Security & Risk Management Summit 2026 — A Field Guide & Compendium

National Harbor, MD · June 1–3, 2026 · 478 sessions

 

1. The Big Picture

This year’s Gartner Security & Risk Management Summit packs 478 agenda items across three days at the Gaylord National Harbor. Strip out the meals, registration windows, networking breaks, engagement zones, and exclusive lounges, and you’re left with roughly 250 content sessions — Gartner analyst talks, vendor (sponsor) sessions, CISO Circle programming for senior leaders, roundtables, workshops, and “Ask the Analyst” clinics. Of those, 138 sessions have presentation materials (slide PDFs) posted in the Conference Navigator.

The shape of the week is familiar to anyone who has done Summit before:

  •  Monday (June 1) is the heaviest content day — 185 agenda items, anchored by the Opening Keynote at 9:30 AM and running deep into evening sponsor “theater” talks. This is the day to be on your feet.
  •  Tuesday (June 2) opens with a guest keynote from chef/humanitarian José Andrés, carries a full slate of analyst sessions, and closes with Peter Firstbrook’s “Future of Cyber 2030” keynote at 4:45 PM.
  •  Wednesday (June 3) is the shorter “get the frameworks” day — guest keynote from Naomi Bagdonas (improv/levity), then the Top Predictions / Top Projects / Magic Quadrant closers before the exhibit floor shuts at 2:00 PM.

The one theme that ate the agenda: AI — and specifically agentic AI

If you read nothing else, read this: the 2026 Summit is overwhelmingly about securing AI and securing with AI, and the center of gravity has moved from “GenAI” to agentic AI and non-human/machine identity. By a wide margin, this is the most-repeated phrase across session titles. The agenda clusters into a handful of dominant themes:

  1.  Agentic AI security & governance — securing AI agents, agent identity, “guardian agents,” runtime governance, the agentic SOC. This is everywhere, in both Gartner and vendor tracks.
  2.  Identity & Access Management (incl. non-human / machine / agent identity) — identity-first security, deepfake/impersonation defense, IAM hygiene, the “identity control plane.”
  3.  Security Operations & the AI-augmented SOC — staffing the SOC in 2030, MDR, SIEM cost reduction, detection/response.
  4.  Continuous Threat Exposure Management (CTEM) / exposure & validation — “we can’t patch our way out,” exposure assessment platforms, attacker’s-eye view.
  5.  Post-Quantum Cryptography (PQC) — a notably large cluster this year: enablement, “three waves,” crypto-agility, quantum-safe migration.
  6.  GRC, board reporting & cyber risk in business terms — outcome-driven metrics, protection-level negotiation, “cyber regret,” board confidence.
  7.  Third-Party / supply-chain cyber risk (TPRM) — vendor trust, software supply chain, AI vendor risk.
  8.  Data security / DSPM / DLP in the AI era — reactive-to-resilient, AI-driven DLP, data security debt.
  9.  Cost optimization & vendor consolidation — drive down costs, mitigate SaaS price increases, four-pillar vendor framework.
  10. Cyber-physical systems / OT security — a smaller but distinct track (Katell Thielemann’s sessions, the Dragos talk).

The practical takeaway for planning: nearly every time slot offers several strong options on the same hot topic. Conflicts are unavoidable — which is the whole point of the recommendations below.

 

2. How to read these recommendations

The “best of” picks below are anchored on the sessions on your personal “My Agenda” (used here as the signal for what matters most to you), expanded with the flagship Gartner sessions most attendees consider unmissable, and the standout talks by theme. Where two strong sessions run at the same time — including clashes within your own agenda — they’re flagged as tough calls.

 

3. The Best Sessions — anchored on your agenda

★ Opening Keynote: Seize the Moment — Leigh McMullen (+ team)

Mon 9:30–10:15 AM · Potomac Ballroom

The thesis-setter for the whole week. McMullen’s framing: “It feels like everything is happening, everywhere, all at once. But amidst the chaos, there are ‘moments’ we can seize.” Three provocations anchor it — use the rush to AI as a forcing function to modernize human and machine identity; turn the inevitability of attacks into a continuous learning cycle that makes the program smarter/stronger/faster; and monetize innovation to fund more innovation. Everything else on the agenda is a variation on these themes. Don’t skip it.

