As we head into 2026, cybersecurity is changing faster than ever — thanks to big leaps in artificial intelligence, increasingly complex regulatory requirements and mounting pressure on critical infrastructure. To help organizations navigate these changes, three Barracuda executives share their top predictions for the coming year, offering valuable insights on the operational challenges, compliance risks and strategic priorities shaping the future of security.
Whether it’s figuring out how to scale up AI, dealing with a maze of global regulations, or tackling emerging threats to the energy sector, their expert perspectives highlight crucial steps organizations need to take now to strengthen cyber resilience and stay ahead of ever-evolving threats in a digital world that’s anything but predictable.
Siroui Mushegian, CIO, Barracuda
1. Companies will hit an AI operations wall as projects scale from pilots to dozens of implementations
Technology and security leaders will face an AI operational bottleneck, struggling to scale from isolated pilots to enterprise-wide implementations. Industries that rely on complex data ecosystems like finance, manufacturing and healthcare will be particularly vulnerable to conflicting data pipelines, inconsistent architectures and uneven security practices. Without AIOps frameworks and strong governance structures, organizations risk losing visibility, control of their tech stacks and long-term operational resilience.
2. AI compliance management will demand constant attention as global regulations diverge
AI compliance will become a continuous, high-stakes challenge in 2026 as global regulations diverge. The EU’s AI Act and California’s Transparency in Frontier Artificial Intelligence Act signal a growing trend of region-specific rules. CIOs will need to navigate a global patchwork of evolving standards, from LLM bias to data privacy, requiring flexible compliance frameworks and real-time monitoring tools to evaluate AI projects. Companies that invest in strong governance will avoid costly retrofits and gain a competitive edge in regulated markets.
3. AI budgets will hinge on measurable business outcomes, not experimentation
AI budgets will be tied directly to measurable business outcomes, marking the end of the experimental phase. The C-suite will increasingly push CIOs to prove clear ROI, using metrics such as productivity gains, customer retention and revenue growth as key benchmarks. Leaders who prioritize initiatives with tangible results will secure board-level support, while those who can’t connect AI spending to strategic goals will risk budget cuts and project cancellations.
Adam Khan, Vice President of Global Security Operations, Barracuda
4. Impact on the energy sector
Rapid AI adoption is creating unprecedented energy demands that current power grids are not engineered to handle. The strain is colliding with the rising threat of sophisticated cyberattacks targeting critical infrastructure like power grids and pipelines, creating a new class of compounding risk. Service disruptions may become a normalized challenge, forcing many organizations to rethink operational resilience.
5. Balancing tension between attackers/defenders with GenAI
In 2026, we’ll see that the organizations that succeed with GenAI are those that adopt it with discipline. The technology’s power to exponentially scale capabilities will continue to accelerate for both attackers and defenders. The leaders who pull ahead will shift from a ‘tool-first’ to an outcome-driven mindset, asking what problems GenAI is truly solving before deployment. They’ll establish robust governance frameworks to mitigate risks like data leakage, enabling safe innovation rather than restricting it. Those who fail to strike this balance will expose their organizations to unnecessary vulnerabilities.
Peterson Gutierrez, Vice President of Information Security, Barracuda
6. Identity under siege: The rise of invisible authentication
Identity is reaching its breaking point as users face fatigue around MFA, rotating credentials and app-specific logins. AI agents will add a new layer of complexity as these tools require user credentials to act on their behalf, often with security as an afterthought. This friction is undermining productivity and creating new vulnerabilities for attacks to exploit. The future of authentication lies in smarter, invisible systems that continuously verify users based on behavior, context and device trust while reducing the need for passwords or tokens. The industry needs to shift from proving who you are to proving you’re still you.
7. Employees as a new threat vector
Employees will become a primary threat vector as hybrid work continues to blur the lines between personal and corporate security. Personal devices, unsecured home networks and shadow AI will create unavoidable insider risks, while adversaries leverage advanced social engineering techniques like quishing and AI-generated phishing to bypass traditional defenses. The attack surface is expanding, and CISOs can no longer rely on perimeter defenses alone. CISOs who adopt user-centric security strategies, including adaptive controls, device trust scoring and continuous security training tailored to hybrid work environments will be best equipped to mitigate insider threats.
8. The compliance bubble bursts — visibility is the new battleground
With hybrid and multi-cloud environments creating unprecedented data sprawl, many companies still can’t answer basic questions about where sensitive data resides or who has access. This lack of visibility is no longer an operational issue and is becoming a compliance liability. Regulators are expected to mandate real-time data classification and discovery as part of readiness programs in 2026 and will push organizations to invest in data observability and unified policy enforcement. Companies that can prove control effectiveness in real time will gain a competitive edge.
Photo: Sam potrait / Shutterstock
This post originally appeared on Smarter MSP.