implemented. Many organizations still view GRC platforms as static documentation repositories—useful for audits, but disconnected from the real-time execution and monitoring of controls.
Boards are no longer satisfied with point-in-time reports. According to the survey, they are increasingly asking for real-time security posture metrics and business resiliency indicators. This demand is pushing security leaders toward technologies that deliver continuous visibility, automated threat detection, and measurable outcomes.
MDR, in particular, is being positioned as a way to operationalize governance—using automation and machine learning to surface dormant accounts, excessive privileges, and anomalous behavior before those weaknesses are exploited.
Moving Beyond RBAC in a Cloud-First World
Another critical theme emerging from the research is the growing limitation of traditional Role-Based Access Control (RBAC).
RBAC was designed for a client-server era where users operated within defined systems behind a firewall. In today’s always-connected, cloud-first environments, that model no longer aligns with how businesses operate—or how attackers think.
Security leaders are increasingly turning to Attribute-Based Access Control (ABAC) and policy-based models to address this gap. ABAC enables access decisions based on contextual attributes such as geography, legal entity, business unit, or data sensitivity, rather than static roles alone.
For example, a finance user in Australia should not automatically be able to post journal entries in a North American ledger simply because they hold a “Finance” role. By enforcing access at the attribute level, organizations can dramatically reduce false positives, improve compliance accuracy, and focus security teams on meaningful risk rather than noise.
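The ledger scenario above, worked as an added example that is not from the survey or any vendor product: a role-only check allows the Australian finance user to post to the North American ledger, while an attribute check denies it and records why. All names, attribute fields, and sample identities are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample model; field names are illustrative assumptions.
@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset
    region: str        # geography attribute
    legal_entity: str
    clearance: int     # highest data sensitivity the subject may handle

@dataclass(frozen=True)
class Resource:
    name: str
    region: str
    legal_entity: str
    sensitivity: int

# Static role-to-permission map, as in a classic RBAC model.
ROLE_PERMISSIONS = {"Finance": {"post_journal_entry", "view_ledger"}}

def rbac_allows(subject, action):
    """Role-only check: the target resource's attributes are never consulted."""
    return any(action in ROLE_PERMISSIONS.get(r, ()) for r in subject.roles)

def abac_decision(subject, action, resource):
    """Deny by default; return (allowed, reasons) so every denial is auditable."""
    reasons = []
    if not rbac_allows(subject, action):
        reasons.append("role does not grant action")
    if subject.region != resource.region:
        reasons.append("region mismatch")
    if subject.legal_entity != resource.legal_entity:
        reasons.append("legal entity mismatch")
    if subject.clearance < resource.sensitivity:
        reasons.append("insufficient clearance for data sensitivity")
    return (not reasons, reasons)

# Constructed identities and ledgers matching the scenario in the text.
AU_USER = Subject("au-finance-user", frozenset({"Finance"}), "AU", "ExampleCo-AU", 2)
NA_LEDGER = Resource("na-general-ledger", "NA", "ExampleCo-NA", 2)
AU_LEDGER = Resource("au-general-ledger", "AU", "ExampleCo-AU", 2)

if __name__ == "__main__":
    print("RBAC only:", rbac_allows(AU_USER, "post_journal_entry"))
    for ledger in (NA_LEDGER, AU_LEDGER):
        print(ledger.name, abac_decision(AU_USER, "post_journal_entry", ledger))
```

Returning the reasons alongside the decision is what lets a reviewer distinguish a genuine policy violation from a role that is merely broad.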
DevSecOps Has Crossed the Tipping Point
One of the most encouraging findings from the survey is the widespread adoption of DevSecOps.
According to the data, 78% of organizations report that DevSecOps is fully integrated into their development lifecycle, with an additional segment partially integrated and planning further expansion. Security is no longer treated as a final gate before release—it is increasingly embedded from the earliest stages of design and development.
This shift is especially critical as AI begins to generate more enterprise code. Automated vulnerability scanning, continuous threat modeling, and secure pipelines are no longer optional if organizations want to move quickly without introducing unacceptable risk.
The “shift left” mindset, building security in from the start, is becoming a competitive necessity rather than a best practice.
What Boards Are Asking For Now
Perhaps the most telling insights from the survey come from the boardroom.
When asked what cybersecurity metrics boards are requesting, responses split almost evenly between foundational security metrics and business resiliency metrics. Boards want to understand both the organization’s current security posture and its ability to withstand and recover from disruptive events.
Advanced persistent threats and DevSecOps assurance followed closely behind, underscoring a growing expectation that cybersecurity leaders can demonstrate not just control maturity, but operational resilience and trend-based improvement over time.
This shift reinforces the evolving role of the CISO from technical operator to strategic risk steward with direct accountability to the board.
The Path Forward: Governance That Enables Speed
The central message emerging from the survey is clear. Organizations are not trying to slow innovation. They are trying to protect it.
AI, cloud platforms, and digital ecosystems demand a new approach to access governance—one that extends beyond human identities, connects governance to execution, and leverages automation to operate at machine speed.
By maturing access governance, embracing attribute-based controls, and integrating security into development and operations, enterprises can build the safeguards that allow the business to move faster with confidence.
In 2026 and beyond, the organizations that succeed with AI will be those that treat access governance not as a constraint, but as a strategic enabler of trust, resilience, and sustainable growth.