★ Leadership Vision for 2026: Cybersecurity — Fadeen Davis

Mon 11:00–11:30 AM · Potomac A

Gartner’s annual “here’s your year” session for security & risk leaders. Abstract: cybersecurity leaders are key enablers of digital business, accountable for balancing risk and benefit; this vision “helps SRM leaders plan for 2026 and develop presentations for leadership, peers and teams.” In other words, it’s purpose-built to be re-used as your own board/team deck. High signal, low fluff — a strong first breakout of the conference.

★ How to Negotiate Security and Risk Into Technology Vendor Contracts — Oscar Isaka

Mon 12:45–1:15 PM · National Harbor 11

Abstract: CISOs are increasingly on the hook for negotiating security services and for weighing in on security clauses in business-critical agreements. Isaka lays out Gartner’s view on the top risk/security clauses that must be addressed for resiliency and regulatory compliance, plus negotiation tactics to actually win them. Immediately practical for anyone touching procurement.

⚠️ Tough call: runs head-to-head with Stronger Together: CISO-CIO Dynamic (below) — both are on your agenda, and both are excellent. See the conflict note.

★ Stronger Together: Resetting the CISO-CIO Dynamic — Christine Lee

Mon 12:45–1:15 PM · Annapolis

Abstract: how CISOs and CIOs build collaborative partnerships even when priorities differ — drawing on Gartner’s latest benchmarking, with practical strategies to define cybersecurity responsibilities, manage conflict across a CISO’s tenure, and navigate reporting structures. Lee is VP of Research and content leader for the cybersecurity team (and notably leads mindfulness/stress-reduction workshops — a nice human touch).

⚠️ Tough call: same 12:45 slot as Isaka’s contract-negotiation session — see the conflict note. A third strong option in this slot is Dennis Xu’s Technical Insights: Secure AI Agents Before They Go Rogue.

★ Drive Down Costs and Improve Security: Vendor Consolidation — Peter Firstbrook

Mon 1:30–2:00 PM · Maryland D

Abstract: as complexity rises and budgets tighten, more CISOs are running security vendor consolidation projects to improve outcomes and the bottom line. Firstbrook covers top practices for a successful consolidation and the future of the security platform market — how to evaluate emerging platforms. Firstbrook is a Distinguished VP Analyst with 25+ years covering EPP/EDR/XDR and the lead analyst for Cisco; he also delivers the Tuesday “Future of Cyber 2030” keynote. One of the most credible voices at the show on the market itself.

★ Executive Story: The New CISO in Town — Stacking the Right Pieces — Kevin McCarty

Mon 4:15–4:45 PM · Maryland D

A rare, candid “Executive Story” — Kevin McCarty is Gartner’s own CISO, one year into the role, and frames the first year like a game of Tetris: fitting new strategies into existing structures, deciding what to shift or remove. Three takeaways: a no-limits, adaptable vision from day one; communicating clear, quantified risk to secure investment; and building trust/partnership across the business to move fast. Great for new-in-seat leaders and anyone managing up.

★ CISO Cyber Regret: How to Survive a Boardroom Reckoning — William Candrick

Mon 5:00–5:30 PM · Potomac D

Abstract: “cyber regret looms on the horizon.” After years of budget growth, CISOs face a reckoning — Candrick argues they must act now to reduce cyber regret and pivot toward more agile ways of working. A provocative, board-facing close to Monday. (Candrick reprises the theme Wednesday in his “Maverick: 3 Ways CISOs Must Transform Their Role to Avoid Obsolescence” — see below.)

 

Vendor sessions on your agenda (worth your time, eyes open)

  •  Island: Is Your Enterprise Ready for AI? — Shawn Surber · Mon 12:00–12:30 PM · Maryland D. Abstract: CISOs are pressured to operationalize GenAI without losing governance, visibility, or compliance — and as browser-based AI tools proliferate, “risk shifts from adoption to control.” Covers Shadow AI risks, data-exfiltration paths, and practical controls to enforce policy while still enabling AI-driven productivity. The enterprise-browser angle on safe AI adoption.
  • Dragos: From OT to xOT — Robert Lee · Mon 2:05–2:25 PM · Theater 2. Abstract: power grids, pipelines, manufacturing, and data centers now have more technologies in the control loop than ever — cloud, IoT, AI-driven automation, robotics — reshaping how operations function and how adversaries exploit them. Dragos CEO Robert M. Lee (a genuine authority on OT/ICS security) examines what securing the full xOT environment requires and the community’s shared responsibility to get it right. A high-quality vendor talk if OT is in your world.

These are sponsor sessions, so expect a product point of view — but both feature credible speakers on substantive topics.

 

4. Flagship Gartner sessions most attendees won’t want to miss

Keynotes

  • Guest Keynote: Creativity and Innovation for a Better Tomorrow — José Andrés · Tue 9:00 AM. The marquee guest keynote (chef, humanitarian, World Central Kitchen).
  • Gartner Keynote: The Future of Cyber 2030 — Skills, AI, Tech — Peter Firstbrook · Tue 4:45 PM. Abstract: in just three years AI’s impact on cybersecurity has been immense; this keynote explores the future of cybersecurity skills, technology, and the next wave of AI impacts — what’s likely to transpire and what it means for teams, budgets, and the overall program by 2030. The forward-looking closer for Tuesday.
  • Guest Keynote: Leading with Levity — Naomi Bagdonas · Wed 9:00 AM. Improv/humor as a leadership advantage to send the week off.

The “Top / Outlook / Trends” set (high reuse value for your own decks)

  • Top Trends in Cybersecurity for 2026 — Alex Michaels · Mon 4:15 PM (repeats Tue 3:30 PM). Abstract: Gartner’s top eight trends for 2026 across three themes — transforming governance, securing new frontiers, and empowering AI adoption. If you grab one framework deck, make it this one.
  • Top Cybersecurity Predictions for 2026 — Christopher Mixter · Wed 12:00 PM. Abstract: “Change is the only constant in cybersecurity” — this session identifies and explains Gartner’s top cybersecurity predictions for the coming year. Mixter (VP Analyst, board-reporting and CISO-effectiveness specialist) is one of the most polished presenters on the roster.
  • Top Cybersecurity Projects for 2026 — Wayne Hankins · Wed 12:00 PM.
  • Six Big Ideas to Shake Up Cybersecurity — Paul Proctor · Mon 5:00 PM. Abstract: cybersecurity governance “has atrophied and needs a reset.” Proctor pitches six big ideas to shake it up — a standard of due care, stakeholder defensibility, a threat-readiness index, protection-level agreements, and outcome-based governance — and new ways to engage executives, define what “good” looks like, and drive priorities and investment. The boldest governance-reframe session of the week.
  • The full “Outlook for…” series (Mon–Wed) is the analyst-by-domain backbone: Threats/Threatscape (John Watts), Cyber-Risk Management (Deepti Gopal), Data Security (Mike Huskey), Identity & Access Management (Zachary Smith), Application Security (Jason Gross), Privacy (Bernard Woo), AI & Cybersecurity (Craig Porter), Cyber Resilience (Phillip Shattan), SOC (Dhivya Poole), Infrastructure Security (Rajpreet Kaur), Human Factors (Elizabeth Davis), Third-Party CRM (Oscar Isaka), Cyber-Physical Systems (Katell Thielemann). Pick the two or three that map to your portfolio.

Magic Quadrants & market research (if you’re buying)

SIEM (Eric Ahlm), SASE Platforms (Neil MacDonald), Application Security Testing (Jason Gross), Exposure Assessment Platforms (Mitchell Schneider), Endpoint Protection (Chris Silva), Hybrid Mesh Firewall (Rajpreet Kaur), Email Security (Max Taggett), plus Market Guides for MDR and Access Management. These are the sessions to attend before a renewal or RFP.

 

The AI-agent / agentic security spine (Gartner-led)

  • How to Secure Enterprise AI Agents — Jeremy D’Hoinne · Mon 2:30 PM
  • Technical Insights: Secure AI Agents Before They Go Rogue — Dennis Xu · Mon 12:45 PM
  • Gartner Top Strategic Technology Trend 2026 — AI Security Platforms — Dennis Xu · Wed 10:30 AM
  • “Use AI Like a Threat Actor” and Other Strategies for AI in Cyber Defense — Leigh McMullen · Wed 12:00 PM
  • Sentinel Stories: Tales of Guardian Agents — Meghan Hollis · Wed 12:00 PM
  • 4 Critical AI Red Teaming Priorities — Dhivya Poole · Wed 3:30 PM

Quietly excellent / differentiated

  • OpenAI Daybreak vs. Anthropic Mythos: What Cybersecurity Leaders Must Do — Leigh McMullen & Dennis Xu · Tue 10:30 AM (a genuinely novel framing).
  • Winning in a World Without Truth — Dave Aron · Tue 2:00 PM (disinformation/trust).
  • Introduction to the Gartner Cybersecurity Operating Model — Jason Malley · Mon 5:00 PM. Abstract: program effectiveness is constantly challenged by complex, ever-changing environments; leaders optimize outcomes by ensuring their function’s operating model is fit for purpose. Introduces the Gartner Cybersecurity Operating Model and how to leverage it. A foundational framework that pairs with the Tuesday “Design Your Future-State Cybersecurity Operating Model” workshop (Gopal & Lee).
  • Maverick: 3 Ways CISOs Must Transform Their Role to Avoid Obsolescence — William Candrick · Wed 2:45 PM (the contrarian “Maverick” research).

5. Time conflicts & tough calls

The defining tension of Summit is that the best stuff overlaps. The most important clashes to plan around:

  • Mon 12:45 PM — the hardest call on your agenda. How to Negotiate Security & Risk into Vendor Contracts (Isaka) vs. Stronger Together: CISO-CIO Dynamic (Christine Lee) — both are on your agenda and both are genuinely excellent; it’ll be tough to decide. A third strong option, Secure AI Agents Before They Go Rogue (Dennis Xu), runs in the same slot. Suggestion: pick based on your nearest-term need (procurement/contracts vs. org/relationship), and grab the other’s slide PDF afterward.
  • Mon 11:00 AM — analyst logjam. Leadership Vision 2026 (Fadeen Davis, your pick) competes with five “Outlook” sessions (Threatscape, Cyber-Risk, Data Security) and the SIEM Magic Quadrant. Leadership Vision is the right anchor; collect the Outlook PDFs.
  • Mon 1:30 PM. Vendor Consolidation (Firstbrook, your pick) vs. AI Drives New Cybersecurity Architecture (Mary Ruddy) and Securing SaaS With Precision (Craig Lawson). Firstbrook wins for cost/market relevance.
  • Mon 5:00 PM. CISO Cyber Regret (Candrick, your pick) vs. Six Big Ideas to Shake Up Cybersecurity (Paul Proctor) vs. Intro to the Gartner Cybersecurity Operating Model (Malley) vs. Seeing Your Organization Through the Eyes of an Attacker (Dhivya Poole). A loaded final slot — Candrick is the boardroom-relevant choice.
  • Wed 12:00 PM — the framework finale. Top Predictions (Mixter), Top Projects (Hankins), “Use AI Like a Threat Actor” (McMullen), and Guardian Agents (Hollis) all collide. If you want the reusable frameworks, Predictions + Projects; if you want the provocative idea, McMullen.

BUT IF YOU ARE A HEALTHCARE EXEC: be sure to come to our CxO Security Forum Executive Luncheon at this time!

 

6. Day-by-day cheat sheet (your agenda + must-sees)

Monday, June 1

  • 9:30 — Opening Keynote: Seize the Moment (McMullen) ★
  • 11:00 — Leadership Vision 2026 (Fadeen Davis) ★
  • 12:00 — Island: Ready for AI? (Surber) ★ / lunch + dessert reception
  • 12:45 — Isaka (Contracts) or Christine Lee (CISO-CIO) ★ — tough call
  • 1:30 — Vendor Consolidation (Firstbrook) ★
  • 2:05 — Dragos: OT to xOT (Robert Lee) ★
  • 4:15 — Executive Story: The New CISO in Town (McCarty) ★ / Top Trends 2026 (Michaels)
  • 5:00 — CISO Cyber Regret (Candrick)
  • Evening — CxO Security Forum reception @ TopGolf (see §7)

Tuesday, June 2

  • 9:00 — Guest Keynote: José Andrés
  • 10:30 — Outlook sessions / “OpenAI Daybreak vs. Anthropic Mythos” (McMullen & Xu)
  • Midday — CxO Security Forum Executive Luncheon (see §7)
  • 2:00 — Winning in a World Without Truth (Aron) / Future of AI in Cybersecurity (D’Hoinne)
  • 4:45 — Keynote: The Future of Cyber 2030 (Firstbrook)

Wednesday, June 3

  • 9:00 — Guest Keynote: Naomi Bagdonas
  • 10:30 — AI Security Platforms (Xu) / Turbulence Report 2026 (Resnick)
  • Midday — CxO Security Forum HITRUST Healthcare Executive Luncheon
  • 2:45 — Maverick: 3 Ways CISOs Must Transform (Candrick)
  • 3:30 — closing analyst sessions; exhibit floor closes 2:00 PM

7. The best things to do in National Harbor: the CxO Security Forum gatherings

Summit days are dense and vendor-saturated. The highest-value relationship time of the week happens at the CxO Security Forum’s invite-only executive gatherings, held adjacent to Summit (independent of, and complementary to, Gartner — not affiliated with or sanctioned by Gartner). The format is deliberately the opposite of an expo hall: small, curated groups of senior leaders, peer-to-peer discussion, no product pitches or slides, Chatham House Rules. Quality of conversation over scale. Details and registration live at CxOSecurityForum.com/Summit.

 

Three gatherings frame the week:

Monday Evening — Executive Reception @ TopGolf

A relaxed kickoff to Summit week that beats the traditional conference dinner: private TopGolf bays and lounge (room for up to 50), cocktail-style dinner and open bar, small-group networking, and informal discussion with guest authors and industry leaders. Private shuttles run from the Gaylord area starting ~7:00 PM (a couple of trips), returning to the hotel around 9:30 PM. Supported by Zero Networks & Cequence.ai.

 

🍽️ Tuesday — Executive Luncheon (adjacent to the venue)

A curated, moderated roundtable for ~20 senior executives — no slides, confidential peer-sharing — on the exact themes running through the Summit agenda: AI security & governance, Zero Trust execution, identity architecture, board communication, vendor consolidation, and operational security leadership. Located steps from the Summit venue so you don’t miss key sessions. Supported by Illumio.

 

🩺 Wednesday — HITRUST Healthcare Executive Luncheon (adjacent to the venue)

An industry-focused discussion for healthcare, life sciences, pharma, provider, payor, and regulated-environment security leaders. Runs ~11:45 AM arrival → 1:45 PM close: executive intros, a moderated discussion on AI in clinical/regulated environments, patient trust, third-party exposure, where TPRM is breaking down across healthcare ecosystems, and scaling assurance across vendors and digital supply chains, plus a HITRUST perspective on evolving trust/assurance approaches. Supported by HITRUST, with help from A-Lign.

 

Special guest participants expected across the gatherings:

  • Dr. Chase Cunningham (“Dr. Zero Trust”) — prolific author and one of LinkedIn’s biggest cybersecurity voices (300K+ podcast subscribers); speaking, on panels, and recording live at Summit.
  • Richard Stiennon — former Gartner VP analyst (the first cybersecurity analyst at Gartner), founder of IT-Harvest, author of the Security Yearbook series and Guardians of the Machine Age; speaks authoritatively on market shifts across 400+ AI-in-cyber vendors and the broader 4,000+ landscape.
  • Josh Woodruff — author of Agentic AI + Zero Trust (foreword by Zero Trust creator John Kindervag), distilling a decade of research into memorable, immediately useful takeaways.
  • Kurtis Minder — an expert in cyber espionage who deciphers ransomware negotiations, the criminal mindset of gangs that extort money through data exfiltration, and more.

All of the above will be there all week. For Tuesday only, we will also have:

 

🎖️🇺🇸 Gary Barlet, Lt. Col – USAF (Ret), Former CIO, US Postal Service Office of the Inspector General & Current Federal CTO, Illumio, talks about operationalizing ZT segmentation in environments that can’t afford to get it wrong.

🏛️⚖️ Tim Brown – Former CISO, SolarWinds – Speaking candidly on the SEC case (now dropped) against him, executive accountability, crisis leadership, and the lessons every modern CISO should be paying attention to.

 

Why it’s worth it: the gatherings are built for long-term relationship development rather than transactional lead-gen, and they line up neatly against the Summit’s own dominant themes (agentic AI, Zero Trust, identity, TPRM, board communication). Most executives do both — the official conference by day, the CxO Forum for the candid conversations the conference format doesn’t allow.

 

 Compiled from the Gartner Conference Navigator full agenda (478 sessions) and session detail pages; session abstracts quoted/paraphrased from Gartner’s published descriptions. CxO Security Forum details drawn from the Forum’s own 2026 overview materials.

 
